allow single /32 out of /8 on a cisco context firewall

scotteberl
Level 1

Wondering if anyone has any tricks to allow a single /32 out of a /8 on a Cisco non-ASA firewall.

 

The network is 121.0.0.0/8 and I want to only allow 121.240.128.58/32.

 

This is pretty messy with multiple lines of summary routes; is there an easier way?

5 Replies

With "non-ASA", are you talking about an IOS router? Can you explain in a little more detail what you want to achieve? Just by reading your post it sounds like a simple two/three-line ACL. But probably you want to achieve something different?

ip access-list ext TEST
  permit ip host 121.240.128.58 any
  deny ip 121.0.0.0 0.255.255.255 any
  permit ip any any

 

This wouldn't be an access-list but an access-group applied to an interface on a Cisco firewall context. So we have a customer who has an entire /8 blocked from attack but wants one IP out of that /8 allowed.

That's pretty much what the above ACL does: it allows that single IP, denies the /8 and allows the rest. And yes, such an ACL has to be applied to an interface with an access-group command.

Problem with that is there are other rules that the host must match against. If I just allow the host at the beginning, it will bypass all other rules, won't it?

Yes, if that line is at the beginning it will match regardless of what comes later. If you need more control, the way to achieve it is the same: allow the most specific, then deny the next less specific, then allow again the next less specific, and so on and so on...
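To make the first-match behaviour discussed in this thread concrete, here is an added example (not code from the thread's participants or from Cisco) that parses the small subset of IOS extended-ACL syntax used above (`permit|deny ip <any|host A|A wildcard> <any|host A|A wildcard>`) and evaluates packets top-down with the implicit deny at the end. It shows both the three-line ACL from the second reply and a variant built the way the last reply describes: a more specific deny for the allowed host is placed above its permit, so that host is still subject to that rule. The destination subnet 10.0.0.0/24 and the address 198.51.100.7 are constructed for the example; ports, protocols other than `ip`, and non-contiguous wildcard masks are not modelled.

```python
import ipaddress


def _parse_spec(tokens, i):
    """Consume one IOS address spec (any | host A | A wildcard) at tokens[i].
    Returns (ip_network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    if wildcard == "0.0.0.0":            # wildcard 0.0.0.0 means a single host
        return ipaddress.ip_network(addr + "/32"), i + 2
    if wildcard == "255.255.255.255":    # wildcard all-ones means any
        return ipaddress.ip_network("0.0.0.0/0"), i + 2
    # ipaddress accepts a host mask (an IOS wildcard) after the slash when its
    # first octet is zero; strict=False tolerates host bits in the address.
    # Non-contiguous wildcards raise ValueError, which is fine for this model.
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2


def parse_acl(lines):
    """Parse 'permit|deny ip <src-spec> <dst-spec>' lines into
    (action, src_network, dst_network, original_text) tuples.
    Header lines, blanks, remarks and other protocols are skipped."""
    acl = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue
        src, i = _parse_spec(t, 2)
        dst, _ = _parse_spec(t, i)
        acl.append((t[0], src, dst, line.strip()))
    return acl


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation like an IOS ACL.
    Returns (action, 1-based line number, line text); the implicit deny at
    the end of every IOS ACL is reported with line number None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, src, dst, text) in enumerate(acl, start=1):
        if s in src and d in dst:
            return action, n, text
    return "deny", None, "implicit deny"


# The three-line ACL from the thread.
THREAD_ACL = """
ip access-list extended TEST
 permit ip host 121.240.128.58 any
 deny ip 121.0.0.0 0.255.255.255 any
 permit ip any any
""".splitlines()

# Constructed variant following the last reply: the most specific rule for the
# host (a deny toward 10.0.0.0/24, constructed for the example) goes first, then
# the host permit, then the /8 deny, then permit any.
REFINED_ACL = """
ip access-list extended TEST
 deny ip host 121.240.128.58 10.0.0.0 0.0.0.255
 permit ip host 121.240.128.58 any
 deny ip 121.0.0.0 0.255.255.255 any
 permit ip any any
""".splitlines()


def main():
    for name, text in (("THREAD_ACL", THREAD_ACL), ("REFINED_ACL", REFINED_ACL)):
        acl = parse_acl(text)
        print(name)
        for src, dst in (("121.240.128.58", "198.51.100.7"),
                         ("121.240.128.58", "10.0.0.5"),
                         ("121.1.2.3", "198.51.100.7"),
                         ("8.8.8.8", "198.51.100.7")):
            action, n, line = evaluate(acl, src, dst)
            print(f"  {src} -> {dst}: {action} (line {n}: {line})")


if __name__ == "__main__":
    main()
```

Running `main()` shows why the last reply's ordering works: in THREAD_ACL the allowed host matches line 1 for every destination, so nothing below it can restrict that host; in REFINED_ACL the same host toward 10.0.0.0/24 hits the more specific deny on line 1 and is permitted elsewhere by line 2, while the rest of 121.0.0.0/8 still stops at the /8 deny.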
