Cisco Support Community
Community Member

allow single /32 out of /8 on a cisco context firewall

Wondering if anyone has any tricks to allow a single /32 out of a /8 on a Cisco non-ASA firewall.


the network is and I want to only allow


This is pretty messy with multiple lines of summary routes, is there an easier way?

VIP Purple


With "non-asa", are you talking about an IOS router? Can you explain in a little more detail what you want to achieve? Just by reading your post it sounds like a simple two/three-line ACL. But probably you want to achieve something different?

ip access-list ext TEST
  permit ip host any
  deny ip any
  permit ip any any


Community Member


This wouldn't be an access-list but an access-group applied to an interface on a cisco firewall context. So we have a customer who has an entire /8 blocked from attack but wants one ip out of that /8 allowed. 

VIP Purple


That's pretty much what the above ACL does: it allows that single IP, denies the /8 and allows the rest. And yes, such an ACL has to be applied to an interface with an access-group command.

Community Member


Problem with that is there are other rules that the host must match against. If I just allow the host at the beginning, it will bypass all other rules, won't it?

VIP Purple


Yes, if that line is at the beginning it will match regardless of what comes later. If you need more control, the way to achieve it is the same: allow the most specific, then deny the next less specific, then allow again the next less specific, and so on and so on ...
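The ordering question the two posters are circling, as an added example that is not part of this thread: a small first-match ACL evaluator, the "permit the host first" ordering next to a "most specific first" ordering, and an IOS-style rendering of the result. All addresses are constructed placeholders (10.0.0.0/8 stands for the blocked /8, 10.1.2.3 for the one permitted host, and a pre-existing deny of telnet to 192.0.2.10 for a rule the host must still obey); none of them come from the thread.

```python
"""First-match ACL evaluation: why the position of a /32 exception inside a
denied /8 decides whether that host also bypasses the rest of the policy.

Constructed example data (not from the thread): 10.0.0.0/8 stands for the
blocked /8, 10.1.2.3 for the one permitted host, and a deny of telnet (tcp/23)
to 192.0.2.10 for a pre-existing rule the host must still obey.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None = any destination port (ip), else tcp/<port>


def rule(action: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    # ip_network("10.1.2.3") yields a /32, so hosts and prefixes share one type
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def evaluate(acl: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, rule index) of the first matching rule.

    Like a Cisco ACL, evaluation stops at the first match and anything that
    matches nothing falls through to the implicit deny (index None).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(acl):
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action, i
    return "deny", None


# The "permit the host first" ordering from the thread: the host is allowed,
# the /8 is denied, everything else is permitted. The existing telnet deny
# sits after the host permit, so the host never reaches it.
NAIVE_ACL = [
    rule("permit", "10.1.2.3", "0.0.0.0/0"),
    rule("deny", "0.0.0.0/0", "192.0.2.10", 23),
    rule("deny", "10.0.0.0/8", "0.0.0.0/0"),
    rule("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

# Most specific first: the narrow deny the host must still hit goes ahead of
# its blanket permit, then the /8 deny, then the catch-all permit.
LAYERED_ACL = [
    rule("deny", "0.0.0.0/0", "192.0.2.10", 23),
    rule("permit", "10.1.2.3", "0.0.0.0/0"),
    rule("deny", "10.0.0.0/8", "0.0.0.0/0"),
    rule("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed test flows: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.1.2.3", "192.0.2.10", 23),      # the permitted host trying telnet
    ("10.1.2.3", "192.0.2.10", 80),      # the permitted host doing http
    ("10.9.9.9", "192.0.2.10", 80),      # another host inside the blocked /8
    ("198.51.100.7", "192.0.2.10", 80),  # a host outside the /8
]


def differences(acl_a: List[Rule], acl_b: List[Rule], flows) -> list:
    """Flows on which the two ACLs reach different verdicts (check this before a change)."""
    return [f for f in flows if evaluate(acl_a, *f)[0] != evaluate(acl_b, *f)[0]]


def to_ios(acl: List[Rule], name: str) -> List[str]:
    """Render the rule list in IOS extended-ACL syntax (wildcard masks, not ASA netmasks)."""
    def addr(net: ipaddress.IPv4Network) -> str:
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        if net.prefixlen == 0:
            return "any"
        return f"{net.network_address} {net.hostmask}"

    lines = [f"ip access-list extended {name}"]
    for r in acl:
        proto = "tcp" if r.dport is not None else "ip"
        port = f" eq {r.dport}" if r.dport is not None else ""
        lines.append(f" {r.action} {proto} {addr(r.src)} {addr(r.dst)}{port}")
    return lines


if __name__ == "__main__":
    for name, acl in (("naive", NAIVE_ACL), ("layered", LAYERED_ACL)):
        print(name)
        for f in SAMPLE_FLOWS:
            print("  ", f, "->", evaluate(acl, *f))
    print("\n".join(to_ios(LAYERED_ACL, "TEST")))
```

Running it shows the only flow on which the two orderings disagree is the permitted host's telnet attempt: the naive list lets it through on its first line, the layered list stops it on the deny that now sits above the host permit. `differences` is the check worth running against the real rule set before reordering lines on a production access-group.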
