Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5505: How Do I Create an ACE for a range of IP addresses via ASDM?

Hi All,

I'm a total noob trying to configure our ASA 5505 (hence my request for help with the ASDM). However, I can go CLI if push comes to shove.

What I'm trying to do is allow a range of IP addresses on the inside interface (those which the DHCP server is doling out IPs which are XXX.X.XXX.14-140) to access email only (which is hosted offsite). They still need to access the file servers which are on the inside but nothing should be going out to the internet other than email.

I believe I have to create a Network Object which contains the IP range I wish to restrict. I can see where I add the Network Object but I don't know what the syntax should be to specify the address range.

I'm also not sure what the sequence of the ACLs should be and whether or not I can keep the default Access Rules in place. There are the two implicit rules: 1) Permit any traffic out to less secure networks  2) Deny any traffic to anywhere (which is superceded by rule 1, yes?)

To create an Access Rule like the one I desire, do I need to move the two existing rules down the list so that the new one will supercede both implicit rules?

Thanks for your patience in helping out a new guy.

1 REPLY
Silver

Re: ASA 5505: How Do I Create an ACE for a range of IP addresses

John Woo wrote:

Hi All,

I'm a total noob trying to configure our ASA 5505 (hence my request for help with the ASDM). However, I can go CLI if push comes to shove.

What I'm trying to do is allow a range of IP addresses on the inside interface (those which the DHCP server is doling out IPs which are XXX.X.XXX.14-140) to access email only (which is hosted offsite). They still need to access the file servers which are on the inside but nothing should be going out to the internet other than email.

I believe I have to create a Network Object which contains the IP range I wish to restrict. I can see where I add the Network Object but I don't know what the syntax should be to specify the address range.

I'm also not sure what the sequence of the ACLs should be and whether or not I can keep the default Access Rules in place. There are the two implicit rules: 1) Permit any traffic out to less secure networks  2) Deny any traffic to anywhere (which is superceded by rule 1, yes?)

To create an Access Rule like the one I desire, do I need to move the two existing rules down the list so that the new one will supercede both implicit rules?

Thanks for your patience in helping out a new guy.

John

I don't think you can create just a random range like that in a PIX/ASA config - at least I don't know of a way to do it.

As far as I know, all network objects in the Cisco config are defined by classless network boundaries - so, for example, to allow *only* the objects you want you'd have to create several objects - XXX.YYY.ZZZ.12/30 (addresses .12 through .15), XXX.YYY.ZZZ.16/28 (addresses .16 through .31), XXX.YYY.ZZZ.32/27 (addresses .32 through .63), XXX.YYY.ZZZ.64/28 (addresses .64 through .127) & XXX.YYY.ZZZ.128/28 (addresses .128 through .143)- and you'd still have a couple of extra addresses at the start (.12 & .13) and the end (.141 through .143) allowed through the range.

That'd be one *ugly* access rule, and I'm not sure how the ASA would parse it with respect to the overlapping address ranges.

Is it possible to either narrow the range of the DHCP server or fit it to a bit-wise boundary  - for example, change the range to be XXX.YYY.ZZZ.64/25, giving IP addresses from .65 through .126? Although you'd lose one of them for the router.

As for question 2 - Access rules are parsed from the top down - and the implicit deny rule is *always* present. So if you put in an allow rule at the top of your list, there will always be a deny rule at the bottom - but the implicit "Allow to any less secure interface" rule will vanish, and you'll need to add extra rules (allow any any between your secure interface and your less secure interface) if you want this functionality to continue.

Phew. That's taken a bit fo research, and I'm still not 100% sure of the veracity of my logic - but I hope I've given you some ideas on how to do what you need to do.

Cheers.

675
Views
0
Helpful
1
Replies
CreatePlease login to create content