ASA 5505: How Do I Create an ACE for a range of IP addresses via ASDM?

johncwoo2
Level 1

Hi All,

I'm a total noob trying to configure our ASA 5505 (hence my request for help with the ASDM). However, I can go CLI if push comes to shove.

What I'm trying to do is allow a range of IP addresses on the inside interface (those to which the DHCP server is doling out IPs, which are XXX.X.XXX.14-140) to access email only (which is hosted offsite). They still need to access the file servers which are on the inside but nothing should be going out to the internet other than email.

I believe I have to create a Network Object which contains the IP range I wish to restrict. I can see where I add the Network Object but I don't know what the syntax should be to specify the address range.

I'm also not sure what the sequence of the ACLs should be and whether or not I can keep the default Access Rules in place. There are the two implicit rules: 1) Permit any traffic out to less secure networks 2) Deny any traffic to anywhere (which is superseded by rule 1, yes?)

To create an Access Rule like the one I desire, do I need to move the two existing rules down the list so that the new one will supersede both implicit rules?

Thanks for your patience in helping out a new guy.

1 Reply

darren.g
Level 5

John Woo wrote:

Hi All,

I'm a total noob trying to configure our ASA 5505 (hence my request for help with the ASDM). However, I can go CLI if push comes to shove.

What I'm trying to do is allow a range of IP addresses on the inside interface (those to which the DHCP server is doling out IPs, which are XXX.X.XXX.14-140) to access email only (which is hosted offsite). They still need to access the file servers which are on the inside but nothing should be going out to the internet other than email.

I believe I have to create a Network Object which contains the IP range I wish to restrict. I can see where I add the Network Object but I don't know what the syntax should be to specify the address range.

I'm also not sure what the sequence of the ACLs should be and whether or not I can keep the default Access Rules in place. There are the two implicit rules: 1) Permit any traffic out to less secure networks 2) Deny any traffic to anywhere (which is superseded by rule 1, yes?)

To create an Access Rule like the one I desire, do I need to move the two existing rules down the list so that the new one will supersede both implicit rules?

Thanks for your patience in helping out a new guy.

John

I don't think you can create just a random range like that in a PIX/ASA config - at least I don't know of a way to do it.

As far as I know, all network objects in the Cisco config are defined by classless network boundaries - so, for example, to allow *only* the objects you want you'd have to create several objects - XXX.YYY.ZZZ.12/30 (addresses .12 through .15), XXX.YYY.ZZZ.16/28 (addresses .16 through .31), XXX.YYY.ZZZ.32/27 (addresses .32 through .63), XXX.YYY.ZZZ.64/28 (addresses .64 through .127) & XXX.YYY.ZZZ.128/28 (addresses .128 through .143)- and you'd still have a couple of extra addresses at the start (.12 & .13) and the end (.141 through .143) allowed through the range.

That'd be one *ugly* access rule, and I'm not sure how the ASA would parse it with respect to the overlapping address ranges.

Is it possible to either narrow the range of the DHCP server or fit it to a bit-wise boundary - for example, change the range to be XXX.YYY.ZZZ.64/25, giving IP addresses from .65 through .126? Although you'd lose one of them for the router.

As for question 2 - Access rules are parsed from the top down - and the implicit deny rule is *always* present. So if you put in an allow rule at the top of your list, there will always be a deny rule at the bottom - but the implicit "Allow to any less secure interface" rule will vanish, and you'll need to add extra rules (allow any any between your secure interface and your less secure interface) if you want this functionality to continue.

Phew. That's taken a bit of research, and I'm still not 100% sure of the veracity of my logic - but I hope I've given you some ideas on how to do what you need to do.

Cheers.
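The block-by-block decomposition darren.g works through by hand is the general problem of covering an arbitrary address range with CIDR-aligned blocks. The Python below is an editor's example added to this thread, not code from either poster: it computes the exact minimal cover of a range (the greedy "largest aligned block that still fits" algorithm), the coarser cover you get by rounding both ends out to /30 boundaries (fewer objects, a few extra addresses admitted, which is the trade-off the reply describes), counts those extra addresses, and renders the result as ASA `object-group network` lines. The 192.168.1.x addresses are constructed stand-ins for the thread's masked XXX.X.XXX.14-140 range, the object-group name is made up, and the `network-object` / `network-object host` syntax follows standard ASA CLI conventions.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Exact minimal CIDR cover of the inclusive address range first..last.

    Greedy: at each step take the largest block that (a) is aligned at the
    current start address and (b) does not run past `last`.
    """
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end.version != start.version or end < start:
        raise ValueError("range must be ascending and a single address family")
    bits = start.max_prefixlen
    lo, hi = int(start), int(end)
    blocks = []
    while lo <= hi:
        # Alignment limit: a block starting at lo can be no larger than the
        # lowest set bit of lo allows (lo == 0 is aligned to everything).
        plen = 0 if lo == 0 else bits - ((lo & -lo).bit_length() - 1)
        # Shrink the block until its last address stays inside the range.
        while lo + (1 << (bits - plen)) - 1 > hi:
            plen += 1
        blocks.append(ipaddress.ip_network((lo, plen)))
        lo += 1 << (bits - plen)
    return blocks


def rounded_cover(first, last, granularity):
    """Coarser cover: widen the range outward to whole /<granularity> blocks
    (e.g. /30 = 4 addresses) before covering it. Fewer objects, but the
    addresses pulled in at either end are permitted too."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    bits = start.max_prefixlen
    size = 1 << (bits - granularity)
    lo = (int(start) // size) * size
    hi = min((int(end) // size + 1) * size - 1, (1 << bits) - 1)
    return range_to_cidrs(type(start)(lo), type(start)(hi))


def extra_addresses(blocks, first, last):
    """Count addresses a candidate cover permits that lie outside first..last.
    Assumes the blocks do not overlap one another."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    extra = 0
    for net in blocks:
        nlo, nhi = int(net.network_address), int(net.broadcast_address)
        inside = max(0, min(nhi, hi) - max(nlo, lo) + 1)
        extra += (nhi - nlo + 1) - inside
    return extra


def asa_object_group(name, blocks):
    """Render a cover as ASA object-group CLI lines (standard ASA syntax;
    the group name is whatever the caller chooses)."""
    lines = ["object-group network %s" % name]
    for net in blocks:
        if net.prefixlen == net.max_prefixlen:
            lines.append(" network-object host %s" % net.network_address)
        else:
            lines.append(" network-object %s %s" % (net.network_address, net.netmask))
    return lines


# Constructed sample range standing in for the thread's masked XXX.X.XXX.14-140.
SAMPLE_FIRST, SAMPLE_LAST = "192.168.1.14", "192.168.1.140"

if __name__ == "__main__":
    exact = range_to_cidrs(SAMPLE_FIRST, SAMPLE_LAST)
    print("exact cover: %d blocks, %d extra addresses"
          % (len(exact), extra_addresses(exact, SAMPLE_FIRST, SAMPLE_LAST)))
    print("\n".join(asa_object_group("DHCP_MAIL_ONLY", exact)))
    coarse = rounded_cover(SAMPLE_FIRST, SAMPLE_LAST, 30)
    print("/30-rounded cover: %d blocks, %d extra addresses: %s"
          % (len(coarse), extra_addresses(coarse, SAMPLE_FIRST, SAMPLE_LAST),
             ", ".join(str(n) for n in coarse)))
```

For the sample range the exact cover needs seven blocks and admits nothing outside .14-.140; rounding both ends to /30 boundaries drops that to five blocks at the cost of admitting .12, .13 and .141-.143, which is exactly the spill-over the reply warns about. Whichever cover is chosen, the resulting object-group is what an access rule would reference, and the extra-address count is the thing to check before committing it.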
