
ASA ACL and SUBNET MASKING

Retiring subnet 172.16.24.x 255.255.252.0 in phases, moving devices to 172.17.24.0 255.255.252.0. Current phase: move Messaging server devices. Senior is stating that the currently proposed command set for the move does not make sense in terms of subnet masks for the given ACLs. I am not understanding this, given the existing config appears to utilize the same subnet mask. I submitted the change outline below based upon the existing config that is in the attachment. Any thoughts?

section (names)
name 172.17.24.126 chints1
name 172.17.24.127 chints2
name 172.17.24.134 chiapp1

section (access-list acl-dmz1)
command set to be used:
access-list acl-dmz1 linenumber extended deny tcp host nantsgw4 172.17.0.0 255.240.0.0 eq www
access-list acl-dmz1 linenumber extended permit tcp host nantsgw4 172.17.0.0 255.240.0.0 eq lotusnotes
access-list acl-dmz1 linenumber extended deny tcp host chibry1 172.17.0.0 255.240.0.0 eq 3101
access-list acl-dmz1 linenumber extended deny tcp host chibry2 172.17.0.0 255.240.0.0 eq 3101

section (access-list acl-dmz4)
command set to be used:
access-list acl-dmz4 extended permit tcp 172.16.0.0 255.240.0.0 172.17.0.0 255.240.0.0 object-group Permit-Inbound-Remote-Internal-TCP
access-list acl-dmz4 extended permit udp 172.16.0.0 255.240.0.0 172.17.0.0 255.240.0.0 object-group Permit-Inbound-Remote-Internal-UDP

1 REPLY
Anonymous
N/A

Re: ASA ACL and SUBNET MASKING

I think you have to change the subnet mask from 255.240.0.0 to 255.255.0.0. This is the default subnet mask for a class B IP address.

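To see what the masks in this thread actually match, here is an added Python check; it is not part of the original post, the reply, or any Cisco tool. It assumes the three 'name' entries from the post (embedded as a constructed table) and expands each ASA 'address mask' pair (standard masks, not wildcard masks) into the range it covers.

```python
import ipaddress

# Constructed name table, mirroring the 'name' entries in the post.
NAMES = {"chints1": "172.17.24.126", "chints2": "172.17.24.127", "chiapp1": "172.17.24.134"}


def asa_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Network matched by an ASA ACL 'address mask' pair (standard mask, not wildcard).

    strict=False mirrors what the ASA does: bits outside the mask are masked off,
    so 172.17.0.0 255.240.0.0 and 172.16.0.0 255.240.0.0 both become 172.16.0.0/12.
    """
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def same_match(a_addr: str, a_mask: str, b_addr: str, b_mask: str) -> bool:
    """True when two address/mask pairs match exactly the same set of hosts."""
    return asa_network(a_addr, a_mask) == asa_network(b_addr, b_mask)


def covers(net_addr: str, mask: str, host: str) -> bool:
    """True when 'host' (an IP literal or a 'name' from NAMES) falls inside 'net_addr mask'."""
    ip = ipaddress.IPv4Address(NAMES.get(host, host))
    return ip in asa_network(net_addr, mask)


def describe(addr: str, mask: str) -> str:
    """Human-readable range for an ACL 'address mask' pair."""
    net = asa_network(addr, mask)
    return f"{addr} {mask} -> {net} ({net[0]} - {net[-1]}, {net.num_addresses} addresses)"


if __name__ == "__main__":
    for addr, mask in [("172.16.0.0", "255.240.0.0"), ("172.17.0.0", "255.240.0.0"),
                       ("172.16.0.0", "255.255.0.0"), ("172.17.0.0", "255.255.0.0"),
                       ("172.16.24.0", "255.255.252.0"), ("172.17.24.0", "255.255.252.0")]:
        print(describe(addr, mask))
    # The existing 255.240.0.0 entries already cover the new server addresses...
    print("existing /12 entry covers chints1:", covers("172.16.0.0", "255.240.0.0", "chints1"))
    # ...so a proposed 172.17.0.0 255.240.0.0 line matches exactly the same hosts.
    print("proposed entry identical to existing:",
          same_match("172.16.0.0", "255.240.0.0", "172.17.0.0", "255.240.0.0"))
    # With a 255.255.0.0 mask the old and new ranges are distinct.
    print("/16 masks distinct:",
          not same_match("172.16.0.0", "255.255.0.0", "172.17.0.0", "255.255.0.0"))
```

255.240.0.0 is a /12 spanning 172.16.0.0 through 172.31.255.255, so an entry written 172.17.0.0 255.240.0.0 matches the same hosts as the existing 172.16.0.0 255.240.0.0 entry; only a narrower mask such as 255.255.0.0 or 255.255.252.0 actually distinguishes the old and new subnets in an ACL.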