Convert a strange ACL line to a rule in ASA

Hello,

Can someone tell me if there is a shorter solution to convert those lines in a router ACL to my rule base in ASA / CSM ?

...

...

access-list 109 deny   ip 10.0.0.0 0.15.56.127 10.4.8.0 0.0.0.255
access-list 109 permit ip 10.0.0.0 0.15.56.127 any

...

...

Thanks,

Dave


Accepted Solutions

Re: Convert a strange ACL line to a rule in ASA

Hi,

You are using a wildcard mask to define a weird group of addresses.

access-list 109 deny   ip 10.0.0.0 0.15.56.127 10.4.8.0 255.255.255.0

access-list 109 permit ip 10.0.0.0 0.15.56.127 any

The ASA won't support wildcards and only supports subnet masks.

So to convert those rules to ASA you will need to create the list of entries in the ACL with the appropriate subnet mask.

Just out of curiosity... what is the purpose of the above ACL in your router?

Federico.

5 REPLIES

New Member

Re: Convert a strange ACL line to a rule in ASA

Thanks for the response, even if I kind of knew the answer... I was wondering if someone came with a solution.

Those weird wildcards are meant for special ranges of IP to access another range of IP.

Instead of repeating lines for nothing, and since the environment (subnet) is defined like that in every other subnet, they implemented bizarre wildcards like that. In one line, I can include every other line, see the following...

deny 10.1.8.0 - 127    10.4.8.0 255.255.255.0  (range of IP)

permit 10.1.8.0 - 127  10.4.8.0 255.255.248.0 (complete subnet)

deny 10.1.16.0 - 127    10.4.8.0 255.255.255.0

permit 10.1.16.0 - 127  10.4.8.0 255.255.248.0

deny 10.1.24.0 - 127    10.4.8.0 255.255.255.0

permit 10.1.24.0 - 127  10.4.8.0 255.255.248.0

...

...

...

deny 10.15.248.0 - 127    10.4.8.0 255.255.255.0

permit 10.15.248.0 - 127  10.4.8.0 255.255.248.0

Best regards,

Dave

Re: Convert a strange ACL line to a rule in ASA

There's no way to use wildcard masks in ASAs.

I guess one option would be to create object-groups.

You can group networks in one object (and have several objects), and then reference the permit/deny statements between objects.

This will simplify the configuration.

Federico.
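The two points above (the ASA needs one subnet-mask entry per contiguous block, and those entries are best kept in an object-group) can be automated. The following is an added example written for this thread, not code from Cisco or from either poster. It expands an IOS network/wildcard pair into the minimal list of CIDR prefixes, verifies that the list covers exactly the addresses the router line matched, and renders an ASA object-group with the two ACEs from the question. The names OBJ_SRC_WILD and OUTSIDE_IN are placeholders.

```python
import ipaddress
from itertools import product


def _trailing_ones(value: int) -> int:
    """Count the contiguous low-order 1 bits of a wildcard (the part a prefix length can express)."""
    count = 0
    while value & 1:
        count += 1
        value >>= 1
    return count


def matches_wildcard(ip: str, network: str, wildcard: str) -> bool:
    """IOS ACL semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(ip))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def wildcard_to_prefixes(network: str, wildcard: str) -> list:
    """Expand 'network wildcard' into the smallest list of CIDR prefixes covering
    exactly the same addresses. Contiguous low-order wildcard bits become the
    prefix length; every combination of the remaining (non-contiguous) bits
    becomes its own prefix; adjacent results are merged afterwards."""
    net = int(ipaddress.IPv4Address(network))
    wild = int(ipaddress.IPv4Address(wildcard))
    low = _trailing_ones(wild)
    prefix_len = 32 - low
    base = (net & ~wild) & 0xFFFFFFFF          # the bits the match fixes
    free_bits = [b for b in range(low, 32) if (wild >> b) & 1]
    prefixes = set()
    for combo in product((0, 1), repeat=len(free_bits)):
        addr = base
        for bit, val in zip(free_bits, combo):
            addr |= val << bit
        prefixes.add(ipaddress.IPv4Network((addr, prefix_len)))
    return sorted(ipaddress.collapse_addresses(prefixes))


def equivalent(network: str, wildcard: str, prefixes) -> bool:
    """Check before deploying: the (non-overlapping) prefixes must cover exactly the
    2**popcount(wildcard) addresses the router line matched, no more, no less."""
    w = int(ipaddress.IPv4Address(wildcard))
    expected = 1 << bin(w).count("1")
    total = sum(p.num_addresses for p in prefixes)
    inside = all(matches_wildcard(str(p.network_address), network, wildcard)
                 and (int(p.hostmask) & ~w) == 0 for p in prefixes)
    return total == expected and inside


def asa_config(group_name: str, acl_name: str, prefixes) -> str:
    """Render the expansion as an ASA object-group plus the two ACEs from the
    thread (deny to 10.4.8.0/24, permit to any). Group and ACL names are placeholders."""
    lines = [f"object-group network {group_name}"]
    lines += [f" network-object {p.network_address} {p.netmask}" for p in prefixes]
    lines.append(f"access-list {acl_name} extended deny ip object-group {group_name} 10.4.8.0 255.255.255.0")
    lines.append(f"access-list {acl_name} extended permit ip object-group {group_name} any")
    return "\n".join(lines)


if __name__ == "__main__":
    # The source from the thread: access-list 109 ... ip 10.0.0.0 0.15.56.127 ...
    pfx = wildcard_to_prefixes("10.0.0.0", "0.15.56.127")
    print(f"{len(pfx)} prefixes, equivalent={equivalent('10.0.0.0', '0.15.56.127', pfx)}")
    print(asa_config("OBJ_SRC_WILD", "OUTSIDE_IN", pfx))
```

For 10.0.0.0 0.15.56.127 the wildcard has 14 don't-care bits: seven contiguous ones in the last octet (so each entry is a /25) and seven scattered ones in the second and third octets, giving 2^7 = 128 network-objects that cannot be merged any further. The equivalence check is the part worth keeping: it guards against off-by-one expansions that would silently widen or narrow the deny, which is the failure mode a firewall migration should never have.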

New Member

Re: Convert a strange ACL line to a rule in ASA

Hello again,

Yep, I know... but it's going to be a pain to implement...

Best regards,

Dave

Re: Convert a strange ACL line to a rule in ASA

I guess it's not as nice as just converting the commands to the ASA... but the nice part is that once you created the object-groups you can manage the subnets just as you did with the routers.

I mean... just reference the entire object-group (instead of the wildcard statements in the ACL).

Federico.
