Cisco Support Community
Community Member

Firewall rule help

Hi,

I'm pretty new on using Cisco routers, the guy that was in charge of this left and I'm supposed to take care of our Cisco 2811.

I'm trying to add a rule that allows unrestricted access from the whole subnet 192.168.0.0 /255.255.0.0 to a certain range of IPs, for example: 65.110.162.168 /29 (255.255.255.248)

I'm using Cisco SDM for this.

I'm able to add the rule and apply the changes, but after I do a "Write to startup config" the rule changes automatically to a different IP, like 1.0.0.0 or 5.0.0.0, and the subnet remains unchanged.

The rule looks like this:

Source: A Network = 192.168.0.0

Wildcard mask = 0.0.255.255

Destination: A Network = 65.110.162.168

Wildcard mask = 248.255.255.255

Protocol and Service: TCP

I have no idea what is happening and I would appreciate your help on this.

Thanks in advance.

Adrian

4 REPLIES
Hall of Fame Super Blue

Re: Firewall rule help

Adrian

Are you entering the wildcard mask of 248.255.255.255, or is that what the SDM is entering for you?

If it is you, that is an incorrect wildcard mask. It needs to be

0.0.0.7

HTH

Jon

Community Member

Re: Firewall rule help

I'm entering the wildcard mask. Why should it be 0.0.0.7? I'll have to create multiple rules that have different kinds of masks, so I need to understand why it is like that.

Thank you for your answer....

Adrian

Hall of Fame Super Blue

Re: Firewall rule help

Adrian

Routers use inverse masks in access-lists so

192.168.0.0 subnet mask = 255.255.0.0

Subnet mask means the first 2 octets must match ie. 192.168.

The 3rd and 4th octet can be anything.

65.110.162.168 subnet mask 255.255.255.248

1st, 2nd, 3rd octet must match and only the last 3 bits in the last octet will change ie.

128 64 32 16 8 4 2 1

1 1 1 1 1 0 0 0 = 248

Last 3 bits ie. 4 + 2 + 1 = 7

Now an inverse mask is just the opposite of a subnet mask so

192.168.0.0 255.255.0.0 =

192.168.0.0 0.0.255.255

That one is easy because you just change 0 to 255 and 255 to 0

65.110.162.168 255.255.255.248 =

65.110.162.168 0.0.0.7 (7 because of the explanation above).

Now if that has totally confused you here is a quick way to do it

Whenever you see 255 change it to 0 and vice-versa.

Then

256 - 248 = 8, 8 - 1 = 7

so 255.255.255.248 = 0.0.0.7

In the same way a subnet mask of 255.255.255.192 =

256 - 192 - 1 = 63 so inverse mask =

0.0.0.63

HTH

Jon
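As an added illustration of the inverse-mask rule Jon describes (this is example code, not from the thread or from Cisco), the Python helpers below turn a subnet mask or prefix length into a wildcard mask, test an address against an ACL entry, and show why the mis-typed mask 248.255.255.255 collapses the entry to 1.0.0.0: address bits under a wildcard 1 are "don't care", so zeroing them gives the entry's canonical form, and 65 & 7 = 1.

```python
# Added example: wildcard (inverse) mask arithmetic for IOS-style ACL entries.
from typing import List


def octets(dotted_quad: str) -> List[int]:
    """'65.110.162.168' -> [65, 110, 162, 168], validating each octet."""
    parts = [int(p) for p in dotted_quad.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad dotted quad: {dotted_quad!r}")
    return parts


def dotted(parts: List[int]) -> str:
    return ".".join(str(p) for p in parts)


def wildcard_from_subnet_mask(mask: str) -> str:
    """Invert each octet: 255.255.255.248 -> 0.0.0.7 (255 - 248 = 7)."""
    return dotted([255 - o for o in octets(mask)])


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same result from a CIDR length: /29 -> 0.0.0.7, /16 -> 0.0.255.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    wild = (1 << (32 - prefix_len)) - 1      # /29 -> 3 host bits -> 0b111 = 7
    return dotted([(wild >> shift) & 0xFF for shift in (24, 16, 8, 0)])


def acl_matches(addr: str, entry: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, wildcard bit 1 = don't care."""
    return all(((a & ~w) & 0xFF) == ((e & ~w) & 0xFF)
               for a, e, w in zip(octets(addr), octets(entry), octets(wildcard)))


def canonical_entry(entry: str, wildcard: str) -> str:
    """Zero every address bit the wildcard marks as don't-care. For the wrong
    mask 248.255.255.255 this turns 65.110.162.168 into 1.0.0.0 (65 & 7 == 1),
    matching what the thread reports after the write to startup-config."""
    return dotted([(e & ~w) & 0xFF for e, w in zip(octets(entry), octets(wildcard))])


if __name__ == "__main__":
    for m in ("255.255.0.0", "255.255.255.248", "255.255.255.192"):
        print(m, "->", wildcard_from_subnet_mask(m))
    print("wrong mask stored as:", canonical_entry("65.110.162.168", "248.255.255.255"))
    # The wrong mask also matches unrelated addresses, e.g. 9.1.2.3 (9 & 7 == 1):
    print(acl_matches("9.1.2.3", "65.110.162.168", "248.255.255.255"))
```

The last call is the real risk of the typo: an entry with wildcard 248.255.255.255 matches any address whose first octet has the same low three bits as 65, not the intended /29.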

Community Member

Re: Firewall rule help

Thanks a lot.....that makes sense for me.

Adrian
