Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
mic.adrian
mic.adrian
Community Member
‎02-25-2008 08:43 AM
‎02-25-2008 08:43 AM

Firewall rule help

Hi,

I'm pretty new on using Cisco routers, the guy that was in charge of this left and I'm supposed to take care of our Cisco 2811.

I'm trying to add a rule that allows unrestricted access from the whole subnet 192.168.0.0 /255.255.0.0 to certain range of IPs for example: 65.110.162.168 /29 (255.255.255.248)

I'm using Cisco SDM for this.

I'm able to add the rule and apply changes, but after I do an " Write to startup config" the rules changes automatically to a different IP, like this 1.0.0.0 or 5.0.0.0 and the subnet remains unchanged.

The rule looks like this:

Source: A Network = 192.168.0.0

Wildcard mask = 0.0.255.255

Destination: A Network = 65.110.162.168

Wildcard mask = 248.255.255.255

Protocol and Service: TCP

I have no idea what is happening and I would appreciate your help on this.

Thanks in advance.

Adrian

Labels:
0 Helpful
Reply
4 REPLIES
Jon Marshall
Hall of Fame Super Blue Jon Marshall Hall of Fame Super Blue
Hall of Fame Super Blue
‎02-25-2008 10:00 AM
‎02-25-2008 10:00 AM

Re: Firewall rule help

Adrian

Are you entering the wildcard mask of 248.255.255.255 ? or is that what the SDM is entering for you.

If it is you that is an incorrect wildcard mask. It needs to be

0.0.0.7

HTH

Jon

0 Helpful
Reply
mic.adrian
mic.adrian
Community Member
‎02-25-2008 10:51 AM
‎02-25-2008 10:51 AM

Re: Firewall rule help

I'm entering the wildcard mask. Why it should be 0.0.0.7? I'll have to create multiple rules that have different kinds of masks....so I need to understand why is like that.....

Thank you for your answer....

Adrian

0 Helpful
Reply
Jon Marshall
Hall of Fame Super Blue Jon Marshall Hall of Fame Super Blue
Hall of Fame Super Blue
‎02-25-2008 11:01 AM
‎02-25-2008 11:01 AM

Re: Firewall rule help

Adrian

Routers use inverse masks in access-lists so

192.168.0.0 subnet mask = 255.255.0.0

Subnet mask means the first 2 octets must match ie. 192.168.

The 3rd and 4th octet can be anything.

65.110.162.168 subnet mask 255.255.255.248

1st, 2nd, 3rd octect must match and only the last 3 bits in the last octet will change ie.

128 64 32 16 8 4 2 1

1 1 1 1 1 0 0 0 = 248

Last 3 bits ie. 4 + 2 + 1 = 7

Now an inverse mask is just the opposite of a subnet mask so

192.168.0.0 255.255.0.0 =

192.168.0.0 0.0.255.255

That one is easy because you just change 0 to 255 and 255 to 0

65.110.162.168 255.255.255.248 =

65.110.162.168 0.0.0.7 (7 because of the explanation above).

Now if that has totally confused you here is a quick way to do it

Whenever you see 255 change it to 0 and vice-versa.

Then

256 = 248 = 8 - 1 = 7

so 255.255.255.248 = 0.0.0.7

In the same way a subnet mask of 255.255.255.192 =

256 - 192 - 1 = 63 so inverse mask =

0.0.0.63

HTH

Jon

Reply
mic.adrian
mic.adrian
Community Member
‎02-25-2008 11:07 AM
‎02-25-2008 11:07 AM

Re: Firewall rule help

Thanks a lot.....that makes sense for me.

Adrian

0 Helpful
Reply
Latest Documents
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration
Created by Kureli Sankar on 04-19-2018 11:25 AM
0
0
0
0
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin... view more
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
All Documents
269
Views
5
Helpful
4
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
70
36
70
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
20
2
20
All Blogs