IP Ranges on ASA

dean.x.murray
Level 1

A simple question, as I cannot seem to find a way to do it on our ASA.

How do you specify a range of addresses that are not summarizable?

For example, if I wanted to create an ACL that allows access from hosts 192.168.200.50 through to 192.168.200.239 to the internet, how would I configure these hosts on the ASA?

Dean

8 Replies

mgaysek
Level 1

You could use an object group.

See this link. http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f0f7.html#wp1648552

Within the object group you can specify hosts or ranges defined by subnet masks. You will need to do both.

HTH

Just as I thought: you cannot easily add a range, so you have to add all addresses or a mixture of summarised and individual addresses.

So there is no command like this:

object-group network Internet_Access
 network-object range 192.168.1.1-192.168.1.221

Seems an odd omission.

Thanks for the confirmation.

Dean

a.kiprawih
Level 7

PIX/ASA provides the object-group to allow you to group hosts/subnets/services/icmp in a common or specific group, and have a simple one or two lines of ACL to allow the access. This saves you time in defining hundreds of ACL lines/entries.

object-group network INTERNET_ACCESS
 network-object host 192.168.200.50
 network-object host 192.168.200.51
 network-object host 192.168.200.52
 network-object host 192.168.200.239

object-group service INTERNET_TCP_PORTS tcp
 port-object eq www
 port-object eq https

object-group service INTERNET_UDP_PORTS udp
 port-object eq domain

access-list inside permit tcp object-group INTERNET_ACCESS any object-group INTERNET_TCP_PORTS
access-list inside permit udp object-group INTERNET_ACCESS any object-group INTERNET_UDP_PORTS

access-group inside in interface inside

HTH

AK

Yes, there is no option for 'range' under object-group for hosts. The option only allows you to specify an individual host or a network/subnet ID.

http://www.cisco.com/en/US/customer/products/ps6120/products_command_reference_chapter09186a008063f0f7.html#wp1647583

HTH

AK

dflick
Level 1

You can sort of create a range by using several masks:

192.168.200.50, .51, .52 and so on to .55
192.168.200.56 255.255.255.248
192.168.200.64 255.255.255.192
192.168.200.128 255.255.255.192
192.168.200.192 255.255.255.224
192.168.200.224 255.255.255.240

Ugly, but it works.

But what happens if the IP happens to be the subnet or broadcast ID, currently being used by a host/wks?

I am sure it will conflict or could create a problem:

List/range of host IPs: 192.168.200.50 to 192.168.200.239

Example:

192.168.200.56 255.255.255.248

Subnet ID: 192.168.200.56 ---> this IP is needed/used for a host
Usable range: 192.168.200.57 to 192.168.200.62
Broadcast ID: 192.168.200.63 ---> this IP is needed/used for a host

Same with the rest.

Just a thought.

HTH

AK

Since you are using these for an ACL, it makes absolutely no difference if it is a broadcast address. The masks work for the same reason that the 255.255.255.254 masks work.

Mm .. what about a packet being addressed to the broadcast IP address of one of the ranges (which is actually used by a host) .. which might be considered by the firewall as a broadcast and hence be dropped .. just another thought ..
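
The mask decomposition dflick worked out by hand generalises: any inclusive IPv4 range splits into a minimal set of CIDR blocks, which is exactly the "mixture of summarised and individual addresses" the thread settles on. The following Python script is an added example, not code from the thread or from Cisco: it reproduces the 192.168.200.50 to .239 split, renders it as object-group lines (the group name INTERNET_ACCESS is taken from the thread; the rendering of the lines is this example's own), and verifies that every address in the range, including the .56 and .63 "subnet" and "broadcast" addresses AK was worried about, is matched by exactly one block and that nothing outside the range is matched. In ACL matching those two addresses are just addresses covered by the mask, which is what the check shows.

```python
import ipaddress

# Constructed input: the range asked about in the thread.
RANGE_START = "192.168.200.50"
RANGE_END = "192.168.200.239"
OBJECT_GROUP_NAME = "INTERNET_ACCESS"  # name used in AK's reply


def range_to_cidrs(start, end):
    """Decompose an inclusive IPv4 range into the minimal list of CIDR blocks."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("range end precedes range start")
    # Standard-library helper: yields the fewest networks covering [first, last].
    return list(ipaddress.summarize_address_range(first, last))


def asa_object_group(name, start, end):
    """Render the decomposition as object-group network-object lines.

    /32 blocks become 'network-object host A', everything else becomes
    'network-object NETWORK MASK', the two forms the thread says are available.
    """
    lines = [f"object-group network {name}"]
    for net in range_to_cidrs(start, end):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def matches(start, end, addr):
    """True if addr would be matched by at least one block of the decomposition."""
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in range_to_cidrs(start, end))


def covered_exactly(start, end):
    """Check that the blocks cover [start, end] exactly once and nothing else.

    Iterating an IPv4Network yields every address in it, including the
    network and broadcast addresses, so those are checked as ordinary members.
    """
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    covered = set()
    for net in range_to_cidrs(start, end):
        for host in net:
            if int(host) in covered:
                return False  # overlapping blocks would double-match
            covered.add(int(host))
    return covered == set(range(first, last + 1))


if __name__ == "__main__":
    for line in asa_object_group(OBJECT_GROUP_NAME, RANGE_START, RANGE_END):
        print(line)
    print("exact coverage:", covered_exactly(RANGE_START, RANGE_END))
    for probe in ("192.168.200.49", "192.168.200.56", "192.168.200.63", "192.168.200.240"):
        print(probe, "matched" if matches(RANGE_START, RANGE_END, probe) else "not matched")
```

Running it prints seven network-object lines: a /31 for .50 to .51, a /30 for .52 to .55, then the five masked blocks dflick listed. Swap the two constants for any other range to get the equivalent list; the coverage check will still report whether the blocks are exact.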
