11-15-2006 08:34 AM - edited 03-11-2019 01:56 AM
A simple question as I cannot seem to find a way to do it on our ASA.
How do you specify a range of addresses that are not summarizable?
For example, if I wanted to create an ACL that allows access from hosts 192.168.200.50 through to 192.168.200.239 to the internet, how would I configure these hosts on the ASA?
Dean
11-15-2006 12:09 PM
You could use an object group.
See this link. http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f0f7.html#wp1648552
With in the object group you can specify hosts or ranges defined by subnet masks. You will need to do both.
HTH
11-21-2006 05:39 AM
Just as I thought you cannot easily add a range, so you have to add all addresses or a mixture of summarised and individual addresses.
So there is no command like this:
object-group network Internet_Access
network-object range 192.168.1.1-192.168.1.221
Seems an odd omission.
Thanks for the confirmation.
Dean
11-15-2006 12:44 PM
PIX/ASA provides the object-group to allow you to group hosts/subnets/services/icmp in a common or specific group, and have a simple one or two lines of ACL to allow the access. This saves you time in defining hundreds of ACL lines/entries.
object-group network INTERNET_ACCESS
network-object host 192.168.200.50
network-object host 192.168.200.51
network-object host 192.168.200.52
network-object host 192.168.200.239
object-group service INTERNET_TCP_PORTS tcp
port-object eq www
port-object eq https
object-group service INTERNET_UDP_PORTS udp
port-object eq domain
access-list inside permit tcp object-group INTERNET_ACCESS any object-group INTERNET_TCP_PORTS
access-list inside permit udp object-group INTERNET_ACCESS any object-group INTERNET_UDP_PORTS
access-group inside in interface inside
HTH
AK
11-21-2006 11:22 PM
Yes, no option for 'range' under object-group for host. The option only allows you to specify individual host or network/subnet ID.
HTH
AK
11-22-2006 01:00 PM
You can sort of create a range by using several masks:
192.168.200.50, 192.168.200.51, 192.168.200.52 and so on up to 192.168.200.55
192.168.200.56 255.255.255.248
192.168.200.64 255.255.255.192
192.168.200.128 255.255.255.192
192.168.200.192 255.255.255.224
192.168.200.224 255.255.255.240
ugly but it works
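The mask trick above is the general algorithm of splitting an arbitrary inclusive range into aligned network/mask blocks, which is what the ASA object-group can express. The script below is an added example, not code from the thread or from Cisco; it computes that decomposition for the 192.168.200.50 to 192.168.200.239 case (and any other range), renders it in the network-object syntax shown in AK's post, and checks that the resulting entries cover exactly the requested range and nothing outside it, which is the thing to verify before an ACL built this way goes live. The object-group name and the use of 255.255.255.254 for a pair of hosts are assumptions; the cross-check uses Python's standard library.

```python
import ipaddress

# Constructed example range taken from the thread: hosts .50 through .239.
FIRST = "192.168.200.50"
LAST = "192.168.200.239"


def range_to_blocks(first, last):
    """Split an inclusive IPv4 range into the fewest aligned blocks
    (network/mask pairs) whose union is exactly that range.

    Greedy rule: from the current start, take the largest block that is both
    aligned on start (its size divides start) and does not run past 'last',
    then continue from the address after that block."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("first address must not be after last address")
    blocks = []
    while start <= end:
        # Largest power of two that start is aligned on (its lowest set bit).
        size = (start & -start) if start else (1 << 32)
        # Shrink until the block stays inside the remaining range.
        while size > end - start + 1:
            size //= 2
        prefix = 33 - size.bit_length()  # size 1 -> /32, 2 -> /31, 64 -> /26
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += size
    return blocks


def asa_network_objects(blocks):
    """Render blocks as ASA network-object lines. A /32 becomes a 'host'
    entry; everything else is written as address plus dotted mask, the form
    the object-group accepts (there is no native range keyword)."""
    lines = []
    for net in blocks:
        if net.prefixlen == 32:
            lines.append(f"network-object host {net.network_address}")
        else:
            lines.append(f"network-object {net.network_address} {net.netmask}")
    return lines


def build_object_group(name, first, last):
    """Full object-group stanza for a range (name is a constructed value)."""
    return [f"object-group network {name}"] + asa_network_objects(
        range_to_blocks(first, last))


def covers_exactly(blocks, first, last):
    """Catch over-permissive masks: the blocks must be contiguous, start at
    'first', end at 'last' and match nothing outside. Every address inside a
    block is matched by the ACL, including the block's first and last
    address; an access-list mask is a bit pattern, not an interface subnet,
    so .56 and .63 in the 255.255.255.248 entry are ordinary matched hosts."""
    expected = int(ipaddress.IPv4Address(first))
    for net in blocks:
        if int(net.network_address) != expected:
            return False
        expected = int(net.broadcast_address) + 1
    return expected == int(ipaddress.IPv4Address(last)) + 1


def agrees_with_stdlib(first, last):
    """Cross-check the greedy split against the standard library summarizer."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return range_to_blocks(first, last) == list(
        ipaddress.summarize_address_range(a, b))


if __name__ == "__main__":
    for line in build_object_group("INTERNET_ACCESS", FIRST, LAST):
        print(line)
    print("exact cover:", covers_exactly(range_to_blocks(FIRST, LAST), FIRST, LAST))
```

For the thread's range this yields seven entries (.50/31, .52/30, .56/29, .64/26, .128/26, .192/27, .224/28), 190 addresses in total, which is the six individual hosts plus five masks from the post above with the first six hosts collapsed into two masked entries. Running covers_exactly after any hand edit to the list is the cheap way to confirm no neighbouring host has been let through by a mask that is one bit too wide.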
11-22-2006 03:12 PM
But what happens if the IP happens to be the subnet or broadcast ID - currently being used by a host/wks?
I am sure it will conflict or could create a problem:
List/range of host IPs: 192.168.200.50 to 192.168.200.239
Example:
192.168.200.56 255.255.255.248
Subnet ID: 192.168.200.56 ---> this IP is needed/used for host
Usable range: 192.168.200.57 to 192.168.200.62
Broadcast ID: 192.168.200.63 ---> this IP is needed/used for host
Same with the rest.
Just a thought.
HTH
AK
11-26-2006 05:28 PM
Since you are using these for an ACL, it makes absolutely no difference if it is a broadcast address. The masks work for the same reason that the 255.255.255.254 masks work.
11-26-2006 06:12 PM
Mm .. what about a packet being addressed to the broadcast IP address of one of the ranges (which is actually used by a host) .. which might be considered by the firewall as a broadcast and hence be dropped .. just another thought ..