ACL mask on ASA 5500

ddavenport-dcc
Level 1

Hi - Is it possible/advisable to use a discontiguous subnet mask on ACLs on an ASA 5500 (version 7.2(1))?

I need to create an ACL for numerous discontiguous subnets and it looks like I'll need 2000+ entries to cover all subnets for all target hosts/subnets. If I can use a mask of, say, 255.0.255.0 safely then I can reduce this to about 40 lines. In my situation the second octet of the source IP is not easily summarised and I'm not in a position to change the addressing scheme, hence the question,

i.e.

permit tcp 10.0.1.0 255.0.255.0 host 172.31.1.1 eq xyz

rather than

permit tcp 10.1.1.0 255.255.255.0 host 172.31.1.1 eq xyz

permit tcp 10.55.1.0 255.255.255.0 host 172.31.1.1 eq xyz

etc



sachinraja
Level 9

No.. this is basically not possible... subnetting will not allow this.. you can basically supernet this to a much higher network and add a single line, like permit tcp 10.0.1.0 255.0.0.0 host 172.31.1.1 eq xyz....

hope this helps...

Raj

Thanks Raj - much appreciated.

Dave

rate replies if found useful.. :) thanks

Raj

Fernando_Meza
Level 7

Hi .. actually I have successfully configured an access-list on a PIX 515 running 6.3. Originally I had my doubts, but when I tested it .. it did work and it has been working since .. I have something like this:

access-list discontigous permit ip 10.0.0.10 255.0.0.255 any

You might want to give it a try .. it might work as well ..

I hope it helps .. please rate if it does !!!

Thanks for the reply. I've tested this and it does work - so technically there is no reason this can't be used. I can see the other side of the argument though - if you're not 100% sure about your subnets you could inadvertently let additional hosts through, so you'd have to be a little cautious.

Yes .. definitely I agree with you on that point !!!
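To make the trade-off discussed in this thread concrete (Raj's supernet, Fernando's discontiguous mask, and Dave's caution about letting extra hosts through), here is a small Python script. It is an added example, not code from any poster or from Cisco: it models the PIX/ASA matching rule for an access-list entry written as "network mask" (the mask is a netmask whose 1 bits must match, and the comparison is a plain bitwise AND, so nothing in the arithmetic requires the 1 bits to be contiguous), checks whether a mask is a conventional prefix mask, and counts how many unintended 10.x.1.0/24 networks a single 10.0.1.0 255.0.255.0 entry admits beyond the ones you actually meant. The ACL name outside_in, the list of "intended" second octets and the sample addresses are constructed for illustration; "xyz" stands in for the real port as it does in the thread. Whether a particular PIX/ASA release accepts such a mask is what the posters tested on the box itself; the script only shows what the bit arithmetic lets through once it is accepted.

```python
"""Model PIX/ASA access-list matching against an arbitrary (possibly
discontiguous) mask and measure how much a shortcut entry over-permits.

Added example: not code from the thread or from Cisco.  The ACL name,
the 'intended' second octets and the sample addresses are constructed.
"""
import ipaddress


def to_int(ip: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def acl_matches(addr: str, network: str, mask: str) -> bool:
    """Does `addr` match an entry written as `network mask`?

    PIX/ASA access-lists use a netmask (1 bits = "this bit must match"),
    not the IOS-style wildcard.  The comparison is a bitwise AND, so the
    arithmetic works just the same when the 1 bits are not contiguous.
    """
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(network) & m)


def is_contiguous_mask(mask: str) -> bool:
    """True if the mask is a conventional prefix mask (e.g. 255.255.255.0).

    The host bits of a contiguous mask form 2**k - 1, so adding one
    clears them all; a 0 bit sitting above a 1 bit in the mask (as in
    255.0.255.0) breaks that property.
    """
    host_bits = (~to_int(mask)) & 0xFFFFFFFF
    return (host_bits & (host_bits + 1)) == 0


def matched_count(mask: str) -> int:
    """Number of source addresses a single entry with this mask admits."""
    return 1 << (32 - bin(to_int(mask)).count("1"))


def explicit_aces(second_octets, third_octet=1,
                  dst="host 172.31.1.1", proto="tcp", port="xyz"):
    """The long form: one conventional /24 entry per intended second octet.
    'outside_in' is a constructed ACL name."""
    return [
        f"access-list outside_in permit {proto} 10.{o}.{third_octet}.0 "
        f"255.255.255.0 {dst} eq {port}"
        for o in sorted(second_octets)
    ]


def extra_second_octets(intended, network="10.0.1.0", mask="255.0.255.0"):
    """Second octets the shortcut entry admits that were never intended.
    Checks every 10.x.1.0 network against the entry and subtracts the
    ones on the intended list."""
    admitted = {
        o for o in range(256) if acl_matches(f"10.{o}.1.0", network, mask)
    }
    return sorted(admitted - set(intended))


if __name__ == "__main__":
    # Constructed list of second octets; the OP's real list is ~40 long.
    intended = [1, 55, 60, 101]
    print(f"{len(explicit_aces(intended))} explicit entries vs 1 shortcut entry")
    extra = extra_second_octets(intended)
    print(f"10.0.1.0 255.0.255.0 admits {matched_count('255.0.255.0')} "
          f"addresses; {len(extra)} unintended 10.x.1.0/24 networks get through")
    print("255.0.255.0 is a prefix mask?", is_contiguous_mask("255.0.255.0"))
    # Raj's supernet admits every 10.x.y.z address, a far wider net.
    print("255.0.0.0 admits", matched_count("255.0.0.0"), "addresses")
```

Running it shows the point Dave makes: with 40 intended second octets the single 10.0.1.0 255.0.255.0 entry still admits the other 216 possible 10.x.1.0/24 networks, and Raj's 255.0.0.0 supernet admits the entire 10.0.0.0/8. If you do adopt the discontiguous mask, keep an inventory of which second octets are actually in use and re-run the comparison whenever addressing changes.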