09-04-2006 03:01 AM - edited 02-20-2020 09:37 PM
Hi - Is it possible/advisable to use a discontiguous subnet mask on ACLs on ASA550 (VER 7.2(1))?
I need to create an ACL for numerous discontiguous subnets and it looks like I'll need 2000+ entries to cover all subnets for all target hosts/subnets. If I can use a mask of say 255.0.255.0 safely then I can reduce this to about 40 lines. In my situation the second octet of the source IP is not easily summarised and I'm not in a position to change the addressing scheme, hence the question.
i.e.
permit tcp 10.0.1.0 255.0.255.0 host 172.31.1.1 eq xyz
rather than
permit tcp 10.1.1.0 255.255.255.0 host 172.31.1.1 eq xyz
permit tcp 10.55.1.0 255.255.255.0 host 172.31.1.1 eq xyz
etc.
09-04-2006 04:12 PM
Hi. Actually, I have successfully configured an access-list on a PIX 515 running 6.3. Originally I had my doubts, but when I tested it, it did work and it has been working since. I have something like this:
access-list discontigous permit ip 10.0.0.10 255.0.0.255 any
You might want to give it a try; it might work as well.
I hope it helps. Please rate if it does!
09-04-2006 04:07 AM
No, this is basically not possible; subnetting will not allow this. You can basically supernet this to a much higher network and add a single line, like permit tcp 10.0.1.0 255.0.0.0 host 172.131.1.1 eq xyz.
hope this helps...
Raj
09-04-2006 04:35 AM
Thanks Raj - much appreciated.
Dave
09-04-2006 07:01 AM
rate replies if found useful.. :) thanks
Raj
09-11-2006 05:16 AM
Thanks for the reply. I've tested this and it does work, so technically there is no reason this can't be used. I can see the other side of the argument though: if you're not 100% sure about your subnets you could inadvertently let additional hosts through, so you'd have to be a little cautious.
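The caution above (a discontiguous mask can quietly permit hosts you never listed) is easy to check before an entry goes into the firewall. The following is an added example, not code from this thread or from Cisco: it models the match the firewall performs ((address AND mask) == (network AND mask), which is why a non-contiguous mask works at all), expands an entry such as 10.0.1.0 255.0.255.0 into the contiguous prefixes it actually matches, derives the tightest single entry that still covers a given list of intended subnets, and reports the extra prefixes that entry lets through. It goes beyond the thread's single 255.0.255.0 case in handling any mask. The intended subnet lists are constructed for illustration; the function names are mine.

```python
import ipaddress
from typing import Iterable, Iterator, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def matches(addr: str, network: str, mask: str) -> bool:
    """ACL-style match: (addr AND mask) == (network AND mask).
    Nothing here requires the mask to be a contiguous prefix; the firewall
    just ANDs and compares, which is why 255.0.255.0 behaves as observed."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(network) & m)


def trailing_zero_bits(m: int) -> int:
    """Number of low-order zero bits in a 32-bit mask (32 for 0.0.0.0)."""
    if m == 0:
        return 32
    return (m & -m).bit_length() - 1


def expand(network: str, mask: str) -> Iterator[ipaddress.IPv4Network]:
    """Enumerate every contiguous prefix a (network, mask) ACL entry matches.
    The trailing zero bits of the mask collapse into one prefix length; each
    remaining zero bit ('don't care' bit above the prefix) is enumerated."""
    n, m = to_int(network), to_int(mask)
    t = trailing_zero_bits(m)
    prefix_len = 32 - t
    free_bits = [b for b in range(t, 32) if not (m >> b) & 1]
    base = n & m
    for combo in range(1 << len(free_bits)):
        v = base
        for i, b in enumerate(free_bits):
            if (combo >> i) & 1:
                v |= 1 << b
        yield ipaddress.IPv4Network((v, prefix_len))


def tightest_entry(intended: Iterable[str]) -> Tuple[str, str]:
    """Tightest single (network, mask) entry covering all intended prefixes:
    a mask bit is 1 only where every intended network agrees and where no
    intended prefix has host bits. Returns dotted (network, mask)."""
    nets = [ipaddress.IPv4Network(s) for s in intended]
    first = int(nets[0].network_address)
    common = ALL_ONES
    for net in nets:
        common &= ~(first ^ int(net.network_address)) & ALL_ONES
        common &= int(net.netmask)
    network = first & common
    return (str(ipaddress.IPv4Address(network)),
            str(ipaddress.IPv4Address(common)))


def audit(network: str, mask: str, intended: Iterable[str]) -> dict:
    """Compare what an entry matches with what was intended.
    'missed' = intended prefixes not covered by the entry;
    'extra'  = matched prefixes containing no intended prefix at all,
               i.e. traffic the entry permits that nobody asked for."""
    matched = set(expand(network, mask))
    wanted = {ipaddress.IPv4Network(s) for s in intended}
    missed = sorted(w for w in wanted
                    if not any(w.subnet_of(m) for m in matched))
    extra = sorted(m for m in matched
                   if not any(w.subnet_of(m) for w in wanted))
    return {"matched": len(matched), "missed": missed, "extra": extra}


if __name__ == "__main__":
    # Constructed sample: three /24s the original poster might have listed.
    intended = ["10.1.1.0/24", "10.55.1.0/24", "10.200.1.0/24"]
    net, msk = tightest_entry(intended)
    print("tightest entry:", net, msk)            # 10.0.1.0 255.0.255.0
    report = audit(net, msk, intended)
    print("matched prefixes:", report["matched"])  # 256
    print("unintended prefixes:", len(report["extra"]))  # 253
    # A pair whose second octets differ in one bit gets a much tighter mask.
    print(tightest_entry(["10.1.1.0/24", "10.5.1.0/24"]))  # 10.1.1.0 255.251.255.0
```

Run the audit on each proposed entry and treat a non-empty `extra` list as a finding: with 255.0.255.0 on 10.0.1.0 the entry permits all 256 of the 10.X.1.0/24 networks, so the question to answer before deploying is whether every one of those ranges is acceptable, not only the ones that prompted the entry. Where only a few second-octet values are needed, `tightest_entry` often yields a mask that admits nothing beyond the listed subnets.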
09-11-2006 08:05 PM
Yes, I definitely agree with you on that point!