ACL mask on asa5500

Hi - Is it possible/advisable to use a discontiguous subnet mask on ACLs on an ASA5500 (ver 7.2(1))?

I need to create an ACL for numerous discontiguous subnets and it looks like I'll need 2000+ entries to cover all subnets for all target hosts/subnets. If I can use a mask of say 255.0.255.0 safely then I can reduce this to about 40 lines. In my situation the second octet of the source IP is not easily summarised and I'm not in a position to change the addressing scheme, hence the question.

i.e.

permit tcp 10.0.1.0 255.0.255.0 host 172.31.1.1 eq xyz

rather than

permit tcp 10.1.1.0 255.255.255.0 host 172.31.1.1 eq xyz

permit tcp 10.55.1.0 255.255.255.0 host 172.31.1.1 eq xyz

etc.


6 REPLIES

Re: ACL mask on asa5500

No, this is basically not possible: subnetting will not allow this. You can basically supernet this to a much higher network and add a single line, like permit tcp 10.0.1.0 255.0.0.0 host 172.131.1.1 eq xyz.

hope this helps...

Raj


Re: ACL mask on asa5500

Thanks Raj - much appreciated.

Dave

Re: ACL mask on asa5500

rate replies if found useful.. :) thanks

Raj

Re: ACL mask on asa5500 (accepted solution)

Hi .. actually I have successfully configured an access-list on a PIX 515 running 6.3. Originally I had my doubts but when I tested it .. it did work and it has been working since .. I have something like this

access-list discontigous permit ip 10.0.0.10 255.0.0.255 any

You might want to give it a try .. it might work as well ..

I hope it helps .. please rate if it does !!!


Re: ACL mask on asa5500

Thanks for the reply. I've tested this and it does work - so technically there is no reason this can't be used. I can see the other side of the argument though - if you're not 100% sure about your subnets you could inadvertently let additional hosts through, so you'd have to be a little cautious.
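The two points in this thread worth checking before deploying such an entry are (a) how an ASA/PIX actually evaluates a discontiguous mask and (b) Dave's caveat above that a mask like 255.0.255.0 can permit far more than the subnets you had in mind. The following script is an added example, not code from the thread or from Cisco; it applies the ASA/PIX rule that a packet matches an ACE when `(ip AND mask) == (network AND mask)`, then enumerates every /24 a single entry touches so the unintended ones can be listed. The network, mask and "intended" subnet list are constructed values modelled on the original poster's example.

```python
"""Evaluate a Cisco ASA/PIX ACE that uses a discontiguous subnet mask.

Added example (not from the thread).  ASA/PIX access-list entries take a
subnet mask, not a wildcard: a 1 bit in the mask is a bit that must match,
a 0 bit is "don't care".  Nothing requires the 1 bits to be contiguous.
"""
import ipaddress
from itertools import product

# Constructed values modelled on the thread's example ACE:
#   permit tcp 10.0.1.0 255.0.255.0 host 172.31.1.1 eq xyz
EXAMPLE_NETWORK = "10.0.1.0"
EXAMPLE_MASK = "255.0.255.0"
# Constructed: the /24s the poster actually wants to permit.
EXAMPLE_INTENDED = ["10.1.1.0/24", "10.55.1.0/24"]


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def ace_matches(network: str, mask: str, ip: str) -> bool:
    """True if `ip` matches the ACE `network mask` under ASA/PIX semantics."""
    m = _to_int(mask)
    return (_to_int(ip) & m) == (_to_int(network) & m)


def address_count(mask: str) -> int:
    """How many addresses one ACE with this mask can match: 2 ** (zero bits)."""
    return 1 << (32 - bin(_to_int(mask)).count("1"))


def matched_networks(network: str, mask: str, prefixlen: int = 24,
                     max_free_bits: int = 16):
    """Every /prefixlen network the ACE touches.

    The mask's zero bits that fall inside the top `prefixlen` bits are
    enumerated; `max_free_bits` caps the enumeration so a very loose mask
    cannot blow up into millions of networks.
    """
    net, m = _to_int(network), _to_int(mask)
    top = ((1 << prefixlen) - 1) << (32 - prefixlen)  # bits that define a /prefixlen
    free_bits = [b for b in range(32) if not (m >> b) & 1 and (top >> b) & 1]
    if len(free_bits) > max_free_bits:
        raise ValueError(
            f"mask leaves {len(free_bits)} free bits above /{prefixlen}; "
            "refusing to enumerate")
    fixed = net & m & top  # the bits every matched network shares
    result = []
    for combo in product((0, 1), repeat=len(free_bits)):
        addr = fixed
        for bit, on in zip(free_bits, combo):
            if on:
                addr |= 1 << bit
        result.append(ipaddress.IPv4Network((addr, prefixlen)))
    return sorted(result)


def over_permitted(network: str, mask: str, intended, prefixlen: int = 24):
    """Networks the ACE matches that are NOT on the intended list (as strings)."""
    wanted = {ipaddress.IPv4Network(s) for s in intended}
    return [str(n) for n in matched_networks(network, mask, prefixlen)
            if n not in wanted]


if __name__ == "__main__":
    for ip in ("10.1.1.7", "10.55.1.7", "10.200.1.7", "10.55.2.7"):
        print(f"{ip:<12} matches: {ace_matches(EXAMPLE_NETWORK, EXAMPLE_MASK, ip)}")
    print("addresses covered by one ACE:", address_count(EXAMPLE_MASK))
    extra = over_permitted(EXAMPLE_NETWORK, EXAMPLE_MASK, EXAMPLE_INTENDED)
    print(f"{len(extra)} unintended /24s, e.g. {extra[:3]} ...")
```

Run it before committing a discontiguous entry: if `over_permitted` returns anything, those are the subnets the ACE opens beyond your list, and you either accept them explicitly or go back to contiguous entries for that range. The 255.0.0.255 entry from the accepted answer can be inspected the same way by passing `prefixlen=32`, which enumerates the individual hosts it permits.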

Re: ACL mask on asa5500

Yes .. definitely I agree with you on that point !!!
