Adding a netmask of /27 to filter

s.gilbrook
Level 1

Dear all,

Can anybody tell me how I could add an access-list statement on the outside interface, that allows an IP address with /27 mask to access a host on the inside via Telnet?

The PIX only seems to allow 255.0.0.0, 255.255.0.0, 255.255.255.0 and 255.255.255.255 - is there a way to specify 255.255.255.224?

Thanks,

Simon.

11 Replies

edmonds_robert
Level 1

What software version are you running? I have access-lists on my PIX that are using various subnet masks without a problem. I'm not sure what the issue here would be, unless it's syntax. Is that possible?

tvanginneken
Level 4

Hi,

which version of the PIX OS are you running?

I am using version 6.3.2 and the following command works fine:

access-list test permit ip A.B.C.D 255.255.255.224 host E.F.G.H

Kind Regards,

Tom

Hi -

As Tom says in his post, I can't see why you should be having a problem, as I've also got an ACL with a mask of .224 running fine on PIX OS 6.2.

Should work fine as Tom clearly states (above).

Thanks -

Tom,

I am using ver 6.2(2) and the access-list statement I am entering is the following:

access-list acl-outside permit tcp host A.B.C.D 255.255.255.224 host E.F.G.H eq telnet

The only difference between this entry and nearly all our other entries is the inclusion of the 255.255.255.224 statement.

All other access-list lines do not mention the specific mask as they are from one specific host to another specific host (not range).

Does that help !?!

Thanks,

Simon.

Simon -

What error do you see when you place that ACL on the PIX ?

I don't get a specific error, only the help options (as if the command is not complete).

It's because you use the word host with a mask.

host 1.2.3.4

is the same thing as

1.2.3.4 255.255.255.255

host 1.2.3.5 255.255.255.224 makes no sense - you are specifying that it is both one host, along with a mask for multiple machines.

So should the line read:

access-list acl-outside permit tcp A.B.C.D 255.255.255.224 host E.F.G.H eq telnet

Does this specify the A.B.C.D host as having the 255.255.255.224 mask, and the E.F.G.H host as having a 255.255.255.255 mask ?

I have tried this entry but it still does not work.

that specifies the netblock of a.b.c.d. as a source being allowed to access the single host of e.f.g.h

if you want only host a.b.c.d to access e.f.g.h, then use

access-list acl-outside permit tcp host a.b.c.d host e.f.g.h eq telnet

It is the block of addresses that I want to be able to access host e.f.g.h

The access-list entry that you specify will work, but the one that specifies a netblock does not.

Does this mean that the netblock to a single host statement is not allowed ?

When you talk about a single host, you always (by definition) use a netmask of 255.255.255.255.

When you use a 'netblock' (like 255.255.255.224) you specify a range of IP addresses.

For example:

* if you specify it like this:

A.B.C.D 255.255.255.255 then only the host A.B.C.D is allowed. 'A.B.C.D 255.255.255.255' can be replaced by 'host A.B.C.D'

* if you specify it like this:

A.B.C.0 255.255.255.224 then the following range of address is allowed: A.B.C.0 - A.B.C.31

Regards,

Tom
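The host-versus-mask distinction Tom describes, as an added example that is not part of the thread: a small Python checker for PIX 6.x access-list lines that rejects the 'host A.B.C.D MASK' form Simon first tried and spells out the source range a subnet mask such as 255.255.255.224 covers. The addresses and the sample lines are constructed, not taken from the thread.

```python
import ipaddress

# Constructed sample lines modelled on the thread: the first is the malformed
# form (the host keyword combined with a mask), the second the corrected one.
SAMPLE_ACLS = [
    "access-list acl-outside permit tcp host 10.1.1.5 255.255.255.224 host 192.168.1.10 eq telnet",
    "access-list acl-outside permit tcp 10.1.1.0 255.255.255.224 host 192.168.1.10 eq telnet",
]

def _is_netmask(tok):
    """True for a contiguous subnet mask such as 255.255.255.224."""
    try:
        bits = format(int(ipaddress.IPv4Address(tok)), "032b")
    except ValueError:
        return False
    return "01" not in bits  # ones must not resume after a zero

def parse_address_spec(tokens, pos):
    """Consume one PIX 6.x address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK')
    and return (network, next_pos); 'host A.B.C.D MASK' is rejected."""
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok == "host":  # a single host already implies mask 255.255.255.255
        addr = ipaddress.IPv4Address(tokens[pos + 1])
        if pos + 2 < len(tokens) and _is_netmask(tokens[pos + 2]):
            raise ValueError(f"'host {addr}' must not be followed by mask {tokens[pos + 2]}")
        return ipaddress.ip_network(f"{addr}/32"), pos + 2
    # strict=False zeroes host bits, so A.B.C.5 with a .224 mask still yields the block
    return ipaddress.ip_network(f"{tok}/{tokens[pos + 1]}", strict=False), pos + 2

def parse_acl(line):
    """Split a permit/deny line into name, action, protocol, src, dst and 'eq' port."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] not in ("permit", "deny"):
        raise ValueError("not an access-list permit/deny line")
    src, pos = parse_address_spec(tokens, 4)
    dst, pos = parse_address_spec(tokens, pos)
    port = tokens[pos + 1] if pos < len(tokens) and tokens[pos] == "eq" else None
    return {"name": tokens[1], "action": tokens[2], "proto": tokens[3],
            "src": src, "dst": dst, "port": port}

def check_acl(line):
    """Return (True, summary) for a well-formed line, (False, reason) otherwise."""
    try:
        acl = parse_acl(line)
    except (ValueError, IndexError) as exc:
        return False, str(exc)
    src = acl["src"]  # summary spells out the first and last source address the mask covers
    return True, f"{acl['action']} {acl['proto']} from {src.network_address}-{src.broadcast_address} to {acl['dst']} eq {acl['port']}"
```

Running check_acl over SAMPLE_ACLS flags the first line and summarises the second as "permit tcp from 10.1.1.0-10.1.1.31 to 192.168.1.10/32 eq telnet", the A.B.C.0 - A.B.C.31 range Tom gives.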