08-05-2003 04:10 AM - edited 03-09-2019 04:18 AM
Dear all,
Can anybody tell me how I could add an access-list statement on the outside interface that allows an IP address with a /27 mask to access a host on the inside via Telnet?
The PIX only seems to allow 255.0.0.0, 255.255.0.0, 255.255.255.0 and 255.255.255.255 - is there a way to specify 255.255.255.224?
Thanks,
Simon.
08-05-2003 06:29 AM
What software version are you running? I have access-lists on my PIX that are using various subnet masks without a problem. I'm not sure what the issue here would be, unless it's syntax. Is that possible?
08-05-2003 06:34 AM
Hi,
which version of the PIX OS are you running?
I am using version 6.3.2 and the following command works fine:
access-list test permit ip A.B.C.D 255.255.255.224 host E.F.G.H
Kind Regards,
Tom
08-05-2003 06:49 AM
Hi -
As Tom says in his post, I can't see why you should be having a problem, as I've also got an ACL with a mask of .224 running fine on PIX OS 6.2.
Should work fine, as Tom clearly states (above).
Thanks -
08-05-2003 07:06 AM
Tom,
I am using ver 6.2(2) and the access-list statement I am entering is the following:
access-list acl-outside permit tcp host A.B.C.D 255.255.255.224 host E.F.G.H eq telnet
The only difference between this entry and nearly all our other entries is the inclusion of the 255.255.255.224 statement.
All other access-list lines do not mention the specific mask as they are from one specific host to another specific host (not range).
Does that help !?!
Thanks,
Simon.
08-05-2003 07:13 AM
Simon -
What error do you see when you place that ACL on the PIX ?
08-05-2003 07:29 AM
I don't get a specific error, only the help options (as if the command is not complete).
08-05-2003 07:24 AM
It's because you use the word host with a mask.
host 1.2.3.4
is the same thing as
1.2.3.4 255.255.255.255
host 1.2.3.5 255.255.255.224 makes no sense - you are specifying that it is both one host, along with a mask for multiple machines.
08-05-2003 08:06 AM
So should the line read:
access-list acl-outside permit tcp A.B.C.D 255.255.255.224 host E.F.G.H eq telnet
Does this specify the A.B.C.D host as having the 255.255.255.224 mask, and the E.F.G.H host as having a 255.255.255.255 mask ?
I have tried this entry but it still does not work.
08-05-2003 10:52 AM
That specifies the netblock of a.b.c.d as a source being allowed to access the single host e.f.g.h.
If you want only host a.b.c.d to access e.f.g.h, then use:
access-list acl-outside permit tcp host a.b.c.d host e.f.g.h eq telnet
08-06-2003 12:16 AM
It is the block of addresses that I want to be able to access host e.f.g.h
The access-list entry that you specify will work, but the one that specifies a netblock does not.
Does this mean that the netblock to a single host statement is not allowed ?
08-06-2003 12:45 AM
When you talk about a single host, you always (by definition) use a netmask of 255.255.255.255.
When you use a 'netblock' (like 255.255.255.224) you specify a range of IP addresses.
For example:
* if you specify it like this:
A.B.C.D 255.255.255.255 then only the host A.B.C.D is allowed. 'A.B.C.D 255.255.255.255' can be replaced by 'host A.B.C.D'
* if you specify it like this:
A.B.C.0 255.255.255.224 then the following range of address is allowed: A.B.C.0 - A.B.C.31
Regards,
Tom
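The address-spec rules the replies lay out (host = /32, network + mask = a block, host never takes a mask) are easy to get wrong by eye, so here is an added example, in Python, that is not part of the thread and not Cisco's code: a small model of the PIX 6.x `access-list` syntax as described above, run over constructed lines modelled on Simon's. The sample addresses are RFC 5737 documentation addresses standing in for A.B.C.D and E.F.G.H, and the way the parser fails on `host A.B.C.D 255.255.255.224` (it reads the mask as the start of the destination spec and then finds no mask after it) is a model of the "command incomplete" behaviour Simon saw, not a statement about the PIX parser's internals. It also flags the check a practitioner wants before typing a netblock: whether the address is actually the network address of the /27 (192.0.2.5 255.255.255.224 is not; 192.0.2.0 is).

```python
"""Model of the PIX 6.x access-list address syntax as described in the thread.

Added example, not from the original posts or from Cisco. Rules applied:
  * 'host A.B.C.D'   is shorthand for 'A.B.C.D 255.255.255.255' (a /32)
  * 'A.B.C.D M.M.M.M' is a network plus mask (255.255.255.224 = /27 = 32 addresses)
  * 'host' never takes a mask; whatever follows 'host A.B.C.D' is the next field
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample lines modelled on the thread; RFC 5737 documentation
# addresses stand in for A.B.C.D / E.F.G.H (assumption, not the poster's addresses).
SAMPLES = {
    "host_with_mask": "access-list acl-outside permit tcp host 192.0.2.5 255.255.255.224 host 198.51.100.9 eq telnet",
    "netblock": "access-list acl-outside permit tcp 192.0.2.0 255.255.255.224 host 198.51.100.9 eq telnet",
    "misaligned": "access-list acl-outside permit tcp 192.0.2.5 255.255.255.224 host 198.51.100.9 eq telnet",
    "host_to_host": "access-list acl-outside permit tcp host 192.0.2.5 host 198.51.100.9 eq telnet",
}


def parse_endpoint(tokens, i):
    """Consume one address spec at tokens[i]; return (IPv4Network, next_index, warning or None)."""
    if i >= len(tokens):
        raise ValueError("incomplete command: expected an address spec")
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1, None
    if tok == "host":
        if i + 1 >= len(tokens) or not IPV4_RE.fullmatch(tokens[i + 1]):
            raise ValueError("incomplete command: 'host' needs an address")
        # 'host X' is exactly 'X 255.255.255.255'; no mask is read after it
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2, None
    if IPV4_RE.fullmatch(tok):
        # a bare address is a network and must be followed by its mask
        if i + 1 >= len(tokens) or not IPV4_RE.fullmatch(tokens[i + 1]):
            raise ValueError(f"incomplete command: network {tok} must be followed by a mask")
        mask = tokens[i + 1]
        net = ipaddress.ip_network(f"{tok}/{mask}", strict=False)
        warning = None
        if net.network_address != ipaddress.ip_address(tok):
            warning = (f"{tok} is not the network address of the {mask} block; "
                       f"the block is really {net.with_netmask}")
        return net, i + 2, warning
    raise ValueError(f"unexpected token {tok!r} where an address spec was expected")


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' or raise ValueError."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("expected: access-list NAME permit|deny PROTO SRC DST [eq PORT]")
    ace = {"name": tokens[1], "action": tokens[2], "proto": tokens[3], "warnings": []}
    src, i, warn = parse_endpoint(tokens, 4)
    if warn:
        ace["warnings"].append("source: " + warn)
    dst, i, warn = parse_endpoint(tokens, i)
    if warn:
        ace["warnings"].append("destination: " + warn)
    ace["src"], ace["dst"] = src, dst
    rest = tokens[i:]
    if rest:
        if len(rest) == 2 and rest[0] == "eq":
            ace["port"] = rest[1]
        else:
            raise ValueError(f"unexpected trailing tokens {rest}")
    return ace


def describe(line):
    """Human-readable verdict: the address ranges the entry covers, or why it was rejected."""
    try:
        ace = parse_ace(line)
    except ValueError as e:
        return f"REJECTED: {e}"
    s, d = ace["src"], ace["dst"]
    text = (f"{ace['action']} {ace['proto']} from {s.network_address}-{s.broadcast_address} "
            f"({s.num_addresses} addresses) to {d.network_address}-{d.broadcast_address}"
            + (f" port {ace['port']}" if "port" in ace else ""))
    return text + "".join(f"\n  WARNING {w}" for w in ace["warnings"])


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"[{label}] {line}\n  -> {describe(line)}")
```

Running it shows the `host ... 255.255.255.224` form rejected as incomplete, the `192.0.2.0 255.255.255.224` form expanded to 192.0.2.0-192.0.2.31 (32 addresses, matching Tom's A.B.C.0-A.B.C.31), and the misaligned `192.0.2.5 255.255.255.224` form accepted with a warning that the block it really names is 192.0.2.0/27.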