Cisco Support Community

New Member

Adding a netmask of /27 to filter

Dear all,

Can anybody tell me how I could add an access-list statement on the outside interface that allows an IP address with a /27 mask to access a host on the inside via Telnet?

The PIX only seems to allow 255.0.0.0, 255.255.0.0, 255.255.255.0 and 255.255.255.255 - is there a way to specify 255.255.255.224?

Thanks,

Simon.

11 REPLIES
New Member

Re: Adding a netmask of /27 to filter

What software version are you running? I have access-lists on my PIX that are using various subnet masks without a problem. I'm not sure what the issue here would be, unless it's syntax. Is that possible?

Re: Adding a netmask of /27 to filter

Hi,

which version of the PIX OS are you running?

I am using version 6.3.2 and the following command works fine:

access-list test permit ip A.B.C.D 255.255.255.224 host E.F.G.H

Kind Regards,

Tom

Gold

Re: Adding a netmask of /27 to filter

Hi -

As Tom says in his post, I can't see why you should be having a problem, as I've also got an ACL with a mask of .224 running fine on PIX IOS 6.2.

Should work fine as Tom clearly states (above).

Thanks -

New Member

Re: Adding a netmask of /27 to filter

Tom,

I am using ver 6.2(2) and the access-list statement I am entering is the following:

access-list acl-outside permit tcp host A.B.C.D 255.255.255.224 host E.F.G.H eq telnet

The only difference between this entry and nearly all our other entries is the inclusion of the 255.255.255.224 statement.

All other access-list lines do not mention the specific mask as they are from one specific host to another specific host (not range).

Does that help!?!

Thanks,

Simon.

Gold

Re: Adding a netmask of /27 to filter

Simon -

What error do you see when you place that ACL on the PIX?

New Member

Re: Adding a netmask of /27 to filter

I don't get a specific error, only the help options (as if the command is not complete).

Silver

Re: Adding a netmask of /27 to filter

It's because you use the word host with a mask.

host 1.2.3.4

is the same thing as

1.2.3.4 255.255.255.255

host 1.2.3.5 255.255.255.224 makes no sense - you are specifying that it is both one host, along with a mask for multiple machines.

New Member

Re: Adding a netmask of /27 to filter

So should the line read:

access-list acl-outside permit tcp A.B.C.D 255.255.255.224 host E.F.G.H eq telnet

Does this specify the A.B.C.D host as having the 255.255.255.224 mask, and the E.F.G.H host as having a 255.255.255.255 mask?

I have tried this entry but it still does not work.

Silver

Re: Adding a netmask of /27 to filter

That specifies the netblock of a.b.c.d as a source being allowed to access the single host e.f.g.h.

If you want only host a.b.c.d to access e.f.g.h, then use

access-list acl-outside permit tcp host a.b.c.d host e.f.g.h eq telnet

New Member

Re: Adding a netmask of /27 to filter

It is the block of addresses that I want to be able to access host e.f.g.h

The access-list entry that you specify will work, but the one that specifies a netblock does not.

Does this mean that the netblock to a single host statement is not allowed?

Re: Adding a netmask of /27 to filter

When you talk about a single host, you always (by definition) use a netmask of 255.255.255.255.

When you use a 'netblock' (like 255.255.255.224) you specify a range of IP addresses.

For example:

* if you specify it like this:

A.B.C.D 255.255.255.255 then only the host A.B.C.D is allowed. 'A.B.C.D 255.255.255.255' can be replaced by 'host A.B.C.D'

* if you specify it like this:

A.B.C.0 255.255.255.224 then the following range of addresses is allowed: A.B.C.0 - A.B.C.31

Regards,

Tom
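As an added illustration of the point Tom makes (not part of the thread): a small Python checker that parses the PIX access-list forms discussed above, rejects the `host X MASK` form that left the PIX waiting for more input, and expands an `X MASK` source into the address range it permits. The addresses are constructed stand-ins for the thread's A.B.C.D / E.F.G.H placeholders.

```python
import ipaddress

# Constructed sample entries (not from the original thread); documentation
# addresses stand in for the A.B.C.D / E.F.G.H placeholders.
BAD_ACL = "access-list acl-outside permit tcp host 192.0.2.5 255.255.255.224 host 203.0.113.10 eq telnet"
GOOD_ACL = "access-list acl-outside permit tcp 192.0.2.0 255.255.255.224 host 203.0.113.10 eq telnet"

def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def _tok(tokens, j):
    return tokens[j] if j < len(tokens) else ""

def _parse_spec(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'host X' or 'X MASK'.
    Returns (IPv4Network, index of the next token)."""
    if tokens[i] == "host":
        net = ipaddress.IPv4Network(tokens[i + 1] + "/32")
        nxt, after = _tok(tokens, i + 2), _tok(tokens, i + 3)
        # 'host X' already means X 255.255.255.255. A dotted quad right after
        # it that does not itself start an 'X MASK' pair is a stray mask: the
        # form from the thread, which the PIX never accepts as complete.
        if _is_ipv4(nxt) and not _is_ipv4(after):
            raise ValueError(f"'host {net.network_address}' cannot take a mask ({nxt}); drop 'host' or drop the mask")
        return net, i + 2
    # 'X MASK': strict=False lets the PIX accept a non-zero host part in X.
    net = ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2

def parse_acl(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not a PIX access-list line")
    src, i = _parse_spec(t, 4)
    dst, i = _parse_spec(t, i)
    port = t[i + 1] if _tok(t, i) == "eq" else None
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def allowed_source_range(line):
    """Return (first, last) source address the entry covers, as strings."""
    src = parse_acl(line)["src"]
    return str(src.network_address), str(src.broadcast_address)

def source_permitted(line, addr):
    """True if addr falls inside the entry's source block."""
    return ipaddress.IPv4Address(addr) in parse_acl(line)["src"]
```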
