PIX and discontiguous subnet masks

mmelbourne
Level 5

I currently use an IOS ACL which contains the network/wildcard mask pair X.X.1.160 0.0.254.31 to match hosts X.X.1.[160-191], X.X.3.[160-191], X.X.5.[160-191], etc. If the IOS router is replaced by a PIX firewall, will the PIX subnet mask behave in the same way as an inverted wildcard mask? Is the equivalent network/subnet mask X.X.1.160 255.255.1.224, and is this valid?

2 Replies

yusuff
Cisco Employee

PIX ACLs differ from the router ACLs in that the PIX does not use a wildcard mask like IOS. It uses a regular subnet mask in the ACL definition. As with IOS routers, the PIX ACL has an implicit "deny all" at the end of the ACL.

http://www.cisco.com/warp/public/707/28.html

HTH

R/Yusuf

I have tried this today with a PIX-501, and it appears that an IOS wildcard mask can be implemented on the PIX by simply inverting the bits. Whilst this is not a true "subnet mask" in the conventional sense, it does appear to work. The only other alternative I can see is to create many "network" objects and group them in an object-group, but this will essentially create that many access-list entries in the ACL.
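To check the equivalence discussed in this thread, here is an added Python example (not from the thread or from Cisco) that applies IOS wildcard semantics and PIX subnet-mask semantics to the same address range and compares the matched host sets, and also tests whether the inverted mask is a conventional contiguous mask. The 10.20 prefix is a constructed stand-in for the thread's X.X, and the match functions model the bit logic only, not any device's command parser.

```python
import ipaddress

# Constructed placeholder: the thread writes "X.X"; 10.20 is used here so the code runs.
PREFIX = "10.20"
IOS_NETWORK = f"{PREFIX}.1.160"
IOS_WILDCARD = "0.0.254.31"   # the IOS network/wildcard pair from the thread

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def invert_mask(dotted):
    """Bitwise inversion of a mask, the IOS-to-PIX conversion proposed in the thread."""
    return str(ipaddress.IPv4Address(~to_int(dotted) & 0xFFFFFFFF))

def ios_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(network) & care)

def pix_match(addr, network, mask):
    """PIX mask semantics: a 1 bit in the mask means 'this bit must match'."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(network) & m)

def is_contiguous_mask(dotted):
    """True only for a conventional subnet mask: all 1 bits followed by all 0 bits."""
    low = ~to_int(dotted) & 0xFFFFFFFF
    return low & (low + 1) == 0

def matched_pairs(network, mask_value, matcher, third=range(8), fourth=range(256)):
    """Return the (third, fourth) octet pairs under PREFIX that the ACL entry matches."""
    return sorted((t, f) for t in third for f in fourth
                  if matcher(f"{PREFIX}.{t}.{f}", network, mask_value))

def compare_semantics():
    """Return (pix_mask, same_set, ios_pairs) for the thread's ACL entry."""
    pix_mask = invert_mask(IOS_WILDCARD)
    ios = matched_pairs(IOS_NETWORK, IOS_WILDCARD, ios_match)
    pix = matched_pairs(IOS_NETWORK, pix_mask, pix_match)
    return pix_mask, ios == pix, ios

if __name__ == "__main__":
    mask, same, pairs = compare_semantics()
    print(f"PIX mask {mask}, contiguous={is_contiguous_mask(mask)}, "
          f"same match set={same}, {len(pairs)} hosts, e.g. {pairs[0]}..{pairs[-1]}")
```

The matched set is the odd third octets with fourth octets 160 to 191 under both semantics, while the contiguity check confirms that 255.255.1.224 is not a conventional subnet mask, which is the distinction the reply above draws.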
