08-16-2002 02:00 PM - edited 02-20-2020 10:12 PM
I currently use an IOS ACL which contains the network/wildcard mask pair X.X.1.160 0.0.254.31 to match hosts X.X.1.[160-191], X.X.3.[160-191], X.X.5.[160-191], etc. If the IOS router is replaced by a PIX firewall, will the PIX subnet mask behave in the same way as an inverted wildcard mask? Is the equivalent network/subnet mask X.X.1.160 255.255.1.224, and is this valid?
08-19-2002 05:05 AM
PIX ACLs differ from the router ACLs in that the PIX does not use a wildcard mask like IOS. It uses a regular subnet mask in the ACL definition. As with IOS routers, the PIX ACL has an implicit "deny all" at the end of the ACL.
http://www.cisco.com/warp/public/707/28.html
HTH
R/Yusuf
08-19-2002 11:46 AM
I have tried this today with a PIX-501, and it appears that an IOS wildcard mask can be implemented on the PIX by simply inverting the bits. Whilst this is not a true "subnet mask" in the conventional sense, it does appear to work. The only other alternative I can see is to create many "network" objects and group them in an object-group, but this will essentially create that many access-list entries in the ACL.
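To check the equivalence claimed in this thread (an IOS wildcard mask versus its bit-inverted PIX mask), here is an added example, not code from the thread or from Cisco. It models the two match rules bit for bit, inverts the wildcard, scans a constructed 10.0.0.0/16 block (10.0 stands in for the X.X in the question) and confirms both rules select the same hosts. It also flags that 255.255.1.224 is a non-contiguous mask, which is why it is not a subnet mask in the usual sense and deserves a test before relying on it.

```python
import ipaddress


def _ip_int(addr: str) -> int:
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def ios_wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the address bit must equal the network bit."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(addr) & care) == (_ip_int(network) & care)


def pix_mask_match(addr: str, network: str, mask: str) -> bool:
    """PIX semantics: a 1 bit in the mask means the address bit
    must equal the network bit, a 0 bit means 'don't care'."""
    m = _ip_int(mask)
    return (_ip_int(addr) & m) == (_ip_int(network) & m)


def invert_wildcard(wildcard: str) -> str:
    """Turn an IOS wildcard into the PIX-style mask by flipping every bit."""
    return str(ipaddress.IPv4Address(_ip_int(wildcard) ^ 0xFFFFFFFF))


def is_contiguous_mask(mask: str) -> bool:
    """True only for a conventional subnet mask (all 1s then all 0s).
    A mask like 255.255.1.224 has a 0 between 1s and fails this check."""
    inverted = ~_ip_int(mask) & 0xFFFFFFFF
    return (inverted + 1) & inverted == 0


def matched_hosts(match_fn, network: str, maskish: str, prefix: str = "10.0") -> set:
    """Scan every address in prefix.0.0/16 (constructed sample space) and
    return the set the rule matches; used to compare IOS against PIX."""
    hosts = set()
    for third in range(256):
        for fourth in range(256):
            addr = f"{prefix}.{third}.{fourth}"
            if match_fn(addr, network, maskish):
                hosts.add(addr)
    return hosts


def ios_and_pix_agree(network: str, wildcard: str) -> bool:
    """True when the IOS wildcard rule and its inverted PIX mask select
    exactly the same hosts in the 10.0.0.0/16 sample block."""
    ios_set = matched_hosts(ios_wildcard_match, network, wildcard)
    pix_set = matched_hosts(pix_mask_match, network, invert_wildcard(wildcard))
    return ios_set == pix_set


if __name__ == "__main__":
    net, wc = "10.0.1.160", "0.0.254.31"
    print("PIX mask:", invert_wildcard(wc))
    print("contiguous subnet mask?", is_contiguous_mask(invert_wildcard(wc)))
    print("IOS and PIX agree on every host in 10.0.0.0/16:", ios_and_pix_agree(net, wc))
    print("hosts matched:", len(matched_hosts(ios_wildcard_match, net, wc)))
```

The scan is deliberately exhaustive rather than clever: when a mask is non-contiguous, checking a few hand-picked addresses is easy to get wrong, and enumerating the whole /16 shows exactly which hosts the ACE covers (every odd third octet, fourth octet 160 through 191).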