Silver

PIX and discontiguous subnet masks

I currently use an IOS ACL which contains the network/wildcard mask pair X.X.1.160 0.0.254.31 to match hosts X.X.1.[160-191], X.X.3.[160-191], X.X.5.[160-191], etc. If the IOS router is replaced by a PIX firewall, will the PIX subnet mask behave in the same way as an inverted wildcard mask? Is the equivalent network/subnet mask X.X.1.160 255.255.1.224, and is this valid?

2 REPLIES
Cisco Employee

Re: PIX and discontiguous subnet masks

PIX ACLs differ from the router ACLs in that the PIX does not use a wildcard mask like IOS. It uses a regular subnet mask in the ACL definition. As with IOS routers, the PIX ACL has an implicit "deny all" at the end of the ACL.

http://www.cisco.com/warp/public/707/28.html

HTH

R/Yusuf

Silver

Re: PIX and discontiguous subnet masks

I have tried this today with a PIX-501, and it appears that an IOS wildcard mask can be implemented on the PIX by simply inverting the bits. Whilst this is not a true "subnet mask" in the conventional sense, it does appear to work. The only other alternative I can see is to create many "network" objects and group them in an object-group, but this will essentially create that many access-list entries in the ACL.

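The bit-inversion described in the thread, worked through as an added example (not code from the thread or from Cisco). It uses 10.0 in place of the X.X in the question, and it assumes the PIX compares addresses with a plain bitwise AND against the mask, which is what the second reply reports observing on a PIX-501; the check confirms that the inverted mask selects exactly the same hosts as the IOS wildcard entry.

```python
import ipaddress

# Constructed values: the question writes the network as X.X.1.160; 10.0 stands in for X.X.
IOS_NETWORK = "10.0.1.160"
IOS_WILDCARD = "0.0.254.31"   # IOS wildcard: 0 bits must match, 1 bits are "don't care"

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def invert_wildcard(wildcard: str) -> str:
    """Bitwise complement of an IOS wildcard mask, giving the PIX-style mask."""
    return str(ipaddress.IPv4Address(to_int(wildcard) ^ 0xFFFFFFFF))

def ios_wildcard_match(host: str, network: str, wildcard: str) -> bool:
    """IOS ACL semantics: bits set in the wildcard are ignored, all other bits must match."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(host) & care) == (to_int(network) & care)

def pix_mask_match(host: str, network: str, mask: str) -> bool:
    """PIX ACL semantics modelled (assumption) as a plain bitwise AND with the mask,
    which is what the discontiguous mask 255.255.1.224 relies on."""
    m = to_int(mask)
    return (to_int(host) & m) == (to_int(network) & m)

def masks_agree(prefix: str = "10.0.0.0/18") -> bool:
    """True if the inverted-mask PIX entry and the IOS entry match the same hosts in prefix."""
    pix_mask = invert_wildcard(IOS_WILDCARD)
    for addr in ipaddress.IPv4Network(prefix):
        host = str(addr)
        ios_hit = ios_wildcard_match(host, IOS_NETWORK, IOS_WILDCARD)
        pix_hit = pix_mask_match(host, IOS_NETWORK, pix_mask)
        if ios_hit != pix_hit:
            return False
    return True

def matched_hosts(prefix: str = "10.0.0.0/22") -> list:
    """Enumerate the hosts the entry matches inside a small prefix, for inspection."""
    return [str(a) for a in ipaddress.IPv4Network(prefix)
            if ios_wildcard_match(str(a), IOS_NETWORK, IOS_WILDCARD)]

if __name__ == "__main__":
    print("PIX mask:", invert_wildcard(IOS_WILDCARD))      # 255.255.1.224
    hits = matched_hosts()                                  # odd third octet, .160-.191
    print(len(hits), "hosts in 10.0.0.0/22, from", hits[0], "to", hits[-1])
    print("IOS and PIX entries agree:", masks_agree())
```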