I currently use an IOS ACL which contains the network/wildcard mask pair X.X.1.160 0.0.254.31 to match hosts X.X.1.[160-191], X.X.3.[160-191], X.X.5.[160-191], etc. If the IOS router is replaced by a PIX firewall, will the PIX subnet mask behave in the same way as an inverted wildcard mask? Is the equivalent network/subnet mask X.X.1.160 255.255.1.224, and is this valid?
PIX ACLs differ from the router ACLs in that the PIX does not use a wildcard mask like IOS. It uses a regular subnet mask in the ACL definition. As with IOS routers, the PIX ACL has an implicit "deny all" at the end of the ACL.
I have tried this today with a PIX-501, and it appears that an IOS wildcard mask can be implemented on the PIX by simply inverting the bits. Whilst this is not a true "subnet mask" in the conventional sense, it does appear to work. The only other alternative I can see is to create many "network" objects and group them in an object-group, but this will essentially create that many access-list entries in the ACL.
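The following Python script is an added worked example and is not part of the original thread or of any Cisco documentation. It implements the two matching rules being compared (IOS wildcard: a 1 bit means "don't care"; PIX mask: a 1 bit means "must match"), inverts the wildcard 0.0.254.31 to 255.255.1.224, and then checks over a whole /16 that both forms select exactly the same hosts. The "X.X" prefix from the question is replaced with the assumed placeholder 10.0, and the script also flags that the resulting mask is non-contiguous, which is why it is not a subnet mask in the usual sense even though the bitwise test works.

```python
import ipaddress

MASK32 = 0xFFFFFFFF  # all 32 bits set, used for bitwise inversion


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def wildcard_to_mask(wildcard):
    """Invert an IOS wildcard mask (0 = must match) into a PIX-style mask (1 = must match)."""
    return int_to_ip(ip_to_int(wildcard) ^ MASK32)


def mask_to_wildcard(mask):
    """The inverse conversion is the same bitwise NOT."""
    return wildcard_to_mask(mask)


def matches_wildcard(addr, base, wildcard):
    """IOS semantics: bits where the wildcard is 0 must equal the base address."""
    care = ip_to_int(wildcard) ^ MASK32
    return (ip_to_int(addr) ^ ip_to_int(base)) & care == 0


def matches_mask(addr, base, mask):
    """PIX/ASA semantics: bits where the mask is 1 must equal the base address."""
    m = ip_to_int(mask)
    return ip_to_int(addr) & m == ip_to_int(base) & m


def is_canonical(base, mask):
    """True if no base bits fall outside the mask (base & mask == base).

    A firewall that canonicalises entries would otherwise silently change
    which hosts the entry matches, so this is worth checking before pasting
    an inverted wildcard into a PIX ACL.
    """
    return ip_to_int(base) & ip_to_int(mask) == ip_to_int(base)


def is_contiguous(mask):
    """True if the mask is of the form 1...10...0 (a real subnet/prefix mask)."""
    host_bits = ip_to_int(mask) ^ MASK32
    return (host_bits + 1) & host_bits == 0


def enumerate_matches(base, wildcard, block):
    """List every address in `block` that the IOS pair base/wildcard matches."""
    net = ipaddress.IPv4Network(block)
    b = ip_to_int(base)
    care = ip_to_int(wildcard) ^ MASK32
    lo, hi = int(net.network_address), int(net.broadcast_address)
    return [int_to_ip(n) for n in range(lo, hi + 1) if (n ^ b) & care == 0]


def same_selection(base, wildcard, mask, block):
    """Check, address by address, that the IOS and PIX forms agree over `block`."""
    net = ipaddress.IPv4Network(block)
    b, m = ip_to_int(base), ip_to_int(mask)
    care = ip_to_int(wildcard) ^ MASK32
    lo, hi = int(net.network_address), int(net.broadcast_address)
    return all(((n ^ b) & care == 0) == ((n & m) == (b & m)) for n in range(lo, hi + 1))


if __name__ == "__main__":
    # Assumed placeholder values: "X.X" from the question is taken to be 10.0.
    base, wildcard, block = "10.0.1.160", "0.0.254.31", "10.0.0.0/16"
    mask = wildcard_to_mask(wildcard)
    hosts = enumerate_matches(base, wildcard, block)
    print("IOS :", base, wildcard)
    print("PIX :", base, mask)
    print("canonical base:", is_canonical(base, mask))
    print("contiguous mask:", is_contiguous(mask))
    print("hosts matched in", block, ":", len(hosts), "e.g.", hosts[0], "...", hosts[-1])
    print("same selection under both rules:", same_selection(base, wildcard, mask, block))
```

Over 10.0.0.0/16 the pair selects 4096 hosts: every odd third octet (bit 0 of 254 is the only "must match" bit in that octet, and 1 is odd) combined with fourth octets 160 to 191 (the top three bits of 31 are the "must match" bits, and 160 is 101xxxxx). The mask 255.255.1.224 is reported as non-contiguous, which matches the observation in the thread that it is not a conventional subnet mask even though the bit test behaves identically.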