
summarization on access-list for VPN tunnels on PIX

Kevin Melton
Level 2

I have a customer who connects to us via a VPN tunnel on their PIX to ours. The customer has private networks that range from 192.18.171.0 thru 179.0.

Rather than having one independent access-list for each of these networks, I wanted to consider summarization using the mask in the access-list itself.

binary breakdown of the third octet is easy because it is contiguous address space. I was thinking I could summarize using the following:

access-list 120 permit ip 10.1.0.0 255.255.0.0 192.18.0.0 255.255.224.0

will this work for the VPN tunnels??


kagodfrey
Level 3

Hi

I don't know whether route summarisation works in practice on a PIX, though I can't see why it shouldn't; however, whilst

171=10101011

179=10110011

you are right to summarise on the third octet (224=11100000). Considering the third octet, if you were to substitute it into the fourth and imagine you were dealing with a subnet of a class C address, you would get the following:

00000000 - 256 addresses - 254 hosts

10000000 - 128 addresses - 126 hosts

11000000 - 64 addresses - 62 hosts

11100000 - 32 addresses - 30 hosts

11110000 - 16 addresses - 14 hosts

11111000 - 8 addresses - 6 hosts

11111100 - 4 addresses - 2 hosts

11111110 - 2 addresses - 0 hosts

11111111 - 0 addresses - 0 hosts

and if we were looking at 11100000 we would get the networks:

0,32,64,96,128,160,192,224

Therefore, if you are looking at addresses in between 171 and 179, you need to be looking at the 160 network.

From this I would imagine that to contact 192.18.171.0 thru 179.0 I would be looking at trying to use

access-list 120 permit ip 10.1.0.0 255.255.0.0 192.18.160.0 255.255.224.0

HTH

Kev
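Editor's added example, not part of the original thread. It checks what the two candidate summaries above actually match, and computes the tightest set of summaries that covers exactly 192.18.171.0 through 192.18.179.0, printed as PIX access-list lines. The ACL number 120 and the inside network 10.1.0.0/16 are taken from the thread; the line format is standard PIX ACL syntax, and the function names are this example's own.

```python
# Added example (not from the original thread): check which /24s a candidate
# summary written in PIX "network netmask" form really matches, and build the
# tightest cover for 192.18.171.0 through 192.18.179.0 as PIX access-list lines.
# ACL 120 and the inside network 10.1.0.0/16 come from the thread; function
# names and the main() demo are this example's own.
import ipaddress

LOCAL = "10.1.0.0 255.255.0.0"                        # inside network from the post
WANTED = [ipaddress.ip_network(f"192.18.{o}.0/24")    # the nine customer /24s
          for o in range(171, 180)]


def third_octet(net):
    """Third octet of a network address as an int, e.g. 192.18.171.0 -> 171."""
    return net.network_address.packed[2]


def covered_and_extra(summary, wanted=WANTED):
    """Given a summary as 'network netmask' (the form PIX takes, not an IOS
    wildcard), return (missing, extra): third octets of wanted /24s the summary
    fails to match, and third octets of /24s it matches that were never asked
    for. Anything in 'extra' is traffic the crypto ACL would pull into the
    tunnel beyond what the customer actually uses."""
    net = ipaddress.ip_network(summary.replace(" ", "/"))
    missing = [third_octet(w) for w in wanted if not w.subnet_of(net)]
    extra = [third_octet(s) for s in net.subnets(new_prefix=24) if s not in wanted]
    return missing, extra


def pix_summaries(first="192.18.171.0", last="192.18.179.255", acl=120):
    """Tightest CIDR cover of [first, last], rendered as PIX access-list lines."""
    blocks = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                               ipaddress.ip_address(last))
    return [f"access-list {acl} permit ip {LOCAL} {b.network_address} {b.netmask}"
            for b in blocks]


if __name__ == "__main__":
    for candidate in ("192.18.0.0 255.255.224.0",      # the original post
                      "192.18.160.0 255.255.224.0"):   # kagodfrey's correction
        missing, extra = covered_and_extra(candidate)
        print(f"{candidate}: misses {missing or 'nothing'}, "
              f"also matches {extra or 'nothing'}")
    print("Tightest cover of 171 through 179:")
    for line in pix_summaries():
        print(" ", line)
```

Running it shows that 192.18.0.0 255.255.224.0 matches .0 through .31 and none of the customer networks, while 192.18.160.0 255.255.224.0 does match .171 through .179 but also .160 through .170 and .180 through .191, so the tunnel would carry (or, on the peer side, accept) traffic for 23 /24s the customer never mentioned. Because 171 is odd and 179 sits inside a /22 block, the exact range cannot be expressed as one mask; the tightest cover is three lines (192.18.171.0/24, 192.18.172.0/22, 192.18.176.0/22). Note that PIX ACLs take real subnet masks, unlike the wildcard masks used by IOS numbered access lists.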

Thanks. I had forgotten about the network bit positions needed to summarize.

I will follow up with you once tested...

Kevin