Cisco Support Community
New Member

summarization on access-list for VPN tunnels on PIX

I have a customer who connects to us via a VPN tunnel on their PIX to ours. The customer has private networks that range from thru 179.0.

Rather than having one independent access-list for each of these networks, I wanted to consider summarization using the mask in the access-list itself.

Binary breakdown of the third octet is easy because it is contiguous address space. I was thinking I could summarize using the following:

ip access-list 120 permit

Will this work for the VPN tunnels?

New Member

Re: summarization on access-list for VPN tunnels on PIX


I don't know whether route summarisation works in practice on a PIX, though I can't see why it shouldn't. However, whilst you are right to summarise with the third octet (224=11100000), considering the 3rd octet - if you were to substitute it to the fourth and imagine you were dealing with a subnet of a class C address, you would get the following:

00000000 - 256 addresses - 254 hosts
10000000 - 128a - 126h
11000000 - 64a - 62h
11100000 - 32a - 30h
11110000 - 16a - 14h
11111000 - 8a - 6h
11111100 - 4a - 2h
11111110 - 2a - 0h
11111111 - 0a - 0h

and if we were looking at 11100000 we would get the networks:


Therefore, if you are looking at addresses in between 171 and 179, you need to be looking at the 160 network.

From this I would imagine that to contact thru 179.0 I would be looking at trying to use

ip access-list 120 permit
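
An added example, not part of any post in this thread: it checks the summary the reply arrives at (third-octet mask 224, the 160 network) against the 171 to 179 range, showing how many other networks a single summarized entry also matches and what an exact set of entries would be. The first two octets (10.1) are constructed placeholders, because the thread's real addresses are not shown.

```python
import ipaddress

# Constructed sample values: the first two octets (10.1) are placeholders, the
# thread's real addresses are not shown. Third octets 171-179 come from the reply.
FIRST = "10.1.171.0/24"
LAST = "10.1.179.0/24"


def single_summary(first, last):
    """Smallest single prefix containing both networks (the one-entry option)."""
    net = ipaddress.ip_network(first)
    last_net = ipaddress.ip_network(last)
    while not last_net.subnet_of(net):
        net = net.supernet()  # shorten the prefix by one bit
    return net


def exact_cover(first, last):
    """Fewest prefixes that match the range and nothing outside it."""
    lo = ipaddress.ip_network(first).network_address
    hi = ipaddress.ip_network(last).broadcast_address
    return list(ipaddress.summarize_address_range(lo, hi))


def overmatched(first, last):
    """The /24 networks a single summary matches outside the wanted range."""
    lo, hi = ipaddress.ip_network(first), ipaddress.ip_network(last)
    return [n for n in single_summary(first, last).subnets(new_prefix=24)
            if not lo <= n <= hi]


def as_mask_pair(net):
    """Render a network as 'address netmask'."""
    return f"{net.network_address} {net.netmask}"


if __name__ == "__main__":
    summary = single_summary(FIRST, LAST)
    extra = overmatched(FIRST, LAST)
    print("single summary :", as_mask_pair(summary))
    print("extra /24s     :", len(extra), "from", extra[0], "to", extra[-1])
    for net in exact_cover(FIRST, LAST):
        print("exact entry    :", as_mask_pair(net))
```

With these sample values the single entry spans third octets 160 through 191, so it also matches 23 networks outside the 171 to 179 range; three entries match the range exactly.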



New Member

Re: summarization on access-list for VPN tunnels on PIX

Thanks. I had forgotten about the network bit positions needed to summarize.

I will follow up with you once tested...

