Firewall Wizards mailing list archives

RE: cisco config help
From: jan () nil si
Date: Mon, 28 May 2001 12:57:12 +0200

From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Sent by: firewall-wizards-admin () nfr com
To: firewall-wizards () nfr com
cc:
Subject: RE: [fw-wiz] cisco config help
Date: 25.05.2001 22:40

My understanding of this issue is that the mask in the access list is not
really a subnet mask, as most people think of them. It is more just a mask
that tells how many addresses to include in the range.

For example, the next three statements refer to the private IP ranges>,>, and>

access-list 104 deny   ip any
access-list 104 deny   ip any
access-list 104 deny   ip any


Be careful - this seems nice, but is definitely NOT the way to write ACLs.
The nice additive properties which you see in the above example are an
EXCEPTION, which only applies if you break a contiguous prefix on natural
borders (i.e. keep dividing it by two) and never cross that border with a
single matching rule (i.e. ACL line).

One should never, ever, think about ACLs as ranges, except if you are quite
at home with binary arithmetic and know when this shortcut can be applied.
As Ryan pointed out, they are the binary inverse of a subnet mask and this
is the safest way to treat them :)

Try to match with a SINGLE rule and you will see. And then there are
non-contiguous masks... :)
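The wildcard semantics described above, as an added example that is not part of the original post: wildcard masks are the bitwise inverse of a subnet mask, matching is bit-by-bit rather than by range, and a "range-shaped" wildcard such as 0.0.0.100 (a constructed value) silently matches a scattered set of hosts instead of a contiguous block.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_for_prefix(prefix_len):
    """Wildcard for a /prefix_len network: the bitwise inverse of its subnet mask."""
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _to_dotted(netmask ^ ALL_ONES)

def is_contiguous(wildcard):
    """True when the wildcard inverts to a real subnet mask (all 1 bits at the low end)."""
    w = _to_int(wildcard)
    return w & (w + 1) == 0

def acl_matches(address, acl_address, wildcard):
    """IOS semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(address) & care) == (_to_int(acl_address) & care)

def matched_addresses(acl_address, wildcard, limit=256):
    """Every address one ACL line matches: 2**popcount(wildcard) combinations of the
    don't-care bits, which form a contiguous range only for a contiguous wildcard."""
    w = _to_int(wildcard)
    free_bits = [1 << i for i in range(32) if w & (1 << i)]
    if 1 << len(free_bits) > limit:
        raise ValueError("too many matches to enumerate")
    base = _to_int(acl_address) & (w ^ ALL_ONES)
    result = []
    for combo in range(1 << len(free_bits)):
        value = base
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                value |= bit
        result.append(value)
    return [_to_dotted(v) for v in sorted(result)]

if __name__ == "__main__":
    # Constructed example: "10.0.0.0 through 10.0.0.100" written as wildcard 0.0.0.100
    # matches eight scattered hosts, not 101 consecutive ones.
    print(is_contiguous("0.0.0.100"), matched_addresses("10.0.0.0", "0.0.0.100"))
    # Halving on natural borders works: /12 is wildcard 0.15.255.255, not 0.16.255.255.
    print(wildcard_for_prefix(12), acl_matches("172.17.0.0", "172.16.0.0", "0.16.255.255"))
```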

CAVEAT: PIX Firewall access lists use netmasks instead of wildcards. I guess
Cisco thought this will be less prone to misconfigurations, when their PIX
customers transitioned from the old syntax (conduit/outbound, which used
netmasks) to the new ACLs.


Jan Bervar
Data Communications Specialist, CCIE #2527
Consulting Engineer

NIL Data Communications,  Einspielerjeva 6,  1000 Ljubljana,  Slovenia
Phone +386 1 4746 500       Fax +386 1 4746 501      http://www.NIL.si
