RE: cisco config help
From: jan () nil si
Date: Mon, 28 May 2001 12:57:12 +0200
From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Sent by: firewall-wizards-admin () nfr com
To: firewall-wizards () nfr com
cc:
Subject: RE: [fw-wiz] cisco config help
My understanding of this issue is that the mask in the access list is not really a subnet mask, as most people think of them. It is more just a mask that tells how many addresses to include in the range.

For example, the next three statements refer to the private IP ranges 10.0.0.0->10.255.255.255, 172.16.0.0->172.31.255.255, and
access-list 104 deny ip any 10.0.0.0 0.255.255.255
access-list 104 deny ip any 172.16.0.0 0.15.255.255
access-list 104 deny ip any 192.168.0.0 0.0.255.255
Be careful - this seems nice, but is definitely NOT the way to write ACLs. The nice additive properties which you see in the above example are an EXCEPTION, which only applies if you break a contiguous prefix on natural borders (i.e. keep dividing it by two) and never cross that border with a single matching rule (i.e. ACL line).
One should never, ever, think about ACLs as ranges, except if you are quite at home with binary arithmetic and know when this shortcut can be applied. As Ryan pointed out, they are the binary inverse of a subnet mask and this is the safest way to treat them. Try to match 172.16.0.0-22.214.171.124 with a SINGLE rule and you will see. And then there are non-contiguous masks... :)
CAVEAT: PIX Firewall access lists use netmasks instead of wildcards. I guess Cisco thought this would be less prone to misconfiguration when their PIX customers transitioned from the old syntax (conduit/outbound, which used netmasks) to the new ACLs.
Data Communications Specialist, CCIE #2527
NIL Data Communications, Einspielerjeva 6, 1000 Ljubljana, Slovenia
Phone +386 1 4746 500 Fax +386 1 4746 501 http://www.NIL.si
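As an added illustration of the wildcard-mask point made in the reply above (this is example code, not from the original thread), the following Python derives a wildcard as the bitwise inverse of a subnet mask, evaluates an address against an ACL entry the way the router does (bit by bit, not as a range), and splits an arbitrary range on natural borders. The 172.32.0.0 range and the 0.16.255.255 "range-style" mask are constructed test values, not from the thread.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefixlen):
    """A Cisco IOS wildcard mask is the bitwise inverse of the subnet mask."""
    netmask = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    return str(ipaddress.IPv4Address(netmask ^ ALL_ONES))


def acl_match(address, base, wildcard):
    """Match exactly as the router does: a wildcard bit of 1 means
    'don't care'; every 0 bit must equal the corresponding bit of base.
    Nothing here is a range comparison."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    return (a & care) == (b & care)


def range_to_acl_entries(first, last):
    """Split an inclusive address range into the minimal list of
    (base, wildcard) entries by dividing on natural power-of-two borders.
    A range that lines up with one border needs one entry; a range that
    crosses a border needs several, which is the point made in the thread."""
    entries = []
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    ):
        entries.append((str(net.network_address), wildcard_from_prefix(net.prefixlen)))
    return entries


def matched_second_octets(base, wildcard):
    """Which values of the second octet does base/wildcard actually accept?
    Useful for seeing what a 'range-looking' mask such as 0.16.255.255 does."""
    return [
        o for o in range(256)
        if acl_match(f"172.{o}.0.1", base, wildcard)
    ]


if __name__ == "__main__":
    # The thread's 172.16/12 range fits a single entry ...
    print(range_to_acl_entries("172.16.0.0", "172.31.255.255"))
    # ... but extending it past the border by one /16 needs two entries.
    print(range_to_acl_entries("172.16.0.0", "172.32.255.255"))
    # A mask written as if it were a range (16..32) matches 172.0.x.x and
    # 172.16.x.x instead, because bit 4 of the second octet is 'don't care'.
    print(matched_second_octets("172.16.0.0", "0.16.255.255"))
```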
firewall-wizards mailing list
firewall-wizards () nfr com