Firewall Wizards mailing list archives

RE: cisco config help


From: jan () nil si
Date: Mon, 28 May 2001 12:57:12 +0200

                                                                                                  
                    "Behm, Jeffrey L."                                                            
                    <BehmJL () bvsg com>           To:     firewall-wizards () nfr com                  
                    Sent by:                    cc:                                               
                    firewall-wizards-adm        Subject:     RE: [fw-wiz] cisco config help       
                    in () nfr com                                                                    
                                                                                                  
                                                                                                  
                    25.05.2001 22:40                                                              
                                                                                                  
                                                                                                  






My understanding of this issue is that the mask in the access list is not
really a subnet mask, as most people think of them. It is more just a mask
that tells how many addresses to include in the range.

For example, the next three statements refer to the private IP ranges
10.0.0.0->10.255.255.255, 172.16.0.0->172.31.255.255, and
192.168.0.0->192.168.255.255:

access-list 104 deny   ip any 10.0.0.0 0.255.255.255
access-list 104 deny   ip any 172.16.0.0 0.15.255.255
access-list 104 deny   ip any 192.168.0.0 0.0.255.255

Hi,

be careful - this seems nice, but is definitely NOT the way to write ACLs.
The nice additive properties which you see in the above example are an
EXCEPTION, which only happens if you break a contiguous prefix on natural
borders (i.e. keep dividing it by two) and never cross that border with a
single matching rule (i.e. ACL line).

One should never, ever, think about ACLs as ranges, except if you are quite
at home with binary arithmetic and know when this shortcut can be applied.
As Ryan pointed out, they are the binary inverse of a subnet mask and this
is the safest way to treat them :)

Try to match 172.16.0.0-172.63.255.255 with a SINGLE rule and you will see.
And then there are non-contiguous masks... :)

CAVEAT: PIX Firewall access lists use netmasks instead of wildcards. I
guess Cisco thought this would be less prone to misconfigurations when
their PIX customers transitioned from the old syntax (conduit/outbound,
which used netmasks) to the new ACLs.

Cheers,
Jan

Jan Bervar
Data Communications Specialist, CCIE #2527
Consulting Engineer

NIL Data Communications,  Einspielerjeva 6,  1000 Ljubljana,  Slovenia
Phone +386 1 4746 500       Fax +386 1 4746 501      http://www.NIL.si


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
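The wildcard-mask arithmetic behind Jan's point, as an added example that is not part of the thread: it treats a wildcard as the bitwise inverse of a subnet mask, splits an arbitrary range on natural borders into the fewest ACL entries, and shows what a non-contiguous "range-minded" wildcard really matches. The 172.16.0.0 0.47.255.255 entry is a constructed bad example, not one from the thread; the ACL number and action are assumptions.

```python
"""Added example (not from the thread): Cisco wildcard-mask arithmetic.

A wildcard mask is the bitwise inverse of a subnet mask: 0 bits must match,
1 bits are don't-care. Treating it as "a range" only works when the range is
one prefix-aligned block, as the 172.16.0.0-172.63.255.255 case shows.
"""
import ipaddress


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr is matched by the ACE 'base wildcard'.

    Pure bitwise arithmetic, so it also models non-contiguous wildcards.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # the subnet mask
    return (a & care) == (b & care)


def range_to_aces(first: str, last: str, acl: int = 104, action: str = "deny"):
    """Split an inclusive address range on natural (power-of-two) borders and
    emit one extended-ACL entry per block, with the hostmask as the wildcard."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [
        f"access-list {acl} {action} ip any {net.network_address} {net.hostmask}"
        for net in ipaddress.summarize_address_range(lo, hi)
    ]


def single_rule_possible(first: str, last: str) -> bool:
    """A single 'base wildcard' ACE expresses the range exactly only when
    the range is one prefix-aligned block."""
    return len(range_to_aces(first, last)) == 1


def second_octets_matched(base: str, wildcard: str):
    """Which second-octet values an ACE really matches (first octet fixed).

    Constructed pitfall: 172.16.0.0 0.47.255.255 looks like "16 plus 47",
    but 47 is 0b00101111, a non-contiguous wildcard, so it matches 16-31
    and 48-63 and silently skips 32-47.
    """
    first_octet = base.split(".")[0]
    return [o for o in range(256)
            if wildcard_matches(f"{first_octet}.{o}.0.0", base, wildcard)]


if __name__ == "__main__":
    for ace in range_to_aces("172.16.0.0", "172.63.255.255"):
        print(ace)
    print(second_octets_matched("172.16.0.0", "0.47.255.255"))
```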