
I'm trying to find out if there is a "clean" way to do this.

I need to set up an ACL on a FWSM that affects devices over multiple subnets.

The structure looks like this: 10.10.1-254.1-15

I could do:

object-group network example
 network-object 10.10.1.0 255.255.255.240
 ..
 ..
 network-object 10.10.254.0 255.255.255.240

but I'm hoping there is a way to do this without having to add each subnet?

evolvd

1 Answer


Certainly! I believe inverse masks were created to be discontiguous, unlike a normal subnet mask, which must be contiguous.

An ACL such as the following should do the trick on an IOS device.

ip access-list extended SUBNET_240
 remark wildcard 0.0.255.15 is the inverse of 255.255.0.240: any third octet, fourth octet 0-15
 permit ip 10.10.0.0 0.0.255.15 any

I am not familiar with the FWSM but you should be able to create a similar ACL on an ASA.

I also just logged in to my ASA 5512 and I was able to create a network object with a discontiguous mask (but not inverse).

192.168.0.0 255.255.0.240

John Kennedy
I was way overthinking this haha. I'm guessing in the object-group the following would work -> network-object 10.10.0.0 255.255.0.240 ? – evolvd Nov 13 '13 at 23:20

That is exactly what you need sir, please rate my answer if you found it helpful – John Kennedy Nov 13 '13 at 23:42
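Before committing a discontiguous mask to a firewall, it is worth checking exactly which addresses it matches, because the box only does a bitwise AND and the result is a superset of what the question describes. The following Python script is an added example, not code from the thread or from Cisco: it reproduces the AND-and-compare test the FWSM/IOS performs, converts the ASA-style mask into the IOS wildcard, and enumerates every address matched by 10.10.0.0 255.255.0.240 against the range the question asked for (10.10.1-254.1-15, constructed here from the question text). Python's ipaddress module refuses non-contiguous masks, so the enumeration is done by hand on the free mask bits.

```python
"""Check what a discontiguous subnet mask (or its IOS wildcard) really matches.

Added worked example; the intended address range is taken from the question
(10.10.1-254.1-15), everything else is ordinary bit arithmetic.
"""
from ipaddress import IPv4Address


def to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return str(IPv4Address(value))


def wildcard_from_mask(mask: str) -> str:
    """IOS wildcard bits are the bitwise inverse of an ASA/FWSM-style mask.

    255.255.0.240 -> 0.0.255.15, exactly the pair used in the answer above.
    """
    return to_dotted(~to_int(mask) & 0xFFFFFFFF)


def matches(addr: str, network: str, mask: str) -> bool:
    """The test a Cisco box performs: AND the address with the mask, compare."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(network) & m)


def matched_set(network: str, mask: str) -> set:
    """Enumerate every address matched by network/mask.

    ipaddress.IPv4Network rejects discontiguous masks, so walk the free
    (zero) mask bits ourselves. 255.255.0.240 leaves 12 free bits -> 4096 hosts.
    """
    net, m = to_int(network), to_int(mask)
    free_bits = [i for i in range(32) if not (m >> i) & 1]
    result = set()
    for combo in range(1 << len(free_bits)):
        value = net & m
        for pos, bit in enumerate(free_bits):
            if (combo >> pos) & 1:
                value |= 1 << bit
        result.add(value)
    return result


def intended_set() -> set:
    """Addresses the question actually wants: 10.10.<1-254>.<1-15>."""
    return {
        to_int(f"10.10.{third}.{fourth}")
        for third in range(1, 255)
        for fourth in range(1, 16)
    }


def coverage_report(network: str, mask: str) -> dict:
    """Compare what the mask matches with what was intended."""
    wanted = intended_set()
    got = matched_set(network, mask)
    return {
        "missing": [to_dotted(a) for a in sorted(wanted - got)],
        "extra": [to_dotted(a) for a in sorted(got - wanted)],
        "extra_count": len(got - wanted),
    }


if __name__ == "__main__":
    print("IOS wildcard for 255.255.0.240:", wildcard_from_mask("255.255.0.240"))
    report = coverage_report("10.10.0.0", "255.255.0.240")
    print("missing:", len(report["missing"]), "extra:", report["extra_count"])
    print("first extras:", report["extra"][:5])
```

Running it shows the mask misses nothing the question asked for, but also permits 286 addresses that were not asked for: the .0 address of every third-octet value 1-254, plus all of 10.10.0.0-15 and 10.10.255.0-15. Whether that matters depends on what lives at those addresses; if it does, the per-subnet object-group from the question (or an explicit deny for the unwanted ranges ahead of the permit) is the tighter choice.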