Re: Network range on PIX
- From: roberson@xxxxxxxxxxxxxxxxxx (Walter Roberson)
- Date: Thu, 22 Sep 2005 19:53:19 +0000 (UTC)
In article <1127417671.766380.254680@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
Nate <nnord@xxxxxxxxxx> wrote:
:Does the PIX not support some equivalent of the filter masks used on
:Cisco routers to define specific networks of a subnet? How would I
:define, for instance, the 3rd network of a x.x.x.0 255.255.255.240
:subnet (x.x.x.32 network using IPs x.x.x.33 through x.x.x.36 (.37
:broadcast)) for access control purposes? I see you can list all IPs
:and then group them but I was hoping for a filter mask equivalent.
In access-lists, you would use x.x.x.32 255.255.255.240
There are some commands on the PIX that expect a host IP instead of
a network IP and mask. Those commands mostly have to do with access
to the PIX itself. None of those commands permit an object-group
in the relevant position.
One thing to be aware of is that if you use a netmask of other than
255.255.255.255 in a "static" command, then the PIX will treat the
resulting range as if it were a real subnet: it will assume that
there should be no traffic sourced from the base address or high
address of the range, and will reject packets that show up with those
sources [unless you take special steps.] This is the only place that
this is true; in ACL contexts, an address and mask is just a handy
way to list a complete range.
--
When Love is gone, there's always Justice.
When Justice is gone, there's always Force.
When Force is gone, there's always Mom. -- Laurie Anderson
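The distinction Walter draws (an address/mask pair is a plain range in an ACL, but a real subnet with a reserved base and broadcast address in a `static`) is easy to get wrong by hand, so here is a small worked example. It is added here and is not code from the thread or from Cisco: 192.0.2.0/24 and 203.0.113.0/24 are constructed documentation ranges standing in for the poster's x.x.x.0, the ACL name `ACL_IN` and the `(inside,outside)` interface pair are assumptions, and `static_accepts_source` only models the behaviour the post describes, not anything about how the PIX implements it.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 documentation space), not from the thread.
PARENT = "192.0.2.0/24"          # the poster's x.x.x.0
GLOBAL_PARENT = "203.0.113.0/24"  # assumed outside-side range for the static example
SUBNET_MASK = "255.255.255.240"   # /28: 16 addresses per subnet


def nth_subnet(parent: str, mask: str, n: int) -> ipaddress.IPv4Network:
    """Return the n-th (1-based) subnet of `parent` when carved with `mask`.
    The 3rd /28 of 192.0.2.0/24 is 192.0.2.32/28 (.32 .. .47)."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    subnets = list(ipaddress.IPv4Network(parent).subnets(new_prefix=prefix))
    return subnets[n - 1]


def host_net(ip: str) -> ipaddress.IPv4Network:
    """A single host expressed as a /32, i.e. netmask 255.255.255.255."""
    return ipaddress.IPv4Network(f"{ip}/32")


def usable_hosts(net: ipaddress.IPv4Network) -> list:
    """Assignable addresses: everything except the base and broadcast address."""
    return [str(h) for h in net.hosts()]


def acl_line(name: str, net: ipaddress.IPv4Network) -> str:
    """PIX access-list syntax uses a real subnet mask, not an IOS wildcard mask."""
    return f"access-list {name} permit ip {net.network_address} {net.netmask} any"


def static_line(global_net: ipaddress.IPv4Network,
                local_net: ipaddress.IPv4Network) -> str:
    """A range static: one PIX 'static' line covering a whole subnet."""
    return (f"static (inside,outside) {global_net.network_address} "
            f"{local_net.network_address} netmask {local_net.netmask}")


def acl_matches(net: ipaddress.IPv4Network, ip: str) -> bool:
    """In ACL context the address/mask is just a range: base and broadcast
    addresses match like any other address in it."""
    return ipaddress.IPv4Address(ip) in net


def static_accepts_source(net: ipaddress.IPv4Network, ip: str) -> bool:
    """Model of the behaviour described in the post (assumption, not PIX code):
    with a netmask other than 255.255.255.255 the static treats the range as a
    real subnet and will not accept packets sourced from its base or high
    address unless special steps are taken."""
    addr = ipaddress.IPv4Address(ip)
    if addr not in net:
        return False
    if net.prefixlen == 32:
        return True
    return addr not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    local = nth_subnet(PARENT, SUBNET_MASK, 3)
    glob = nth_subnet(GLOBAL_PARENT, SUBNET_MASK, 3)
    print(acl_line("ACL_IN", local))
    print(static_line(glob, local))
    print("usable:", usable_hosts(local))
    for ip in ("192.0.2.32", "192.0.2.33", "192.0.2.47"):
        print(ip, "acl:", acl_matches(local, ip),
              "static source:", static_accepts_source(local, ip))
```

Running it prints the two PIX lines for the 3rd /28 and shows that .32 and .47 match the ACL but are refused as sources by the range static, while .33 is accepted by both; a /32 static has no such reserved addresses.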