Access-list PIXV6

[Nightcrawler]

Hiya,

I am trying to get some access-list working on my pix firewall. I need to address a range of ip address using this command and at present have failed.

How does one address a range say 10.1.51.128-10.1.51.255 on a PIX access-list..??

Thanks
in advance

Ed Williams

 

[cissp2002]

Is this what you need:

global (outside) 1 209.165.201.10-209.165.201.20 netmask 255.255.255.224

 

[Nightcrawler]

No unfortantly not - im looking at access-lists....

 

[cissp2002]

How about this:

access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224

Of course this is the entire subnet!

 

[Nightcrawler]

Well okay what abpout wanting only two machines say 10.1.51.10 and 10.1.51.11 ???

THanks

Ed

 

[yizhar]

HI.

You can use this for single hosts:

access-list X permit ip host a.a.a.a any
access-list X permit ip host b.b.b.b any

for a subnet:

access-list X permit ip 10.1.51.128 255.255.255.128 any

Don't forget to apply using the access-group command.

Note that in pix you use subnet masks, unlike in routers where the mask has reverse meaning.

You'll find the syntax here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm

For complex access-lists, I recommend using PDM.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[Nightcrawler]

What about just 2 or 3 computers in a row ? 10.1.51.11 - 10.1.51.13 ??? What would be subnet for that ?

Thanks

Ed

 

[xlee]

You can use a /29. That would cover from 10.1.51.8-10.1.51.15

 

[Nightcrawler]

But I cant just specifiy those three ??