
Subnet error in PIX 515 - IOS 6.1(1)

Status
Not open for further replies.

VITALNOC

Nov 25, 2002
Have come across an existing PIX.
Inside interface has 90.10.10.0/8

but some existing rules have

90.10.10.0/24 addresses!

When trying to remove these (clean up job) and replace them with correct /8 subnet I get the following error when creating an ACL:

ERROR: Global address,mask <90.10.10.0,255.0.0.0> doesn't pair
Type help or ? for a list of available commands.

Has anyone got a solution they can point me to 'refresh' these incorrect subnets?

 
Just spotted

"anti spoofing acl error"
thread35-417194

So will check this as well!

Any offers gratefully accepted!

 
Just checked out the above thread - definitely not the same cause!
 
Well, of course you can't do that, 90.10.10.0/8 is not a valid range of addresses in a global statement, and why would you want a global with that many addresses in it? Valid would be 90.10.10.0/24 or 90.0.0.0/8 but would make no sense to configure.


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Just read that you're creating an ACL, not a global... but anywho, what is the exact syntax you are sending that gives this result?

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Dopehead - many thanks for your notes.

This error occurs even though I have a global statement as follows:

global (outside) 1 21x.3x.x.x

very much a public address.

Am I then looking at removing any globals first which could be "tied" to the internal range (this 90.10.10.0/8 is the internal network, which includes a 90.10.10.x/8 address on the inside interface on the PIX)?
 
What version of PIX software are you using? I seem to recall some changes in what is possible regarding masks in some older versions.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Try issuing a "clear global" before entering your global command. It's possible that you have a global address already assigned that is overlapping and causing the error.
 
Just to confirm the IOS version is 6.1(1) as per the title of the thread.

The syntax I have used is . . .

access-list 102 permit ip 90.10.10.0 255.0.0.0 10.0.0.0 255.255.255.0

because once I have deleted the existing rule which includes 90.10.10.0 255.255.255.0 and tried to replace it with this, I get the error.

 
Ya, that's wrong syntax... if you want to include the entire 90.x.x.x network you need 90.0.0.0 255.0.0.0 instead of 90.10.10.0


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
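
Added example, not part of the thread or of any Cisco tooling: a small Python audit that flags address/mask pairs in an ACL line whose address has bits set outside the mask, the mismatch pointed out in the last reply, and reports the network address that does fit the mask. The function names are hypothetical, and it assumes only the `access-list <id> permit|deny ip <src> <mask> <dst> <mask>` form quoted above (no `host` or `any` keywords).

```python
import ipaddress


def check_pair(addr, mask):
    """Return (ok, network): ok is False when addr has bits set outside mask."""
    ip = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    inv = ~m & 0xFFFFFFFF
    # A netmask must be contiguous ones followed by zeros, so its inverse
    # has the form 2^k - 1 and shares no bits with itself plus one.
    if inv & (inv + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return (ip & m) == ip, str(ipaddress.IPv4Address(ip & m))


def audit_acl_line(line):
    """Return a list of (role, address, mask, suggested_network) findings."""
    tok = line.split()
    if (len(tok) != 8 or tok[0] != "access-list"
            or tok[2] not in ("permit", "deny") or tok[3] != "ip"):
        raise ValueError(f"unsupported ACL form: {line!r}")
    findings = []
    for role, addr, mask in (("source", tok[4], tok[5]),
                             ("destination", tok[6], tok[7])):
        ok, network = check_pair(addr, mask)
        if not ok:
            findings.append((role, addr, mask, network))
    return findings


if __name__ == "__main__":
    # First line is the ACL quoted in the thread; the second is the
    # corrected form suggested in the last reply.
    lines = [
        "access-list 102 permit ip 90.10.10.0 255.0.0.0 10.0.0.0 255.255.255.0",
        "access-list 102 permit ip 90.0.0.0 255.0.0.0 10.0.0.0 255.255.255.0",
    ]
    for acl in lines:
        problems = audit_acl_line(acl)
        if not problems:
            print(f"OK       {acl}")
        for role, addr, mask, network in problems:
            print(f"MISMATCH {acl}")
            print(f"         {role} {addr} {mask}: use {network} {mask}")
```

Running it over a saved configuration before a clean-up shows which rules mix a /24-style address with a /8 mask, so they can be corrected in one pass.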
 