cisco pix default netmask

Discussion in 'Cisco' started by dima.kagan@gmail.com, Nov 6, 2006.

  1. Guest

    Hi!

    I have a question, to which I couldn't find an answer by searching
    Google and Cisco docs.

    Let's say I insert the following command in the Cisco PIX CLI:

    name 10.1.0.0 test-network

    What is the default netmask given by PIX for this network, if any? Do I
    have to specify a netmask with a different command, before using this
    object in an ACL, for example?

    The PIX version is 6.3, if it matters.

    Thanks!
     
    , Nov 6, 2006
    #1

  2. * wrote:
    > name 10.1.0.0 test-network
    >
    > What is the default netmask given by pix for this network, if any?


    There is no netmask with names. The name command substitutes the IP address
    with a name regardless of the context, the address is used.
     
    Lutz Donnerhacke, Nov 6, 2006
    #2

  3. Brian V Guest

    <> wrote in message
    news:...
    > Hi!
    >
    > I have a question, to which I couldn't find an answer by searching
    > Google and Cisco docs.
    >
    > Let's say I insert the following command in the Cisco PIX CLI:
    >
    > name 10.1.0.0 test-network
    >
    > What is the default netmask given by PIX for this network, if any? Do I
    > have to specify a netmask with a different command, before using this
    > object in an ACL, for example?
    >
    > The PIX version is 6.3, if it matters.
    >
    > Thanks!
    >


    It doesn't, you still need to specify it.
    test-network 255.0.0.0 would be 10.X.X.X
    test-network 255.255.0.0 would be 10.1.X.X
    test-network 255.255.255.0 would be 10.1.0.X
    test-network 255.255.255.255 would be host 10.1.0.0
     
    Brian V, Nov 6, 2006
    #3
  4. Guest

    Hi!

    Thanks for the reply.

    Yes, I understand this is like an alias.
    However, if I use test-network in an acl, like this:

    access-list inside_access_in permit tcp test-network any eq ssh

    How will the firewall interpret the 'test-network' object in this case:
    1. 10.1.0.0/16
    2. 10.1.0.0/24
    3. Some other way(?)

    Lutz Donnerhacke wrote:
    > * wrote:
    > > name 10.1.0.0 test-network
    > >
    > > What is the default netmask given by pix for this network, if any?

    >
    > There is no netmask with names. The name command substitutes the IP address
    > with a name regardless of the context, the address is used.
     
    , Nov 6, 2006
    #4
  5. Guest

    Thanks!

    I got it now. Tried to use it without netmask and got an error.

    Dilemma solved!

    Brian V wrote:
    > <> wrote in message
    > news:...
    > > Hi!
    > >
    > > I have a question, to which I couldn't find an answer by searching
    > > Google and Cisco docs.
    > >
    > > Let's say I insert the following command in the Cisco PIX CLI:
    > >
    > > name 10.1.0.0 test-network
    > >
    > > What is the default netmask given by PIX for this network, if any? Do I
    > > have to specify a netmask with a different command, before using this
    > > object in an ACL, for example?
    > >
    > > The PIX version is 6.3, if it matters.
    > >
    > > Thanks!
    > >

    >
    > It doesn't, you still need to specify it.
    > test-network 255.0.0.0 would be 10.X.X.X
    > test-network 255.255.0.0 would be 10.1.X.X
    > test-network 255.255.255.0 would be 10.1.0.X
    > test-network 255.255.255.255 would be host 10.1.0.0
     
    , Nov 6, 2006
    #5
  6. * wrote:
    > However, if I use test-network in an acl, like this:
    > access-list inside_access_in permit tcp test-network any eq ssh
    > How will the firewall interpret the 'test-network' object in this case?


    The response will be
    Illegal command: access-list inside_access_in permit tcp 10.1.0.0 any eq ssh
    ^
    If you want to do this right, please use:

    name 10.1.0.0 test-network
    name 255.255.255.248 slash-29
    access-list inside_access permit tcp test-network slash-29 any eq ssh
     
    Lutz Donnerhacke, Nov 6, 2006
    #6
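
Added example, not part of any post in this thread: a Python check that applies the rule the replies describe (a `name` is a plain text alias that carries no mask) to PIX-style `access-list` lines and reports the network each entry covers, or an error where an address has no netmask. It assumes simple `permit|deny <protocol> <source> [port] <destination>` entries; the function names and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (not from a real device): names and ACL lines quoted in the thread.
SAMPLE = """\
name 10.1.0.0 test-network
name 255.255.255.248 slash-29
access-list inside_access_in permit tcp test-network any eq ssh
access-list inside_access permit tcp test-network slash-29 any eq ssh
"""
DOTTED = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")  # looks like an address or mask
PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}  # tokens consumed

def mask_to_prefix(mask):
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    if inverted & (inverted + 1):  # host bits must be one contiguous low run
        raise ValueError(f"{mask} is not a contiguous netmask")
    return 32 - inverted.bit_length()

def parse_endpoint(tokens, i):
    """Return (network, next index) for the source or destination at tokens[i]."""
    tok, nxt = (tokens[i:i + 2] + ["", ""])[:2]
    if tok == "any":
        return "any", i + 1
    if tok == "host" and DOTTED.match(nxt):
        return nxt + "/32", i + 2
    if not DOTTED.match(tok):
        raise ValueError(f"expected an address, got {tok!r}")
    if not DOTTED.match(nxt):
        raise ValueError(f"address {tok} has no netmask")
    net = ipaddress.IPv4Network(f"{tok}/{mask_to_prefix(nxt)}", strict=False)
    return str(net), i + 2

def audit(config):
    """Expand names, then return (expanded line, source, destination) per ACL entry."""
    names, results = {}, []
    for tokens in (line.split() for line in config.splitlines()):
        if len(tokens) == 3 and tokens[0] == "name":
            names[tokens[2]] = tokens[1]  # plain text alias, no mask attached
        elif tokens[:1] == ["access-list"]:
            tokens = tokens[:2] + [names.get(t, t) for t in tokens[2:]]
            try:  # access-list <id> permit|deny <protocol> <src> [port] <dst> [port]
                src, i = parse_endpoint(tokens, 4)
                i += PORT_OPS.get(tokens[i], 0) if i < len(tokens) else 0  # source port
                dst, _ = parse_endpoint(tokens, i)
                results.append((" ".join(tokens), src, dst))
            except ValueError as err:
                results.append((" ".join(tokens), "ERROR", str(err)))
    return results
```

Running `audit(SAMPLE)` flags the first ACL line, which has no netmask after the expanded address, and resolves the second to `10.1.0.0/29`.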