Cisco ACL – Unusual Wildcard Mask in Cisco ACL Configuration

aclcisco

I inherited some configs on a network I manage from a previous administrator.

In some of the ACLs there are some very strange wildcard masks that i've not seen before, for example:

10 permit ip any 10.160.1.0 0.31.0.255

I cannot find anywhere online where it states that this kind of ACL is valid. Is anyone able to confirm/deny this for me?

Thanks in advance

Best Answer

That is a valid wildcard mask. It will match any IP with the format 10.(160-191).1.(0-255). Whether or not this is intended, or good design, is unknown.

Wildcard masks are just "do-we-care" bitwise masks used when looking at an IP -- a value of 0 means "do-care", and 1 means "don't-care".

In this case, 0.31.0.255 translates to:

00000000 00011111 00000000 1111111

So the IP listed in the ACL (10.160.1.0) will have a binary value of

00001010 10100000 00000001 00000000

Testing an IP (10.190.1.200):

00001010 10111110 00000001 11001000 (10.190.1.200)
00001010 10100000 00000001 00000000 (10.160.1.0)
^^^^^^^^ ^^^      ^^^^^^^^          (0.31.0.255)

The carets represent the wildcard mask, showing which bits MUST match. Since they do, 10.190.1.200 would match this ACL statement.

Related Solutions

Cisco WLC External WebAuth Apparent Random Behavior

I've seen similar issues twice in the past.

The first time, it had to do with DNS resolution. I performed a DNS lookup on a client that was having issues, and realized that the client wasn't capable of resolving the URL that I was passing for the login page. This was because I was passing an external DNS server. Check that first. I resolved that by passing the IP in the URL, although you could create a cname that resolves to 1.1.1.1.

The second time, it was a certificate issue. Some default browsers won't show the splash screen if the user must accept a self-signed certificate. I would test that by manually browsing to the splash screen or login page from a client that does not automatically show it.

Hope one of those helps you out. I know that I was ready to pull my hair out when I saw this the first time.

Cisco IOS – Simple Egress Block ACL Configuration

With Cisco ACL's, there is an implicit deny ip any any at the end of every list. You need to explicitly state the traffic that you want to allow/deny. Note that it short-circuits on the first ACL entry it hits that it applies to, so if you're sending a packet from a host on the 208.73.210.0/23 network, it will first hit this ACL entry:

permit tcp any any

If it is TCP, it will be allowed regardless of its source. This is a rather moot entry since the next one will allow any source IP address over any protocol. Change it to:

ip access-list extended wan_ipv4_out
  deny tcp any 208.73.210.0 0.0.1.255
  permit ip any any

Note that the 208.73.210.0/23 network will still be able to communicate to other networks over different protocols (UDP, ICMP, etc). To block all outgoing traffic, try:

ip access-list extended wan_ipv4_out
  deny ip any 208.73.210.0 0.0.1.255
  permit ip any any

This will allow all traffic except incoming traffic on FastEthernet8 with a source address of 208.73.210.0/23.

Best Answer

Related Solutions

Cisco WLC External WebAuth Apparent Random Behavior

Cisco IOS – Simple Egress Block ACL Configuration

Related Topic