cisco asa: network mask issue #9
Comments
That is possible. I think it was caused by a policy in the past which had hostmasks instead of netmasks. I know that Cisco supports both, but I don't know in which context.
Can you run a test by changing the `hostmask2netmask` function in `lib/cisco2checkpoint.py` (line 262) to:
```python
def hostmask2netmask(self, hostmask):
    # test stub: return the mask unchanged instead of converting it
    return hostmask
```
If it works, I will need to understand when hostmasks and netmasks are used before fixing the code.
On Tue, Apr 25, 2017 at 1:33 PM, mjardeli <***@***.***> wrote:
--
Mart
Worked! Now the result is normal. Cheers,
I tried to find out when to use a wildcard or a netmask. All references to wildcards are old, some of them more than 10 years. Maybe this was the old way to configure it; I need to research more. My suggestion is to create another modifier that the user can change on the command line at start.
Hi Martin,
Sorry to send so many things over to you.
When a new network is loaded from an ACL, the netmask seems to be incorrectly interpreted.
Try to process the following config line:
```
access-list FromInside extended deny ip 1.5.0.8 255.255.255.248 any4
```
Result:
```
CiscoNet(name=N_1.5.0.8-3,ipAddr=1.5.0.8/0.0.0.7,desc=,alias=)
ACLRule(name=FromInside,src=N_1.5.0.8-3,dst=any,port=any,action=deny,pol=My_Policy,inst=My_Firewall,disabled=False,desc=)
Desc:
Src: CiscoNet(name=N_1.5.0.8-3,ipAddr=1.5.0.8/0.0.0.7,desc=,alias=)
Dst: CiscoAnyHost(name=any,ipAddr=None,desc=,alias=)
Port: CiscoAnyPort(name=any,port=0,desc=,alias=)
Verify: <ASAAclLine # 0 'access-list FromInside extended deny ip 1.5.0.8 255.255.255.248 any4'>
```
Kind regards,
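The distinction this thread turns on, worked through as an added example (written for this page, not code from the cisco2checkpoint project): an ASA `access-list ... extended` line carries a subnet mask (`255.255.255.248`), while IOS-style ACLs carry a wildcard mask (`0.0.0.7`), and inverting a subnet mask as if it were a wildcard produces exactly the `1.5.0.8/0.0.0.7` seen in the report. The block also implements the command-line style switch suggested in the comment above as an explicit `mask_mode` argument. All function names, the `mask_mode` switch and the extra sample masks are assumptions made here; only the `access-list FromInside ...` line is the one from the report.

```python
# Added example, not cisco2checkpoint's own code. Function names and the
# mask_mode switch are assumptions for illustration.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _mask_int(mask: str) -> int:
    """Dotted-quad mask -> 32-bit int; raises ValueError on anything else."""
    return int(ipaddress.IPv4Address(mask))


def is_netmask(mask: str) -> bool:
    """Contiguous ones followed by zeros, e.g. 255.255.255.248 (ASA syntax)."""
    inv = _mask_int(mask) ^ ALL_ONES
    return inv & (inv + 1) == 0


def is_wildcard(mask: str) -> bool:
    """Contiguous zeros followed by ones, e.g. 0.0.0.7 (IOS wildcard/hostmask)."""
    m = _mask_int(mask)
    return m & (m + 1) == 0


def classify_mask(mask: str) -> str:
    """'netmask', 'wildcard', 'ambiguous' (0.0.0.0 / 255.255.255.255 fit both
    syntaxes with opposite meanings) or 'non-contiguous'."""
    n, w = is_netmask(mask), is_wildcard(mask)
    if n and w:
        return "ambiguous"
    if n:
        return "netmask"
    if w:
        return "wildcard"
    return "non-contiguous"


def wildcard_to_netmask(wildcard: str) -> str:
    """Bitwise inversion: correct for a wildcard (0.0.0.7 -> 255.255.255.248),
    but fed a subnet mask it yields 255.255.255.248 -> 0.0.0.7, the misread
    shown in the report."""
    return str(ipaddress.IPv4Address(_mask_int(wildcard) ^ ALL_ONES))


def acl_term_to_network(addr: str, mask: str, mask_mode: str) -> ipaddress.IPv4Network:
    """Network matched by an ACL address/mask term.

    mask_mode="netmask"  : ASA access-list syntax, mask is a subnet mask.
    mask_mode="wildcard" : IOS ACL syntax, mask is a wildcard mask.
    The mode is explicit rather than guessed: 255.255.255.255 is one host as a
    netmask but 'any' as a wildcard, and 0.0.0.0 is the reverse, so a guess
    can silently turn a single-host rule into a rule for everything.
    """
    if mask_mode == "netmask":
        if not is_netmask(mask):
            raise ValueError(f"{mask!r} is not a contiguous netmask")
        netmask = mask
    elif mask_mode == "wildcard":
        if not is_wildcard(mask):
            raise ValueError(f"{mask!r} is not a contiguous wildcard mask")
        netmask = wildcard_to_netmask(mask)
    else:
        raise ValueError(f"unknown mask_mode {mask_mode!r}")
    # strict=False clears host bits, e.g. 1.5.0.9/29 -> 1.5.0.8/29
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_asa_extended_src(line: str, mask_mode: str = "netmask") -> ipaddress.IPv4Network:
    """Source network of an 'access-list NAME extended ACTION PROTO SRC MASK ...'
    line. Only the dotted-quad + mask form is handled; 'host', 'any', 'any4'
    and object-group sources are out of scope for this example."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an ASA extended ACL line: {line!r}")
    return acl_term_to_network(tok[5], tok[6], mask_mode)


if __name__ == "__main__":
    # Constructed sample input: the line from the report.
    line = "access-list FromInside extended deny ip 1.5.0.8 255.255.255.248 any4"
    print(parse_asa_extended_src(line))               # 1.5.0.8/29
    print(wildcard_to_netmask("255.255.255.248"))     # 0.0.0.7 (the misread)
    for m in ("255.255.255.248", "0.0.0.7", "255.255.255.255", "0.0.0.0"):
        print(m, classify_mask(m))
    print(acl_term_to_network("10.0.0.1", "255.255.255.255", "netmask"))   # 10.0.0.1/32
    print(acl_term_to_network("10.0.0.1", "255.255.255.255", "wildcard"))  # 0.0.0.0/0
```

Python's own `ipaddress.IPv4Network` accepts either form in the `addr/mask` string (`1.5.0.8/0.0.0.7` parses as a hostmask) and resolves the two ambiguous masks as netmasks, which is the ASA behaviour but the wrong answer for an IOS wildcard ACL; that is why a converter that has to handle both syntaxes needs the mode to come from the source platform rather than from the bits of the mask.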