Using Wildcard Masks on Access Rules
The Cisco Secure Access policy is the collection of an organization's internet and private access rules. You can define composite source and destination components on Access rules. A composite source or destination may include multiple network address components.
For composite sources, add IPv4 addresses or CIDR blocks. You can also add a wildcard mask with an IPv4 address.
- For information about sources and internet access rules, see About Configuring Sources in Internet Access Rules.
- For information about sources and private access rules, see About Configuring Sources in Private Access Rules.
For composite destinations, add IP addresses, CIDR blocks, ports and port ranges, and transport protocols. You can also add a wildcard mask with an IP address.
- For information about destinations and internet access rules, see About Configuring Destinations in Internet Access Rules.
- For information about destinations and private access rules, see About Configuring Destinations in Private Access Rules.
Table of Contents
Wildcard Masks in Composite Sources or Destinations
You can add a wildcard mask with an IPv4 address for a composite source or destination on an Access rule.
A wildcard mask represents the bits of an IP address and determines if certain parts of the network address are ignored or allowed. Secure Access applies the wildcard mask to the IP address to configure network addresses for the sources or destinations.
When a user device connects from a source or requests a destination, Secure Access verifies that the traffic on the network address connection or resource is supported by the composite component.
Guidelines
- You can add a 32-bit IPv4 address with a wildcard mask on an Access rule, for example: 192.168.0.1/0.0.255.0.
- Secure Access accepts valid wildcard masks only.
- If the bit value on the position in the wildcard mask is zero (0), then the bit value on the position in the IP address must match.
- If the bit value on the position in the wildcard mask is one (1), then the bit value on the position in the IP address is ignored.
- Secure Access does not support a comma-separated list of wildcard masks in composite sources or destinations.
- Secure Access does not support composite sources or destinations that include a subnet mask with an IPv4 address.
Examples of Wildcard Masks
Wildcard Mask | Bits in IPv4 Address | Description |
---|---|---|
0.0.0.63 | 00000000 00000000 00000000 00111111 | Matches the first three octets. Matches the two leftmost bits of the last octet. Ignores the last six bits. |
0.0.0.254 | 00000000 00000000 00000000 11111110 | Matches the first three octets. Matches the rightmost bit of the last octet. Ignores the first seven bits. |
0.0.0.255 | 00000000 00000000 00000000 11111111 | Matches the first three octets. Ignores the last octet. |
Edit the Default Access Rules < Using Wildcard Masks on Access Rules > Get Started with Internet Access Rules
Updated 3 days ago