Original Message:
Sent: May 02, 2024 01:22 AM
From: rebailey
Subject: Third Octet Wildcard Configuration
You should be able to achieve this by configuring a Network Alias match condition with rule-type 'network' which has supported wildcard masks for a while now. (Security > Aliases > Network Alias). You can then use the alias as a match condition in your policy.
Regarding 'permit tcp any any established', this likely isn't necessary as the session ACLs in ArubaOS are stateful - return traffic will be processed using the existing session.
Original Message:
Sent: May 01, 2024 10:01 AM
From: kurtw1
Subject: Third Octet Wildcard Configuration
I have a customer that is moving from a Cisco router connection to an Aruba SD-Branch solution. They have 300+ sites and are restricting ping access to their LAN subnet to only the LAN IP address on the router. I have to port this ACL to a 9004 gateway, but am having trouble entering the ACL line in a group level ACL to apply to all of their store GWs.
Current config on Cisco router:
permit ip any 172.33.0.253 0.0.255.0
permit ip any 172.23.0.253 0.0.255.0
permit ip any 172.16.0.253 0.0.255.0
permit ip any 172.17.0.253 0.0.255.0
When I try to enter the same on the Aruba GW using subnet mask 255.255.0.255, I get an invalid subnet response and I can't save that ACL line.
Is there a solution for this, or will I need to put in a different ACL at each store site with the exact address?
I saw where this question was asked before, but there is no definitive answer supplied.
I could also use assistance with this ACL line:
permit tcp any any established
Thanks for your help!
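As a worked illustration added to this thread (not code from either post): a small Python script, standard library only, that evaluates the Cisco wildcard entries quoted above, checks whether a mask is a contiguous CIDR-style subnet mask (a non-contiguous value such as 255.255.0.255 fails that check, which is why a subnet-mask field rejects it), and expands one wildcard line into the exact-address entries it covers. The test addresses are constructed from the ACL lines in the question.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _ip(s):
    """IPv4 dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))


def _str(n):
    """32-bit integer -> IPv4 dotted-quad string."""
    return str(ipaddress.IPv4Address(n & MASK32))


def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard match: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & MASK32
    return (_ip(addr) & care) == (_ip(base) & care)


def is_contiguous_netmask(mask):
    """True if the mask is a run of 1 bits followed by 0 bits (a valid CIDR prefix mask).
    The inverted mask is then a run of trailing 1s, i.e. inv & (inv + 1) == 0."""
    inv = ~_ip(mask) & MASK32
    return inv & (inv + 1) == 0


def wildcard_to_cidrs(base, wildcard):
    """Expand a (possibly non-contiguous) wildcard entry into equivalent CIDR prefixes.
    Each recursion pins the highest 'don't care' bit to 0 and then to 1 until the
    remaining wildcard is a trailing run of 1s, which is expressible as one prefix."""
    b, w = _ip(base), _ip(wildcard)
    if w & (w + 1) == 0:  # trailing-ones wildcard -> single prefix
        prefix = 32 - w.bit_length()
        return [str(ipaddress.IPv4Network((b & ~w & MASK32, prefix)))]
    top = 1 << (w.bit_length() - 1)
    rest = _str(w & ~top)
    return (wildcard_to_cidrs(_str(b & ~top), rest)
            + wildcard_to_cidrs(_str(b | top), rest))


if __name__ == "__main__":
    # Third-octet wildcard from the question: any 172.33.x.253 matches.
    print(wildcard_match("172.33.200.253", "172.33.0.253", "0.0.255.0"))
    print(is_contiguous_netmask("255.255.0.255"))   # the mask the gateway rejected
    print(len(wildcard_to_cidrs("172.33.0.253", "0.0.255.0")))  # exact entries needed
```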