Subnet Masks
Overview
The ip address commands specify addresses for the inside and outside network interfaces.
The inside interface is a Class A address, but only the last octet is used in the example network, and it therefore has a Class C mask. The outside interface is part of a subnet, so the mask reflects the .224 subnet value.
The nat command lets users start connections from the inside network. Because a network address is specified, the class mask specified by the ip address inside command is used.
The global command provides a PAT (Port Address Translation) address to handle the translated connections from the inside. The global address is also part of the subnet and contains the same mask specified in the ip address outside command.
The static command maps an inside host to a global address for access by outside users. Host masks are always specified as 255.255.255.255.
The access-list command permits any outside host to access the global address specified by the static command. The host parameter is the same as if you specified 209.165.201.3 255.255.255.255.
The aaa command indicates that any users wishing to access the global address must be authenticated. Because authentication only occurs when users access the specified global address, which is mapped to a host, the mask is for a host. The "0 0" entry indicates any host and its respective mask.
The route statement specifies the address of the default router. The "0 0" entry indicates any host and its respective mask.
The telnet command specifies a host that can access the firewall unit's console using Telnet. Because it is a single host, a host mask is used.
If you are using subnet masks, refer to "Using Subnet Masks," to be sure that each IP address you choose for global or static addresses is in the correct subnet.
The subnet masks are also identified by the number of bits in the mask. Table D-3 lists subnet masks by the number of bits in the network ID.
Table D-3: Masks Listed by Number of Bits

Network ID Bits  Host ID Bits  Subnet Example  Notation        # of Subnets  # of Hosts on Each Subnet
24               8             .0              192.168.1.1/24  1             254
25               7             .128            192.168.1.1/25  2             126
26               6             .192            192.168.1.1/26  4             62
27               5             .224            192.168.1.1/27  8             30
28               4             .240            192.168.1.1/28  16            14
29               3             .248            192.168.1.1/29  32            6
30               2             .252            192.168.1.1/30  64            2
The .255 mask indicates a single host in a network.
Uses for Subnet Information
Use subnet information to ensure that the host addresses are in the same subnet and that you are not accidentally using a network or broadcast address for a host.
The network address provides a way to reference all the addresses in a subnet, which you can use in the global, outbound, and static commands. For example, you can use the following net static statement to map global addresses 192.168.1.65 through 192.168.1.126 to local addresses 192.168.2.65 through 192.168.2.126:

static (dmz1,dmz2) 192.168.1.64 192.168.2.64 netmask 255.255.255.192
Subnet mask information is especially valuable when you have disabled Network Address Translation (NAT) using the nat 0 command. The firewall requires that IP addresses on each interface be in different subnets.
However, all the hosts on a firewall interface between the firewall and the router must be in the same subnet as well. For example, if you have an address such as 192.168.17.0 and you are not using NAT, you could use the 255.255.255.192 subnet mask for all three interfaces and use addresses 192.168.17.1 through 192.168.17.62 for the outside interface, 192.168.17.65 through 192.168.17.126 for the perimeter interface, and 192.168.17.129 through 192.168.17.190 for the inside interface.
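The checks this section describes can be carried out mechanically. The following is an added example, not code from the appendix or from the firewall software: it uses only Python's standard ipaddress module, the function names are my own, and the addresses are the ones the appendix uses in its net static and three-interface examples. It validates that an address is a usable host (neither network nor broadcast), that two addresses share a subnet, applies the host-bit-preserving translation a net static performs, and verifies that a per-interface address plan keeps every interface in its own subnet.

```python
"""Subnet checks for firewall address planning (added example)."""
import ipaddress


def is_valid_host(addr: str, netmask: str) -> bool:
    """True if addr may be assigned to a host under netmask: it is neither
    the network address nor the broadcast address of its subnet. A host
    mask (255.255.255.255) always names a single host and is accepted."""
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    if net.prefixlen == 32:
        return True
    ip = ipaddress.IPv4Address(addr)
    return net.network_address < ip < net.broadcast_address


def same_subnet(addr_a: str, addr_b: str, netmask: str) -> bool:
    """True if both addresses fall in the same subnet under netmask."""
    net_a = ipaddress.IPv4Network(f"{addr_a}/{netmask}", strict=False)
    net_b = ipaddress.IPv4Network(f"{addr_b}/{netmask}", strict=False)
    return net_a == net_b


def net_static_translate(local_addr: str, local_net: str,
                         global_net: str, netmask: str) -> str:
    """Address a net static maps local_addr to: the host bits of local_addr
    are kept and the network bits are replaced by those of global_net.
    With global_net=192.168.1.64, local_net=192.168.2.64 and the
    255.255.255.192 mask this mirrors the appendix's static statement.
    Raises ValueError for an address outside the local network, which the
    static would not translate."""
    mask = int(ipaddress.IPv4Address(netmask))
    local = int(ipaddress.IPv4Address(local_addr))
    if local & mask != int(ipaddress.IPv4Address(local_net)) & mask:
        raise ValueError(f"{local_addr} is not in {local_net} netmask {netmask}")
    host_bits = local & (~mask & 0xFFFFFFFF)
    global_bits = int(ipaddress.IPv4Address(global_net)) & mask
    return str(ipaddress.IPv4Address(global_bits | host_bits))


def check_interface_plan(plan, netmask: str) -> dict:
    """Validate a per-interface host range plan such as the appendix's
    192.168.17.0 example with the 255.255.255.192 mask.

    plan: iterable of (interface_name, first_host, last_host).
    Returns {interface_name: subnet} on success. Raises ValueError if a
    range starts or ends on a network or broadcast address, if it spans
    two subnets, or if two interfaces share a subnet (the firewall
    requires each interface to be in a different subnet)."""
    assigned = {}
    for name, first, last in plan:
        for addr in (first, last):
            if not is_valid_host(addr, netmask):
                raise ValueError(f"{name}: {addr} is a network or broadcast address")
        if not same_subnet(first, last, netmask):
            raise ValueError(f"{name}: {first}-{last} crosses a subnet boundary")
        subnet = str(ipaddress.IPv4Network(f"{first}/{netmask}", strict=False))
        if subnet in assigned.values():
            raise ValueError(f"{name}: subnet {subnet} is already used")
        assigned[name] = subnet
    return assigned


if __name__ == "__main__":
    # Appendix examples: the net static mapping and the three-interface plan.
    print(net_static_translate("192.168.2.65", "192.168.2.64",
                               "192.168.1.64", "255.255.255.192"))
    print(check_interface_plan(
        [("outside", "192.168.17.1", "192.168.17.62"),
         ("perimeter", "192.168.17.65", "192.168.17.126"),
         ("inside", "192.168.17.129", "192.168.17.190")],
        "255.255.255.192"))
```

A plan that ends the outside range at 192.168.17.63 (the broadcast address of the .0 subnet) or that assigns two interfaces to the same /26 is rejected before any address reaches a configuration.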
With Limited IP Addresses
Another use for subnet mask information is for network planning when an Internet service provider (ISP) gives you a limited number of IP addresses and requires you to use a specific subnet mask. Use the information in this appendix to ensure that the outside addresses you choose are in the subnet for the appropriate subnet mask.
For example, if the ISP assigns you 192.168.17.176 with a subnet mask of .240, you can see in Table D-7, Subnet Number 12 for the .240 mask, that hosts can have IP addresses of 192.168.17.177 through 192.168.17.190. Because this only yields 14 hosts, you will probably use one for the router, another for the outside interface of the firewall, one for a static for a web server, if you have it, one for a static for the mail server, and the remaining 10 for global addresses. One of these addresses should be a PAT (Port Address Translation) address so that you do not run out of global addresses.
Addresses in the .128 Mask
Table D-4 lists valid addresses for the .128 subnet mask. This mask permits up to 2 subnets with enough host addresses for 126 hosts per subnet.
Table D-4: .128 Network Mask Addresses

Subnet Number  Network Address  Starting Host Address  Ending Host Address  Broadcast Address
1              .0               .1                     .126                 .127
2              .128             .129                   .254                 .255
Addresses in the .192 Mask
Table D-5 lists valid addresses for the .192 subnet mask. This mask permits up to 4 subnets with enough host addresses for 62 hosts per subnet.
Table D-5: .192 Network Mask Addresses

Subnet Number  Network Address  Starting Host Address  Ending Host Address  Broadcast Address
1              .0               .1                     .62                  .63
2              .64              .65                    .126                 .127
3              .128             .129                   .190                 .191
4              .192             .193                   .254                 .255
Addresses in the .224 Mask
Table D-6 lists valid addresses for the .224 subnet mask. This mask permits up to 8 subnets with enough host addresses for 30 hosts per subnet.
Table D-6: .224 Network Mask Addresses

Subnet Number  Network Address  Starting Host Address  Ending Host Address  Broadcast Address
1              .0               .1                     .30                  .31
2              .32              .33                    .62                  .63
3              .64              .65                    .94                  .95
4              .96              .97                    .126                 .127
5              .128             .129                   .158                 .159
6              .160             .161                   .190                 .191
7              .192             .193                   .222                 .223
8              .224             .225                   .254                 .255
Addresses in the .240 Mask
Table D-7 lists valid addresses for the .240 subnet mask. This mask permits up to 16 subnets with enough host addresses for 14 hosts per subnet.
Table D-7: .240 Network Mask Addresses

Subnet Number  Network Address  Starting Host Address  Ending Host Address  Broadcast Address
1              .0               .1                     .14                  .15
2              .16              .17                    .30                  .31
3              .32              .33                    .46                  .47
4              .48              .49                    .62                  .63
5              .64              .65                    .78                  .79
6              .80              .81                    .94                  .95
7              .96              .97                    .110                 .111
8              .112             .113                   .126                 .127
9              .128             .129                   .142                 .143
10             .144             .145                   .158                 .159
11             .160             .161                   .174                 .175
12             .176             .177                   .190                 .191
13             .192             .193                   .206                 .207
14             .208             .209                   .222                 .223
15             .224             .225                   .238                 .239
16             .240             .241                   .254                 .255
Addresses in the .248 Mask
Table D-8 lists valid addresses for the .248 subnet mask. This mask permits up to 32 subnets with enough host addresses for 6 hosts per subnet.
Table D-8: .248 Network Mask Addresses

Subnet Number  Network Address  Starting Host Address  Ending Host Address  Broadcast Address
1              .0               .1                     .6                   .7
2              .8               .9                     .14                  .15
3              .16              .17                    .22                  .23
4              .24              .25                    .30                  .31
5              .32              .33                    .38                  .39
6              .40              .41                    .46                  .47
7              .48              .49                    .54                  .55
8              .56              .57                    .62                  .63
9              .64              .65                    .70                  .71
10             .72              .73                    .78                  .79
11             .80              .81                    .86                  .87
12             .88              .89                    .94                  .95
13             .96              .97                    .102                 .103
14             .104             .105                   .110                 .111
15             .112             .113                   .118                 .119
16             .120             .121                   .126                 .127
17             .128             .129                   .134                 .135
18             .136             .137                   .142                 .143
19             .144             .145                   .150                 .151
20             .152             .153                   .158                 .159
21             .160             .161                   .166                 .167
22             .168             .169                   .174                 .175
23             .176             .177                   .182                 .183
24             .184             .185                   .190                 .191
25             .192             .193                   .198                 .199
26             .200             .201                   .206                 .207
27             .208             .209                   .214                 .215
28             .216             .217                   .222                 .223
29             .224             .225                   .230                 .231
30             .232             .233                   .238                 .239
31             .240             .241                   .246                 .247
32             .248             .249                   .254                 .255
Addresses in the .252 Mask
Table D-9 lists valid addresses for the .252 subnet mask. This mask permits up to 64 subnets with enough host addresses for 2 hosts per subnet.
Table D-9: .252 Network Mask Addresses

Subnet Number  Network Address  Starting Host Address  Ending Host Address  Broadcast Address
1              .0               .1                     .2                   .3
2              .4               .5                     .6                   .7
3              .8               .9                     .10                  .11
4              .12              .13                    .14                  .15
5              .16              .17                    .18                  .19
6              .20              .21                    .22                  .23
7              .24              .25                    .26                  .27
8              .28              .29                    .30                  .31
9              .32              .33                    .34                  .35
10             .36              .37                    .38                  .39
11             .40              .41                    .42                  .43
12             .44              .45                    .46                  .47
13             .48              .49                    .50                  .51
14             .52              .53                    .54                  .55
15             .56              .57                    .58                  .59
16             .60              .61                    .62                  .63
17             .64              .65                    .66                  .67
18             .68              .69                    .70                  .71
19             .72              .73                    .74                  .75
20             .76              .77                    .78                  .79
21             .80              .81                    .82                  .83
22             .84              .85                    .86                  .87
23             .88              .89                    .90                  .91
24             .92              .93                    .94                  .95
25             .96              .97                    .98                  .99
26             .100             .101                   .102                 .103
27             .104             .105                   .106                 .107
28             .108             .109                   .110                 .111
29             .112             .113                   .114                 .115
30             .116             .117                   .118                 .119
31             .120             .121                   .122                 .123
32             .124             .125                   .126                 .127
33             .128             .129                   .130                 .131
34             .132             .133                   .134                 .135
35             .136             .137                   .138                 .139
36             .140             .141                   .142                 .143
37             .144             .145                   .146                 .147
38             .148             .149                   .150                 .151
39             .152             .153                   .154                 .155
40             .156             .157                   .158                 .159
41             .160             .161                   .162                 .163
42             .164             .165                   .166                 .167
43             .168             .169                   .170                 .171
44             .172             .173                   .174                 .175
45             .176             .177                   .178                 .179
46             .180             .181                   .182                 .183
47             .184             .185                   .186                 .187
48             .188             .189                   .190                 .191
49             .192             .193                   .194                 .195
50             .196             .197                   .198                 .199
51             .200             .201                   .202                 .203
52             .204             .205                   .206                 .207
53             .208             .209                   .210                 .211
54             .212             .213                   .214                 .215
55             .216             .217                   .218                 .219
56             .220             .221                   .222                 .223
57             .224             .225                   .226                 .227
58             .228             .229                   .230                 .231
59             .232             .233                   .234                 .235
60             .236             .237                   .238                 .239
61             .240             .241                   .242                 .243
62             .244             .245                   .246                 .247
63             .248             .249                   .250                 .251
64             .252             .253                   .254                 .255
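Tables D-3 through D-9 above, and the Table D-7 lookup in the "With Limited IP Addresses" section (192.168.17.176 with the .240 mask landing in Subnet Number 12 with hosts .177 through .190), all follow from the same arithmetic. The following is an added example, not code from the appendix or the firewall software; it uses only Python's standard ipaddress module, the function names are my own, and the mask list and example address come from the appendix. It generalizes the printed tables to any mask and any /24, and returns the row an address falls in, so a chosen outside address can be checked against its subnet's host range instead of read off a table.

```python
"""Generate the appendix's subnet tables and look an address up in them
(added example)."""
import ipaddress

# The masks tabulated in Tables D-3 through D-9.
MASKS = ["255.255.255.0", "255.255.255.128", "255.255.255.192",
         "255.255.255.224", "255.255.255.240", "255.255.255.248",
         "255.255.255.252"]


def prefix_length(netmask: str) -> int:
    """Number of network ID bits in a dotted-decimal mask (e.g. .224 -> 27)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def mask_summary(netmask: str) -> dict:
    """One row of Table D-3 for a mask that subnets a single Class C (/24)
    network: bit counts, number of subnets and usable hosts per subnet."""
    bits = prefix_length(netmask)
    host_bits = 32 - bits
    return {"network_id_bits": bits, "host_id_bits": host_bits,
            "subnets": 2 ** (bits - 24), "hosts_per_subnet": 2 ** host_bits - 2}


def subnet_table(class_c: str, netmask: str) -> list:
    """Rows in the style of Tables D-4 to D-9 for the /24 containing
    class_c: subnet number, network, first host, last host, broadcast."""
    base = ipaddress.IPv4Network(f"{class_c}/24", strict=False)
    rows = []
    for number, sub in enumerate(base.subnets(new_prefix=prefix_length(netmask)), start=1):
        net = int(sub.network_address)
        bcast = int(sub.broadcast_address)
        rows.append({"subnet": number,
                     "network": str(sub.network_address),
                     "first_host": str(ipaddress.IPv4Address(net + 1)),
                     "last_host": str(ipaddress.IPv4Address(bcast - 1)),
                     "broadcast": str(sub.broadcast_address)})
    return rows


def locate(addr: str, netmask: str) -> dict:
    """The table row (subnet number within its /24 and host range) that
    addr falls in; the Table D-7 lookup for 192.168.17.176 with .240."""
    ip = ipaddress.IPv4Address(addr)
    for row in subnet_table(addr, netmask):
        if ipaddress.IPv4Address(row["network"]) <= ip <= ipaddress.IPv4Address(row["broadcast"]):
            return row
    raise ValueError(f"{addr} not found")  # unreachable for a valid IPv4 address


def last_octet(addr: str) -> str:
    """Render an address the way the tables do, as its last octet only."""
    return "." + addr.rsplit(".", 1)[1]


if __name__ == "__main__":
    for mask in MASKS:
        print(last_octet(mask), mask_summary(mask))          # Table D-3
    for mask in MASKS[1:]:                                    # Tables D-4 to D-9
        print(f"\n{last_octet(mask)} Network Mask Addresses")
        for row in subnet_table("192.168.1.0", mask):
            print(row["subnet"], *(last_octet(row[k]) for k in
                                   ("network", "first_host", "last_host", "broadcast")))
    print("\nISP example:", locate("192.168.17.176", "255.255.255.240"))
```

Running the script prints the same rows as the tables above; the final line reports subnet 12 of 192.168.17.0 with hosts 192.168.17.177 through 192.168.17.190 and broadcast 192.168.17.191, the 14-host block the ISP example budgets for router, outside interface, statics and globals.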