ACLs on Cisco devices – Part two | Understanding Wildcard Masks


Added by Mark Jacob, May 16, 2014

This is part 2 of understanding ACLs on Cisco Devices. In part 1, ACLs on Cisco devices-introduction, I covered the NAT ACL sequence.

If you have read the initial blog in this ACL sequence, then you are no doubt primed to start seeing the ‘meat’ of the matter – that is, what to type.  As a reminder, the introductory blog indicated that the main function of an ACL is to identify traffic.  Once you have identified the interesting traffic, you decide what to do with it.  So let’s take a look at that piece….

One very common use of a standard ACL is to identify which traffic on an internal LAN is permitted to be NATed to the outside world.  Let’s look at a sample environment:


  • In the figure above, the addresses that need to be permitted by a standard ACL are the /24 addresses

To fully understand the syntax of ACLs, we must first review another topic – that of wildcard masks.  This is because a portion of the command consists of just such a mask.  Let’s cover that part first.  Many networking people refer to a wildcard mask as an inverse subnet mask.  While this may be an oversimplification, it does help figure out what wildcard mask to use.  Let’s look at one and analyze it.

A wildcard mask is composed of 32 bits, like an IPv4 address or subnet mask.  The bits are either 0s or 1s, with 0 meaning ‘look at this’ and 1 meaning ‘ignore this’ or ‘don’t care.’  My memory aid on this concept is to imagine the 0s as eyeballs, like this:


I imagine a wildcard mask as sitting above a hallway watching what passes through.  Once again, the eyeballs (the 0s) mean ‘watch this bit,’ while the 1s mean ‘ignore this bit.’  Let’s see that with actual numbers.

Let’s say I have a network with this address:  If I wanted a wildcard that would watch the third octet, the 10, that 3rd octet would look like this


A wildcard mask of all 0s (in the above example, the given all 0s wildcard mask is in octet 3) means watch these bits – they aren’t allowed to change.  This means that if an IP network tried to go through our hallway with the address, (looking ONLY at octet 3) it would match.  The network address of would not match, because the eyeballs (the 0s) are looking at EACH bit in octet 3.  Let’s see a wildcard mask with a bit more complexity.


This wildcard mask is neither 0 nor 255.  So what now?  Well, the 0s still mean ‘look at’ and the 1s still mean ‘ignore.’  Interpretation?  The 0s are watching the first four bits of the address below.  Those numbers equal 144 in decimal.  The rest of the wildcard mask is composed of 1s.  That means ‘I don’t care.’

Watch what happens to the green numbers in Figure 2 as the red numbers aren’t allowed to change:


The green numbers roll through all possible combinations that binary numbers will allow.  Let’s say the numbers we are examining here were in the third octet, for example, of some given network information.  In that case, note what this wildcard mask allows us to do.  Let’s pick an arbitrary network ID: /24.  The wildcard mask shown above would allow me to match all the networks from through, because those network IDs are matched by that mask.

Earlier I mentioned that some people refer to a wildcard mask as an inverse subnet mask.  Let’s see why that is the case.  Think about what subnet mask would be needed to match the above scenario where the network bits progress 4 bits into the third octet.  This would be a mask of  A quick way to determine the matching wildcard mask is to subtract the subnet mask from all 255s, like so:


This wildcard mask,, will match all the addresses (in the 3rd octet) shown in Figure 2 above. 

Now let’s turn our attention back to our original objective.  We wanted to create an access list that permits certain addresses to be NATed.  The pre-translation addresses are /24.  Let’s create a standard list that permits those addresses:

(config) access-list 1 permit

This wildcard mask says look at the 172, the 20, and the 1.  The last octet, which has a wildcard mask of 255 (all 1s in binary) says I don’t care what is in the last octet of the IP address.  If you imagine this access list as a bouncer in the router, this scene might occur:  Along comes Host1 from Figure 1.  Let’s say its IP address is /24.  The NAT bouncer will look at his list and say to Host1, “Does your IP address start with 172.20.1?”  Of course, Host1 will respond in the affirmative.  The bouncer (access list) will then allow the host to pass through the NAT process.
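The matching rule described above (0 = watch this bit, 1 = ignore it) can be checked in a few lines of Python before an entry goes on a router. This is an added example, not code from the original post: the 144 third octet and its four watched bits come from the text, while the 10.0.x.x network, the host addresses, the entry written out as 172.20.1.0 0.0.0.255, and the 0.0.0.254 mask are constructed for illustration. It also goes one step further than the post by flagging wildcards that are not the inverse of any subnet mask, which is where the ‘inverse subnet mask’ shortcut stops working.

```python
import ipaddress


def wildcard_from_netmask(netmask: str) -> str:
    """Subtract each subnet-mask octet from 255 to get the wildcard mask."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))


def acl_match(address: str, base: str, wildcard: str) -> bool:
    """True when address equals base on every bit where the wildcard is 0."""
    addr = int(ipaddress.IPv4Address(address))
    ref = int(ipaddress.IPv4Address(base))
    # Invert the wildcard: watched bits (the 0s) become 1s in 'care'.
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (addr ^ ref) & care == 0


def matched_octet_values(base_octet: int, wildcard_octet: int) -> list:
    """Every value of a single octet that the wildcard octet lets through."""
    care = ~wildcard_octet & 0xFF
    return [v for v in range(256) if (v ^ base_octet) & care == 0]


def is_inverse_subnet_mask(wildcard: str) -> bool:
    """True when the wildcard's 1s form one unbroken run on the right,
    i.e. it is exactly 255.255.255.255 minus some valid subnet mask."""
    w = int(ipaddress.IPv4Address(wildcard))
    return w & (w + 1) == 0


if __name__ == "__main__":
    # Third-octet case from the text: four watched bits, base value 144.
    print(wildcard_from_netmask("255.255.240.0"))
    print(matched_octet_values(144, 15))

    # NAT entry as described: watch 172, 20 and 1, ignore the last octet.
    for host in ("172.20.1.25", "172.20.2.25"):  # constructed hosts
        print(host, acl_match(host, "172.20.1.0", "0.0.0.255"))

    # Constructed non-contiguous wildcard: matches only even last octets.
    print(is_inverse_subnet_mask("0.0.0.254"))
    print(acl_match("172.20.1.4", "172.20.1.0", "0.0.0.254"))
    print(acl_match("172.20.1.5", "172.20.1.0", "0.0.0.254"))
```

Running the match function against addresses that should be denied, as well as ones that should be permitted, catches a wildcard that is wider than intended before it is applied.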

We have just created a simple standard numbered access list which, when associated with the ip nat command, will allow selected IP addresses to be NATed.

Just in case you want to see the entire NAT (PAT, in this case) configuration, here it is:

For more complete coverage of NAT, see my previous blog.

The next blog entry in this series will progress to extended access lists which have far more granularity of control than do standard access lists.  See you next time…

Mark Jacob
Cisco Instructor – Interface Technical Training
Phoenix, AZ
