6-75
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Understanding Networks/Hosts Objects
Networks/Hosts group objects make it easier to manage scalable policies. By using the associative
capabilities of Networks/Hosts objects, you can expand your policies along with your network. For
example, when you make changes to the list of addresses contained in a Networks/Hosts object, the
changes propagate to all other Networks/Hosts objects, and to policies that refer to that Networks/Hosts
object.
The host, network, and address range objects have special uses when used in policies for an ASA 8.3+
device. On these devices, you can configure object NAT rules in the policy object itself. If you use the
object on other types of devices, this NAT configuration is ignored.
The following topics describe how to work with Networks/Hosts objects:
Contiguous and Discontiguous Network Masks for IPv4 Addresses, page 6-75
Creating Networks/Hosts Objects, page 6-76
Using Unspecified Networks/Hosts Objects, page 6-80
Specifying IP Addresses During Policy Definition, page 6-81
Contiguous and Discontiguous Network Masks for IPv4 Addresses
A network mask determines which portion of an IPv4 address identifies the network and which portion
identifies the host. Like the IP address, the mask is represented by four octets. (An octet is an 8-bit binary
number equivalent to a decimal number in the range 0-255.) If a given bit of the mask is 1, the
corresponding bit of the IP address is in the network portion of the address, and if a given bit of the mask
is 0, the corresponding bit of the IP address is in the host portion.
Standard, or contiguous, network masks start with zero or more 1s followed by zero or more 0s. This
kind of network mask is considered contiguous because it represents a network that consists of a
contiguous IP address range. For example, the network 192.168.1.0/255.255.255.0 contains all the IP
addresses ranging from 192.168.1.0 to 192.168.1.255.
The following table shows different methods of representing commonly used standard network masks:
Table 6-29 Standard Network Masks
Dotted Decimal Notation          Classless Inter-Domain Routing (CIDR) Notation
255.0.0.0                        /8
255.255.0.0                      /16
255.255.255.0                    /24
255.255.255.255                  /32
For example, 255.255.255.0 indicates that the first three octets of the IP address (24 bits or /24 in CIDR
notation) are made up of ones and identify the network; the last octet is made up of zeros and identifies
the host.
Discontiguous Network Masks
Nonstandard, or discontiguous, network masks are masks that do not conform to the contiguous format.
For example, 10.0.1.1/255.0.255.255 indicates that you want to match an address that matches octets 1,
3, and 4 exactly, but any value in octet 2 is accepted.
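The following Python helpers are an added illustration of the mask rules described in the two sections above; they are not part of the Cisco guide or of Security Manager. They test whether a mask is contiguous, derive the CIDR prefix length for a standard mask, compute the address range a contiguous network/mask pair covers, and apply bitwise matching so that a discontiguous mask such as 255.0.255.255 behaves as the text describes. All function names are my own.

```python
"""Helpers for contiguous and discontiguous IPv4 network masks (added example)."""
from typing import Tuple


def parse_ipv4(text: str) -> int:
    """Convert dotted-decimal notation (four octets, 0-255 each) to a 32-bit integer."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 value: {text!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | n
    return value


def format_ipv4(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_contiguous(mask: str) -> bool:
    """A standard mask is zero or more 1 bits followed by zero or more 0 bits."""
    m = parse_ipv4(mask)
    # Inverting a contiguous mask within 32 bits yields 0...01...1, which is one
    # less than a power of two; any 0 bit followed by a 1 bit breaks that property.
    inverted = ~m & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def cidr_prefix(mask: str) -> int:
    """Prefix length for a contiguous mask (255.255.255.0 -> 24)."""
    if not is_contiguous(mask):
        raise ValueError(f"{mask} is discontiguous and has no CIDR prefix length")
    return bin(parse_ipv4(mask)).count("1")


def address_range(network: str, mask: str) -> Tuple[str, str]:
    """First and last address covered by a contiguous network/mask pair."""
    if not is_contiguous(mask):
        raise ValueError(f"{mask} is discontiguous; it does not describe one range")
    m = parse_ipv4(mask)
    first = parse_ipv4(network) & m
    last = first | (~m & 0xFFFFFFFF)
    return format_ipv4(first), format_ipv4(last)


def matches(address: str, pattern: str, mask: str) -> bool:
    """True when address agrees with pattern on every bit where the mask is 1."""
    m = parse_ipv4(mask)
    return (parse_ipv4(address) & m) == (parse_ipv4(pattern) & m)
```

With the guide's own examples, `address_range("192.168.1.0", "255.255.255.0")` yields 192.168.1.0 through 192.168.1.255, and `matches("10.7.1.1", "10.0.1.1", "255.0.255.255")` is true because only octet 2 differs.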