What DOESN'T 'permit IP any any' allow?

Answered Question
Jun 12th, 2008
User Badges:

A service provider customer wants to install a pair of fail-over multi-context firewalls in the least disruptive configuration (permit ip any any, inbound and outbound). Over time and according to a multi-phased plan, they will tighten the filtering, filtering that can impact many different customers.


The question is, what protocols won't pass a typical perimeter firewall with permit IP any any in place. I'm thinking of things like ESP. Any other common ones to consider?


Comments welcome.

Correct Answer by Farrukh Haroon about 9 years 2 weeks ago

If you have permit ip any any on both interfaces , you make the firewall a fire-router. But having said that, they really have to be careful about the inspections/fixup/ALGs performed by most commercial firewalls now. So try to run a pilot version and try to test these inspected protocols e.g. FTP, TFTP, H.323, SIP, MGCP etc. These fixups end of breaking a lot of legitimate connections. For example a Polycom product would not work with the H.323 inspection of the ASA, a Nortel phone would not work with the SIP inspection enabled etc.


Regards


Farrukh

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Loading.
Correct Answer
Farrukh Haroon Thu, 06/12/2008 - 07:16
User Badges:
  • Red, 2250 points or more

If you have permit ip any any on both interfaces , you make the firewall a fire-router. But having said that, they really have to be careful about the inspections/fixup/ALGs performed by most commercial firewalls now. So try to run a pilot version and try to test these inspected protocols e.g. FTP, TFTP, H.323, SIP, MGCP etc. These fixups end of breaking a lot of legitimate connections. For example a Polycom product would not work with the H.323 inspection of the ASA, a Nortel phone would not work with the SIP inspection enabled etc.


Regards


Farrukh

mprescher Thu, 06/12/2008 - 08:26
User Badges:

Good answers. Thanks.


Are you aware of any routing protocols that do some communicating not covered by IP?


Best regards,

m.

Farrukh Haroon Thu, 06/12/2008 - 08:28
User Badges:
  • Red, 2250 points or more

Alexander, can you please elucidate this question a little more:


"routing protocols that do some communicating not covered by IP"


Regards


Farrukh

mprescher Thu, 06/12/2008 - 08:32
User Badges:

I had some other responses from other information sources eluding to this. I'm going to guess this could perhaps be something like non-IP routing protocol security (not IPSec) used for peer validation for table exchanges or perhaps some updates.

Farrukh Haroon Thu, 06/12/2008 - 08:39
User Badges:
  • Red, 2250 points or more

Perhaps the old NON-IP routing protocols, things related to IPX etc.?


Regards


Farrukh

mprescher Thu, 06/12/2008 - 08:47
User Badges:

Ah, yeah I suppose that's what the reference was about - that won't be an issue in my customer's case (and hopefully not for anyone else, at least on perimeter firewalls ;-}


Thanks for the responses.


m.

Richard Burts Thu, 06/12/2008 - 08:57
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Mike


The other protocol that fits the description of having its update traffic not carried in IP would be ISIS which sends its updates using CLNP (rather than IP).


HTH


Rick

srue Thu, 06/12/2008 - 09:48
User Badges:
  • Blue, 1500 points or more

this is from the documentation with what can go in the 'protocol' portion of the ACL:

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword. Some protocols allow further qualifiers described below.

......

so anything that is not IP/tcp/udp, you must explicitly specifiy.

this is for IOS, btw, not PIX/ASA. the ICMP part above doesn't apply to pix/asa.

....

you can use the protocol numbers or names in asa/pix:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ports.html#wpxref39421

Actions

This Discussion