A service provider customer wants to install a pair of fail-over multi-context firewalls in the least disruptive configuration (permit ip any any, inbound and outbound). Over time and according to a multi-phased plan, they will tighten the filtering, filtering that can impact many different customers.
The question is, what protocols won't pass a typical perimeter firewall with permit IP any any in place. I'm thinking of things like ESP. Any other common ones to consider?
If you have permit ip any any on both interfaces , you make the firewall a fire-router. But having said that, they really have to be careful about the inspections/fixup/ALGs performed by most commercial firewalls now. So try to run a pilot version and try to test these inspected protocols e.g. FTP, TFTP, H.323, SIP, MGCP etc. These fixups end of breaking a lot of legitimate connections. For example a Polycom product would not work with the H.323 inspection of the ASA, a Nortel phone would not work with the SIP inspection enabled etc.