What DOESN'T 'permit IP any any' allow?

Answered Question
Jun 12th, 2008

A service provider customer wants to install a pair of fail-over multi-context firewalls in the least disruptive configuration (permit ip any any, inbound and outbound). Over time and according to a multi-phased plan, they will tighten the filtering, filtering that can impact many different customers.


The question is, what protocols won't pass a typical perimeter firewall with permit IP any any in place. I'm thinking of things like ESP. Any other common ones to consider?


Comments welcome.

Correct Answer by Farrukh Haroon about 8 years 8 months ago

If you have permit ip any any on both interfaces , you make the firewall a fire-router. But having said that, they really have to be careful about the inspections/fixup/ALGs performed by most commercial firewalls now. So try to run a pilot version and try to test these inspected protocols e.g. FTP, TFTP, H.323, SIP, MGCP etc. These fixups end of breaking a lot of legitimate connections. For example a Polycom product would not work with the H.323 inspection of the ASA, a Nortel phone would not work with the SIP inspection enabled etc.


Regards


Farrukh

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Loading.
Correct Answer
Farrukh Haroon Thu, 06/12/2008 - 07:16

If you have permit ip any any on both interfaces , you make the firewall a fire-router. But having said that, they really have to be careful about the inspections/fixup/ALGs performed by most commercial firewalls now. So try to run a pilot version and try to test these inspected protocols e.g. FTP, TFTP, H.323, SIP, MGCP etc. These fixups end of breaking a lot of legitimate connections. For example a Polycom product would not work with the H.323 inspection of the ASA, a Nortel phone would not work with the SIP inspection enabled etc.


Regards


Farrukh

mprescher Thu, 06/12/2008 - 08:26

Good answers. Thanks.


Are you aware of any routing protocols that do some communicating not covered by IP?


Best regards,

m.

Farrukh Haroon Thu, 06/12/2008 - 08:28

Alexander, can you please elucidate this question a little more:


"routing protocols that do some communicating not covered by IP"


Regards


Farrukh

mprescher Thu, 06/12/2008 - 08:32

I had some other responses from other information sources eluding to this. I'm going to guess this could perhaps be something like non-IP routing protocol security (not IPSec) used for peer validation for table exchanges or perhaps some updates.

Farrukh Haroon Thu, 06/12/2008 - 08:39

Perhaps the old NON-IP routing protocols, things related to IPX etc.?


Regards


Farrukh

mprescher Thu, 06/12/2008 - 08:47

Ah, yeah I suppose that's what the reference was about - that won't be an issue in my customer's case (and hopefully not for anyone else, at least on perimeter firewalls ;-}


Thanks for the responses.


m.

Richard Burts Thu, 06/12/2008 - 08:57

Mike


The other protocol that fits the description of having its update traffic not carried in IP would be ISIS which sends its updates using CLNP (rather than IP).


HTH


Rick

srue Thu, 06/12/2008 - 09:48

this is from the documentation with what can go in the 'protocol' portion of the ACL:

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword. Some protocols allow further qualifiers described below.

......

so anything that is not IP/tcp/udp, you must explicitly specifiy.

this is for IOS, btw, not PIX/ASA. the ICMP part above doesn't apply to pix/asa.

....

you can use the protocol numbers or names in asa/pix:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ports.html#wpxref39421

Actions

This Discussion