Solved: What DOESN'T 'permit IP any any' allow?

mprescher · ‎06-12-2008

A service provider customer wants to install a pair of fail-over multi-context firewalls in the least disruptive configuration (permit ip any any, inbound and outbound). Over time and according to a multi-phased plan, they will tighten the filtering, filtering that can impact many different customers.

The question is, what protocols won't pass a typical perimeter firewall with permit IP any any in place. I'm thinking of things like ESP. Any other common ones to consider?

Comments welcome.

Farrukh Haroon · ‎06-12-2008

If you have permit ip any any on both interfaces , you make the firewall a fire-router. But having said that, they really have to be careful about the inspections/fixup/ALGs performed by most commercial firewalls now. So try to run a pilot version and try to test these inspected protocols e.g. FTP, TFTP, H.323, SIP, MGCP etc. These fixups end of breaking a lot of legitimate connections. For example a Polycom product would not work with the H.323 inspection of the ASA, a Nortel phone would not work with the SIP inspection enabled etc.

Regards

Farrukh

View solution in original post

Farrukh Haroon · ‎06-12-2008

If you have permit ip any any on both interfaces , you make the firewall a fire-router. But having said that, they really have to be careful about the inspections/fixup/ALGs performed by most commercial firewalls now. So try to run a pilot version and try to test these inspected protocols e.g. FTP, TFTP, H.323, SIP, MGCP etc. These fixups end of breaking a lot of legitimate connections. For example a Polycom product would not work with the H.323 inspection of the ASA, a Nortel phone would not work with the SIP inspection enabled etc.

Regards

Farrukh

mprescher · ‎06-12-2008

Good answers. Thanks.

Are you aware of any routing protocols that do some communicating not covered by IP?

Best regards,

m.

Farrukh Haroon · ‎06-12-2008

Alexander, can you please elucidate this question a little more:

"routing protocols that do some communicating not covered by IP"

Regards

Farrukh

mprescher · ‎06-12-2008

I had some other responses from other information sources eluding to this. I'm going to guess this could perhaps be something like non-IP routing protocol security (not IPSec) used for peer validation for table exchanges or perhaps some updates.

Farrukh Haroon · ‎06-12-2008

Perhaps the old NON-IP routing protocols, things related to IPX etc.?

Regards

Farrukh

mprescher · ‎06-12-2008

Ah, yeah I suppose that's what the reference was about - that won't be an issue in my customer's case (and hopefully not for anyone else, at least on perimeter firewalls ;-}

Thanks for the responses.

m.

Richard Burts · ‎06-12-2008

Mike

The other protocol that fits the description of having its update traffic not carried in IP would be ISIS which sends its updates using CLNP (rather than IP).

HTH

Rick

HTH

Rick

mprescher · ‎06-12-2008

Sweet! Good one.

srue · ‎06-12-2008

this is from the documentation with what can go in the 'protocol' portion of the ACL:

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword. Some protocols allow further qualifiers described below.

......

so anything that is not IP/tcp/udp, you must explicitly specifiy.

this is for IOS, btw, not PIX/ASA. the ICMP part above doesn't apply to pix/asa.

....

you can use the protocol numbers or names in asa/pix:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ports.html#wpxref39421