ports passed thru the any any command?

Unanswered Question
Aug 18th, 2008

-use the access-list permit tcp any any

That's what the security consultant told me to put at the end of the access-list and from there find out what are the ports used and convert it to specific access-list.

QUESTION: how to find the ports passed thru the any any command?




That command overrides the deny any any rule applied to all access-lists.

You could also have:-

access-list deny tcp any any log

Then when you test whatever you are testing, you will see the specific tcp src & dst port numbers in question.

You could also use what the consultant advised, with the log comment on the end, but while you are testing - this comment allows ALL traffic....so say you apply this config to the outside interface, for the period of testing - your firewall is just a pass-thru device, leaving you open to attack.


cfajardo1_2 Tue, 08/19/2008 - 02:01

That's exactly the purpose. It will match the any any at the end of the access-list and from that, we wanted to see what are the ports that passed thru and define it explicitly..once all is explicitly defined then only we can remove the any any..we don't want to block any coz it's on production...

Farrukh Haroon Mon, 08/18/2008 - 11:11

There are two easy ways to do this. Get a full/trial version of fireplotter (fireplotter.com) and then analyze the traffic flow. It really is a wonderful software.

Otherwise get a syslog analysis tool like Sawmill and analyze the firewall's syslogs using it. Doing this manually will kill you basically :) The Cisco firewall generates a lot of logs! Or you can use a free syslog server (preferably UNIX) and 'grep' the right data out of it.
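As an added example (not code from the thread or from any of the posters), here is the "grep the right data out of the syslog" step from the two replies above done in Python: it reads the %ASA-6-106100 lines that the "log" keyword on the catch-all ACE produces, sums the hit counts per protocol/destination/port, and renders explicit ACEs from what was actually seen. The log lines, the access-list name outside_in and the addresses are constructed for the example; the parser only handles the tcp/udp port form of 106100, not the ICMP type/code form.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). They follow the ASA
# %ASA-6-106100 message that a "log" keyword on an ACE produces, plus one
# unrelated 302013 connection message that the parser must skip.
SAMPLE_LOGS = """\
%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.7(51234) -> inside/10.0.0.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.9(40211) -> inside/10.0.0.5(443) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.4(33333) -> inside/10.0.0.8(25) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]
%ASA-6-106100: access-list outside_in permitted udp outside/203.0.113.4(53) -> inside/10.0.0.8(53) hit-cnt 1 first hit [0x1a2b3c4f, 0x0]
%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.77(60000) -> inside/10.0.0.8(23) hit-cnt 1 first hit [0x1a2b3c50, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# Fields of the tcp/udp form of the 106100 message:
#   access-list <acl> <action> <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n> ...
LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<sif>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_line(line):
    """Parse one 106100 line into a dict; return None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def summarize(text, acl, action="permitted"):
    """Sum hit-cnt per (protocol, destination host, destination port) for one
    access-list name and action. With action="permitted" this is exactly the
    traffic the catch-all ACE let through during the observation window."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["acl"] == acl and rec["action"] == action:
            totals[(rec["proto"], rec["dst"], rec["dport"])] += rec["hits"]
    return totals


def propose_aces(totals, acl):
    """Render one explicit ACE per observed flow, busiest first, each preceded
    by an 'access-list ... remark' line recording the hit count it is based on.
    'eq <port>' only makes sense for tcp/udp, which is all 106100 port lines carry."""
    out = []
    for (proto, dst, dport), hits in totals.most_common():
        out.append(f"access-list {acl} remark {hits} hits observed to {dst} {proto}/{dport}")
        out.append(f"access-list {acl} extended permit {proto} any host {dst} eq {dport}")
    return out


if __name__ == "__main__":
    observed = summarize(SAMPLE_LOGS, "outside_in")
    print("\n".join(propose_aces(observed, "outside_in")))
```

The denied line and the 302013 connection message are ignored by summarize(), so only what the permit entry really passed ends up in the proposed ACEs; the source side is left as "any" and should be tightened by hand where the observed sources are known. Run it against a real syslog file with `summarize(open(path).read(), "<your acl name>")`.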



cfajardo1_2 Tue, 08/19/2008 - 02:06

Already ran some software and already gathered almost all needed. We are in the process of filtering and it's on production..because of that we want to put the any any so the legitimate traffic won't be blocked in the process.

From the permit any any, we wanted to dig into the traffic match and explicitly define it on the ACE. How to dig into it is just the issue here.

