Removing "permit ip any any" rule

Unanswered Question
Oct 22nd, 2008

Hi All,

Good day.

There are "permit ip any any" rules implemented in my cisco pix firewall by the previous administrator.

There are more than 5000 users accessing hundreds of servers behind this firewall and no proper change management system to track the implemented changes.

Kindly advise what would be the best way to rectify this problem.

One idea I have is to run tcpdump to gather all the User IPs and services they are accessing and later verify if those access are valid access or not.

But I believe this method is very time consuming.

Kindly advise if there are other methods to rectify this problem without contacting the clients first?

Thanks in advance.


ray_stone Wed, 10/22/2008 - 02:32

Hi, here I would advise you to first see what your org requirement is. Suppose a few users want to access only the internet and a few users need access to the outside servers or any other services; then my advice is to kindly divide your network into VLANs as per user department and give them access only to those ports from inside to outside which are required by the users, and restrict the other ports.

2) Second, make a configuration document without making any changes and take a backup of the start-conf file, then you can roll back if something wrong happens.


jsteffensen Wed, 10/22/2008 - 04:09

Hi Bala

I've experienced similar situations quite some times when installing new, or replacing old, undocumented firewalls... it isn't funny at all.

What I have done until now is to create the different access rules for the "known-to-be" or "guessed-to-be" required traffic pattern.

And then at the end create a

permit ip any any LOG

After some time (depends on the environment) I analyse the syslog, which is as you said time consuming, and verify if the connections are required or not.

Needed connections are specified in the access-lists, and it begins from the beginning again.... logging, analysing, modifying ACLs...

After some time of analysing (and adjusting the ACLs) you can replace the "permit ip any any LOG" with a "deny ip any any log".

By this time, you will probably have achieved that 99% of the necessary connections are configured and work through the firewall. The last 1% will call you up and tell you "there is something wrong" ;-)
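The log-analysis step in the answer above is the part that eats the time. As an added example (not part of this thread, and not Cisco's own tooling), the following Python script parses the PIX `%PIX-6-106100` access-list hit messages that a logged `permit ip any any` ACE produces, groups them by destination service, rolls the source hosts up into /24 user subnets, and prints candidate explicit ACEs for services seen from at least two distinct sources; anything seen from a single source is listed separately for manual review instead of being auto-permitted. The syslog lines, the ACL name `inside_out` and the addresses are constructed sample data, and the two-source threshold and /24 roll-up are assumptions to tune for your own environment.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog mimicking the PIX/ASA 106100 access-list log format.
# The last line is a 302013 connection message and must be ignored by the parser.
SAMPLE_SYSLOG = """\
Oct 22 2008 02:10:01 fw1 %PIX-6-106100: access-list inside_out permitted tcp inside/10.1.5.20(33201) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Oct 22 2008 02:10:03 fw1 %PIX-6-106100: access-list inside_out permitted tcp inside/10.1.5.21(33202) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Oct 22 2008 02:10:05 fw1 %PIX-6-106100: access-list inside_out permitted tcp inside/10.1.5.22(33203) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Oct 22 2008 02:11:00 fw1 %PIX-6-106100: access-list inside_out permitted udp inside/10.1.5.20(51000) -> outside/192.0.2.53(53) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]
Oct 22 2008 02:11:02 fw1 %PIX-6-106100: access-list inside_out permitted udp inside/10.1.5.21(51001) -> outside/192.0.2.53(53) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]
Oct 22 2008 02:12:00 fw1 %PIX-6-106100: access-list inside_out permitted tcp inside/10.1.5.99(40000) -> outside/198.51.100.7(23) hit-cnt 1 first hit [0x1a2b3c4f, 0x0]
Oct 22 2008 02:12:30 fw1 %PIX-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.1.5.20/33201 (10.1.5.20/33201)
"""

# Fields of a 106100 message: ACL name, action, protocol, src iface/addr(port) -> dst iface/addr(port).
LOG_RE = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_acl_hits(text, acl_name=None, action="permitted"):
    """Return (proto, src, dst, dport) tuples for 106100 hits (on acl_name only, if given)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("action") != action:
            continue
        if acl_name and m.group("acl") != acl_name:
            continue
        hits.append((m.group("proto"), m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


def summarize_services(hits):
    """Group hits by destination service; each value is the set of distinct source hosts."""
    services = defaultdict(set)
    for proto, src, dst, dport in hits:
        services[(proto, dst, dport)].add(src)
    return dict(services)


def propose_aces(services, acl_name, min_sources=2, prefixlen=24):
    """Build candidate PIX ACEs (real netmask syntax, not IOS wildcards) for services
    seen from at least min_sources hosts; return the rest as a review list.
    Source hosts are rolled up to /prefixlen so one ACE covers a user subnet (assumption)."""
    aces, review = [], []
    for (proto, dst, dport), sources in sorted(services.items()):
        if len(sources) < min_sources:
            review.append((proto, dst, dport, sorted(sources)))
            continue
        nets = {ipaddress.ip_network(f"{s}/{prefixlen}", strict=False) for s in sources}
        for net in sorted(nets):
            aces.append(
                f"access-list {acl_name} permit {proto} "
                f"{net.network_address} {net.netmask} host {dst} eq {dport}"
            )
    return aces, review


if __name__ == "__main__":
    hits = parse_acl_hits(SAMPLE_SYSLOG, acl_name="inside_out")
    aces, review = propose_aces(summarize_services(hits), "inside_out")
    print("! candidate ACEs (insert before the final deny ip any any log):")
    for ace in aces:
        print(ace)
    print("! single-source flows to verify with the owner before permitting:")
    for proto, dst, dport, sources in review:
        print(f"! {proto} -> {dst}:{dport} from {', '.join(sources)}")
```

Feeding the real syslog file in place of `SAMPLE_SYSLOG` and re-running after each ACL change gives the iterative "log, analyse, modify" loop the answer describes; the review list is where the single telnet session from one host would surface for a human decision rather than being silently permitted.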