Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1976
Views
4
Helpful
2
Replies

Removing "permit ip any any" rule

neuron6911
Level 1
Level 1

‎10-22-2008 02:07 AM - edited ‎03-11-2019 07:01 AM

Hi All,

Good day.

There are "permit ip any any" rules implemented in my cisco pix firewall by the previous administrator.

There are more than 5000 users accessing hundreds of servers behind this firewall and no proper change management system to track the implemented changes.

Kindly advise what would be the best way to rectify this problem.

One idea I have is to run tcpdump to gather all the User IPs and services they are accessing and later verify if those access are valid access or not.

But I believe this method is very time consuming.

Kindly advise if there are other methods to rectify this problem without contacting the clients 1st?

Thanks in advanse.

--bala

Labels:
0 Helpful
2 Replies 2

ray_stone
Level 1
Level 1

‎10-22-2008 02:32 AM

Hi, here I would advice you that first see, what is your org requirment. Suppose few users want to access only internet and few users need to have access the outside Servers or any other Services then my advice is kindly divide your network into V-lans as per users department and give them access only those ports from inside to outside which is required by the users and restrict the other ports.

2) Second make a configuartion documnet without making any changes and take the backup of start-conf file then u can roll back if something wrong happens.

Ray

0 Helpful

jsteffensen
Level 1
Level 1

‎10-22-2008 04:09 AM

Hi Bala

I've experiensed simular situations quite some times when installing new, or replacing old - undocumented firewalls... it isnt funny at all.

What I have done until now, is to create the different access-rules for the "known-to be-" or "guessed-to be " required traffick pattern.

And then at the end create a

permit ip any any LOG

After some time (depends on the environment) i analyse the syslog, which is as you said time consuming, and verifies if the connections are required or not.

Needed connections are spesified in the access-lists, and it beginns from the beginning again.... logging, analysing, modifying ACL's...

After some time of analysing (and adjusting the ACL's) you can replace the "permit ip any any LOG" with a "deny ip any any log".

By this time, you will probably have archeaved that 99% of the nessesary connections are configured and works through the firewall. The last 1% will call you up, and tell you "there is something wrong" ;-)

Greetings

Jarle

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card