10-22-2008 02:07 AM - edited 03-11-2019 07:01 AM
Hi All,
Good day.
There are "permit ip any any" rules implemented in my Cisco PIX firewall by the previous administrator.
There are more than 5000 users accessing hundreds of servers behind this firewall and no proper change management system to track the implemented changes.
Kindly advise what would be the best way to rectify this problem.
One idea I have is to run tcpdump to gather all the user IPs and the services they are accessing, and later verify whether those accesses are valid or not.
But I believe this method is very time consuming.
Kindly advise if there are other methods to rectify this problem without contacting the clients first?
Thanks in advance.
--bala
10-22-2008 02:32 AM
Hi, here I would advise you to first see what your organisation's requirement is. Suppose a few users want to access only the internet and a few users need to access the outside servers or other services; then my advice is to divide your network into VLANs per user department, give them access from inside to outside only on the ports required by those users, and restrict the other ports.
2) Second, make a configuration document without making any changes and take a backup of the startup-config file, so you can roll back if something goes wrong.
Ray
10-22-2008 04:09 AM
Hi Bala
I've experienced similar situations quite a few times when installing new, or replacing old, undocumented firewalls... it isn't funny at all.
What I have done until now is to create the different access rules for the "known-to-be" or "guessed-to-be" required traffic pattern.
And then at the end create a
permit ip any any LOG
After some time (depends on the environment) I analyse the syslog, which is, as you said, time consuming, and verify whether the connections are required or not.
Needed connections are specified in the access-lists, and it begins from the beginning again.... logging, analysing, modifying ACLs...
After some time of analysing (and adjusting the ACLs) you can replace the "permit ip any any LOG" with a "deny ip any any log".
By this time, you will probably have achieved that 99% of the necessary connections are configured and work through the firewall. The last 1% will call you up and tell you "there is something wrong" ;-)
Greetings
Jarle
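The iterative approach above (a logged catch-all ACE, then syslog analysis to turn observed flows into explicit rules) leaves the tedious part, reading the syslog, to the administrator. The script below is an added example, not code from the thread or from Cisco: it parses PIX `%PIX-6-106100` access-list log messages (the message the `log` keyword on an ACE produces), keeps only the `permitted` hits, sums the hit counts per destination/port, and prints candidate `access-list` entries in PIX syntax, collapsing sources to a single host or a /24 where they all fall in one, and flagging anything broader for manual review. The ACL name `inside_in`, the interface names and the log lines themselves are constructed for illustration and are not from a real firewall; the 106100 message layout is assumed from Cisco's published format.

```python
"""Summarize PIX 'permit ip any any log' hits into candidate access-list entries.

Added example, not from the forum thread. Assumes PIX syslog message 106100 format:
%PIX-6-106100: access-list <acl> permitted <proto> <in_if>/<src>(<sport>) ->
               <out_if>/<dst>(<dport>) hit-cnt <n> ...
"""
import re
import ipaddress
from collections import defaultdict

# Constructed sample syslog lines (not captured from a real firewall).
SAMPLE_LOG = """\
Oct 22 2008 09:10:11 pix %PIX-6-106100: access-list inside_in permitted tcp inside/10.1.5.20(34512) -> dmz/172.16.1.10(80) hit-cnt 1 first hit [0x8a2b1c3d, 0x0]
Oct 22 2008 09:10:15 pix %PIX-6-106100: access-list inside_in permitted tcp inside/10.1.5.21(40021) -> dmz/172.16.1.10(80) hit-cnt 3 300-second interval [0x8a2b1c3d, 0x0]
Oct 22 2008 09:11:02 pix %PIX-6-106100: access-list inside_in permitted udp inside/10.1.5.20(51234) -> dmz/172.16.1.5(53) hit-cnt 12 300-second interval [0x1122aabb, 0x0]
Oct 22 2008 09:12:40 pix %PIX-6-106100: access-list inside_in permitted tcp inside/10.1.7.9(2049) -> dmz/172.16.1.10(22) hit-cnt 1 first hit [0x5566ccdd, 0x0]
Oct 22 2008 09:13:00 pix %PIX-6-106100: access-list inside_in denied tcp inside/10.1.5.22(1025) -> dmz/172.16.1.10(23) hit-cnt 1 first hit [0x99887766, 0x0]
Oct 22 2008 09:13:05 pix %PIX-5-111008: User 'enable_15' executed the 'write memory' command.
"""

LINE_RE = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<in_if>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<out_if>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_hits(log_text):
    """Return {(acl, proto, dst, dport): {src: hits}} for permitted flows only.

    Denied lines and unrelated messages are ignored; hit-cnt is summed per source.
    """
    flows = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "permitted":
            continue
        key = (m["acl"], m["proto"], m["dst"], int(m["dport"]))
        flows[key][m["src"]] += int(m["hits"])
    return flows


def summarize_sources(sources):
    """Collapse a set of source IPs to one PIX source clause.

    One host -> 'host A.B.C.D'; all in one /24 -> 'A.B.C.0 255.255.255.0';
    otherwise 'any', with a flag telling the caller to mark it for review.
    """
    addrs = sorted(ipaddress.ip_address(s) for s in sources)
    if len(addrs) == 1:
        return f"host {addrs[0]}", False
    nets = {ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}
    if len(nets) == 1:
        net = nets.pop()
        return f"{net.network_address} {net.netmask}", False
    return "any", True


def candidate_acl(flows):
    """Render one candidate ACE per (acl, proto, dst, dport), most-hit first."""
    lines = []
    ordered = sorted(flows.items(), key=lambda kv: -sum(kv[1].values()))
    for (acl, proto, dst, dport), srcs in ordered:
        src_clause, review = summarize_sources(srcs)
        # Port clause only makes sense for tcp/udp; icmp and others get none.
        port = f" eq {dport}" if proto in ("tcp", "udp") else ""
        ace = f"access-list {acl} permit {proto} {src_clause} host {dst}{port}"
        if review:
            ace += "   ! REVIEW: sources span several subnets"
        lines.append(ace)
    return lines


if __name__ == "__main__":
    for ace in candidate_acl(parse_hits(SAMPLE_LOG)):
        print(ace)
```

Run it against a syslog export instead of `SAMPLE_LOG` and review the output before pasting anything into the PIX: the candidates are ordered by hit count so the busiest flows get attention first, and each generated ACE must still go above the catch-all `permit ip any any log` so that, once accepted, it stops appearing in the log and the remaining noise shrinks with every pass.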