Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6693
Views
0
Helpful
6
Replies

when is Permit IP any any OK

Go to solution
leach_stuart
Level 1
Level 1

‎07-05-2010 11:44 PM - edited ‎03-11-2019 11:07 AM

Hi,

I am after a general consensus on permit ip any any, is this command ever acceptable ?

A PCI audit has just taken place on our network and a permit ip any any was found, since then all hell has broken lose.  Please see below explanation for the design.  

Our Network is based on a multi tier approach, which is based on the following.

LAN – Access Lists applied to the layer three SVI’s.  the purpose of this ACL is to control LAN based traffic for example access to DC’s, ISA, Exchange etc.  at the end of this ACL under the deny to anything LAN, is an IP any any, this permits access destined to anything not internal in LAN, this is then filtered at the Inner ASA.

Inner ASA – Most restrictive Access lists are placed at this layer on the inside, outside thrid party and DMZ interfaces.  This controls access from LAN to External based connections such as the Internet and MPLS connections.  We also control what traffic can come in from the outside in terms of VPN’s.   This layer is treated as our strongest layer of traffic control.

Outer ASA – Due to the restrictive filtering on the Inner ASA, we trust the traffic that is sourced from the inside network as it has already been filtered by the Inner layer.  The main purpose of the Outer layer is to be a termination point for VPN’s and control traffic that is connecting from the Internet towards the servers that are in the DMZ.  To secure further we also NAT to a completely separate private range on the Outer Layer for anything that is accessible from the Internet.

Each layer of Firewalls have a distinct purpose as by design and I feel they are performing in an efficient way to provide a high level of data throughput.

The ip any any is actually by design and has been placed on the Outer ASA's inside interface,  the thought process behind this is mainly for supportability in terms of making changes etc, as i do not see the benefit of replicating the rule base from my Inner to my Outer, as this in theory would be the same as an ip any any as it is only possible for my inside network to traverse this interface.

Any comments would be greatly appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to leach_stuart

‎07-06-2010 10:46 AM

Again, this is not Cisco official statement (I don't have this power) .

One can argue that a firewall sandwitch is probably not the best design in the best place :-)

However I do not see anything wrong with having permit on inside in case of firewall sandwich

Marcin

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-06-2010 07:15 AM

(Mind you) I'm not familiar with the exact design so I assume it's linear.

users --- LAN ACLs ---- Inner ASA ----outer ASA --- WAN

As a disclaimer I want to say that I'm just saying what makes sense to me and it's in no way a statment by Cisco

Applying inbound filtering on inside of outer ASA makes little sense, traffic is incoing from more trusted devices going towards the less trusted WAN.

That's why indeed Cisco assume that traffic is to be allowed. Since ASA is stetful we know that only return traffic will be allowed (or whatever we allow on the outside access-list).

I understand that there is no untrusted device between the two ASAs

I've seen a similar problem from auditors before, for the most part they do understand that firewalls now are stateful, and protection does not come from ACLs.

That being said there's rarely a point in arguing with audit, for you own piece of mind comply with them. Apply an access-list there and deny traffic to auditor's company HQ , even if you permit any any at the end you can always justify that it's there to block know abusive hosts.

Marcin

0 Helpful

Go to solution
leach_stuart
Level 1
Level 1
In response to Marcin Latosiewicz

‎07-06-2010 09:12 AM

Marcin,

Yes it is linear.

Thanks very much for your reply, what is your opion on the never use a permit ip any any on a firewall, in my opion if the infrastructure is secure then a permit ip any any is acceptible, but I am not sure if this goes against best practice.

Stuart

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to leach_stuart

‎07-06-2010 09:21 AM

Stuart,

Inbound filtering on trusted interface is acceptable, however best practice is saying - filtering should be done close to the source and not destination.

If you're already filtering on Inner ASA (closer to source), doing same filtering on Outer ASA can be omited.

Marcin

0 Helpful

Go to solution
leach_stuart
Level 1
Level 1
In response to Marcin Latosiewicz

‎07-06-2010 09:24 AM

so permit ip any any in this scenario does not go against best practice. 

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to leach_stuart

‎07-06-2010 10:46 AM

Again, this is not Cisco official statement (I don't have this power) .

One can argue that a firewall sandwitch is probably not the best design in the best place :-)

However I do not see anything wrong with having permit on inside in case of firewall sandwich

Marcin

0 Helpful

Go to solution
leach_stuart
Level 1
Level 1
In response to Marcin Latosiewicz

‎07-07-2010 12:33 AM

Thank you for your comments

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card