
permit ip protocol?

Unanswered Question
Oct 25th, 2005
User Badges:

hi,

basic question!


What am I passing when I do access-list t2 permit ip any any?

Permitting the whole TCP/IP stack?

When I permit tcp, am I not also permitting ip?


thanks


Where can I read more about this separation of TCP, UDP, IP, and ICMP?

Overall Rating: 5 (6 ratings)
Patrick Iseli Tue, 10/25/2005 - 17:00
User Badges:
  • Gold, 750 points or more

The statement ip will allow ICMP, TCP, and UDP.


4 - Transport => TCP, UDP, RTP, SCTP

3 - Network => IP, ICMP, IPsec, ARP, RIP, BGP


TCP will allow all TCP connection-oriented protocols such as http, https, ftp, telnet ...

UDP will allow all connectionless protocols such as TFTP, DNS ...

ICMP is all the Internet message protocols, such as echo and echo reply.


Command reference guide:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1067755

Establishing Connectivity:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html


Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.


Also take a look at the OSI Reference model of TCP/IP:

http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci523729,00.html

http://en.wikipedia.org/wiki/OSI_model

http://en.wikipedia.org/wiki/OSI_protocols

sincerely

Patrick

jackko Tue, 10/25/2005 - 17:02
User Badges:
  • Gold, 750 points or more

permit ip means permitting both tcp and udp, including all ports.

The reason is that the router/PIX examines layer 3 first, then layer 4, as layer 4 is encapsulated in layer 3.

joaquimlopes Wed, 10/26/2005 - 03:16
User Badges:

thanks for the reply


So, can I permit only, e.g., outbound tcp www without any permit ip statements?

Or do I always have to use permit ip somewhere and then filter at a higher level?

I thought that allowing tcp would allow the lower stack levels to accomplish the permitted task.


once again thanks

Patrick Iseli Wed, 10/26/2005 - 05:00
User Badges:
  • Gold, 750 points or more

No, you should never use the ip statement if possible (sometimes it is OK for blocking); it is always better to explicitly permit the protocols that you want to permit.


example:


access-list inside permit tcp InsideNetwork InsideSubnetmask any eq www

access-list inside permit tcp InsideNetwork InsideSubnetmask any eq https

access-list inside permit tcp InsideNetwork InsideSubnetmask any range 20 21

access-group inside in interface inside


Note: If you do not limit the protocols on the inside interface then all traffic is allowed to go to any other lower security level interfaces on a PIX.


Security levels by default are:

outside = 0

dmz = 50

inside = 100


sincerely

Patrick
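To make the two answers above concrete, here is an added example that is not part of the thread and not Cisco code: a small Python simulator of how a PIX/IOS-style access-list line matches a packet. It shows that `permit ip any any` matches TCP, UDP, ICMP and any other protocol number, that `permit tcp ... eq www` only matches TCP to port 80 and never UDP or ICMP, that the list ends in an implicit deny, and (for the note about security levels) that with no access-group bound, traffic passes only from a higher to a lower security level. The ACL lines, the 10.1.1.0/24 network standing in for InsideNetwork/InsideSubnetmask, the addresses and the packets are all constructed for illustration; the `Packet`, `Rule`, `evaluate` and `pix_allows` names are the example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# IANA protocol numbers behind the keywords the access-list command accepts.
PROTO_KEYWORDS = {"icmp": 1, "tcp": 6, "udp": 17}
# A few of the port names PIX lets you write instead of numbers.
PORT_NAMES = {"www": 80, "https": 443, "ftp-data": 20, "ftp": 21, "domain": 53}


@dataclass
class Packet:
    proto: int                   # IP protocol number from the IP header
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, only present for TCP/UDP


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: Optional[int]           # None means the "ip" keyword: any protocol
    src: object                    # ip_network, or None for "any"
    dst: object
    ports: Optional[range] = None  # destination ports, None means any port


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any' or 'ADDR MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line: str) -> Rule:
    """Parse: access-list NAME permit|deny PROTO SRC DST [eq PORT | range LO HI]."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list line: {line!r}")
    proto_tok = t[3].lower()
    if proto_tok == "ip":
        proto = None                      # any Internet protocol
    elif proto_tok in PROTO_KEYWORDS:
        proto = PROTO_KEYWORDS[proto_tok]
    else:
        proto = int(proto_tok)            # bare protocol number, e.g. 47 for GRE
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    ports = None
    if i < len(t):
        if t[i] == "eq":
            p = _port(t[i + 1])
            ports = range(p, p + 1)
        elif t[i] == "range":
            ports = range(_port(t[i + 1]), _port(t[i + 2]) + 1)
        else:
            raise ValueError(f"unsupported operator {t[i]!r}")
    return Rule(t[2], proto, src, dst, ports)


def matches(rule: Rule, pkt: Packet) -> bool:
    # Layer 3 is checked first: protocol number, then source and destination.
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in rule.dst:
        return False
    # Only a TCP/UDP rule carries ports; a packet without a port (ICMP) cannot match it.
    if rule.ports is not None and (pkt.dport is None or pkt.dport not in rule.ports):
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching line wins; every access-list ends with an implicit deny."""
    for line in acl:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule.action
    return "deny"


def pix_allows(pkt: Packet, in_level: int, out_level: int, acl: Optional[List[str]]) -> bool:
    """With no access-group bound to the ingress interface, a PIX passes traffic only
    from a higher to a lower security level (assumed model of the default behaviour)."""
    if acl is None:
        return in_level > out_level
    return evaluate(acl, pkt) == "permit"


# Constructed sample ACLs mirroring the examples in the thread.
INSIDE_ACL = [
    "access-list inside permit tcp 10.1.1.0 255.255.255.0 any eq www",
    "access-list inside permit tcp 10.1.1.0 255.255.255.0 any eq https",
    "access-list inside permit tcp 10.1.1.0 255.255.255.0 any range 20 21",
]
ANY_IP_ACL = ["access-list t2 permit ip any any"]

if __name__ == "__main__":
    for pkt in (Packet(6, "10.1.1.5", "203.0.113.10", 80),
                Packet(17, "10.1.1.5", "203.0.113.10", 53),
                Packet(1, "10.1.1.5", "203.0.113.10")):
        print(pkt.proto, "inside:", evaluate(INSIDE_ACL, pkt), "t2:", evaluate(ANY_IP_ACL, pkt))
```

Running it prints `permit` for the TCP/80 packet under the `inside` list and `deny` for the UDP/53 and ICMP packets, while all three are permitted by `permit ip any any`; a GRE packet (protocol 47) is likewise caught by `ip` but by none of the `tcp` lines, which is the reason the answers recommend listing the protocols you actually need rather than permitting `ip`.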
