10-25-2005 04:09 PM - edited 03-09-2019 12:49 PM
Hi,
Basic question!
What am I passing when I do access-list t2 permit ip any any?
Permitting the whole TCP/IP stack?
When I permit tcp, am I not also permitting ip?
Thanks.
Where can I read more about this separation of TCP, UDP, IP and ICMP?
10-25-2005 05:00 PM
The statement ip will allow ICMP, TCP, and UDP.
4 - Transport => TCP, UDP, RTP, SCTP
3 - Network => IP, ICMP, IPsec, ARP, RIP, BGP
TCP will allow all TCP connection-oriented protocols such as HTTP, HTTPS, FTP, Telnet ...
UDP will allow all connectionless protocols such as TFTP, DNS ...
ICMP is all the Internet message protocols such as echo and echo reply.
Command reference guide:
Establishing Connectivity:
Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.
Also take a look at the OSI reference model and TCP/IP:
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci523729,00.html
http://en.wikipedia.org/wiki/OSI_model
http://en.wikipedia.org/wiki/OSI_protocols
Sincerely,
Patrick
10-25-2005 05:02 PM
permit ip means permitting both tcp and udp, including all ports.
The reason being that the router/PIX will examine layer 3 first, then layer 4, as layer 4 is encapsulated in layer 3.
10-26-2005 03:16 AM
Thanks for the reply.
So, can I permit only, e.g., outbound tcp www without any permit ip statements?
Or do I always have to use permit ip somewhere and then filter at a higher level?
I thought that allowing tcp would allow the lower stack level to accomplish the permitted task.
Once again, thanks.
10-26-2005 05:00 AM
No, you should never use the ip statement if possible (sometimes for blocking it is OK); it is always better to explicitly permit the protocols that you want to permit.
Example:
access-list inside permit tcp InsideNetwork InsideSubnetmask any eq www
access-list inside permit tcp InsideNetwork InsideSubnetmask any eq https
access-list inside permit tcp InsideNetwork InsideSubnetmask any range 20 21
access-group inside in interface inside
Note: If you do not limit the protocols on the inside interface, then all traffic is allowed to go to any other lower-security-level interface on a PIX.
Security levels by default are:
outside = 0
dmz = 50
inside = 100
Sincerely,
Patrick
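To make the layer-3-then-layer-4 point of this thread concrete, here is an added Python model of extended ACL evaluation (not Cisco code and not from any post above). It parses the ACL from Patrick's example, with the constructed values 10.1.1.0 255.255.255.0 standing in for InsideNetwork/InsideSubnetmask, and checks constructed packets against it and against permit ip any any, ending in the implicit deny.

```python
import ipaddress
# IANA protocol numbers behind the ACL keywords, and the port names used in the thread.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
PORT_NAME = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "domain": 53}

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT | range LO HI]'; SRC/DST are 'any' or 'ADDR MASK'."""
    t = line.split()
    assert t[0] == "access-list", line
    action, proto, i, nets = t[2], t[3], 4, []
    for _ in range(2):  # source, then destination
        if t[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        else:
            nets.append(ipaddress.ip_network(f"{t[i]}/{t[i+1]}", strict=False)); i += 2
    ports = None
    if i < len(t) and t[i] == "eq":
        p = PORT_NAME[t[i+1]] if t[i+1] in PORT_NAME else int(t[i+1])
        ports = (p, p)
    elif i < len(t) and t[i] == "range":
        ports = (int(t[i+1]), int(t[i+2]))
    return {"permit": action == "permit", "proto": proto, "src": nets[0], "dst": nets[1], "ports": ports}

def ace_matches(ace, pkt):
    # Layer 3 first: the keyword 'ip' matches every protocol number, so TCP, UDP and ICMP all pass this check.
    proto_ok = ace["proto"] == "ip" or PROTO_NUM[ace["proto"]] == pkt["proto"]
    addr_ok = ipaddress.ip_address(pkt["src"]) in ace["src"] and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
    if not (proto_ok and addr_ok):
        return False
    if ace["ports"] is None:  # no layer-4 qualifier: layer 3 alone decides
        return True
    lo, hi = ace["ports"]  # layer 4 is only inspected once layer 3 has matched
    return pkt.get("dport") is not None and lo <= pkt["dport"] <= hi

def evaluate(acl, pkt):
    """First matching entry wins; a packet matching no entry hits the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return "permit" if ace["permit"] else "deny"
    return "deny"
# The post's ACL, with constructed values for InsideNetwork/InsideSubnetmask (10.1.1.0 255.255.255.0).
INSIDE_ACL = [parse_ace(l) for l in (
    "access-list inside permit tcp 10.1.1.0 255.255.255.0 any eq www",
    "access-list inside permit tcp 10.1.1.0 255.255.255.0 any eq https",
    "access-list inside permit tcp 10.1.1.0 255.255.255.0 any range 20 21")]
PERMIT_IP_ANY = [parse_ace("access-list t2 permit ip any any")]
# Constructed sample packets: protocol number, addresses, destination port (none for ICMP).
WEB = {"proto": 6, "src": "10.1.1.7", "dst": "198.51.100.9", "dport": 80}
DNS = {"proto": 17, "src": "10.1.1.7", "dst": "198.51.100.9", "dport": 53}
PING = {"proto": 1, "src": "10.1.1.7", "dst": "198.51.100.9"}
```

Against INSIDE_ACL only the TCP packets to ports 80, 443, 20 and 21 are permitted, while the DNS and ICMP packets fall through to the implicit deny; against PERMIT_IP_ANY all three pass, which is exactly why the thread recommends explicit per-protocol entries.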