7681 Views | 35 Helpful | 4 Replies

permit ip protocol?

joaquimlopes
Level 1

Hi,

Basic question!

What am I passing when I do access-list t2 permit ip any any?

Permitting the whole TCP/IP stack?

When I permit tcp, am I not also permitting ip?

Thanks.

Where can I read more about this separation of TCP, UDP, IP and ICMP?

4 Replies

Patrick Iseli
Level 7

The statement ip will allow ICMP, TCP, and UDP.

4 - Transport => TCP, UDP, RTP, SCTP

3 - Network => IP, ICMP, IPsec, ARP, RIP, BGP

TCP will allow all TCP connection-oriented protocols such as HTTP, HTTPS, FTP, Telnet ...

UDP will allow all connectionless protocols such as TFTP, DNS ...

ICMP is all the Internet message protocols such as echo and echo reply.

Command reference guide:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1067755

Establishing Connectivity:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.

Take also a look at the OSI Reference model of TCP/IP:

http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci523729,00.html

http://en.wikipedia.org/wiki/OSI_model

http://en.wikipedia.org/wiki/OSI_protocols

Sincerely,

Patrick

jackko
Level 7

Permit ip means permitting both TCP and UDP, including all ports.

The reason being that the router/PIX will examine layer 3 first, then layer 4, as layer 4 is encapsulated in layer 3.

Thanks for the reply.

So, can I permit only, for example, outbound tcp www without any permit ip statements?

Or do I always have to use permit ip somewhere and then filter at a higher level?

I thought that allowing tcp would allow the lower stack level to accomplish the permitted task.

Once again, thanks.

No, you should never use the ip statement if possible (sometimes for blocking it is OK); it is always better to explicitly permit the protocols that you want to permit.

Example:

access-list inside permit tcp InsideNetwork InsideSubnetmask any eq www

access-list inside permit tcp InsideNetwork InsideSubnetmask any eq https

access-list inside permit tcp InsideNetwork InsideSubnetmask any range 20 21

access-group inside in interface inside

Note: If you do not limit the protocols on the inside interface then all traffic is allowed to go to any other lower security level interfaces on a PIX.

Security levels by default are:

outside = 0

dmz = 50

inside = 100

Sincerely,

Patrick
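To make the protocol-keyword behaviour from the replies above concrete, here is a small first-match evaluator for PIX-style access-list entries. It is an added example, not code from the thread or from Cisco; it assumes the simplified syntax shown in the replies (permit/deny, a protocol keyword, "any" or "network subnetmask" addresses, and an optional "eq" or "range" port qualifier), and the inside network 10.1.1.0 255.255.255.0 is a constructed stand-in for the "InsideNetwork InsideSubnetmask" placeholders.

```python
# Added example, not part of the thread: a tiny first-match evaluator for
# PIX-style access-list entries, showing why "permit ip any any" passes
# ICMP, TCP and UDP alike while "permit tcp ... eq www" passes only TCP/80.
import ipaddress
PORT_NAMES = {"www": 80, "https": 443}  # port keywords used in the thread

def take_addr(toks):
    # 'any' is one token; otherwise PIX takes 'network subnetmask' (not a wildcard)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq P | range A B]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, rest = take_addr(tok[4:])
    dst, rest = take_addr(rest)
    ports = None  # no port qualifier: the entry matches on layer 3 only
    if rest and rest[0] == "eq":
        ports = (int(PORT_NAMES.get(rest[1], rest[1])),) * 2  # (lo, hi) pair
    elif rest and rest[0] == "range":
        ports = (int(rest[1]), int(rest[2]))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}

def ace_matches(rule, pkt):
    """pkt = (proto, src_ip, dst_ip, dst_port); dst_port is None for ICMP."""
    proto, src, dst, dport = pkt
    # Layer 3 first: protocol field and addresses; the 'ip' keyword matches any protocol.
    if rule["proto"] not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in rule["src"] or ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    if rule["ports"] is None:  # layer 4 is only examined when a port qualifier is present
        return True
    lo, hi = rule["ports"]
    return dport is not None and lo <= dport <= hi

def evaluate(acl, pkt):
    """Action of the first matching entry; PIX ACLs end with an implicit deny."""
    for rule in acl:
        if ace_matches(rule, pkt):
            return rule["action"]
    return "deny"

INSIDE_ACL = [parse_ace(l) for l in (  # constructed 10.1.1.0/24 stands in for InsideNetwork
    "access-list inside permit tcp 10.1.1.0 255.255.255.0 any eq www",
    "access-list inside permit tcp 10.1.1.0 255.255.255.0 any eq https",
    "access-list inside permit tcp 10.1.1.0 255.255.255.0 any range 20 21",
)]
IP_ANY_ACL = [parse_ace("access-list t2 permit ip any any")]
```

Running evaluate(INSIDE_ACL, ...) against a UDP/53 or ICMP packet from the inside network returns "deny", while the same packets against IP_ANY_ACL return "permit", which is the difference the replies describe.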
