04-17-2008 10:23 PM - edited 03-11-2019 05:33 AM
Hi,
I have an ASA 5520 device. In that I have only one access list, which is for the inbound connection from outside. Please find the access-list config:
access-list outside_in extended permit tcp any host x.x.x.1 eq www
access-list outside_in extended permit udp any host x.x.x.1 eq domain
access-list outside_in extended permit tcp any host x.x.x.2 eq www
access-list outside_in extended permit tcp any host x.x.x.2 eq www
access-list outside_in extended permit tcp any host x.x.x.3 eq www
access-list outside_in extended permit tcp any host x.x.x.4 eq www
access-list outside_in extended permit tcp any host x.x.x.5 eq www
access-list outside_in extended permit tcp any host x.x.x.6 eq www
access-list outside_in extended permit tcp any host x.x.x.7 eq www
access-list outside_in extended permit tcp any host x.x.x.7 eq 3389
access-list outside_in extended permit tcp any host x.x.x.8 eq 3389
access-list outside_in extended permit tcp any host x.x.x.8 eq www
access-list outside_in extended permit tcp any host x.x.x.9 eq ftp
access-list outside_in extended permit tcp any host x.x.x.9 eq ftp-data
access-list outside_in extended permit tcp any host x.x.x.11 eq 6013
access-list outside_in extended permit tcp any host x.x.x.11 eq www
access-list outside_in extended permit tcp any host x.x.x.12 eq 91
access-list outside_in extended permit tcp any host x.x.x.12 eq 92
access-list outside_in extended permit tcp any host x.x.x.12 eq 333
access-list outside_in extended permit tcp any host x.x.x.12 eq ftp
access-list outside_in extended permit tcp any host x.x.x.12 eq ftp-data
access-list outside_in extended permit tcp any eq kerberos any eq kerberos
access-list outside_in extended permit tcp any eq www any eq www
access-list outside_in extended permit tcp any eq https any eq https
access-list outside_in extended permit ip any any
At the end of the access-list "ip any any" is configured. Now my question is: does it make any security risk? If I remove "ip any any" then I am unable to access anything from outside.
Please guide me whether the "ip any any" command is a right configuration or not. Does it make any security risk?
Please assist in this matter.
Thanx,
som
04-17-2008 11:05 PM
Som
When you say if you remove the "permit ip any any" and you can't access anything does that include the other things allowed in your access-list or is all access denied ?
As for security if you have a "permit ip any any" then
1) You don't need all the other entries in your access-list unless you want to record how many times each rule is accessed
2) Yes it is a security risk. Firewalls are there to limit traffic generally and by permitting ip any any you have negated one of its main purposes. I'm assuming this is your main Internet facing firewall.
Jon
04-19-2008 08:14 AM
Just to add to Jon's comments:
You should really troubleshoot your ACLs. Do a "show access-list" to see the counters on the ACEs. If you're not seeing any counters then something is configured wrong. If all the counters are going to the "IP ANY ANY" you really need to rethink your ACL setup. If you are indeed having counters on those entries, and you're still not getting what you need, maybe do a debug. If you're able to slap something in front and do a TCPdump or what have you, even better. The key here is to NOT allow "any any's" and get only the traffic needed over the firewall.
I hope this assists.
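As an added example (not code from the thread, from Cisco, or from Som's device), the script below parses the kind of output "show access-list" prints on an ASA and reports the conditions the two replies describe: a trailing "permit ip any any", duplicate ACEs that can never match, ACEs whose hit counter is still zero, and how much of the matched traffic the catch-all entry is absorbing. The sample output, line numbers, hash values and hit counts are constructed for the example; the addresses are placeholders.

```python
import re

# Constructed sample of `show access-list` output in the shape an ASA prints:
# ACL name, line number, the ACE, a hitcnt field and a hash. Not from a real device.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list outside_in; 6 elements
access-list outside_in line 1 extended permit tcp any host x.x.x.1 eq www (hitcnt=120) 0x1a2b3c4d
access-list outside_in line 2 extended permit udp any host x.x.x.1 eq domain (hitcnt=0) 0x2b3c4d5e
access-list outside_in line 3 extended permit tcp any host x.x.x.2 eq www (hitcnt=45) 0x3c4d5e6f
access-list outside_in line 4 extended permit tcp any host x.x.x.2 eq www (hitcnt=0) 0x4d5e6f70
access-list outside_in line 5 extended permit tcp any host x.x.x.8 eq 3389 (hitcnt=0) 0x5e6f7081
access-list outside_in line 6 extended permit ip any any (hitcnt=9876) 0x6f708192
"""

# One ACE line: name, line number, action, protocol, the source/destination/port
# part verbatim, then the hit counter. Summary lines do not match and are skipped.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<match>.*?) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)


def parse_show_access_list(text):
    """Return one dict per ACE found in `show access-list` output."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        aces.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "match": m.group("match"),
            "hits": int(m.group("hits")),
        })
    return aces


def audit_acl(aces):
    """Flag the problems the replies describe for the ACEs of one access list."""
    total_hits = sum(a["hits"] for a in aces)
    # A "permit ip any any" admits everything; every permit above it is redundant
    # except as a counter, which is Jon's point 1.
    catch_all = [a["line"] for a in aces
                 if a["action"] == "permit" and a["proto"] == "ip"
                 and a["match"] == "any any"]
    # Duplicate ACE: same action/protocol/match as an earlier line. The ASA
    # evaluates top-down, so the later copy never matches and stays at zero hits.
    seen = {}
    duplicates = []
    for a in aces:
        key = (a["action"], a["proto"], a["match"])
        if key in seen:
            duplicates.append((a["line"], seen[key]))
        else:
            seen[key] = a["line"]
    zero_hit = [a["line"] for a in aces if a["hits"] == 0]
    catch_all_hits = sum(a["hits"] for a in aces if a["line"] in catch_all)
    return {
        "catch_all_lines": catch_all,
        "duplicates": duplicates,
        "zero_hit_lines": zero_hit,
        # Fraction of all matched traffic that only the catch-all let through.
        "catch_all_share": catch_all_hits / total_hits if total_hits else 0.0,
    }


if __name__ == "__main__":
    report = audit_acl(parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST))
    print("permit ip any any at line(s):", report["catch_all_lines"])
    print("duplicate ACEs (line, shadowed by):", report["duplicates"])
    print("ACEs with zero hits:", report["zero_hit_lines"])
    print("share of hits absorbed by catch-all: %.1f%%" % (100 * report["catch_all_share"]))
```

A high catch-all share is the situation the second reply warns about: most of the inbound traffic is being admitted by "ip any any" rather than by a specific rule, so removing the catch-all will break whatever those flows are until a matching ACE exists. Zero-hit lines ahead of the catch-all are either duplicates or rules nothing is using yet, and both are worth checking before the catch-all is removed.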