Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Access list -Urgent

Hi,

I have ASA 5520 device.In that i have only one access list that is for the inbound connection from outside.Please find the access-list config..

access-list outside_in extended permit tcp any host x.x.x.1 eq www

access-list outside_in extended permit udp any host x.x.x.1 eq domain

access-list outside_in extended permit tcp any host x.x.x.2 eq www

access-list outside_in extended permit tcp any host x.x.x.2 eq www

access-list outside_in extended permit tcp any host x.x.x.3 eq www

access-list outside_in extended permit tcp any host x.x.x.4 eq www

access-list outside_in extended permit tcp any host x.x.x.5 eq www

access-list outside_in extended permit tcp any host x.x.x.6 eq www

access-list outside_in extended permit tcp any host x.x.x.7 eq www

access-list outside_in extended permit tcp any host x.x.x.7 eq 3389

access-list outside_in extended permit tcp any host x.x.x.8 eq 3389

access-list outside_in extended permit tcp any host x.x.x.8 eq www

access-list outside_in extended permit tcp any host x.x.x.9 eq ftp

access-list outside_in extended permit tcp any host x.x.x.9 eq ftp-data

access-list outside_in extended permit tcp any host x.x.x.11 eq 6013

access-list outside_in extended permit tcp any host x.x.x.11 eq www

access-list outside_in extended permit tcp any host x.x.x.12 eq 91

access-list outside_in extended permit tcp any host x.x.x.12 eq 92

access-list outside_in extended permit tcp any host x.x.x.12 eq 333

access-list outside_in extended permit tcp any host x.x.x.12 eq ftp

access-list outside_in extended permit tcp any host x.x.x.12 eq ftp-data

access-list outside_in extended permit tcp any eq kerberos any eq kerberos

access-list outside_in extended permit tcp any eq www any eq www

access-list outside_in extended permit tcp any eq https any eq https

access-list outside_in extended permit ip any any

at the end of the access-list " ip any any" is configured. Now my question :is

it make any security risk? if i remove ip any any then i am unable to access anything from outside..

please guide me that "ip any any " command is a right configuration or not. is it make any security risk?

please assist in this matter

Thanx,

som

2 REPLIES
Hall of Fame Super Blue

Re: Access list -Urgent

Som

When you say if you remove the "permit ip any any" and you can't access anything does that include the other things allowed in your access-list or is all access denied ?

As for security if you have a "permit ip any any" then

1) You don't need all the other entries in your access-list unless you want to record how many times each rule is accessed

2) Yes it is a security risk. Firewalls are there to limit traffic generally and by permitting ip any any you have negated one of it's main purposes. I'm assuming this is your main Internet facing firewall.

Jon

Community Member

Re: Access list -Urgent

Just to add to Jon's comments:

You should really troubleshoot your ACL's. Do a "Show Access-list" to see the counters on the ACE. If you're not seeing any counters then something is configured wrong. If all the counters are going to the "IP ANY ANY" you really need to rethink your ACL seutp. If you are indeed having counters on those entries, and you're still not getting what you need, maybe do a debug. If you're able to slap something in front and do a TCPdump or what have you even better. The key here is to NOT allow "any any's" and get only the traffic needed over the firewall.

I hope this assists.

151
Views
5
Helpful
2
Replies
CreatePlease to create content