Cisco Support Community
Community Member

Removing "permit ip any any" rule

Hi All,

Good day.

There are "permit ip any any" rules implemented in my Cisco PIX firewall by the previous administrator.

There are more than 5000 users accessing hundreds of servers behind this firewall and no proper change management system to track the implemented changes.

Kindly advise what would be the best way to rectify this problem.

One idea I have is to run tcpdump to gather all the user IPs and the services they are accessing and later verify whether that access is valid or not.

But I believe this method is very time consuming.

Kindly advise if there are other methods to rectify this problem without contacting the clients first?

Thanks in advance.


Community Member

Re: Removing "permit ip any any" rule

Hi, here I would advise you to first see what your org's requirement is. Suppose a few users want to access only the internet and a few users need to have access to the outside servers or any other services; then my advice is to kindly divide your network into VLANs as per the users' department and give them access only to those ports from inside to outside which are required by the users, and restrict the other ports.

2) Second, make a configuration document without making any changes and take a backup of the start-conf file; then you can roll back if something goes wrong.


Community Member

Re: Removing "permit ip any any" rule

Hi Bala

I've experienced similar situations quite some times when installing new, or replacing old, undocumented firewalls... it isn't funny at all.

What I have done until now is to create the different access rules for the "known-to-be" or "guessed-to-be" required traffic pattern.

And then at the end create a

permit ip any any LOG

After some time (depends on the environment) I analyse the syslog, which is, as you said, time consuming, and verify if the connections are required or not.

Needed connections are specified in the access-lists, and it begins from the beginning again.... logging, analysing, modifying ACLs...

After some time of analysing (and adjusting the ACLs) you can replace the "permit ip any any LOG" with a "deny ip any any log".

By this time, you will probably have achieved that 99% of the necessary connections are configured and work through the firewall. The last 1% will call you up and tell you "there is something wrong" ;-)
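One way to do the syslog analysis described in the answer above, as an added example that is not part of the thread or of any Cisco tool: a Python script that parses the 106100 messages an access-list entry with the "log" keyword produces, totals the permitted flows per source, destination and port, and renders each as a specific host-to-host entry in PIX 7.x/ASA syntax. The log lines, ACL name, addresses and ports are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread) in the %PIX/%ASA-6-106100
# format that an access-list entry with the "log" keyword emits. The last line is a
# 302013 connection message, included to show that unrelated IDs are ignored.
SAMPLE_LOG = """\
%PIX-6-106100: access-list inside_in permitted tcp inside/10.1.1.5(51000) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x8c3f1e2a, 0x0]
%PIX-6-106100: access-list inside_in permitted tcp inside/10.1.1.5(51001) -> outside/203.0.113.10(443) hit-cnt 4 300-second interval [0x8c3f1e2a, 0x0]
%PIX-6-106100: access-list inside_in permitted udp inside/10.1.1.7(40000) -> outside/203.0.113.53(53) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]
%PIX-6-106100: access-list inside_in permitted tcp inside/10.1.2.9(44321) -> outside/198.51.100.20(22) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
%PIX-6-106100: access-list inside_in denied tcp inside/10.1.2.9(44322) -> outside/198.51.100.21(23) hit-cnt 1 first hit [0x5e6f7a8c, 0x0]
%PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/51000 (10.1.1.5/51000)
"""

LOG_RE = re.compile(
    r"%(?:PIX|ASA)-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<sif>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def summarize(log_text):
    """Aggregate permitted flows into (acl, proto, src, dst, dport) -> total hits.
    The ephemeral source port is deliberately dropped so repeated sessions between
    the same hosts to the same service collapse into one entry."""
    flows = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("action") != "permitted":
            continue  # skip denies and other message IDs such as 302013
        key = (m.group("acl"), m.group("proto"), m.group("src"),
               m.group("dst"), int(m.group("dport")))
        flows[key] += int(m.group("hits"))
    return dict(flows)

def candidate_acl(flows):
    """Render each observed flow as a remark plus a specific permit entry, busiest
    flow first, so the candidates can be reviewed before the permit-any is removed."""
    lines = []
    for (acl, proto, src, dst, dport), hits in sorted(flows.items(), key=lambda kv: -kv[1]):
        lines.append(f"access-list {acl} remark observed {hits} hits via permit-any log")
        lines.append(f"access-list {acl} extended permit {proto} host {src} host {dst} eq {dport}")
    return lines

if __name__ == "__main__":
    print("\n".join(candidate_acl(summarize(SAMPLE_LOG))))
```

Each generated line is only a candidate; it still needs to be checked against the actual business need before it is added, and the "deny ip any any log" goes in only after the permit-any has stopped logging new flows.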


