Cisco Support Community

New Member

Important and urgent Question about hole sec

I have 515r v.5.3 (1) with 3 interfaces;

If I configure only the following line on my inside:

access-list xxx permit ip any any

Would I have some risk of hackers in my network?

Is this a security hole?

New Member

Re: Important and urgent Question about hole sec

When you write "only in my inside", I understand you are talking about outbound traffic. In this case, you have the same security as having a NAT applied to any inside host that is able to communicate with anyone on any port. If you have NAT configured, your command is useless. In both cases (public addresses without NAT or private addresses with NAT), you should restrict your users to the ports you want them to use.

Also, you should restrict outbound traffic initiated by your internal servers. In most cases, those servers don't need to communicate with the outside.

New Member

Re: Important and urgent Question about hole sec

First of all, thanks for your help. But this is my first experience with PIX, and I'm worried about our security if I configure something wrong. Let me explain more details about my configuration:

On the inside:

Yes, I'm using NAT with the following line:

nat 1 0 0

and I use the global command for inside, with one address (PAT) and a 5 IP address range.

Only in the DMZ I'm using static, but...

Is the inside protected with only that?

I hope you can help me again and confirm my suspicion!


New Member

Re: Important and urgent Question about hole sec

Your inside is partially protected.

A hacker cannot access an inside host directly, but a Trojan installed on an inside host can initiate a connection to the outside. A Trojan can be received by e-mail.

Also, a hacker can access your inside through a badly secured server in the DMZ if you have holes opened between the DMZ and the inside.

To protect your internal resources, you should:

- Block all outgoing packets coming from your internal servers with an access-list. Only users' PCs should communicate with the outside, except for specific purposes such as updating the anti-virus software.

- Limit the scope (port numbers) to only what you want your users to use, i.e. http, etc.

- Have always up-to-date antivirus software on servers and hosts to limit Trojan infection. (see the second paragraph of this message)

It's a good beginning. After that, you should work to protect your servers within the DMZ; that will be the next important thing.
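
The two access-list recommendations in the reply above, shown as an added example that is not part of any poster's message and not a configuration taken from this thread. The list name acl_inside and all addresses (users in 10.1.1.0/24, internal servers 10.1.1.10 and 10.1.1.11, anti-virus update host 192.0.2.50) are constructed assumptions.

```text
: Constructed example for a PIX that already has NAT configured on the inside.
: Lines starting with a colon are comments.
:
: Weak form from the question: every inside host may open any connection.
:   access-list xxx permit ip any any
:
: Restricted form. Entries are checked top-down and the first match wins.
:
: 1. Internal servers: allow only the anti-virus update, then block the rest.
access-list acl_inside permit tcp host 10.1.1.10 host 192.0.2.50 eq 80
access-list acl_inside permit tcp host 10.1.1.11 host 192.0.2.50 eq 80
access-list acl_inside deny ip host 10.1.1.10 any
access-list acl_inside deny ip host 10.1.1.11 any
:
: 2. User PCs: only the ports they are meant to use (web and DNS here).
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list acl_inside permit udp 10.1.1.0 255.255.255.0 any eq 53
:
: 3. Anything not permitted above is dropped by the implicit deny
:    at the end of the list.
:
: Bind the list to traffic entering the inside interface.
access-group acl_inside in interface inside
```

A list bound to the inside interface also filters traffic from the inside to the DMZ, so any inside host that must reach a DMZ server (mail clients talking to an Exchange server, for instance) needs its own permit line above the deny entries. PIX access-list entries take subnet masks (255.255.255.0), not the wildcard masks used in IOS.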


New Member

Re: Important and urgent Question about hole sec

Thanks, I feel better, but I have another question (the last, I hope). It isn't clear to me what you meant by "block all outgoing packets" and "limit the scope (port numbers)". Can you give me an example, please? I use only 2 servers in the DMZ, one www server and one MS Exchange, and I configured only the following lines:

Global with pat.

global with scope.

static for 2 servers (www and exchange)

permit tcp any any eq smtp

permit tcp any any eq pop3

permit tcp any any eq 42

permit tcp any any eq domain

permit tcp any any eq 143

permit tcp any any eq 1512

Is this a secure configuration?

Thanks again for your important help!