
permit ip protocol?


Basic question!

What am I passing when I do access-list t2 permit ip any any?

Permitting the whole TCP/IP stack?

When I permit tcp, am I not also permitting ip?


Where can I read more about this separation of TCP, UDP, IP and ICMP?


Re: permit ip protocol?

The statement ip will allow ICMP, TCP, and UDP.

4 - Transport => TCP, UDP, RTP, SCTP

3 - Network => IP, ICMP, IPsec, ARP, RIP, BGP

TCP will allow all TCP connection-oriented protocols such as HTTP, HTTPS, FTP, Telnet ...

UDP will allow all connectionless protocols such as TFTP, DNS ...

ICMP is all the Internet control message protocols such as echo and echo reply.

Command reference guide:

Establishing Connectivity:

Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.

Take also a look at the OSI Reference model of TCP/IP.




Re: permit ip protocol?

permit ip means permitting both TCP and UDP, including all ports.

The reason being that the router/PIX will examine layer 3 first, then layer 4, as layer 4 is encapsulated in layer 3.


Re: permit ip protocol?

Thanks for the reply.

So, can I permit only, for example, outbound tcp www without any permit ip statements?

Or do I always have to use permit ip somewhere and then filter at a higher level?

I thought that allowing tcp would allow the lower stack levels to accomplish the permitted task.

Once again, thanks.

Re: permit ip protocol?

No, you should never use the ip statement if possible (sometimes it is OK for blocking); it is always better to explicitly permit the protocols that you want to permit.


access-list inside permit tcp InsideNetwork InsideSubnetmask any eq www

access-list inside permit tcp InsideNetwork InsideSubnetmask any eq https

access-list inside permit tcp InsideNetwork InsideSubnetmask any range 20 21

access-group inside in interface inside

Note: If you do not limit the protocols on the inside interface then all traffic is allowed to go to any other lower security level interfaces on a PIX.

Security levels by default are:

outside = 0

dmz = 50

inside = 100
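To make the semantics in both answers concrete (that "ip" means any value in the IP protocol field, that "tcp" means protocol 6 only, and that anything not explicitly permitted falls to the implicit deny at the end of the list), here is a small ACL evaluator. It is an added example, not code from the thread or from Cisco; it parses PIX 6-style extended ACL lines (netmask form, "eq"/"range" on the destination port) and evaluates constructed sample packets against the answer's "inside" list and the original poster's "t2 permit ip any any" list. The 10.1.1.0/24 network stands in for the answer's InsideNetwork/InsideSubnetmask placeholders, and the port-name table is a constructed subset.

```python
"""Toy evaluator for PIX/IOS-style extended ACLs (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers behind the ACL keywords. "ip" is not a protocol
# number; it means "any value in the IP protocol field" and is handled as None.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

# Well-known port names accepted after "eq"/"range" (constructed subset).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53,
              "tftp": 69, "www": 80, "https": 443}


@dataclass(frozen=True)
class Packet:
    proto: int                    # IP protocol field: 1 = ICMP, 6 = TCP, 17 = UDP
    src: str
    dst: str
    dport: Optional[int] = None   # destination port, only meaningful for TCP/UDP


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: Optional[int]          # None means the "ip" keyword: any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[tuple]        # (lo, hi) on the destination port, or None

    def matches(self, pkt: Packet) -> bool:
        # Layer 3 is checked first (protocol field, addresses), then layer 4 (ports).
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.ports is not None:
            # A port qualifier can only be satisfied by a packet that carries a port.
            if pkt.dport is None or not (self.ports[0] <= pkt.dport <= self.ports[1]):
                return False
        return True


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _network(t, i):
    """Consume 'any', 'host A' or 'A MASK' (PIX 6 netmask form) at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_entry(line: str):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq P | range LO HI]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    name, action, proto_kw = t[1], t[2], t[3]
    if proto_kw == "ip":
        proto = None                      # any protocol number
    elif proto_kw.isdigit():
        proto = int(proto_kw)             # explicit IP protocol number 1..254
    else:
        proto = PROTO_NUMBERS[proto_kw]
    src, i = _network(t, 4)
    dst, i = _network(t, i)
    ports = None
    if i < len(t):
        if t[i] == "eq":
            p = _port(t[i + 1])
            ports = (p, p)
        elif t[i] == "range":
            ports = (_port(t[i + 1]), _port(t[i + 2]))
        else:
            raise ValueError(f"unsupported qualifier {t[i]!r} in {line!r}")
    return name, Entry(action, proto, src, dst, ports)


def parse_acl(lines):
    """Return {name: [Entry, ...]} in configuration order; first match wins."""
    acls = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("!"):
            name, entry = parse_entry(line)
            acls.setdefault(name, []).append(entry)
    return acls


def evaluate(entries, pkt: Packet):
    """First matching entry decides; no match means the implicit deny (index None)."""
    for idx, e in enumerate(entries):
        if e.matches(pkt):
            return e.action, idx
    return "deny", None


# Constructed sample: the answer's ACL with 10.1.1.0/24 in place of the
# InsideNetwork/InsideSubnetmask placeholders, beside the poster's t2 list.
SAMPLE_CONFIG = """
access-list inside permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list inside permit tcp 10.1.1.0 255.255.255.0 any range 20 21
access-list t2 permit ip any any
"""

# Constructed packets; 203.0.113.0/24 is documentation address space.
SAMPLE_PACKETS = {
    "tcp/80":          Packet(6, "10.1.1.5", "203.0.113.10", 80),
    "tcp/22":          Packet(6, "10.1.1.5", "203.0.113.10", 22),
    "udp/53":          Packet(17, "10.1.1.5", "203.0.113.53", 53),
    "icmp":            Packet(1, "10.1.1.5", "203.0.113.10"),
    "tcp/80-from-dmz": Packet(6, "192.168.50.7", "203.0.113.10", 80),
}


def compare(config=SAMPLE_CONFIG, packets=SAMPLE_PACKETS):
    """Verdict of every ACL for every packet: {label: {acl_name: 'permit'|'deny'}}."""
    acls = parse_acl(config.splitlines())
    return {label: {name: evaluate(entries, pkt)[0] for name, entries in acls.items()}
            for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:18s} inside={verdicts['inside']:6s} t2={verdicts['t2']}")
```

Running it shows the point of the thread: under "t2" every packet is permitted, because "ip" places no constraint on the protocol field, while under "inside" only TCP to ports 80, 443, 20 and 21 from the inside network gets through, and SSH, DNS, ICMP and the same HTTP flow from a non-inside source all hit the implicit deny. Numeric protocols (for example "permit 50 any any" for ESP) parse the same way, which is what the command reference's "integer in the range 1 to 254" refers to.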


