We have a conduit on our test PIX allowing IP any from the DMZ to the internal network. I read this on Cisco's website regarding IP any:
Note: Be careful when implementing these commands. If either the conduit permit ip any any or access-list 101 permit ip any any command is implemented, any host on the untrusted network could access any host on the trusted network using IP as long as there was an active translation.
My question is this: will a conduit denying UDP port 1434 (or any port, for that matter) have any effect with the IP any conduit in place, given that there is more than likely an active translation in the table?
If your conduit rule denying UDP is set before the ip any any, all traffic will be let through except for that specific UDP port or whichever port you define. By looking at your notes it seems that you are trying to protect against the Slammer worm coming to your network from your DMZ while still allowing other traffic to go through. If this is the case, putting the UDP port rule before the ip any any will protect you from the worm.
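A small model of the first-match ordering the reply describes, added here as an example (not code from the original thread or from Cisco): it assumes the simplified rule fields and constructed packets shown, and models only the ordering logic, not the PIX conduit implementation itself.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """Simplified conduit: action, protocol, optional destination port (assumed fields)."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol; else "udp"/"tcp"
    dst_port: Optional[int] = None  # None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: Optional[int]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; implicit deny if nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The two rules discussed in the thread.
DENY_SLAMMER = Rule("deny", "udp", 1434)   # block SQL Slammer's UDP/1434
PERMIT_ANY = Rule("permit", "ip")          # the broad "ip any any" conduit

# Constructed sample traffic from the DMZ toward the inside.
SAMPLE = (Packet("udp", 1434), Packet("udp", 53), Packet("tcp", 80))


def deny_first() -> List[str]:
    """Deny rule listed before permit: Slammer blocked, other traffic allowed."""
    return [evaluate([DENY_SLAMMER, PERMIT_ANY], p) for p in SAMPLE]


def permit_first() -> List[str]:
    """Permit listed first: it matches everything, so the deny is never reached."""
    return [evaluate([PERMIT_ANY, DENY_SLAMMER], p) for p in SAMPLE]
```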
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: