your thoughts on this outbound acl?

linnea.wren (Level 1)

Hi,

I have put the following ACL on the inside interface of our PIX 525, v6.3(5).

The goal is to prevent our network from polluting the rest of the world with Korgo.

This is my first "from scratch" ACL (I administer a system that was originally installed by others).

You'll notice there's a "permit ip any any", then later there's a "deny ip any any".

This is because I'm confused about the scope of the protocol parameter. TCP, UDP, ESP, ICMP, IP, all have their own protocol numbers. But, I know that designating IP encompasses both TCP and UDP.

Does specifying IP in the protocol parameter of an ACL encompass ALL the protocol numbers?

If that's the case, my "permit ip any any" statement ensures that I'm not blocking any outbound traffic that I want to allow. (That's my main concern - ensuring that I haven't inadvertently blocked something I shouldn't, and with the deny ip statement, I'll get hitcounts if I've gotten it wrong...)

Thx...

linnea

access-list acl_outbound line 1 permit tcp 10.0.0.0 255.0.0.0 209.129.196.0 255.255.255.0 eq 445 (hitcnt=1)

access-list acl_outbound line 2 deny tcp any any eq 3067 (hitcnt=0)

access-list acl_outbound line 3 deny tcp any any eq ident (hitcnt=0)

access-list acl_outbound line 4 deny tcp any any eq 445 (hitcnt=6)

access-list acl_outbound line 5 permit ip any any (hitcnt=48537)

access-list acl_outbound line 6 permit icmp any any (hitcnt=0)

access-list acl_outbound line 7 deny ip any any (hitcnt=0)



Fernando_Meza (Level 7)

Hi with that access-list you are ..

denying outbound TCP traffic from any to any for ports 3067, ident, 445

and allowing any other IP based protocol. Not the best practice but that is what the access list is doing.

I hope it helps .. please rate it if it does !!!

Sorry - that doesn't add to what I already know.

Putting it another way - On IANA's site there's a page listing protocol numbers for over 100 protocols. TCP is #6, UDP is #17, ICMP is #1, etc.

When you specify IP as the protocol parameter in an ACL, the ACL applies to both TCP & UDP. Does it also apply to ALL the protocols on IANA's page?

Linnea

Yes when you specify IP it does include all the other protocol numbers (TCP, UDP, ICMP, ESP, GRE, etc)

HTH

Rick


Thanks Rick,

I went back to the IANA page to check the protocol number for IP, tried out an ACL using protocol number 4, and sure enough, PIX IOS translates that to IPINIP, not to IP.

So the keyword IP, in this context, is not actually a protocol.

Thanks again. (By the way, when I rated your previous answer, I missed the "solved my problem" check box. Respond again, and I'll fix that...)

Linnea

Yes I think that you have the concept now. The protocols listed on the IANA page are layer 4 protocols that run on top of IP. When you specify IP you inherently get all of them.

One picky point: about your statement that IP is not a protocol, IP is a protocol. It is a layer 3 protocol that runs over Ethernet, or Frame Relay, or HDLC, etc. When you create an IP access list IP is the base protocol and if you specify IP then you get everything that is built on that base.

HTH

Rick


Hi .. on my previous post I had mentioned IP based protocols. The protocols you are referring to ARE IP BASED and so are included on the access list.

PROTOCOL NUMBERS

(last updated 28 March 2006)

In the Internet Protocol version 4 (IPv4) [RFC791] there is a field, called "Protocol", to identify the next level protocol. This is an 8 bit field. In Internet Protocol version 6 (IPv6) [RFC1883] this field is called the "Next Header" field.

obynz (Level 1)

Just to add here:

The rule base is being read sequentially. Line 5 will permit all IP protocols (TCP and UDP) and that is why you are getting hitcnts.

Line 7 will not see any traffic as packets would have been permitted by line 5.

Lines 2,3,4 are denying port 3067, ident, 445. The only permitted traffic on port 445 will be restricted to the network addresses in source ---> destination portion in line 1.
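As an added illustration (not part of the thread or of PIX code), the following Python models first-match evaluation over the seven-line ACL quoted above, so the points made in the replies can be checked offline: the "ip" keyword matches every protocol number, line 7 never gets a hit because line 5 already permits everything, and port 445 is only permitted toward the subnet named in line 1. The protocol-number table, the resolution of "ident" to TCP/113 and the sample packets are assumptions constructed for the example.

```python
import ipaddress

# The ACL from the thread, in PIX order, as data: (action, protocol, src, dst, dst_port).
ACL = [
    ("permit", "tcp",  "10.0.0.0/8", "209.129.196.0/24", 445),
    ("deny",   "tcp",  "any",        "any",              3067),
    ("deny",   "tcp",  "any",        "any",              113),   # "eq ident" resolves to 113
    ("deny",   "tcp",  "any",        "any",              445),
    ("permit", "ip",   "any",        "any",              None),
    ("permit", "icmp", "any",        "any",              None),
    ("deny",   "ip",   "any",        "any",              None),
]
# IANA protocol numbers discussed in the thread (assumed lookup table for this example).
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _proto_match(spec, proto_num):
    # "ip" is the base protocol: it matches every protocol number carried in the
    # IPv4 Protocol field, which is the point Rick makes in the thread.
    return spec == "ip" or PROTO[spec] == proto_num

def evaluate(acl, packet):
    """Return (line_number, action) of the first matching entry, like a PIX does.
    packet = (proto_num, src_ip, dst_ip, dst_port or None)."""
    proto, src, dst, dport = packet
    for n, (action, pspec, sspec, dspec, port) in enumerate(acl, start=1):
        if not _proto_match(pspec, proto):
            continue
        if not (_addr_match(sspec, src) and _addr_match(dspec, dst)):
            continue
        if port is not None and dport != port:
            continue
        return n, action
    return None, "deny"   # implicit deny at the end of every ACL

def hit_counts(acl, packets):
    """Per-line counters, mirroring the (hitcnt=N) column of 'show access-list'."""
    counts = [0] * len(acl)
    for p in packets:
        n, _ = evaluate(acl, p)
        if n:
            counts[n - 1] += 1
    return counts

if __name__ == "__main__":
    sample = [  # constructed packets, all sourced from the 10/8 inside network
        (6,  "10.1.2.3", "209.129.196.10", 445),   # SMB to the allowed subnet -> line 1
        (6,  "10.1.2.3", "198.51.100.7",   445),   # SMB anywhere else -> line 4, denied
        (17, "10.1.2.3", "198.51.100.53",  53),    # DNS -> line 5 ("ip" covers UDP)
        (1,  "10.1.2.3", "198.51.100.7",   None),  # ICMP -> line 5, never reaches line 6
        (50, "10.1.2.3", "198.51.100.7",   None),  # ESP -> line 5 as well
    ]
    for line, counter in enumerate(hit_counts(ACL, sample), start=1):
        print(f"line {line} hitcnt={counter}")
```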
