https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452746#M80652 <P>hi,</P><P>basic question!</P><P></P><P>what i'm passing when i do access-list t2 permit ip any any?</P><P></P><P>permiting all tcpip stack?</P><P>when i permit tcp i'm not also permiting ip?</P><P></P><P>thanks</P><P></P><P>where can i read more about these separation of tcp udp ip icmp?</P> Sat, 09 Mar 2019 20:49:52 GMT joaquimlopes 2019-03-09T20:49:52Z https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452746#M80652 <P>hi,</P><P>basic question!</P><P></P><P>what i'm passing when i do access-list t2 permit ip any any?</P><P></P><P>permiting all tcpip stack?</P><P>when i permit tcp i'm not also permiting ip?</P><P></P><P>thanks</P><P></P><P>where can i read more about these separation of tcp udp ip icmp?</P> Sat, 09 Mar 2019 20:49:52 GMT https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452746#M80652 joaquimlopes 2019-03-09T20:49:52Z https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452747#M80653 <HTML><HEAD></HEAD><BODY><P>The statement ip will allow ICMP, TCP, and UDP.</P><P></P><P>4 - Transport =&gt; TCP, UDP, RTP, SCTP </P><P>3 - Network =&gt; IP, ICMP, IPsec, ARP, RIP, BGP</P><P></P><P>TCP will allow all TCP connection oriented protocols as http, https, ftp, telnet ...</P><P>UDP will all connection less protocols as TFTP, DNS ..</P><P>ICMP is all the internet messages protocols as echo, echo reply.</P><P></P><P>Command reference guide:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1067755" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1067755</A></P><P>Establishing Connectivity:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html</A></P><P></P><P>Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.</P><P></P><P>Take also a look at the OSI Reference model of TCP/IP:</P><P><A class="jive-link-custom" href="http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci523729,00.html" target="_blank">http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci523729,00.html</A></P><P><A class="jive-link-custom" href="http://en.wikipedia.org/wiki/OSI_model" target="_blank">http://en.wikipedia.org/wiki/OSI_model</A></P><P><A class="jive-link-custom" href="http://en.wikipedia.org/wiki/OSI_protocols" target="_blank">http://en.wikipedia.org/wiki/OSI_protocols</A></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Wed, 26 Oct 2005 00:00:35 GMT https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452747#M80653 Patrick Iseli 2005-10-26T00:00:35Z https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452748#M80654 <HTML><HEAD></HEAD><BODY><P>permit ip means permitting both tcp and udp including all ports.</P><P></P><P>the reason being the router/pix will examine layer3 first then layer4, as layer4 is encapsulated in layer3.</P></BODY></HTML> Wed, 26 Oct 2005 00:02:03 GMT https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452748#M80654 jackko 2005-10-26T00:02:03Z https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452749#M80655 <HTML><HEAD></HEAD><BODY><P>thanks for the reply</P><P></P><P>so, can i permit only for eg: outbound tcp www without any permit ip statements?</P><P>or do i have always to use permit ip somewhere and then filter at higher level?</P><P>i thought that allowing tcp will allow lower stack level to accomplish the permitted task</P><P></P><P>once again thanks</P></BODY></HTML> Wed, 26 Oct 2005 10:16:00 GMT https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452749#M80655 joaquimlopes 2005-10-26T10:16:00Z https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452750#M80656 <HTML><HEAD></HEAD><BODY><P>No, you should never use the ip statement if possible (sometimes for blocking is ok), it is always better to explicit permit the protocols that you want to permit.</P><P></P><P>example:</P><P></P><P>access-list inside permit tcp InsideNetwork InsideSubnetmask any eq www</P><P>access-list inside permit tcp InsideNetwork InsideSubnetmask any eq https</P><P>access-list inside permit tcp InsideNetwork InsideSubnetmask any range 20 21</P><P>access-group inside in interface inside</P><P></P><P>Note: If you do not limit the protocols on the inside interface then all traffic is allowed to go to any other lower security level interfaces on a PIX.</P><P></P><P>Security levels by default are:</P><P>outside = 0</P><P>dmz = 50</P><P>inside = 100</P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Wed, 26 Oct 2005 12:00:49 GMT https://community.cisco.com/t5/other-security-subjects/permit-ip-protocol/m-p/452750#M80656 Patrick Iseli 2005-10-26T12:00:49Z