topic Re: Why use Permit ip any in Network Security

Why use Permit ip any

h.dam — Fri, 21 Feb 2020 15:15:05 GMT

Hi guys,

I found the configuration of a ASA 5525 strange to me. I can't understand why there's Permit ip any any at the end of ACL, as follows:

access-list DMZ_access_in extended permit tcp object SRV_SYSLOG eq 6514 object SRV_MC eq 6514
access-list DMZ_access_in extended permit udp object SRV_SYSLOG object SRV_AD eq domain
access-list DMZ_access_in extended permit tcp object SRV_SYSLOG object SRV_AD eq LDAP
access-list DMZ_access_in extended permit ip any any
!
access-list MGT_access_in extended permit ip any any
!
access-group DMZ_access_in in interface DMZ
access-group MGT_access_in in interface MGT

where

DMZ (security-level 50) contains: SRV_SYSLOG

MGT (security-level 100) contains: SRV_AD, SRV_MC

Is permit ip any any used to log the traffic? or to allow the return traffic?

Is it useful ? Can I delete it ?

Thanks.

Re: Why use Permit ip any

mikael.lahtela — Wed, 31 Jan 2018 22:19:17 GMT

Hi,

ASA is stateful firewall, so it will allow return traffic anyways.
As soon as you have added a ACE in a ACL the security levels are disregarded.
So in this case I would believe someone added the permit any any on the end because something wasn't working from the DMZ.
If you disable/remove it you might have something in DMZ that stops working.
I would try to see how much hits I get on that rule and then try to analyze if the traffic should be allowed or not.
If the rule above includes all traffic that should be allowed, I would disable the rule and wait for someone to call for help.

br, Micke

Re: Why use Permit ip any

Ajay Saini — Thu, 01 Feb 2018 04:53:43 GMT

Hello,

Please find answers below:

Is permit ip any any used to log the traffic? or to allow the return traffic?

Is it useful ? Can I delete it ?

No, its not use to log traffic. It is not needed to allow return traffic. ASA is a stateful device and does need ACL to allow return traffic.

It can be useful at certain times for testing but having ip any any ACL actually defeats the purpose of having a firewall.

You can delete it once you confirm that all the other ACL will be sufficient to handle the traffic and does not break the production environment.

I would suggest that you enable syslogs at level 6 and check whats going through your DMZ interface or list down the requirements and then delete it.

One approach is cowboy approach wherein you delete it and then let people complaint. Then you can create specific ACL as per requirement. As a downside, you might not get happy people around.

Good luck,

Re: Why use Permit ip any

h.dam — Thu, 01 Feb 2018 12:28:40 GMT

Hi guys,

Thanks for your quick replies.

I will remove this permit ip any and wait for some calls if any. At the sametime, I analyse the logging.

Re: Why use Permit ip any

Marvin Rhoads — Fri, 02 Feb 2018 12:03:36 GMT

@Ajay Saini wrote:

<snip>

One approach is cowboy approach wherein you delete it and then let people complaint. Then you can create specific ACL as per requirement. As a downside, you might not get happy people around.

I love it Ajay - made me laugh!

Re: Why use Permit ip any

SS2020 — Sat, 24 Aug 2024 22:39:14 GMT

Hello Team,

what is the security risk to enable ip any any on the outside interface?

when i remove this ACL, nothing is working.

if it's security risk what is the alternative solutions, please?

Re: Why use Permit ip any

Amine ZAKARIA — Sun, 25 Aug 2024 13:53:53 GMT

@SS2020 ,

Could you please create a new post for you question ?