Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
647
Views
0
Helpful
4
Replies

Access-list question

Go to solution
Dustin Barnett
Level 1
Level 1

‎03-25-2011 09:44 AM - edited ‎03-11-2019 01:12 PM

I was going through an old PIX firewall config, and correct me if I'm wrong, but doesn't the following open the firewall to anything?

access-list acl_in permit ip any any

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
andamani
Cisco Employee
Cisco Employee

‎03-25-2011 10:14 AM

hi,

if you apply it on an outside interface then the answer is 'yes'. it opens the firewall for anything.

Regards,

Anisha

P.S.: please mark this thread as answered if you your query is resolved.Do rate helpful posts.

View solution in original post

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Dustin Barnett

‎03-25-2011 02:06 PM 

barnettd@nulaid.com
Ok, that makes sense. This line is showing as quoted when issuing show runningconfig command. This is on a pix 501, version 6.3.
Is it assinged to no interface?

You need to look for an access-group command with the same access-list name eg. if your access-list was called outside_in then you need to look for a line in your config -

access-group outside_in in    <-- where interface is the actual interface it is applied to.

It may well be applied to inside interface although traffic is allowed out by default.

Bear in mind also that simply having this line does not permit all traffic if applied to the outside interface. You also need NAT translations for traffic to be allowed but you should still remove it if it is applied to the outside and replace it with a more restrictive access-list ie. only allow in what you need to.

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
andamani
Cisco Employee
Cisco Employee

‎03-25-2011 10:14 AM

hi,

if you apply it on an outside interface then the answer is 'yes'. it opens the firewall for anything.

Regards,

Anisha

P.S.: please mark this thread as answered if you your query is resolved.Do rate helpful posts.

0 Helpful

Go to solution
Dustin Barnett
Level 1
Level 1
In response to andamani

‎03-25-2011 12:16 PM

Ok, that makes sense. This line is showing as quoted when issuing show runningconfig command. This is on a pix 501, version 6.3.

Is it assinged to no interface?

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Dustin Barnett

‎03-25-2011 02:06 PM 

barnettd@nulaid.com
Ok, that makes sense. This line is showing as quoted when issuing show runningconfig command. This is on a pix 501, version 6.3.
Is it assinged to no interface?

You need to look for an access-group command with the same access-list name eg. if your access-list was called outside_in then you need to look for a line in your config -

access-group outside_in in    <-- where interface is the actual interface it is applied to.

It may well be applied to inside interface although traffic is allowed out by default.

Bear in mind also that simply having this line does not permit all traffic if applied to the outside interface. You also need NAT translations for traffic to be allowed but you should still remove it if it is applied to the outside and replace it with a more restrictive access-list ie. only allow in what you need to.

Jon

0 Helpful

Go to solution
Dustin Barnett
Level 1
Level 1
In response to Jon Marshall

‎03-25-2011 03:55 PM

Thanks for the adivce. It looks like this access-list is applied to the inside interface.

0 Helpful
Related community topics
Review Cisco Networking for a $25 gift card
Top