Access-list question

Dustin Barnett
Level 1

I was going through an old PIX firewall config, and correct me if I'm wrong, but doesn't the following open the firewall to anything?

access-list acl_in permit ip any any

2 Accepted Solutions

andamani
Cisco Employee

hi,

if you apply it on an outside interface then the answer is 'yes'. it opens the firewall for anything.

Regards,

Anisha

P.S.: please mark this thread as answered if your query is resolved. Do rate helpful posts.


barnettd@nulaid.com

Ok, that makes sense. This line is showing as quoted when issuing the show running-config command. This is on a PIX 501, version 6.3.

Is it assigned to no interface?

You need to look for an access-group command with the same access-list name, e.g. if your access-list was called outside_in then you need to look for a line in your config -

access-group outside_in in interface <interface>    <-- where <interface> is the actual interface it is applied to.

It may well be applied to the inside interface, although traffic is allowed out by default.

Bear in mind also that simply having this line does not permit all traffic if applied to the outside interface. You also need NAT translations for traffic to be allowed, but you should still remove it if it is applied to the outside and replace it with a more restrictive access-list, i.e. only allow in what you need to.

Jon
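One way to run the check Jon describes over a whole saved config rather than by eye, as an added example that is not from this thread or from Cisco: a small Python audit that parses PIX 6.3-style `access-list`, `access-group <name> in interface <ifname>` and `nameif ... securityN` lines, then reports where every `permit ip any any` actually lands. The two sample configs embedded in it are constructed for illustration. Two assumptions follow from Jon's reasoning rather than from anything posted: the "outside" interface is taken to be the one with the lowest security level, and a wide-open ACL bound to a higher-security interface is reported as informational because it only reproduces the default outbound behaviour.

```python
"""Audit a PIX 6.3-style config: find 'permit ip any any' access-lists and
report which interface (if any) each one is applied to via access-group.
Added example; sample configs below are constructed, not from the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# PIX 6.3 syntax: access-group <acl> in interface <ifname>  (only 'in' exists in 6.x)
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$")
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$")

# Constructed config: wide-open ACL bound to the inside interface (Dustin's case).
WEAK_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_in permit ip any any
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
access-group acl_in in interface inside
"""

# Constructed config: the same ACL bound to the outside interface (the bad case).
OPEN_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_in permit ip any any
access-group acl_in in interface outside
"""

Ace = Tuple[str, str, str]  # (action, protocol, remainder of the line)


@dataclass(frozen=True)
class Finding:
    acl: str
    interface: Optional[str]  # None when the ACL is defined but never applied
    severity: str             # "CRITICAL", "INFO" or "UNUSED"
    note: str


def parse_config(text: str):
    """Collect ACL entries, access-group bindings and interface security levels."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, str] = {}
    levels: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4).strip()))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
            continue
        m = NAMEIF_RE.match(line)
        if m:
            levels[m.group(1)] = int(m.group(2))
    return acls, bindings, levels


def is_wide_open(ace: Ace) -> bool:
    """True for 'permit ip any any' (and its 0.0.0.0 0.0.0.0 spelling)."""
    action, proto, rest = ace
    tokens = rest.split()
    return action == "permit" and proto == "ip" and (
        tokens == ["any", "any"] or tokens == ["0.0.0.0"] * 4
    )


def audit(text: str) -> List[Finding]:
    """Report every wide-open ACL together with where it is applied."""
    acls, bindings, levels = parse_config(text)
    lowest = min(levels.values()) if levels else None  # assumed: 'outside' = lowest level
    findings: List[Finding] = []
    for name, aces in acls.items():
        if not any(is_wide_open(a) for a in aces):
            continue
        iface = bindings.get(name)
        if iface is None:
            findings.append(Finding(name, None, "UNUSED",
                "permit ip any any is defined but not applied with access-group; remove it anyway"))
            continue
        level = levels.get(iface)
        if level is None or level == lowest:
            findings.append(Finding(name, iface, "CRITICAL",
                "permit ip any any inbound on the lowest-security (or unknown) interface; "
                "NAT/static still gates reachability, but replace it with explicit permits"))
        else:
            findings.append(Finding(name, iface, "INFO",
                "permit ip any any on a higher-security interface; same as default outbound behaviour"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak (inside)", WEAK_CONFIG), ("open (outside)", OPEN_CONFIG)):
        for f in audit(cfg):
            print(f"{label}: {f.severity} acl={f.acl} interface={f.interface} - {f.note}")
```

Feed it the text of `show running-config` saved to a file; a CRITICAL finding is the situation Anisha describes, an INFO finding is the one Dustin turned out to have, and UNUSED covers an orphan access-list that never made it into an access-group.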

Thanks for the advice. It looks like this access-list is applied to the inside interface.
