03-25-2011 09:44 AM - edited 03-11-2019 01:12 PM
I was going through an old PIX firewall config, and correct me if I'm wrong, but doesn't the following open the firewall to anything?
access-list acl_in permit ip any any
03-25-2011 10:14 AM
hi,
if you apply it on an outside interface then the answer is 'yes'. it opens the firewall for anything.
Regards,
Anisha
P.S.: please mark this thread as answered if your query is resolved. Do rate helpful posts.
03-25-2011 02:06 PM
Ok, that makes sense. This line is showing as quoted when issuing the show running-config command. This is on a PIX 501, version 6.3.
Is it assigned to no interface?
You need to look for an access-group command with the same access-list name, e.g. if your access-list was called outside_in then you need to look for a line in your config -
access-group outside_in in
It may well be applied to the inside interface, although traffic is allowed out by default.
Bear in mind also that simply having this line does not permit all traffic if applied to the outside interface. You also need NAT translations for traffic to be allowed, but you should still remove it if it is applied to the outside and replace it with a more restrictive access-list, i.e. only allow in what you need to.
Jon
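As an added example (not from this thread, and not Cisco's own tooling), the script below applies the checks Jon describes to a PIX 6.3-style configuration: find every access-list that contains "permit ip any any", see whether an access-group line actually binds it to an interface, and rate the result. An ACL bound inbound on the lowest-security interface (security0, normally outside) is the critical case, and the script also lists the global addresses from static translations on that interface, since on PIX 6.3 those are the hosts that become reachable once the ACL lets everything in. The same ACL on a higher-security interface only reproduces the default outbound permit, and an unbound ACL does nothing at all. Both configurations and every name and address in them are constructed for this example; the nameif / access-list / access-group / static syntax follows PIX 6.3, and only address-form statics (not the port-redirect form) are parsed.

```python
import re
from collections import defaultdict

# Constructed PIX 6.3-style configuration for this example only (not the
# configuration from the thread). acl_in is bound to inside; old_open is unbound.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_in permit ip any any
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list old_open permit ip any any
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-group acl_in in interface inside
access-group outside_in in interface outside
"""

# Constructed variant where the same open ACL is applied inbound on outside.
OPEN_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_in permit ip any any
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-group acl_in in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
# static (high_if,low_if) global_ip local_ip ...  (address form only)
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)")


def parse_config(text):
    """Collect the four statement types the audit needs from a running-config."""
    acls = defaultdict(list)   # ACL name -> list of ACE lines
    bindings = {}              # ACL name -> interface it is applied to (inbound)
    security = {}              # interface name -> security level
    statics = []               # (high_if, low_if, global_ip, local_ip)
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ACL_RE.match(line)):
            acls[m.group(1)].append(line)
        elif (m := ACCESS_GROUP_RE.match(line)):
            bindings[m.group(1)] = m.group(2)
        elif (m := NAMEIF_RE.match(line)):
            security[m.group(1)] = int(m.group(2))
        elif (m := STATIC_RE.match(line)):
            statics.append(m.groups())
    return acls, bindings, security, statics


def is_permit_ip_any_any(ace):
    """True for 'access-list NAME permit ip any any' (trailing keywords such as 'log' are ignored)."""
    m = ACL_RE.match(ace)
    return bool(m) and m.group(2) == "permit" and m.group(3) == "ip" \
        and m.group(4).split()[:2] == ["any", "any"]


def audit(text):
    """Return one (acl, interface, severity, message) tuple per ACL containing permit ip any any."""
    acls, bindings, security, statics = parse_config(text)
    lowest = min(security.values()) if security else 0
    findings = []
    for name, aces in acls.items():
        if not any(is_permit_ip_any_any(a) for a in aces):
            continue
        iface = bindings.get(name)
        if iface is None:
            findings.append((name, None, "info",
                             "permit ip any any is defined but never applied with access-group"))
        # An interface missing from nameif is treated as lowest-security (conservative).
        elif security.get(iface, lowest) == lowest:
            exposed = [g for hi, lo, g, l in statics if lo == iface]
            findings.append((name, iface, "critical",
                             "permit ip any any applied inbound on the lowest-security interface; "
                             "hosts reachable through static translations: "
                             + (", ".join(exposed) or "none defined")))
        else:
            findings.append((name, iface, "low",
                             "permit ip any any on a higher-security interface only "
                             "reproduces the default outbound permit"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("open", OPEN_CONFIG)):
        for acl, iface, sev, msg in audit(cfg):
            print(f"[{label}] {sev.upper():8} {acl} ({iface or 'unbound'}): {msg}")
```

Run it against a saved `show running-config` by reading the file into `audit()`. The severity split mirrors the thread: the open line is only an exposure when an access-group puts it inbound on the outside interface and a static (or other inbound translation) gives something for the permitted traffic to reach; bound to inside it changes nothing, and unbound it is dead configuration that should still be deleted so it cannot be applied by mistake later.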
03-25-2011 12:16 PM
Ok, that makes sense. This line is showing as quoted when issuing the show running-config command. This is on a PIX 501, version 6.3.
Is it assigned to no interface?
03-25-2011 03:55 PM
Thanks for the advice. It looks like this access-list is applied to the inside interface.