11-22-2017 07:40 AM - edited 02-21-2020 06:49 AM
Hi Guys,
Can someone please explain to me exactly what this command mean:
access-list acl-outside extended permit tcp any4 any4
Thanks,
Lake
11-22-2017 01:26 PM
Hi,
I just checked the ACL configuration (very quickly) and I can tell you there is no need to have that ACL.
You would have that ACL only if you are troubleshooting the FW (only for a minute or so) and you want to check whether the FW is dropping a TCP connection or not, but having it in production is basically like having no firewall for TCP sessions (please allow any TCP session from anyone on the outside to any asset on the inside {of course that asset needs to be advertised by NAT, and you have a few of those}).
You can remove it as this is not safe at all.
Regards
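To make the point in the answer above concrete, here is an added example (not from the thread or from Cisco) that audits ASA `access-list ... extended` lines and flags any `permit` whose source and destination are both `any`/`any4`/`any6` with no destination port qualifier, which is exactly what `permit tcp any4 any4` is. The ACE grammar is a simplified subset (assumptions: `object-group` right after the source address is treated as a destination network group, not a source service group; port qualifiers `eq`/`neq`/`lt`/`gt`/`range`, plus `object-group` after the destination, are recognised), and the sample config is constructed.

```python
"""Flag any-to-any permits in Cisco ASA extended ACLs (added example, simplified grammar)."""
from dataclasses import dataclass
from typing import List, Optional

ANY_WORDS = {"any", "any4", "any6"}
PORT_OPS = {"eq", "neq", "lt", "gt"}


@dataclass
class Ace:
    acl: str
    action: str
    protocol: str
    src: str
    dst: str
    src_port: Optional[str]
    dst_port: Optional[str]
    raw: str


def _take_addr(tokens: List[str], i: int):
    """Consume one address spec starting at tokens[i]; return (spec, next_index)."""
    t = tokens[i]
    if t in ANY_WORDS:
        return t, i + 1
    if t in ("host", "object", "object-group", "interface"):
        return f"{t} {tokens[i + 1]}", i + 2
    if "/" in t or ":" in t:          # IPv6 addr/prefix written as one token
        return t, i + 1
    return f"{t} {tokens[i + 1]}", i + 2   # IPv4 "address mask"


def _take_port(tokens: List[str], i: int, allow_group: bool):
    """Consume an optional port qualifier; return (spec or None, next_index)."""
    if i >= len(tokens):
        return None, i
    t = tokens[i]
    if t in PORT_OPS:
        return f"{t} {tokens[i + 1]}", i + 2
    if t == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    if allow_group and t == "object-group":   # service object-group on the destination
        return f"object-group {tokens[i + 1]}", i + 2
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list NAME extended ACTION PROTO SRC [PORT] DST [PORT] ...' line."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None                      # remarks, standard ACLs, unrelated config
    acl, action = tokens[1], tokens[3]
    if tokens[4] == "object-group":      # protocol given as a protocol object-group
        protocol, i = f"object-group {tokens[5]}", 6
    else:
        protocol, i = tokens[4], 5
    src, i = _take_addr(tokens, i)
    src_port, i = _take_port(tokens, i, allow_group=False)
    dst, i = _take_addr(tokens, i)
    dst_port, i = _take_port(tokens, i, allow_group=True)
    return Ace(acl, action, protocol, src, dst, src_port, dst_port, line.strip())


def is_any_to_any_permit(ace: Ace) -> bool:
    """A permit from anywhere to anywhere with no destination port limit."""
    return (ace.action == "permit"
            and ace.src in ANY_WORDS and ace.dst in ANY_WORDS
            and ace.dst_port is None)


def audit(config_text: str) -> List[str]:
    """Return the raw ACE lines that open the interface wide for their protocol."""
    findings = []
    for line in config_text.splitlines():
        ace = parse_ace(line)
        if ace and is_any_to_any_permit(ace):
            findings.append(ace.raw)
    return findings


# Constructed sample config; the first permit is the ACE asked about in the thread.
SAMPLE_CONFIG = """\
access-list acl-outside remark Constructed sample, not a real device config
access-list acl-outside extended permit tcp any4 any4
access-list acl-outside extended permit tcp any4 host 203.0.113.10 eq 443
access-list acl-outside extended permit udp any4 object DNS_SERVER eq domain
access-list acl-outside extended permit ip any any
access-list acl-outside extended deny ip any4 any4 log
access-group acl-outside in interface outside
"""

if __name__ == "__main__":
    for hit in audit(SAMPLE_CONFIG):
        print("over-permissive:", hit)
```

The two hits on the sample are `permit tcp any4 any4` and `permit ip any any`; the host/object permits with an `eq` port qualifier and the final `deny` are left alone. Run it over `show running-config access-list` output to find the same pattern on a real box before deciding what the ACE is actually carrying.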
11-23-2017 07:06 AM
Thanks a lot to everyone who helped answer my questions. I do have one more question. What does this command do: aaa authorization exec authentication-server auto-enable?
Thanks,
Lake
11-23-2017 07:25 AM - edited 11-23-2017 07:26 AM
It is an AAA method to check if a successfully authenticated user can enter EXEC mode, and if so, enter EXEC mode automatically upon login.
cheers,
Seb.
11-23-2017 07:28 AM
Thank you very much.
11-23-2017 12:15 AM
Hi there,
We need to see the host addresses of those network objects to determine if there is a specific ACE in acl-outside covering them. If there isn't, then we can assume that NAT'd traffic to those hosts was permitted by the 'any4 any4' rule and is no longer functioning correctly.
cheers,
Seb.