pix basics

nataraj_v
Level 1

Dear All ,

Do we require the following in any case in a PIX firewall?

access-list inside permit ip any any

Is this necessary? Can anybody throw some light on this? Thanks in advance.

Regards

Nataraj

7 Replies

sachinraja
Level 9

Nooooooo.. there is no use of having a PIX then.. ip any any permits all traffic, which will defeat the purpose of the PIX....

Even from inside to outside, by default it is ip any any.. I would always insist that everyone put access restrictions even on the inside interface.. Security is really important and we have to follow some guidelines for obtaining maximum security...

Hope this helps...

Raj

Dear Sachin Raja,

Thanks for the reply, but one doubt: anyway, the PIX allows everything outside and denies everything inside by default. Then why this access-list inside ip any any? Are there some restrictions on the inside?

Regards

nataraj

Natraj,

You are right... by default the ASA allows everything from inside to outside and denies everything from outside to inside...

There is no harm leaving the inside interface without any access-list.. all traffic will be passed.. but this might be harmful..

For eg.. let's assume some PC on your inside network is infected with the Nachi virus.. it sends an ICMP ping sweep to the PIX, which allows the traffic onto the outside router. Due to this, the router's link might get choked and the CPU might hit peak.. all this is unnecessary traffic.. If you don't put any access-list, all of this is allowed... My advice always is to have an access-list on the inside and permit only required traffic.. for eg

access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq http

access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq https

access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq ftp

etc etc.. whatever you need.

Do not include access-list inside permit ip any any here, which will again allow all traffic..

Hope you got it..

Raj

Dear SachinRaja

Thanks, one more doubt on the same issue: so as per the ASA, having access-list inside ip any any is not required at all; its presence does not matter at all.. is this right? Please confirm this.

Now in my firewall we have already blocked some ports:

access-list inside deny tcp any any eq 135

access-list inside deny tcp any any eq netbios-ssn

access-list inside deny tcp any any eq 445

access-list inside deny tcp any any eq 593

access-list inside deny tcp any any eq 5554

access-list inside deny tcp any any eq 9996

access-list inside deny udp any any eq 135

access-list inside deny udp any any eq netbios-ns

access-list inside deny udp any any eq netbios-dgm

access-list inside deny udp any any eq 445

access-list inside deny udp any any eq 4444

access-list inside permit ip any any

This is our present configuration.

I have 172.16.0.0 as the internal LAN and 192.168.0.0 as the DMZ..

So.. now..

object-group service lnt tcp

port-object eq 80

port-object eq 21

port-object eq 25

port-object eq 443

etc.

access-list inside permit tcp 172.16.0.0 255.255.240.0 any object-group lnt

Is this OK.. giving the access-list to the whole network?

Thanks again for your quick reply and helpful answer.

Regards

nataraj

Hey nataraj,

The ACLs in PIX work the same as any other ACLs.. If you put a permit ip any any at the last, there is no use of defining access-list inside.. If you don't have it, there is an implicit deny after the last ACL line.. it won't allow any other traffic or unnecessary broadcasts to go out of the PIX..

Hope you got it.. rate replies if found useful..

Raj

Dear Raj,

access-list inside deny udp any any eq 4444

access-list inside permit ip any any

Suppose we have the above 2 access-list lines in the PIX.. now my doubt is, if a connection goes out on UDP port 4444, it will be denied at the first access-list line only (this is what I'm thinking); as per my knowledge this connection is not processed any further in the access-list. Suppose any other connection comes, it is matched by the second access-list line, so it will be allowed. Is this right? Or is my thinking wrong?

Thanks and Regards

Nataraj

Natraj

You are 100% right.. that's the way it happens...

What I was telling you all the while is, you allow all the traffic which really needs to go out of the PIX.. that's it.. all other traffic is denied.. it should be this way.. not the other way around, denying all traffic and giving ip any any at the end, as you suggested...

So, for http, https, ftp etc. put a permit as shown in my previous post.. there will be an implicit deny (access-list inside deny ip any any) at the end of the access-list by default.. let all the unnecessary traffic be denied by this ACL and not permitted.. If you need more help, you can always refer to CCO on the usage of the ACLs with PIX.. I dunno if I can explain this any more.. ;)

Raj
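To make the first-match behaviour discussed in this thread concrete, here is an added Python evaluator for the PIX-style access-list lines quoted above; it is example code written for this page, not code from the thread or from Cisco. It shows that a deny-list ending in permit ip any any lets every unlisted connection through, while a permit-only list falls to the implicit deny; the sample destination 203.0.113.5 and the DMZ host 192.168.0.5 are constructed.

```python
# Added example: first-match evaluation of PIX-style "access-list <name> ..." lines.
# Only the subset of syntax used in this thread is parsed (permit/deny, ip/tcp/udp,
# "any" or "<net> <mask>" for source and destination, optional "eq <port>").
import ipaddress

PORT_NAMES = {"http": 80, "https": 443, "ftp": 21, "netbios-ssn": 139}  # small subset

def _parse_addr(tok, i):
    """Return (network, next index). PIX uses a real subnet mask, not a wildcard."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse one 'access-list <name> permit|deny <proto> <src> <dst> [eq <port>]' line."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        port = int(p) if p.isdigit() else PORT_NAMES[p]  # KeyError on unknown name
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching line wins; no match at all is the implicit deny at the end.
    Returns (action, 1-based index of the matching line or None for implicit deny)."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], n
    return "deny", None

# Constructed sample lists reflecting the two styles argued about in the thread.
BLOCKLIST_STYLE = [
    "access-list inside deny udp any any eq 4444",
    "access-list inside permit ip any any",
]
ALLOWLIST_STYLE = [
    "access-list inside permit tcp 172.16.0.0 255.255.240.0 any eq http",
    "access-list inside permit tcp 172.16.0.0 255.255.240.0 any eq https",
]
```

Run with the allow-list, a TCP 6667 connection from the inside LAN is denied only by the implicit deny (no matching line), whereas the block-list style permits it on line 2.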
