
We have configured an access list on the outside interface to permit any any. Please check the firewall configuration and help me sort out whether this is a security concern.

vikasahuja2006
Level 1

TSAL-FW01/act# sh run access-group
access-group OUTSIDE1_access_in in interface OUTSIDE1
access-group OUTSIDE2_access_in in interface OUTSIDE2
access-group INSIDE_access_in in interface INSIDE
access-group TSAL_WAN1_access_in in interface TSAL_WAN1

TSAL-FW01/act# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE1_access_in; 1 elements; name hash: 0x6417c86c
access-list OUTSIDE1_access_in line 1 extended permit ip any any (hitcnt=113414) 0x224c20c3
access-list acl-amzn; 1 elements; name hash: 0xa4c82052
access-list acl-amzn line 1 extended permit ip any 192.168.144.0 255.255.252.0 (hitcnt=0) 0xa9205a1a
access-list <outside_access_in>; 4 elements; name hash: 0x4a082cfb
access-list <outside_access_in> line 1 extended permit ip host 203.83.222.237 host 14.141.251.218 (hitcnt=0) 0x26118cfc
access-list <outside_access_in> line 2 extended permit ip host 203.83.222.236 host 14.141.251.218 (hitcnt=0) 0x77799af1
access-list <outside_access_in> line 3 extended permit ip host 46.34.90.132 host 14.141.251.218 (hitcnt=0) 0x1a0c6ab3
access-list <outside_access_in> line 4 extended permit ip host 46.34.90.132 host 125.16.58.54 (hitcnt=0) 0xe98f0512
access-list TSAL_WAN1_access_in; 1 elements; name hash: 0xf1299c6a
access-list TSAL_WAN1_access_in line 1 extended permit ip any any (hitcnt=472071) 0x8676f8bc
access-list OUTSIDE2_access_in; 1 elements; name hash: 0xf2f5e661
access-list OUTSIDE2_access_in line 1 extended permit ip any any (hitcnt=34) 0x011802be
access-list INSIDE_access_in; 1 elements; name hash: 0xb71cec1d
access-list INSIDE_access_in line 1 extended permit ip any any (hitcnt=2873884) 0xeabcad32
access-list acl-amadeus-germany; 14 elements; name hash: 0x8df5663f
access-list acl-amadeus-germany line 1 extended permit ip object 156_157_Subnet host 194.156.170.207 (hitcnt=36) 0xa60501ea
access-list acl-amadeus-germany line 1 extended permit ip 192.168.156.0 255.255.254.0 host 194.156.170.207 (hitcnt=36) 0xa60501ea
access-list acl-amadeus-germany line 2 extended permit ip object 156_157_Subnet host 194.156.170.208 (hitcnt=36) 0x00c426ee
access-list acl-amadeus-germany line 2 extended permit ip 192.168.156.0 255.255.254.0 host 194.156.170.208 (hitcnt=36) 0x00c426ee
access-list acl-amadeus-germany line 3 extended permit ip object 156_157_Subnet host 194.76.166.33 (hitcnt=213) 0xc58ed9e2
access-list acl-amadeus-germany line 3 extended permit ip 192.168.156.0 255.255.254.0 host 194.76.166.33 (hitcnt=213) 0xc58ed9e2
access-list acl-amadeus-germany line 4 extended permit ip object 156_157_Subnet host 194.76.166.34 (hitcnt=200) 0x67f50a98
access-list acl-amadeus-germany line 4 extended permit ip 192.168.156.0 255.255.254.0 host 194.76.166.34 (hitcnt=200) 0x67f50a98
access-list acl-amadeus-germany line 5 extended permit ip object 156_157_Subnet host 171.17.36.12 (hitcnt=209) 0x2e63ff7c
access-list acl-amadeus-germany line 5 extended permit ip 192.168.156.0 255.255.254.0 host 171.17.36.12 (hitcnt=209) 0x2e63ff7c
access-list acl-amadeus-germany line 6 extended permit ip object 156_157_Subnet host 171.17.37.12 (hitcnt=218) 0x025d3b50
access-list acl-amadeus-germany line 6 extended permit ip 192.168.156.0 255.255.254.0 host 171.17.37.12 (hitcnt=218) 0x025d3b50
access-list acl-amadeus-germany line 7 extended permit ip object 156_157_Subnet host 171.17.38.12 (hitcnt=35) 0xd6bd8cc3
access-list acl-amadeus-germany line 7 extended permit ip 192.168.156.0 255.255.254.0 host 171.17.38.12 (hitcnt=35) 0xd6bd8cc3
access-list acl-amadeus-germany line 8 extended permit ip object 156_157_Subnet host 171.17.39.12 (hitcnt=34) 0x208d3dad
access-list acl-amadeus-germany line 8 extended permit ip 192.168.156.0 255.255.254.0 host 171.17.39.12 (hitcnt=34) 0x208d3dad
access-list acl-amadeus-germany line 9 extended permit ip object 156_157_Subnet host 171.17.38.2 (hitcnt=177) 0xc7bc21de
access-list acl-amadeus-germany line 9 extended permit ip 192.168.156.0 255.255.254.0 host 171.17.38.2 (hitcnt=177) 0xc7bc21de
access-list acl-amadeus-germany line 10 extended permit ip object 156_157_Subnet host 171.17.39.2 (hitcnt=175) 0x329ab2e5
access-list acl-amadeus-germany line 10 extended permit ip 192.168.156.0 255.255.254.0 host 171.17.39.2 (hitcnt=175) 0x329ab2e5
access-list acl-amadeus-germany line 11 extended permit ip object 156_157_Subnet host 193.23.185.93 (hitcnt=33) 0x0fba557b
access-list acl-amadeus-germany line 11 extended permit ip 192.168.156.0 255.255.254.0 host 193.23.185.93 (hitcnt=33) 0x0fba557b
access-list acl-amadeus-germany line 12 extended permit ip object 156_157_Subnet host 194.76.166.93 (hitcnt=175) 0x3387db19
access-list acl-amadeus-germany line 12 extended permit ip 192.168.156.0 255.255.254.0 host 194.76.166.93 (hitcnt=175) 0x3387db19
access-list acl-amadeus-germany line 13 extended permit ip object 156_157_Subnet host 171.17.10.21 (hitcnt=329) 0x3ee99c08
access-list acl-amadeus-germany line 13 extended permit ip 192.168.156.0 255.255.254.0 host 171.17.10.21 (hitcnt=329) 0x3ee99c08
access-list acl-amadeus-germany line 14 extended permit ip object 156_157_Subnet host 194.156.171.129 (hitcnt=12) 0x67597d5a
access-list acl-amadeus-germany line 14 extended permit ip 192.168.156.0 255.255.254.0 host 194.156.171.129 (hitcnt=12) 0x67597d5a
access-list acl-amadeus-turkey; 6 elements; name hash: 0x83af7361
access-list acl-amadeus-turkey line 1 extended permit ip host 192.168.157.30 object-group A1turkey-all (hitcnt=131) 0xe3d57164
access-list acl-amadeus-turkey line 1 extended permit ip host 192.168.157.30 host 129.1.4.120 (hitcnt=0) 0xa74cfebd
access-list acl-amadeus-turkey line 1 extended permit ip host 192.168.157.30 host 129.1.4.121 (hitcnt=273) 0x5a265254
access-list acl-amadeus-turkey line 1 extended permit ip host 192.168.157.30 host 129.1.4.16 (hitcnt=14) 0x1113e6c9
access-list acl-amadeus-turkey line 1 extended permit ip host 192.168.157.30 host 129.1.4.17 (hitcnt=10) 0x7870bdd9
access-list acl-amadeus-turkey line 1 extended permit ip host 192.168.157.30 host 129.1.4.24 (hitcnt=192) 0x07791e26
access-list acl-amadeus-turkey line 2 extended permit esp any any (hitcnt=26439) 0x7dcb208c
access-list acl-mumbai-airport; 2 elements; name hash: 0xdd64ea07
access-list acl-mumbai-airport line 1 extended permit ip object 156_157_Subnet object Mumbai-LAN (hitcnt=109) 0x1d709e19
access-list acl-mumbai-airport line 1 extended permit ip 192.168.156.0 255.255.254.0 192.168.162.0 255.255.255.192 (hitcnt=109) 0x1d709e19
access-list acl-mumbai-airport line 2 extended permit ip object 100_101_Subnet object Mumbai-LAN (hitcnt=0) 0x4cb71af5
access-list acl-mumbai-airport line 2 extended permit ip 192.168.100.0 255.255.254.0 192.168.162.0 255.255.255.192 (hitcnt=0) 0x4cb71af5
access-list Dubai_Local_LAN; 1 elements; name hash: 0x7c8e7222
access-list Dubai_Local_LAN line 1 extended permit ip any any (hitcnt=0) 0xf37061c9
access-list VPN_Access_Rule; 23 elements; name hash: 0x4473bddb
access-list VPN_Access_Rule line 1 standard permit host 171.17.10.21 (hitcnt=0) 0xdf4f31b6
access-list VPN_Access_Rule line 2 standard permit host 171.17.36.12 (hitcnt=0) 0xb1912462
access-list VPN_Access_Rule line 3 standard permit host 171.17.37.12 (hitcnt=0) 0xf916f33d
access-list VPN_Access_Rule line 4 standard permit host 171.17.38.2 (hitcnt=0) 0xf085f539
access-list VPN_Access_Rule line 5 standard permit host 171.17.38.12 (hitcnt=0) 0x8f956009
access-list VPN_Access_Rule line 6 standard permit host 171.17.39.2 (hitcnt=0) 0x40f2888a
access-list VPN_Access_Rule line 7 standard permit host 171.17.39.12 (hitcnt=0) 0xbb8e2762
access-list VPN_Access_Rule line 8 standard permit host 193.23.185.93 (hitcnt=0) 0xa9a8cafc
access-list VPN_Access_Rule line 9 standard permit host 194.76.166.33 (hitcnt=0) 0xf9ac01d9
access-list VPN_Access_Rule line 10 standard permit host 194.76.166.34 (hitcnt=0) 0x07b9cf52
access-list VPN_Access_Rule line 11 standard permit host 194.76.166.93 (hitcnt=0) 0xc6d4d2d3
access-list VPN_Access_Rule line 12 standard permit host 194.156.170.207 (hitcnt=0) 0x33732ebb
access-list VPN_Access_Rule line 13 standard permit host 194.156.170.208 (hitcnt=0) 0xc53d3795
access-list VPN_Access_Rule line 14 standard permit host 194.156.171.129 (hitcnt=0) 0xf08989d6
access-list VPN_Access_Rule line 15 standard permit host 129.1.4.24 (hitcnt=0) 0x87de6108
access-list VPN_Access_Rule line 16 standard permit host 129.1.4.121 (hitcnt=0) 0xee6214e6
access-list VPN_Access_Rule line 17 remark Vistara LAN
access-list VPN_Access_Rule line 18 standard permit 192.168.156.0 255.255.255.0 (hitcnt=0) 0x2e38d155
access-list VPN_Access_Rule line 19 remark Vistara WLAN
access-list VPN_Access_Rule line 20 standard permit 192.168.100.0 255.255.254.0 (hitcnt=0) 0x54bace40
access-list VPN_Access_Rule line 21 remark Network Equipment Access range
access-list VPN_Access_Rule line 22 standard permit 192.168.158.240 255.255.255.240 (hitcnt=0) 0x691e3430
access-list VPN_Access_Rule line 23 remark Management Range of Vistara
access-list VPN_Access_Rule line 24 standard permit 192.168.157.224 255.255.255.224 (hitcnt=0) 0x72b455c6
access-list VPN_Access_Rule line 25 remark CX-Module-I
access-list VPN_Access_Rule line 26 standard permit host 172.16.16.10 (hitcnt=0) 0x6e215cda
access-list VPN_Access_Rule line 27 remark CX-Module-II
access-list VPN_Access_Rule line 28 standard permit host 172.16.16.20 (hitcnt=0) 0x6e978110
access-list VPN_Access_Rule line 29 remark Airport-T3 IP Range
access-list VPN_Access_Rule line 30 standard permit 192.168.159.0 255.255.255.0 (hitcnt=0) 0x8f43e9d1

2 Replies

Hi Vishal,

Do not configure permit ip any any on the outside interface as it will allow all the traffic to be permitted inside your network.

I completely agree with the above statement. With that any any you basically disabled your firewall.
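Both replies make the same point: an ACL containing permit ip any any applied inbound on an outside interface lets everything through. The script below is an added example (not code from the thread or from Cisco) that turns that check into an audit of the two outputs posted above, "sh run access-group" and "sh access-list". The sample text is a constructed, trimmed copy of the posted output, and the assumption that INSIDE is the only interface where an any any permit is acceptable is a parameter the reader can change.

```python
import re

# Constructed sample, trimmed from the ASA output posted in the thread.
ACCESS_GROUP_OUTPUT = """\
access-group OUTSIDE1_access_in in interface OUTSIDE1
access-group OUTSIDE2_access_in in interface OUTSIDE2
access-group INSIDE_access_in in interface INSIDE
access-group TSAL_WAN1_access_in in interface TSAL_WAN1
"""
ACCESS_LIST_OUTPUT = """\
access-list OUTSIDE1_access_in line 1 extended permit ip any any (hitcnt=113414) 0x224c20c3
access-list acl-amzn line 1 extended permit ip any 192.168.144.0 255.255.252.0 (hitcnt=0) 0xa9205a1a
access-list TSAL_WAN1_access_in line 1 extended permit ip any any (hitcnt=472071) 0x8676f8bc
access-list OUTSIDE2_access_in line 1 extended permit ip any any (hitcnt=34) 0x011802be
access-list INSIDE_access_in line 1 extended permit ip any any (hitcnt=2873884) 0xeabcad32
access-list Dubai_Local_LAN line 1 extended permit ip any any (hitcnt=0) 0xf37061c9
"""

GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
# An ACE whose source and destination are both "any" (any4/any6 included).
OPEN_ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+line\s+(\d+)\s+extended\s+permit\s+(\S+)"
    r"\s+any[46]?\s+any[46]?\s+\(hitcnt=(\d+)\)"
)

def parse_access_groups(text):
    """Map ACL name -> list of (direction, interface) bindings."""
    bindings = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            bindings.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return bindings

def find_open_permits(text):
    """Yield (acl, line, protocol, hitcnt) for every 'permit <proto> any any' ACE."""
    for line in text.splitlines():
        m = OPEN_ACE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def audit(groups_text, acl_text, trusted=("INSIDE",)):
    """Report wide-open ACEs applied inbound on any interface not listed as trusted.
    Assumption: only the interfaces in 'trusted' may legitimately carry permit any any."""
    bindings = parse_access_groups(groups_text)
    findings = []
    for acl, line, proto, hits in find_open_permits(acl_text):
        for direction, iface in bindings.get(acl, []):
            if direction == "in" and iface not in trusted:
                findings.append({"interface": iface, "acl": acl, "line": line,
                                 "protocol": proto, "hitcnt": hits})
    return sorted(findings, key=lambda f: f["interface"])

if __name__ == "__main__":
    for f in audit(ACCESS_GROUP_OUTPUT, ACCESS_LIST_OUTPUT):
        print(f"{f['interface']}: {f['acl']} line {f['line']} permits {f['protocol']} "
              f"any any inbound ({f['hitcnt']} hits); the firewall is open on this interface")
```

On the posted configuration this flags OUTSIDE1, OUTSIDE2 and TSAL_WAN1; Dubai_Local_LAN also contains permit ip any any but is not bound to any interface, so it is not reported.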
