Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6396
Views
0
Helpful
4
Replies

What does 'ip' mean (low level) in an ASA ACL?

Go to solution
aLeffingwell
Level 1
Level 1

‎03-07-2013 09:13 AM - edited ‎03-11-2019 06:11 PM

Hey All,

Having a moment here - I see it every day: access-list SOMETHING extended permit ip ........

I use 'ip' when I intend to say 'everything' but I didn't know how the IOS actually summarized 'ip' internally.

All of the other port 'macros' (not really sure you would call them?) like www, and ftp, have direct correlations like 80, 21.. Anyway, just got me thinking.  Looking forward to learning what it really means at the lower level!

Thanks in advance,

Kindest Regards,

Alan

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to aLeffingwell

‎03-07-2013 09:45 AM

Hi,

Yes it should pretty much allow everything through the firewall.

Most common are the mentioned TCP (every port), UDP (every port) and ICMP

Naturally some traffic might be controlled by the ASA differently and a simple ACL might not do the trick. Might have to for example enable or disable inspections on the ASA.

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎03-07-2013 09:30 AM

Hi,

The "access-list" rule containing "permit ip" basically allows all the traffic

This includes TCP, UDP and ICMP

When you use either TCP or UDP then you can permit separate ports

- Jouni

0 Helpful

Go to solution
aLeffingwell
Level 1
Level 1
In response to Jouni Forss

‎03-07-2013 09:33 AM

Hey Jouni,

Yeah, this is how I understood it, so are you saying that at the low level it's like putting: Extended permit TCP _every port, UDP _every port, ICMP _every flag?

I know I'm overthinking this, but curiosity did kill the cat !!  Perhaps I should just leave my understanding at 'ip' means 'everything'.

Thanks!

Kindest Regards,

ALAN

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to aLeffingwell

‎03-07-2013 09:45 AM

Hi,

Yes it should pretty much allow everything through the firewall.

Most common are the mentioned TCP (every port), UDP (every port) and ICMP

Naturally some traffic might be controlled by the ASA differently and a simple ACL might not do the trick. Might have to for example enable or disable inspections on the ASA.

- Jouni

0 Helpful

Go to solution
aLeffingwell
Level 1
Level 1
In response to Jouni Forss

‎03-07-2013 09:49 AM

Hey Jouni,

Awesome!  Thanks for relieving my brain fart moment!

Kindest Regards,

ALAN

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card