
Why use Permit ip any

h.dam
Level 1

Hi guys,

 

I found the configuration of an ASA 5525 strange. I can't understand why there is a permit ip any any at the end of the ACL, as follows:

 

access-list DMZ_access_in extended permit tcp object SRV_SYSLOG eq 6514 object SRV_MC eq 6514
access-list DMZ_access_in extended permit udp object SRV_SYSLOG object SRV_AD eq domain
access-list DMZ_access_in extended permit tcp object SRV_SYSLOG object SRV_AD eq LDAP
access-list DMZ_access_in extended permit ip any any
!
access-list MGT_access_in extended permit ip any any
!
access-group DMZ_access_in in interface DMZ
access-group MGT_access_in in interface MGT

 

where

DMZ (security-level 50) contains: SRV_SYSLOG

MGT (security-level 100) contains: SRV_AD, SRV_MC

 

Is permit ip any any used to log the traffic, or to allow the return traffic?

Is it useful? Can I delete it?

 

Thanks.

Accepted Solutions

mikael.lahtela
Level 4
Hi,

The ASA is a stateful firewall, so it will allow return traffic anyway.
As soon as you have added an ACE to an ACL, the security levels are disregarded.
So in this case I would believe someone added the permit any any at the end because something wasn't working from the DMZ.
If you disable/remove it, you might have something in the DMZ that stops working.
I would try to see how many hits I get on that rule and then try to analyze whether the traffic should be allowed or not.
If the rules above include all the traffic that should be allowed, I would disable the rule and wait for someone to call for help.

br, Micke


Ajay Saini
Level 7

Hello, 

Please find answers below:

 

Is permit ip any any used to log the traffic, or to allow the return traffic?

Is it useful? Can I delete it?

 

No, it's not used to log traffic. It is not needed to allow return traffic. The ASA is a stateful device and does not need an ACL to allow return traffic.

 

It can be useful at certain times for testing, but having an ip any any ACL actually defeats the purpose of having a firewall.

You can delete it once you confirm that all the other ACLs will be sufficient to handle the traffic and do not break the production environment.

 

I would suggest that you enable syslogs at level 6 and check what's going through your DMZ interface, or list the requirements, and then delete it.

 

One approach is the cowboy approach, wherein you delete it and then let people complain. Then you can create specific ACLs as per requirement. As a downside, you might not get happy people around.

 

Good luck,

 

AJ

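Both accepted answers point at the same procedure: find out what traffic the trailing permit ip any any is actually carrying (hit counts, level-6 syslogs), then replace it with specific ACEs before removing it. The script below is an added example, not code from the thread or from Cisco. It parses the ASA's severity-6 connection-build messages (302013 for TCP, 302015 for UDP), keeps only connections that entered on the DMZ interface, drops the flows already matched by the three specific ACEs from the question, and drafts one host-to-host ACE for each remaining protocol/source/destination/port tuple. One detail worth checking this way: the first ACE in the question, permit tcp object SRV_SYSLOG eq 6514 object SRV_MC eq 6514, pins the source port as well as the destination port, so a client using an ephemeral source port would fall through to the catch-all; the matcher therefore compares both ports. The object-to-address mapping and the log lines are constructed for this example (the thread gives object names only), and the parsing is limited to the TCP/UDP message formats named above.

```python
"""Find the flows that only the trailing 'permit ip any any' is carrying and
draft specific ACEs to replace it. Added example; addresses and logs are constructed."""
import re
from collections import Counter

# Constructed mapping of the thread's object names to addresses (hypothetical values).
OBJECTS = {
    "SRV_SYSLOG": "10.50.0.10",   # DMZ, security-level 50
    "SRV_MC": "10.100.0.20",      # MGT, security-level 100
    "SRV_AD": "10.100.0.5",       # MGT, security-level 100
}

# The specific ACEs of DMZ_access_in as (proto, src_obj, src_port, dst_obj, dst_port).
# ASA port names: 'domain' is 53, 'LDAP' is 389. None means any source port.
SPECIFIC_ACES = [
    ("tcp", "SRV_SYSLOG", 6514, "SRV_MC", 6514),  # source port pinned to 6514, as written
    ("udp", "SRV_SYSLOG", None, "SRV_AD", 53),
    ("tcp", "SRV_SYSLOG", None, "SRV_AD", 389),
]

# ASA severity-6 connection-build messages: 302013 (TCP) and 302015 (UDP).
# "for" is the initiator, "to" is the responder; mapped addresses sit in parentheses.
LOG_RE = re.compile(
    r"%ASA-6-3020(?:13|15): Built (?:inbound|outbound) (TCP|UDP) connection \d+ "
    r"for (\S+?):(\d{1,3}(?:\.\d{1,3}){3})/(\d+) \(\S+\) "
    r"to (\S+?):(\d{1,3}(?:\.\d{1,3}){3})/(\d+) \(\S+\)"
)

# Constructed sample log lines, not captured from the poster's firewall.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 1001 for DMZ:10.50.0.10/49152 (10.50.0.10/49152) to MGT:10.100.0.20/6514 (10.100.0.20/6514)",
    "%ASA-6-302015: Built inbound UDP connection 1002 for DMZ:10.50.0.10/53110 (10.50.0.10/53110) to MGT:10.100.0.5/53 (10.100.0.5/53)",
    "%ASA-6-302013: Built inbound TCP connection 1003 for DMZ:10.50.0.10/49160 (10.50.0.10/49160) to MGT:10.100.0.5/389 (10.100.0.5/389)",
    "%ASA-6-302015: Built inbound UDP connection 1004 for DMZ:10.50.0.10/49170 (10.50.0.10/49170) to MGT:10.100.0.5/123 (10.100.0.5/123)",
    "%ASA-6-302013: Built outbound TCP connection 1005 for MGT:10.100.0.5/50000 (10.100.0.5/50000) to DMZ:10.50.0.10/22 (10.50.0.10/22)",
]


def parse_flows(lines, ingress_if):
    """Count (proto, src, sport, dst, dport) tuples for connections that entered on ingress_if."""
    flows = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        proto, src_if, src, sport, _dst_if, dst, dport = m.groups()
        if src_if != ingress_if:  # only traffic that DMZ_access_in actually evaluates
            continue
        flows[(proto.lower(), src, int(sport), dst, int(dport))] += 1
    return flows


def ace_matches(ace, flow):
    """True if the ACE (object names resolved) would permit this exact flow."""
    a_proto, a_src, a_sport, a_dst, a_dport = ace
    proto, src, sport, dst, dport = flow
    return (a_proto == proto and OBJECTS[a_src] == src and OBJECTS[a_dst] == dst
            and a_dport == dport and (a_sport is None or a_sport == sport))


def uncovered_flows(flows, aces):
    """Flows no specific ACE matches, i.e. what the catch-all is carrying."""
    return {f: n for f, n in flows.items() if not any(ace_matches(a, f) for a in aces)}


def draft_aces(acl_name, uncovered):
    """One host-to-host ACE per (proto, src, dst, dport); ephemeral source ports collapsed."""
    keys = sorted({(p, s, d, dp) for (p, s, _sp, d, dp) in uncovered})
    return [f"access-list {acl_name} extended permit {p} host {s} host {d} eq {dp}"
            for p, s, d, dp in keys]


def analyze(lines=SAMPLE_LOGS, ingress_if="DMZ", acl_name="DMZ_access_in"):
    """Run the pipeline end to end and return the drafted ACEs."""
    flows = parse_flows(lines, ingress_if)
    return draft_aces(acl_name, uncovered_flows(flows, SPECIFIC_ACES))


if __name__ == "__main__":
    for ace in analyze():
        print(ace)
```

On the constructed input this drafts two ACEs: one for the syslog flow that the existing ACE misses because of its source-port constraint, and one for an NTP flow that nothing specific covers; the LDAP and DNS flows are already matched and the connection that entered on MGT is ignored. In practice, feed it a few days of exported syslog, insert the drafted ACEs above the catch-all, and watch the hitcnt of the permit ip any any line in show access-list DMZ_access_in fall to zero before removing it.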

6 Replies


Hi guys,

 

Thanks for your quick replies.

I will remove this permit ip any and wait for some calls, if any. At the same time, I will analyse the logging.


@Ajay Saini wrote:

<snip> 

One approach is the cowboy approach, wherein you delete it and then let people complain. Then you can create specific ACLs as per requirement. As a downside, you might not get happy people around.

 


I love it Ajay - made me laugh!

Hello Team,

What is the security risk of enabling ip any any on the outside interface?

When I remove this ACL, nothing is working.

If it's a security risk, what are the alternative solutions, please?

@SS2020 , 

Could you please create a new post for your question?
