01-31-2018 01:49 PM - edited 02-21-2020 07:15 AM
Hi guys,
I find the configuration of an ASA 5525 strange. I can't understand why there's a permit ip any any at the end of the ACL, as follows:
access-list DMZ_access_in extended permit tcp object SRV_SYSLOG eq 6514 object SRV_MC eq 6514
access-list DMZ_access_in extended permit udp object SRV_SYSLOG object SRV_AD eq domain
access-list DMZ_access_in extended permit tcp object SRV_SYSLOG object SRV_AD eq LDAP
access-list DMZ_access_in extended permit ip any any
!
access-list MGT_access_in extended permit ip any any
!
access-group DMZ_access_in in interface DMZ
access-group MGT_access_in in interface MGT
where
DMZ (security-level 50) contains: SRV_SYSLOG
MGT (security-level 100) contains: SRV_AD, SRV_MC
Is permit ip any any used to log the traffic? or to allow the return traffic?
Is it useful? Can I delete it?
Thanks.
01-31-2018 02:19 PM
01-31-2018 08:53 PM
Hello,
Please find answers below:
Is permit ip any any used to log the traffic? or to allow the return traffic?
Is it useful? Can I delete it?
No, it's not used to log traffic. It is not needed to allow return traffic. The ASA is a stateful device and does not need an ACL to allow return traffic.
It can be useful at certain times for testing, but having an ip any any ACL actually defeats the purpose of having a firewall.
You can delete it once you confirm that all the other ACLs will be sufficient to handle the traffic and do not break the production environment.
I would suggest that you enable syslogs at level 6 and check what's going through your DMZ interface, or list down the requirements and then delete it.
One approach is the cowboy approach, wherein you delete it and then let people complain. Then you can create specific ACLs as per requirement. As a downside, you might not get happy people around.
Good luck,
AJ
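The syslog-driven approach AJ recommends can be worked through offline. The script below is an added example and is not code from the original thread or from Cisco: it reads the level-6 (informational) connection-build messages the ASA emits, IDs 302013 for TCP and 302015 for UDP, keeps only connections that were initiated on the interface whose inbound ACL is being tightened (connections initiated elsewhere are already admitted on the return path by stateful inspection, so they need no ACE here), and renders candidate access-list lines that end in an explicit logged deny instead of permit ip any any. The log lines, the 10.1.50.0/24 and 10.1.100.0/24 addresses, and the ACL name DMZ_access_in are constructed for the example; the function names are the example's own.

```python
"""Derive candidate ASA ACEs from connection-build syslogs (added example).

Reads %ASA-6-302013 (TCP) / %ASA-6-302015 (UDP) "Built ... connection"
messages, keeps connections initiated on the interface whose "in" ACL is
being tightened, and renders candidate ACEs plus an explicit logged deny.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log, not captured from a real device. The ASA reports a
# DMZ (50) -> MGT (100) connection as "inbound" and MGT -> DMZ as "outbound".
LOG_SAMPLE = """\
%ASA-6-302013: Built inbound TCP connection 8841 for DMZ:10.1.50.10/44321 (10.1.50.10/44321) to MGT:10.1.100.5/6514 (10.1.100.5/6514)
%ASA-6-302015: Built inbound UDP connection 8842 for DMZ:10.1.50.10/53211 (10.1.50.10/53211) to MGT:10.1.100.6/53 (10.1.100.6/53)
%ASA-6-302013: Built inbound TCP connection 8843 for DMZ:10.1.50.10/44322 (10.1.50.10/44322) to MGT:10.1.100.6/389 (10.1.100.6/389)
%ASA-6-302013: Built inbound TCP connection 8844 for DMZ:10.1.50.10/44323 (10.1.50.10/44323) to MGT:10.1.100.6/389 (10.1.100.6/389)
%ASA-6-302013: Built inbound TCP connection 8845 for DMZ:10.1.50.10/44324 (10.1.50.10/44324) to MGT:10.1.100.7/445 (10.1.100.7/445)
%ASA-6-302013: Built outbound TCP connection 8846 for MGT:10.1.100.9/56001 (10.1.100.9/56001) to DMZ:10.1.50.10/22 (10.1.50.10/22)
%ASA-6-302014: Teardown TCP connection 8841 for DMZ:10.1.50.10/44321 to MGT:10.1.100.5/6514 duration 0:00:02 bytes 1532 TCP FINs
"""

# The "for" side of a build message is the initiator, the "to" side the
# responder; the parenthesised values are the NAT-mapped address/port, ignored here.
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/\d+ \([\d.]+/\d+\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
)


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_if: str     # interface the connection was initiated on
    src_ip: str
    dst_if: str
    dst_ip: str
    dst_port: int


def parse_built_connections(text):
    """Return one Flow per build message; teardown and unrelated lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            flows.append(Flow(m["proto"].lower(), m["src_if"], m["src_ip"],
                              m["dst_if"], m["dst_ip"], int(m["dst_port"])))
    return flows


def summarize_initiated_on(flows, iface):
    """Count (proto, src, dst, dport) tuples for connections initiated on iface.

    Connections initiated on other interfaces are excluded on purpose: the ASA's
    stateful inspection admits their return packets without an ACE on iface.
    """
    return Counter((f.proto, f.src_ip, f.dst_ip, f.dst_port)
                   for f in flows if f.src_if == iface)


def render_aces(summary, acl_name):
    """Render candidate ACEs, most frequent first, then an explicit logged deny.

    Host addresses are emitted here; in production substitute the existing
    object names. The trailing deny with "log" replaces permit ip any any and
    records (message 106100) anything the explicit permits did not cover.
    """
    aces = []
    for (proto, src, dst, dport), count in sorted(summary.items(),
                                                  key=lambda kv: (-kv[1], kv[0])):
        aces.append(f"access-list {acl_name} remark {count} connection build(s) observed")
        aces.append(f"access-list {acl_name} extended permit {proto} host {src} host {dst} eq {dport}")
    aces.append(f"access-list {acl_name} extended deny ip any any log")
    return aces


if __name__ == "__main__":
    flows = parse_built_connections(LOG_SAMPLE)
    for ace in render_aces(summarize_initiated_on(flows, "DMZ"), "DMZ_access_in"):
        print(ace)
```

On the sample, the SMB flow to 10.1.100.7:445 surfaces as a candidate that the existing three permits never covered; that is exactly the kind of dependency the permit ip any any was silently carrying, and it needs a decision rather than an automatic permit. Collect logs over a window long enough to include periodic jobs (backups, certificate renewals) before trusting the list, and feed the real device at least `logging trap informational` so the 302013/302015 messages reach the collector.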
02-01-2018 04:28 AM
Hi guys,
Thanks for your quick replies.
I will remove this permit ip any any and wait for some calls, if any. At the same time, I will analyse the logging.
02-02-2018 04:03 AM
@Ajay Saini wrote:
<snip>
One approach is the cowboy approach, wherein you delete it and then let people complain. Then you can create specific ACLs as per requirement. As a downside, you might not get happy people around.
I love it Ajay - made me laugh!
08-24-2024 03:39 PM
Hello Team,
What is the security risk of enabling ip any any on the outside interface?
When I remove this ACL, nothing works.
If it's a security risk, what are the alternative solutions, please?
08-25-2024 06:53 AM
@SS2020 ,
Could you please create a new post for your question?