Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2985
Views
15
Helpful
6
Replies

Why use Permit ip any

Go to solution
h.dam
Level 1
Level 1

‎01-31-2018 01:49 PM - edited ‎02-21-2020 07:15 AM

Hi guys,

 

I found the configuration of a ASA 5525 strange to me. I can't understand why there's Permit ip any any at the end of ACL, as follows:

 

access-list DMZ_access_in extended permit tcp object SRV_SYSLOG eq 6514 object SRV_MC eq 6514
access-list DMZ_access_in extended permit udp object SRV_SYSLOG object SRV_AD eq domain
access-list DMZ_access_in extended permit tcp object SRV_SYSLOG object SRV_AD eq LDAP
access-list DMZ_access_in extended permit ip any any
!
access-list MGT_access_in extended permit ip any any
!
access-group DMZ_access_in in interface DMZ
access-group MGT_access_in in interface MGT

 

where

DMZ (security-level 50) contains: SRV_SYSLOG

MGT (security-level 100) contains: SRV_AD, SRV_MC

 

Is permit ip any any used to log the traffic? or to allow the return traffic?

Is it useful ? Can I delete it ?

 

Thanks.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
mikael.lahtela
Level 4
Level 4

‎01-31-2018 02:19 PM

Hi,

ASA is stateful firewall, so it will allow return traffic anyways.
As soon as you have added a ACE in a ACL the security levels are disregarded.
So in this case I would believe someone added the permit any any on the end because something wasn't working from the DMZ.
If you disable/remove it you might have something in DMZ that stops working.
I would try to see how much hits I get on that rule and then try to analyze if the traffic should be allowed or not.
If the rule above includes all traffic that should be allowed, I would disable the rule and wait for someone to call for help.

br, Micke

View solution in original post

Go to solution
Ajay Saini
Level 7
Level 7

‎01-31-2018 08:53 PM

Hello, 

Please find answers below:

 

Is permit ip any any used to log the traffic? or to allow the return traffic?

Is it useful ? Can I delete it ?

 

No, its not use to log traffic. It is not needed to allow return traffic. ASA is a stateful device and does need ACL to allow return traffic.

 

It can be useful at certain times for testing but having ip any any ACL actually defeats the purpose of having a firewall.

You can delete it once you confirm that all the other ACL will be sufficient to handle the traffic and does not break the production environment. 

 

I would suggest that you enable syslogs at level 6 and check whats going through your DMZ interface or list down the requirements and then delete it.

 

One approach is cowboy approach wherein you delete it and then let people complaint. Then you can create specific ACL as per requirement. As a downside, you might not get happy people around.

 

Good luck,

 

AJ

View solution in original post

6 Replies 6

Go to solution
mikael.lahtela
Level 4
Level 4

‎01-31-2018 02:19 PM

Hi,

ASA is stateful firewall, so it will allow return traffic anyways.
As soon as you have added a ACE in a ACL the security levels are disregarded.
So in this case I would believe someone added the permit any any on the end because something wasn't working from the DMZ.
If you disable/remove it you might have something in DMZ that stops working.
I would try to see how much hits I get on that rule and then try to analyze if the traffic should be allowed or not.
If the rule above includes all traffic that should be allowed, I would disable the rule and wait for someone to call for help.

br, Micke

Go to solution
Ajay Saini
Level 7
Level 7

‎01-31-2018 08:53 PM

Hello, 

Please find answers below:

 

Is permit ip any any used to log the traffic? or to allow the return traffic?

Is it useful ? Can I delete it ?

 

No, its not use to log traffic. It is not needed to allow return traffic. ASA is a stateful device and does need ACL to allow return traffic.

 

It can be useful at certain times for testing but having ip any any ACL actually defeats the purpose of having a firewall.

You can delete it once you confirm that all the other ACL will be sufficient to handle the traffic and does not break the production environment. 

 

I would suggest that you enable syslogs at level 6 and check whats going through your DMZ interface or list down the requirements and then delete it.

 

One approach is cowboy approach wherein you delete it and then let people complaint. Then you can create specific ACL as per requirement. As a downside, you might not get happy people around.

 

Good luck,

 

AJ

Go to solution
h.dam
Level 1
Level 1
In response to Ajay Saini

‎02-01-2018 04:28 AM

Hi guys,

 

Thanks for your quick replies.

I will remove this permit ip any and wait for some calls if any. At the sametime, I analyse the logging.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Ajay Saini

‎02-02-2018 04:03 AM

@Ajay Saini wrote:

<snip> 

One approach is cowboy approach wherein you delete it and then let people complaint. Then you can create specific ACL as per requirement. As a downside, you might not get happy people around.

 

I love it Ajay - made me laugh!

0 Helpful

Go to solution
SS2020
Level 1
Level 1
In response to Ajay Saini

‎08-24-2024 03:39 PM

Hello Team,

what is the security risk to enable ip any any on the outside interface?

when i remove this ACL, nothing is working.

if it's security risk what is the alternative solutions, please?

0 Helpful

Go to solution
Amine ZAKARIA
Spotlight
Spotlight
In response to SS2020

‎08-25-2024 06:53 AM

@SS2020 , 

Could you please create a new post for you question ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card