09-27-2006 03:59 PM - edited 02-20-2020 09:37 PM
Hi,
I have put the following ACL on the inside interface of our PIX 525, v6.3(5).
The goal is to prevent our network from polluting the rest of the world with Korgo.
This is my first "from scratch" ACL (I administer a system that was originally installed by others).
You'll notice there's a "permit ip any any", then later there's a "deny ip any any".
This is because I'm confused about the scope of the protocol parameter. TCP, UDP, ESP, ICMP, IP, all have their own protocol numbers. But, I know that designating IP encompasses both TCP and UDP.
Does specifying IP in the protocol parameter of an ACL encompass ALL the protocol numbers?
If that's the case, my "permit ip any any" statement ensures that I'm not blocking any outbound traffic that I want to allow. (That's my main concern - ensuring that I haven't inadvertently blocked something I shouldn't, and with the deny ip statement, I'll get hitcounts if I've gotten it wrong...)
Thx...
linnea
access-list acl_outbound line 1 permit tcp 10.0.0.0 255.0.0.0 209.129.196.0 255.255.255.0 eq 445 (hitcnt=1)
access-list acl_outbound line 2 deny tcp any any eq 3067 (hitcnt=0)
access-list acl_outbound line 3 deny tcp any any eq ident (hitcnt=0)
access-list acl_outbound line 4 deny tcp any any eq 445 (hitcnt=6)
access-list acl_outbound line 5 permit ip any any (hitcnt=48537)
access-list acl_outbound line 6 permit icmp any any (hitcnt=0)
access-list acl_outbound line 7 deny ip any any (hitcnt=0)
09-29-2006 02:40 AM
Linnea
Yes I think that you have the concept now. The protocols listed on the IANA page are layer 4 protocols that run on top of IP. When you specify IP you inherently get all of them.
One picky point: about your statement that IP is not a protocol, IP is a protocol. It is a layer 3 protocol that runs over Ethernet, or Frame Relay, or HDLC, etc. When you create an IP access list IP is the base protocol and if you specify IP then you get everything that is built on that base.
HTH
Rick
09-27-2006 04:14 PM
Hi, with that access-list you are ..
denying outbound TCP traffic from any to any for ports 3067, ident, 445
and allowing any other IP based protocol. Not the best practice but that is what the access list is doing.
I hope it helps .. please rate it if it does !!!
09-27-2006 08:05 PM
Sorry - that doesn't add to what I already know.
Putting it another way - On IANA's site there's a page listing protocol numbers for over 100 protocols. TCP is #6, UDP is #17, ICMP is #1, etc.
When you specify IP as the protocol parameter in an ACL, the ACL applies to both TCP & UDP. Does it also apply to ALL the protocols on IANA's page?
09-28-2006 11:23 AM
Linnea
Yes when you specify IP it does include all the other protocol numbers (TCP, UDP, ICMP, ESP, GRE, etc)
HTH
Rick
09-28-2006 08:24 PM
Thanks Rick,
I went back to the IANA page to check the protocol number for IP, tried out an ACL using protocol number 4, and sure enough, PIX IOS translates that to IPINIP, not to IP.
So the keyword IP, in this context, is not actually a protocol.
Thanks again. (By the way, when I rated your previous answer, I missed the "solved my problem" check box. Respond again, and I'll fix that...)
09-28-2006 10:07 PM
Hi .. on my previous post I had mentioned IP based protocols. The protocols you are referring to ARE IP BASED and so are included on the access list.
PROTOCOL NUMBERS
(last updated 28 March 2006)
In the Internet Protocol version 4 (IPv4) [RFC791] there is a field,
called "Protocol", to identify the next level protocol. This is an 8
bit field. In Internet Protocol version 6 (IPv6) [RFC1883] this field
is called the "Next Header" field.
09-28-2006 04:21 AM
Just to add here:
The rule base is being read sequentially. Line 5 will permit all IP protocols (TCP and UDP) and that is why you are getting hitcnts.
Line 7 will not see any traffic as packets would have been permitted by line 5.
Lines 2,3,4 are denying port 3067, ident, 445. The only permitted traffic on port 445 will be restricted to the network addresses in source ---> destination portion in line 1.
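The two points made in this thread (the keyword ip matches every IANA protocol number, and the PIX reads the list top-down so line 5 shadows lines 6 and 7) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small first-match simulator in Python that parses the exact access-list posted above (PIX 6.3 syntax with dotted masks), runs a few constructed packets through it, and flags rules that an earlier rule makes unreachable. The protocol numbers are the IANA values; ident is TCP port 113; the source and destination addresses of the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA protocol numbers for the protocols mentioned in the thread.
PROTO = {"icmp": 1, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
# Port keywords used in the posted ACL (ident is TCP/113).
PORT_NAMES = {"ident": 113}


@dataclass
class Rule:
    line: int
    action: str                    # "permit" or "deny"
    proto: Optional[int]           # None stands for the keyword "ip": any protocol number
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # destination port, only set for "eq" rules
    hitcnt: int = 0


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


def parse_rule(text: str) -> Rule:
    """Parse one 'access-list NAME line N ACTION PROTO SRC DST [eq PORT]' entry.
    A trailing '(hitcnt=N)' from show output is ignored."""
    tok = text.split()
    line, action, proto_kw = int(tok[3]), tok[4], tok[5]
    i = 6

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        net = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}")   # address/dotted mask
        i += 2
        return net

    src, dst = take_addr(), take_addr()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    proto = None if proto_kw == "ip" else PROTO[proto_kw]
    return Rule(line, action, proto, src, dst, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it specifies agrees with the packet;
    proto None (keyword ip) accepts any protocol number."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First match wins, as the PIX reads the list top-down.
    Returns (action, line); line 0 is the implicit deny at the end."""
    for rule in acl:
        if matches(rule, pkt):
            rule.hitcnt += 1
            return rule.action, rule.line
    return "deny", 0


def shadowed_by(acl: List[Rule], idx: int) -> Optional[int]:
    """Line number of the first earlier rule that covers everything acl[idx]
    could match (so acl[idx] can never be hit), or None."""
    r = acl[idx]
    for earlier in acl[:idx]:
        if (earlier.proto is None or earlier.proto == r.proto) \
                and r.src.subnet_of(earlier.src) and r.dst.subnet_of(earlier.dst) \
                and (earlier.dport is None or earlier.dport == r.dport):
            return earlier.line
    return None


# The access-list exactly as posted in the thread (hit counters dropped).
ACL_TEXT = """\
access-list acl_outbound line 1 permit tcp 10.0.0.0 255.0.0.0 209.129.196.0 255.255.255.0 eq 445
access-list acl_outbound line 2 deny tcp any any eq 3067
access-list acl_outbound line 3 deny tcp any any eq ident
access-list acl_outbound line 4 deny tcp any any eq 445
access-list acl_outbound line 5 permit ip any any
access-list acl_outbound line 6 permit icmp any any
access-list acl_outbound line 7 deny ip any any
"""
ACL = [parse_rule(ln) for ln in ACL_TEXT.splitlines()]

if __name__ == "__main__":
    # Constructed sample packets: internal host 10.1.2.3, external host 198.51.100.5.
    samples = [
        ("SMB to the permitted /24", Packet(PROTO["tcp"], "10.1.2.3", "209.129.196.10", 445)),
        ("SMB elsewhere", Packet(PROTO["tcp"], "10.1.2.3", "198.51.100.5", 445)),
        ("ident", Packet(PROTO["tcp"], "10.1.2.3", "198.51.100.5", 113)),
        ("DNS over UDP", Packet(PROTO["udp"], "10.1.2.3", "198.51.100.5", 53)),
        ("ESP (no ports)", Packet(PROTO["esp"], "10.1.2.3", "198.51.100.5")),
        ("ICMP", Packet(PROTO["icmp"], "10.1.2.3", "198.51.100.5")),
    ]
    for label, pkt in samples:
        print(f"{label:28s} -> {evaluate(ACL, pkt)}")
    for i, rule in enumerate(ACL):
        if (s := shadowed_by(ACL, i)) is not None:
            print(f"line {rule.line} can never match: line {s} already covers it")
```

Running it shows the ESP and ICMP packets, which carry no port, landing on line 5 just like UDP and TCP, and reports lines 6 and 7 as unreachable because line 5 already permits every protocol from any source to any destination. That is the behaviour behind the hitcnt=0 on those two lines in the original post.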