Re: doubt with access-list in Firewalls

From: Ahmad Safiullah (sirsafi@yahoo.com)
Date: Sat Jun 28 2008 - 07:45:26 ART


The gurus say to avoid the word ANY as much as you can; try to be as specific as possible. For example, I don't see a reason for any any when permitting IPsec through a firewall when you know the peers exactly. In the case of DMVPN, the word any seems possible if the Hub is behind a FW. Similarly, for allowing routing protocols you can be specific, but for granting access to, say, web or mail servers, the source is usually any.

Regards,

Safi Rajput
+971-50-2456001
Dubai - UAE

"Knowledge Speaks BUT Wisdom Listens"

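An added example (not from either post in this thread) of what the advice above looks like on an ASA: the lab-style lines that open ISAKMP and ESP from anywhere to anywhere, followed by the same rules tightened to the two known IPsec peers. The interface name outside, the ACL name outside_in, the object names and the peer addresses 198.51.100.10 and 203.0.113.20 (documentation ranges) are all assumptions, and the object-based ACL syntax assumes ASA 8.3 or later. It also goes one step beyond the thread by listing UDP 4500 (NAT-T), which you only need when a NAT device sits between the peers; it is not mentioned in the original posts.

```cisco
! Added example, not part of the original thread. Names and addresses
! below are assumptions; peer addresses are from documentation ranges.
!
! --- lab-style: ISAKMP and ESP from any source to any destination ---
access-list outside_in extended permit udp any any eq isakmp
access-list outside_in extended permit esp any any
!
! --- tightened: both IPsec peers are known, so name them explicitly ---
object network VPN_PEER_A
 host 198.51.100.10
object network VPN_PEER_B
 host 203.0.113.20
!
! IKE (ISAKMP, UDP/500) between the two peers only
access-list outside_in extended permit udp object VPN_PEER_A object VPN_PEER_B eq isakmp
! ESP between the two peers only
access-list outside_in extended permit esp object VPN_PEER_A object VPN_PEER_B
! NAT-T (UDP/4500): assumption, only needed if NAT sits between the peers
access-list outside_in extended permit udp object VPN_PEER_A object VPN_PEER_B eq 4500
!
! apply inbound on the outside interface; return traffic from the inside
! peer is allowed by the higher-to-lower security default
access-group outside_in in interface outside
```

Once the tunnel is up, `show access-list outside_in` shows per-line hit counts, which is a quick way to confirm that only the peer-specific lines are matching and that nothing else is leaning on an any any entry.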
----- Original Message ----
From: ciscosec sec <cciesecurityccie@gmail.com>
To: ccielab@groupstudy.com; security@groupstudy.com
Sent: Saturday, June 28, 2008 12:43:56 PM
Subject: doubt with access-list in Firewalls

Hello Group,

I just had a doubt. In the labs, is it OK to configure the access-list
on firewalls with any any?

For e.g., if I were to configure IPsec between two devices with the
firewall in between,
can I configure the ASA as follows:
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq isakmp

or do we need to specify the exact hosts in the access-list?

Regards,
raul



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:23 ART