How to Remove IP ANY ANY Rule
Posted by on 02 August 2012 02:01 PM
Pix Firewall Deployment

Your Pix firewall has been deployed with an ANY ANY rule in order to simplify the deployment process. You should check over the configuration, amend the permitted ports list to suit your server and then remove the Any Any rule. In addition, the configuration includes a standard set of ports for a web and mail server that will remain in place after the Any Any rule is removed.

IF YOU DO NOT REMOVE THE ANY ANY RULE YOUR FIREWALL WILL NOT BLOCK ANY TRAFFIC!

Even after removal of the ANY ANY rule you should look at restricting some of the standard ports to specific IP addresses rather than having them open to the public. If you are not familiar with the process then contact support for assistance.

Removing the ANY ANY Rule

· Connect to your firewall from the desktop of your server using Putty.exe or a similar SSH client
· Login to the firewall using the details in your welcome note
· Enter enable mode and type in the enable password from the welcome note
· Enter ‘show running-config’ to display the configuration and look for the sections below

    ! this section defines the Private IP address range on your server
    object-group network ClientServer
     network-object 10.100.0.0 255.255.255.0
    ! this section defines the list of ports that will be open to the public once the Any Any rule is removed
    ! you should adjust this list to suit the function of your server
    object-group service Public_Allowed_TCP tcp
     port-object eq www
     port-object eq https
     port-object eq 25
     port-object eq 110
     port-object eq 3306
     port-object eq 143
     port-object eq 21
     port-object eq 20
     port-object eq 3389
     port-object eq 9090
     port-object eq 1433
    ! this section defines the Netcetera NOC to enable our support, please do not change this section
    object-group network NetceteraAdmin
     network-object host Netcetera_NOC
    ! this section defines the RULES in place
    access-list Inbound-to-Servers permit icmp any any
    access-list Inbound-to-Servers permit ip any any
    ! *** This line should be removed ***
    access-list Inbound-to-Servers permit tcp any object-group ClientServer object-group Public_Allowed_TCP log
    access-list Inbound-to-Servers permit ip object-group NetceteraAdmin object-group ClientServer log

· You can remove the ‘permit ip any any’ line by entering configuration mode and issuing the following commands:

    configure terminal
    no access-list Inbound-to-Servers permit ip any any
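As an added check that is not part of the original article or of Netcetera's own tooling, the following Python script audits saved ‘show running-config’ output in the shape shown above: it flags any remaining ‘permit ip any any’ line on the Inbound-to-Servers access-list and lists the TCP ports that the Public_Allowed_TCP group leaves open to the public, so you can see what still needs restricting. The sample configuration embedded in it is constructed for the example.

```python
import re

# Constructed sample: an excerpt of `show running-config` output in the shape
# the article describes, with the ANY ANY rule still present.
SAMPLE_CONFIG = """\
object-group network ClientServer
 network-object 10.100.0.0 255.255.255.0
object-group service Public_Allowed_TCP tcp
 port-object eq www
 port-object eq https
 port-object eq 3389
 port-object eq 1433
object-group network NetceteraAdmin
 network-object host Netcetera_NOC
access-list Inbound-to-Servers permit icmp any any
access-list Inbound-to-Servers permit ip any any
access-list Inbound-to-Servers permit tcp any object-group ClientServer object-group Public_Allowed_TCP log
access-list Inbound-to-Servers permit ip object-group NetceteraAdmin object-group ClientServer log
"""


def parse_service_groups(config):
    """Map each 'object-group service NAME tcp' to the ports it contains."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group service (\S+) tcp", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif line.startswith("object-group"):
            current = None  # a network group ends the service group
        elif current and (m := re.match(r"\s+port-object eq (\S+)", line)):
            groups[current].append(m.group(1))
    return groups


def audit_acl(config, acl="Inbound-to-Servers"):
    """Return blanket 'permit ip any any' lines and TCP ports open to 'any'."""
    groups = parse_service_groups(config)
    findings = {"blanket_permits": [], "public_tcp_ports": []}
    for line in config.splitlines():
        if not line.startswith(f"access-list {acl} permit"):
            continue
        if re.search(r"permit ip any any\b", line):
            findings["blanket_permits"].append(line)
        m = re.search(r"permit tcp any object-group \S+ object-group (\S+)", line)
        if m:
            findings["public_tcp_ports"].extend(groups.get(m.group(1), []))
    return findings
```

Run it against your own saved configuration: an empty blanket_permits list confirms the ANY ANY rule is gone, and public_tcp_ports shows the services still reachable from any address.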