How to Remove IP ANY ANY Rule
Posted by on 02 August 2012 02:01 PM
Pix Firewall Deployment
Your Pix firewall has been deployed with an ANY ANY rule in order to simplify the deployment process.
You should check over the configuration, amend the permitted ports list to suit your server and then remove the ANY ANY rule.
In addition the configuration includes a standard set of ports for a web and mail server that will remain in place after the ANY ANY rule is removed.
IF YOU DO NOT REMOVE THE ANY ANY RULE YOUR FIREWALL WILL NOT BLOCK ANY TRAFFIC!
The access-list is evaluated from the top down and the first matching entry wins. While the "permit ip any any" entry is present, every inbound packet matches it, so the more specific entries below it are never reached and the firewall is effectively open.
Even after removal of the ANY ANY rule you should look at restricting some of the standard ports to specific source IP addresses rather than leaving them open to the public. In particular, ports such as 3389 (RDP), 1433 (MS SQL), 3306 (MySQL) and 20/21 (FTP) in the standard list are remote administration and database services, and should only be reachable from the addresses you manage the server from.
If you are not familiar with the process then contact support for assistance.
Removing the ANY ANY Rule
· Connect to your firewall from the desktop of your server using Putty.exe or similar SSH client
· Login to the firewall using the details in your welcome note
· Enter enable mode and type in the enable password from the welcome note
· Enter ‘show running-config’ to display the configuration and look for the sections below
! this section defines the Private IP address range on your server
object-group network ClientServer
network-object 10.100.0.0 255.255.255.0
! this section defines the list of ports that will be open to the public once the Any Any rule is removed
! you should adjust this list to suit the function of your server
object-group service Public_Allowed_TCP tcp
port-object eq www
port-object eq https
port-object eq 25
port-object eq 110
port-object eq 3306
port-object eq 143
port-object eq 21
port-object eq 20
port-object eq 3389
port-object eq 9090
port-object eq 1433
! this section defines the Netcetera NOC to enable our support, please do not change this section
object-group network NetceteraAdmin
network-object host Netcetera_NOC
! this section defines the RULES in place
access-list Inbound-to-Servers permit icmp any any
access-list Inbound-to-Servers permit ip any any ! *** This line should be removed: while it is present it matches all traffic and the entries below it are never reached ***
access-list Inbound-to-Servers permit tcp any object-group ClientServer object-group Public_Allowed_TCP log
access-list Inbound-to-Servers permit ip object-group NetceteraAdmin object-group ClientServer log
! You can remove the above line by entering configuration mode and negating it
configure terminal
no access-list Inbound-to-Servers permit ip any any
end
! Verify that the entry is gone, then save the running configuration so the change survives a reload
show access-list Inbound-to-Servers
write memory
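As a check before and after the change, the following script audits a saved copy of the running-config for the problems described above: it finds any "permit ip any any" entry, lists the entries it shadows, generates the removal commands, confirms the access-list is actually bound to an interface with access-group, and flags ports in Public_Allowed_TCP that are open to the whole internet. This is an added example, not part of the original article or anything supplied by Netcetera; the sample config is a constructed excerpt in the shape shown above, and the list of "sensitive" ports is the editor's own judgement rather than anything the PIX enforces.

```python
import re

# Constructed sample in the shape of the article's running-config excerpt; not a real device dump.
SAMPLE_CONFIG = """\
object-group network ClientServer
 network-object 10.100.0.0 255.255.255.0
object-group service Public_Allowed_TCP tcp
 port-object eq www
 port-object eq https
 port-object eq 25
 port-object eq 3306
 port-object eq 3389
 port-object eq 1433
object-group network NetceteraAdmin
 network-object host Netcetera_NOC
access-list Inbound-to-Servers permit icmp any any
access-list Inbound-to-Servers permit ip any any
access-list Inbound-to-Servers permit tcp any object-group ClientServer object-group Public_Allowed_TCP log
access-list Inbound-to-Servers permit ip object-group NetceteraAdmin object-group ClientServer log
access-group Inbound-to-Servers in interface outside
"""

# Editor's assumption: services from the article's default list that should not be open to everyone.
SENSITIVE_TCP_PORTS = {"3389": "RDP", "1433": "MS SQL", "3306": "MySQL", "21": "FTP control", "20": "FTP data"}

# access-list <name> <permit|deny> <proto> <match ...> [log]
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+?)(\s+log)?\s*$")


def parse_aces(config_text):
    """Return access-list entries in configured order (order is what the PIX evaluates)."""
    aces = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("!", 1)[0].strip()  # drop trailing annotations like the article's "! ***"
        m = ACE_RE.match(line)
        if not m:
            continue
        name, action, proto, rest, log = m.groups()
        aces.append({"acl": name, "action": action, "proto": proto,
                     "match": rest.split(), "log": log is not None, "line": lineno})
    return aces


def is_any_any(ace):
    return ace["action"] == "permit" and ace["proto"] == "ip" and ace["match"] == ["any", "any"]


def find_any_any(aces):
    return [a for a in aces if is_any_any(a)]


def shadowed_by_any_any(aces):
    """Entries that sit below a permit ip any any in the same ACL: first match wins, so they never fire."""
    open_acls, shadowed = set(), []
    for a in aces:
        if a["acl"] in open_acls:
            shadowed.append(a)
        elif is_any_any(a):
            open_acls.add(a["acl"])
    return shadowed


def removal_commands(aces):
    """The exact PIX commands to negate each permit ip any any entry and save the config."""
    cmds = ["configure terminal"]
    cmds += [f"no access-list {a['acl']} permit ip any any" for a in find_any_any(aces)]
    return cmds + ["end", "write memory"]


def applied_acls(config_text):
    """Names bound to an interface with access-group; an unbound ACL filters nothing."""
    return {m.group(1) for m in re.finditer(r"^access-group\s+(\S+)\s+in\s+interface\s+\S+",
                                            config_text, re.MULTILINE)}


def public_sensitive_ports(config_text, group="Public_Allowed_TCP"):
    """Ports from the named service object-group that appear in SENSITIVE_TCP_PORTS."""
    ports, inside = [], False
    for raw in config_text.splitlines():
        parts = raw.split()
        if raw.startswith("object-group service ") and len(parts) >= 3 and parts[2] == group:
            inside = True
            continue
        if inside and not raw.startswith(" "):
            inside = False
        if inside and len(parts) == 3 and parts[:2] == ["port-object", "eq"]:
            ports.append(parts[2])
    return [(p, SENSITIVE_TCP_PORTS[p]) for p in ports if p in SENSITIVE_TCP_PORTS]


if __name__ == "__main__":
    aces = parse_aces(SAMPLE_CONFIG)
    for a in find_any_any(aces):
        print(f"line {a['line']}: permit ip any any in {a['acl']} - firewall is open")
    for a in shadowed_by_any_any(aces):
        print(f"line {a['line']}: never evaluated while the any any entry is present")
    print("\n".join(removal_commands(aces)))
    print("bound ACLs:", applied_acls(SAMPLE_CONFIG))
    print("open to the world:", public_sensitive_ports(SAMPLE_CONFIG))
```

Run it against the output of "show running-config" saved from your SSH session. The shadowed-entry list is the quickest way to convince yourself that the rule really does disable the firewall rather than merely adding to it, and the sensitive-port list is the starting point for the follow-up work of restricting those ports to specific source addresses.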