Knowledgebase: Dedicated Server
How to Remove IP ANY ANY Rule
Posted by on 02 August 2012 02:01 PM
Pix Firewall Deployment
Your Pix firewall has been deployed with an ANY ANY rule in order to simplify the deployment process.
You should check over the configuration, amend the permitted ports list to suit your server and then remove the Any Any rule.
In addition, the configuration includes a standard set of ports for a web & mail server that will remain in place after the Any Any rule is removed.
IF YOU DO NOT REMOVE THE ANY ANY RULE YOUR FIREWALL WILL NOT BLOCK ANY TRAFFIC!
Even after removal of the ANY ANY rule you should look at restricting some of the standard ports to specific IP addresses rather than having them open to the public.
If you are not familiar with the process then contact support for assistance.

Removing the ANY ANY Rule

· Connect to your firewall from the desktop of your server using Putty.exe or a similar SSH client
· Login to the firewall using the details in your welcome note
· Enter enable mode and type in the enable password from the welcome note
· Enter ‘show running-config’ to display the configuration and look for the sections below

! this section defines the Private IP address range on your server
object-group network ClientServer
 network-object 10.100.0.0 255.255.255.0

! this section defines the list of ports that will be open to the public once the Any Any rule is removed
! you should adjust this list to suit the function of your server
object-group service Public_Allowed_TCP tcp
 port-object eq www
 port-object eq https
 port-object eq 25
 port-object eq 110
 port-object eq 3306
 port-object eq 143
 port-object eq 21
 port-object eq 20
 port-object eq 3389
 port-object eq 9090
 port-object eq 1433

! this section defines the Netcetera NOC to enable our support, please do not change this section
object-group network NetceteraAdmin
 network-object host Netcetera_NOC

! this section defines the RULES in place
access-list Inbound-to-Servers permit icmp any any
access-list Inbound-to-Servers permit ip any any   ! *** This line should be removed ***
access-list Inbound-to-Servers permit tcp any object-group ClientServer object-group Public_Allowed_TCP log
access-list Inbound-to-Servers permit ip object-group NetceteraAdmin object-group ClientServer log

! You can remove the 'permit ip any any' line by entering configuration mode
configure terminal
no access-list Inbound-to-Servers permit ip any any
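As an added example (not part of the original article), a small Python audit script that reads the text of 'show running-config', flags every access-list entry that permits all IP traffic from any source to any destination, and prints the 'no' command that removes each one. The sample configuration embedded in it is constructed to resemble the one above.

```python
"""Audit PIX-style access-list lines for blanket 'permit ip any any' rules.

Added example, not from the original article. Parses 'show running-config'
text and reports ACL entries that permit all IP traffic from any source to
any destination, with the config-mode command that removes each one.
"""
import re

# Constructed sample resembling the article's configuration.
SAMPLE_CONFIG = """\
object-group network ClientServer
 network-object 10.100.0.0 255.255.255.0
access-list Inbound-to-Servers permit icmp any any
access-list Inbound-to-Servers permit ip any any
access-list Inbound-to-Servers permit tcp any object-group ClientServer object-group Public_Allowed_TCP log
access-list Inbound-to-Servers permit ip object-group NetceteraAdmin object-group ClientServer log
access-group Inbound-to-Servers in interface outside
"""

# access-list <name> permit|deny <protocol> <source and destination ...>
ACL_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.*?)\s*$"
)


def find_any_any_rules(config_text):
    """Return (acl_name, full_line) for every 'permit ip any any' entry."""
    hits = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group("action") != "permit":
            continue
        tokens = m.group("rest").split()
        # A trailing 'log' keyword is not an address token; drop it before comparing.
        if tokens and tokens[-1] == "log":
            tokens = tokens[:-1]
        if m.group("proto") == "ip" and tokens == ["any", "any"]:
            hits.append((m.group("name"), line.strip()))
    return hits


def removal_commands(config_text):
    """Build the config-mode commands that delete each blanket rule."""
    return ["no " + line for _, line in find_any_any_rules(config_text)]


if __name__ == "__main__":
    for cmd in removal_commands(SAMPLE_CONFIG):
        print(cmd)
```

Run it again on fresh 'show running-config' output after applying the command to confirm the rule is gone; the 'no' command changes only the running configuration, so save with 'write memory' if the change must survive a reload.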
