tolinrome
asked on
cisco firewall access rules
Instead of having the inside interface allow "ip any any", which ports/services should I allow so I can remove the "ip any any"? I can think of 80/443 and DNS; any others that I may need? I wouldn't want to remove the "ip any any" and then lock myself out.
Your question is very vague, especially when we cannot see the configuration that you are referring to. Please post a "sanitized copy" of your config and tell us what your overall intent is, so we can better assist you in completing this task. Thanks.
ASKER
It's a new firewall with the default settings on the inside interface, which is "ip any any". There is no problem the way it is right now, but having "ip any any" pretty much opens it up to everything. I'm just thinking of general ports to open for common access to a few clients behind the firewall: 80/443, 53. Other than that, any suggestions as to what to add? The reason is I do not want the "ip any any" and want to lock it down to only what is needed. But if I disable the any any I may not be able to get back in to make changes needed. Thanks.
The default doesn't allow traffic inbound other than responses to traffic generated from the inside.
So no outside initiated traffic can get inside.
But as previously stated, it's hard to say without seeing the config.
ASKER
Yes, but those responses generated from the inside need to have an ACL for them to go out, no?
There won't be a response to outside initiated traffic because the inside host will never receive it.
ASKER
Thanks for the explanation.
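Below is an added example, not part of the original thread, of what replacing the inside interface's default "permit ip any any" with an explicit outbound policy looks like on a Cisco ASA. The 10.0.0.0/24 LAN address, the group names and the ACL name are constructed placeholders; return traffic for the permitted connections is handled by the stateful inspection the answers above describe, so it needs no ACL entry of its own.

```cisco
! Added example (not from the original thread): restrictive outbound policy
! for the ASA inside interface, in place of the default "permit ip any any".
! 10.0.0.0/24, INSIDE_LAN, WEB_TCP and INSIDE_IN are constructed placeholders.

object-group network INSIDE_LAN
 network-object 10.0.0.0 255.255.255.0

object-group service WEB_TCP tcp
 port-object eq 80
 port-object eq 443

! Allow DNS (UDP and TCP), web browsing and ping from the LAN;
! everything else is denied explicitly so that the drops are logged.
access-list INSIDE_IN extended permit udp object-group INSIDE_LAN any eq 53
access-list INSIDE_IN extended permit tcp object-group INSIDE_LAN any eq 53
access-list INSIDE_IN extended permit tcp object-group INSIDE_LAN any object-group WEB_TCP
access-list INSIDE_IN extended permit icmp object-group INSIDE_LAN any echo
access-list INSIDE_IN extended deny ip any any log

! Apply the policy to traffic entering the inside interface (LAN -> outside).
access-group INSIDE_IN in interface inside

! Management sessions to the ASA itself are to-the-box traffic and are not
! governed by the interface ACL; they are permitted per source address here,
! which is what prevents a lockout when the interface ACL is tightened.
ssh 10.0.0.0 255.255.255.0 inside
http server enable
http 10.0.0.0 255.255.255.0 inside
```

Because `access-list` lines are evaluated top to bottom and end in an implicit deny anyway, the explicit `deny ip any any log` adds nothing to enforcement but makes every blocked flow visible in the syslog, which is how you discover a service you forgot before users do.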