ACL "any" keyword

Is there anyone who can provide a definitive source citation for what the keyword "any" in an ASA ACL refers to?
  • Does it refer to "any" traffic?
  • Or is it more referring to any subnet, as in 0.0.0.0
Is there anyone who knows? I'd love to see this from a definitive source somewhere, because I'm not sure all ASA engineers think about it the same way. But I do want to know what is the actual case...


Cheers!
ArchiTech89, IT Security Engineer, asked:
buckethead34 commented:
It means any IP address. In the below entry the first any means any source and the second means any destination. Depending on where the access-list is applied, the source/destination could mean inside or outside of the network. Do you have a specific line that you need to know what it's doing?

permit ip any any
atlas_shuddered, Sr. Network Engineer, commented:
ArchiTech89

To further expand on what buckethead34 says above -

The statement any in an ACE (a single line of instruction in an ACL) translates to the following:

0.0.0.0 255.255.255.255

or

00000000.00000000.00000000.00000000 11111111.11111111.11111111.11111111

When reverse masking, any string of contiguous 1s means "don't care". In the case above, the mask logically states "don't care, match all".

For further reading and validation on this point, check out this article on cisco's site:

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Check under the section ACL Concepts for the reference you are looking for.

Hope it helps.
ArchiTech89, IT Security Engineer (author), commented:
Thanks to both. buckethead, I was already aware of the general properties of the any keyword, but I appreciate your efforts. atlas, thanks so much for the specifics and for the reference. This is exactly what I was looking for.

I'm always very grateful for information from fellow engineers!

Here's basically what I have determined, for what it's worth:
  • Best practices would tend away from the use of the "any" keyword in most ACLs. It's much wiser (and it makes a LOT of sense as well) to use the specific network and mask as opposed to "any".

Here's an example of what I wanted to get clear on:
nameif - DMZ
ipaddr - 192.168.35.0 255.255.255.0
In an ACL, best practice here would not be to use any, but rather 192.168.35.0/24.

Furthermore, it seems that a lot of audits (PCI, HIPAA, NIST, IRS, ISO, etc.) recoil slightly against the use of any.

In contrast, use of any is almost mandatory for public traffic from the internet. In this case, there would be no ability (and no reason) to identify each potential network that could be utilized.
ArchiTech89, IT Security Engineer (author), commented:
Exactly what I asked for. Thanks to the expert!
atlas_shuddered, Sr. Network Engineer, commented:
Archi - Thanks for the kudos -

Something else to consider after reading your closing post. During audits, your auditor is more likely to recoil from an any statement on the permit side. Generally, use in a deny is not even blanched at. Additionally, remember that ACLs run sequentially, top to bottom. So when building your ACLs, the use of a well-placed deny X any can shorten the packet runtime and improve performance overall. Without the deny anys, especially on long ACLs, a packet that will ultimately be denied will run the entire ACL looking for a permit match before finally hitting the implied deny all at the bottom.

Just food for thought.  Good luck.

A
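As an added, constructed example (not code from this thread, from Cisco, or from any ASA), the Python below models the three points the replies above make. First, any in an ACE is just the keyword form of network 0.0.0.0 with an all-"don't care" mask: in IOS wildcard notation that is 0.0.0.0 255.255.255.255 as atlas_shuddered wrote, while the ASA access-list syntax takes a subnet mask rather than a wildcard, so the same thing is written 0.0.0.0 0.0.0.0; both reduce to 0.0.0.0/0. Second, a DMZ ACL written with the specific 192.168.35.0 255.255.255.0 source instead of any stops matching packets whose source is not a DMZ address at all. Third, ACLs are evaluated top to bottom with an implicit deny at the end, so an early deny ip any ... ACE reaches the same verdict after examining one entry instead of the whole list. The ACL lines, addresses and the 40-entry permit list are made up for the demonstration; ports, object-groups and IPv6 are left out, and only IPv4 is modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: a tiny evaluator for ASA-style ACEs of the form
# "action proto src dst". Ports, object-groups and IPv6 are deliberately
# left out (an assumption to keep the model small); only IPv4 is handled.


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS-style reverse (wildcard) mask -> network.  A 1 bit in the wildcard
    means "don't care", so 0.0.0.0 255.255.255.255 is 0.0.0.0/0 and
    192.168.35.0 0.0.0.255 is 192.168.35.0/24.  Real IOS also accepts
    discontiguous wildcards; those have no /prefix form and are rejected here."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = w ^ 0xFFFFFFFF                       # complement = subnet mask
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & mask, prefix))


def parse_asa_addr(toks) -> ipaddress.IPv4Network:
    """ASA address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D SUBNET_MASK'.
    ASA ACEs take a subnet mask, not a wildcard; 'any' is the keyword form
    of 0.0.0.0 0.0.0.0."""
    tok = next(toks)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(next(toks) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{next(toks)}", strict=False)


@dataclass
class ACE:
    action: str   # permit | deny
    proto: str    # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_acl(text: str) -> list:
    acl = []
    for line in text.strip().splitlines():
        toks = iter(line.split())
        action, proto = next(toks), next(toks)
        src = parse_asa_addr(toks)
        dst = parse_asa_addr(toks)
        acl.append(ACE(action, proto, src, dst))
    return acl


def evaluate(acl: list, proto: str, src: str, dst: str):
    """Top to bottom, first match wins.  Returns (verdict, ACEs examined);
    a packet matching nothing falls through to the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", len(acl)


def any_forms():
    """The three spellings of 'any' all reduce to 0.0.0.0/0."""
    ios = wildcard_to_network("0.0.0.0", "255.255.255.255")
    asa = parse_asa_addr(iter(["0.0.0.0", "0.0.0.0"]))
    keyword = parse_asa_addr(iter(["any"]))
    return str(ios), str(asa), str(keyword)


# Inbound ACL on a DMZ interface whose subnet is 192.168.35.0/24 (made-up data).
DMZ_LOOSE = "permit ip any any"
DMZ_TIGHT = "permit ip 192.168.35.0 255.255.255.0 any"


def source_any_vs_subnet():
    """A packet whose source is not a DMZ address: 'any' permits it,
    the subnet-specific ACE falls through to the implicit deny."""
    pkt = ("ip", "10.9.9.9", "203.0.113.10")
    return evaluate(parse_acl(DMZ_LOOSE), *pkt)[0], evaluate(parse_acl(DMZ_TIGHT), *pkt)[0]


# A long list of host-specific permits (made-up), with inside 10.1.1.0/24
# never meant to be reachable from the DMZ.
PERMITS = "\n".join(
    f"permit tcp 192.168.35.0 255.255.255.0 host 203.0.113.{i}" for i in range(1, 41))
WITH_EARLY_DENY = "deny ip any 10.1.1.0 255.255.255.0\n" + PERMITS


def early_deny_effect():
    """Same verdict either way; the early deny is reached after one ACE."""
    pkt = ("tcp", "192.168.35.20", "10.1.1.7")
    return evaluate(parse_acl(PERMITS), *pkt), evaluate(parse_acl(WITH_EARLY_DENY), *pkt)


if __name__ == "__main__":
    print("forms of any:", any_forms())
    print("192.168.35.77 0.0.0.255 ->", wildcard_to_network("192.168.35.77", "0.0.0.255"))
    print("spoofed source (loose, tight):", source_any_vs_subnet())
    print("unwanted packet (no deny, early deny):", early_deny_effect())
```

The evaluator counts ACEs examined rather than measuring time, which is enough to see the effect atlas_shuddered describes: the packet bound for 10.1.1.7 is denied in both ACLs, but without the early deny it is compared against all 40 permits before the implicit deny applies. The spoofed-source case is the reason the author's best practice matters on a permit: an ACE with source any on the DMZ interface matches whatever source address a DMZ host chooses to put on the wire, while the subnet-specific ACE does not.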
ArchiTech89, IT Security Engineer (author), commented:
Good point. I sorta left out that the focus was on permits only...
Hardware Firewalls