
UDP any any statement, Please help

Status
Not open for further replies.

ianbla

IS-IT--Management
Oct 31, 2001
156
GB
I am just taking a look at my company's firewall to see if there are any holes. At the moment they have the following conduit statements (amongst others):

permit esp any any (hitcnt=0)
permit udp any any (hitcnt=8497)

I can get rid of the esp as this is not getting used.

It is the UDP that is worrying me; I don't like any any statements, especially when they have no eq statement with them.

They do have users using a VPN connection to access remotely so therefore I guess they will need some UDP ports open.

I am trying to get to grips with the DEBUG PACKET command on the PIX to see what sort of UDP packets are going through but I can't find the right syntax.

cheers
Ian.

PS. Happy New Year All
 
There should be no reason to have any UDP ports open to allow traffic in from the outside, especially seeing that you have 8000+ hits on it. Since you don't know why it is there, I personally would delete the conduit and see if anything breaks. If people start to complain that something has stopped working, call for an emergency reboot of the firewall (damn computers, need rebooting every now and again, nudge nudge wink wink). Then you can start to see what people were using and try to limit the amount of exposure.
 
So be it.

The conduit is going.

 
I have taken it out. All looks well

VPN users are still connected.

Still surf the web.

Still send/receive e-mail.

I shall wait and see.

Thanks.

 
For what it's worth, a UDP and ESP combo is usually associated with IPSEC VPNs. The UDP is ISAKMP (but only over port 500 - not every port as is listed in your config), and ESP is IPSEC phase 2.

I agree the UDP any any is bad, bad, bad.
 
Yes, typically conduits for IPSEC look like this:

conduit permit udp host x.x.x.x eq isakmp host x.x.x.x
conduit permit esp host x.x.x.x host x.x.x.x

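The thread boils down to one audit rule: a permit for tcp or udp with `any any` and no port qualifier exposes every inbound port on every host, while the IPsec pattern in the last reply limits ISAKMP to udp/500 between two named peers. The script below is an added example, not code from this thread or from Cisco; it parses `show conduit`-style lines in the shape quoted above (`conduit permit <proto> <global> [op port] <foreign> [op port] (hitcnt=N)`), flags any/any permits (worst when tcp/udp with no port), and lists entries that have never matched as removal candidates. The sample output and its hit counts are constructed, the addresses are documentation ranges, and the `host`/`any`/`eq`/`range` keyword handling follows the conduit syntax as shown in the replies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of PIX "show conduit" output, modelled on the two lines
# quoted in the question and the IPsec-style conduits suggested in the last
# reply. Addresses are documentation ranges and the hit counts are invented.
SAMPLE_CONDUITS = """\
conduit permit esp any any (hitcnt=0)
conduit permit udp any any (hitcnt=8497)
conduit permit udp host 203.0.113.10 eq isakmp host 198.51.100.5 (hitcnt=120)
conduit permit esp host 203.0.113.10 host 198.51.100.5 (hitcnt=3311)
conduit permit tcp host 203.0.113.20 eq www any (hitcnt=9000)
"""

PORT_OPERATORS = ("eq", "neq", "lt", "gt", "range")
HITCNT_RE = re.compile(r"\(hitcnt=(\d+)\)")


@dataclass
class Conduit:
    action: str
    proto: str
    global_addr: str                        # first address in the syntax (inside/translated side)
    global_port: Optional[Tuple[str, ...]]  # e.g. ("eq", "isakmp") or None
    foreign_addr: str                       # second address (outside side)
    foreign_port: Optional[Tuple[str, ...]]
    hits: Optional[int]


@dataclass
class Finding:
    index: int      # position of the conduit in the parsed list
    severity: str   # "high", "medium" or "info"
    reason: str


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def _parse_port(tokens, i):
    """Consume an optional port operator ('eq isakmp', 'range 1 1024', ...)."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = 3 if tokens[i] == "range" else 2
        return tuple(tokens[i:i + n]), i + n
    return None, i


def parse_conduit(line: str) -> Optional[Conduit]:
    """Parse one conduit line; returns None for lines that are not conduits."""
    m = HITCNT_RE.search(line)
    hits = int(m.group(1)) if m else None
    tokens = HITCNT_RE.sub("", line).split()
    if tokens and tokens[0] == "conduit":
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    action, proto = tokens[0], tokens[1].lower()
    g_addr, i = _parse_addr(tokens, 2)
    g_port, i = _parse_port(tokens, i)
    f_addr, i = _parse_addr(tokens, i)
    f_port, i = _parse_port(tokens, i)
    return Conduit(action, proto, g_addr, g_port, f_addr, f_port, hits)


def parse_conduits(text: str) -> List[Conduit]:
    return [c for c in (parse_conduit(ln) for ln in text.splitlines()) if c]


def audit(conduits: List[Conduit]) -> List[Finding]:
    """Flag the patterns discussed in the thread: any/any permits with no port
    qualifier (worst for tcp/udp), any/any permits in general, and unused entries."""
    findings = []
    for idx, c in enumerate(conduits):
        if c.action != "permit":
            continue
        wide_open = c.global_addr == "any" and c.foreign_addr == "any"
        if wide_open and c.proto in ("tcp", "udp") and not (c.global_port or c.foreign_port):
            findings.append(Finding(idx, "high",
                f"{c.proto} any any with no port restriction ({c.hits} hits): "
                "every inbound port is reachable on every host"))
        elif wide_open:
            findings.append(Finding(idx, "medium",
                f"{c.proto} any any: restrict to the VPN peer addresses"))
        if c.hits == 0:
            findings.append(Finding(idx, "info",
                f"{c.proto} conduit has never matched: candidate for removal"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_conduits(SAMPLE_CONDUITS)):
        print(f"[{f.severity}] conduit {f.index + 1}: {f.reason}")
```

Run it against a pasted `show conduit` capture instead of the sample and the `high` findings are the entries to replace with peer-specific conduits of the form shown in the last reply; the `info` findings (zero hits) are the ones that can go without anyone noticing.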
 