Hi all,
I dont have much experience with Cisco firewalls, but I'm going through some configs and am looking for some confirmation.
I believe the config I see permits Any to Any, essentially making the firewall pointless.
Here are the access-control lists:
access-list acl-outside extended permit icmp any any
access-list nnt-inside extended permit ip object-group chr-cabr-net any
access-list vpn-chr-swcr extended permit ip object-group chr-cabr-grp object-group chr-swcr-grp
access-list acl-inside extended permit ip any any
access-list acl-inside extended permit ip object-group chr-cabr-hmcr-mds-user object-group hisc-hmcr-db-grp
access-list acl-inside extended permit ip object-group chr-cabr-hmcr-mds-user object-group hisc-uat-icshmcr-grp
access-list vpn-hisc-regn extended permit ip interface outside object-group hisc-net-mgmt
access-list vpn-hisc-regn extended permit ip object-group chr-cabr-hmcr-mds-user object-group hisc-hmcr-db-grp
access-list vpn-chr-mpck extended permit ip object-group chr-cabr-grp object-group chr-mpck-grp
access-list vpn-shin-regn-uat extended permit ip object-group chr-cabr-hmcr-mds-user object-group hisc-uat-icshmcr-grp
access-list vpn-chr-cabr-mdcl extended permit ip object-group chr-cabr-grp object-group chr-cabr-mdcl-net
There are no explicit deny lists at all, so I believe that one line above opens up the firewall to Any Any entirely.
Is anyone able to confirm this?
Or is there something else in the config I should be looking for relating to the access-control lists. I can't see anything which connects/links to them.
I dont have much experience with Cisco firewalls, but I'm going through some configs and am looking for some confirmation.
I believe the config I see permits Any to Any, essentially making the firewall pointless.
Here are the access-control lists:
access-list acl-outside extended permit icmp any any
access-list nnt-inside extended permit ip object-group chr-cabr-net any
access-list vpn-chr-swcr extended permit ip object-group chr-cabr-grp object-group chr-swcr-grp
access-list acl-inside extended permit ip any any
access-list acl-inside extended permit ip object-group chr-cabr-hmcr-mds-user object-group hisc-hmcr-db-grp
access-list acl-inside extended permit ip object-group chr-cabr-hmcr-mds-user object-group hisc-uat-icshmcr-grp
access-list vpn-hisc-regn extended permit ip interface outside object-group hisc-net-mgmt
access-list vpn-hisc-regn extended permit ip object-group chr-cabr-hmcr-mds-user object-group hisc-hmcr-db-grp
access-list vpn-chr-mpck extended permit ip object-group chr-cabr-grp object-group chr-mpck-grp
access-list vpn-shin-regn-uat extended permit ip object-group chr-cabr-hmcr-mds-user object-group hisc-uat-icshmcr-grp
access-list vpn-chr-cabr-mdcl extended permit ip object-group chr-cabr-grp object-group chr-cabr-mdcl-net
There are no explicit deny lists at all, so I believe that one line above opens up the firewall to Any Any entirely.
Is anyone able to confirm this?
Or is there something else in the config I should be looking for relating to the access-control lists. I can't see anything which connects/links to them.
