IP vs ICMP
19 years 1 month ago #10394
by afdublin
IP vs ICMP was created by afdublin
Does an "ip any any" statement in an access-list include ICMP, or does ICMP access have to be configured independently?
--thanks
19 years 1 month ago #10397
by nske
Replied by nske on topic Re: IP vs ICMP
ICMP works over IP, so it is not really IP vs ICMP. From my experience with various packet-mangling software, "any" matches any available protocol, including ICMP. Though I cannot verify it 100%, I would be surprised if it was any different in CISCO's IOS or any other
19 years 1 month ago #10406
by jwj
Replied by jwj on topic Re: IP vs ICMP
I know from experience this is true :oops:
Yeah, doing ip any any will include anything with an IP header.
-Jeremy-
19 years 1 month ago #10424
by TheeGreatCornholio
Replied by TheeGreatCornholio on topic Re: IP vs ICMP
Hi Guys.
Yes - whether it be an access-list on a PIX or a router, saying 'ip any any' means ANY IP protocol number. It's not the 'any' that defines that part of it, by the way, it's the "ip" part... (the 'any's represent the source and destination IP addresses, just in case there was some confusion)
If you think of TCP/IP in layers, first you have the IP protocol layer. This can be TCP, UDP, ICMP, ESP, GRE, and the list goes on... Once you pick one, for example TCP, then you can deal with the next layer. Inside of TCP, you pick a port number for your traffic, say port 23 (which happens to be Telnet). Now toss some source and destination IP addresses in there and you've got yourself a 'socket', or an established communications session.
If you were interested in blocking ICMP for some reason, but wanted to let all other IP traffic pass, you would simply craft your access list to look like this:
access-list xyz deny icmp any any
access-list xyz permit ip any any
In access-lists, order is everything. They are read linearly - from beginning to end. Newer PIX and IOS code allows for the 'insertion' of a new ACL line in between existing ones by using sequence numbers (a very cool, and long overdue feature by the way).
Here's a good link for you if you are interested in seeing a list of all of the IP protocol codes and types presently defined:
www.iana.org/assignments/protocol-numbers
tGc
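The two points in the post above (the "ip" keyword matches every IP protocol number, ICMP included, and entries are evaluated first-match from top to bottom, so a "deny icmp" only takes effect if it sits above "permit ip any any") can be checked with a small simulator. The following is an added example written for this page, not code from the thread or from Cisco; it models a simplified subset of the IOS extended access-list syntax (CIDR networks instead of wildcard masks, the five protocol keywords listed, and the implicit deny at the end of every list), and the sample ACLs and packets are constructed for the illustration.

```python
"""
Added example: a first-match simulator for Cisco-style access lists.
It models a simplified IOS syntax (an assumption of this example, not Cisco's
parser): "access-list <name> permit|deny <proto> <src> <dst>", where each
address is "any", "host A.B.C.D" or a CIDR network.
"""
from dataclasses import dataclass
import ipaddress

# IANA protocol numbers for the keywords this simulator accepts
# (full list at the iana.org link given in the post)
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}


@dataclass(frozen=True)
class Packet:
    proto: int       # protocol number taken from the IP header
    src: str
    dst: str


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" (any protocol) or a keyword from PROTO_NUMBERS
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_entry(line: str) -> Entry:
    """Parse one access-list line into an Entry (simplified IOS syntax)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, proto = tokens[2], tokens[3]
    if proto != "ip" and proto not in PROTO_NUMBERS:
        raise ValueError(f"unknown protocol keyword: {proto}")
    rest, nets = tokens[4:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        else:
            nets.append(ipaddress.ip_network(rest[0], strict=False))
            rest = rest[1:]
    if len(nets) != 2:
        raise ValueError(f"expected a source and a destination in: {line!r}")
    return Entry(action, proto, nets[0], nets[1])


def matches(entry: Entry, pkt: Packet) -> bool:
    # "ip" matches every protocol number; a keyword matches only its own number
    proto_ok = entry.proto == "ip" or PROTO_NUMBERS[entry.proto] == pkt.proto
    return (proto_ok
            and ipaddress.ip_address(pkt.src) in entry.src
            and ipaddress.ip_address(pkt.dst) in entry.dst)


def evaluate(acl_lines: list[str], pkt: Packet) -> str:
    """Return the action of the first matching entry, else the implicit deny."""
    for line in acl_lines:
        entry = parse_entry(line)
        if matches(entry, pkt):
            return entry.action
    return "deny"   # every IOS access list ends with an implicit deny


# Constructed sample ACLs: the one from the post, and the same two lines reversed
ACL_DENY_ICMP_FIRST = [
    "access-list xyz deny icmp any any",
    "access-list xyz permit ip any any",
]
ACL_PERMIT_IP_FIRST = [
    "access-list xyz permit ip any any",
    "access-list xyz deny icmp any any",   # never reached: shadowed by line 1
]

PING = Packet(proto=1, src="10.0.0.5", dst="192.0.2.10")      # constructed ICMP packet
TELNET = Packet(proto=6, src="10.0.0.5", dst="192.0.2.10")    # constructed TCP packet


def demo() -> dict:
    """Evaluate the sample packets against each ACL ordering."""
    return {
        "icmp, deny-first":   evaluate(ACL_DENY_ICMP_FIRST, PING),
        "tcp, deny-first":    evaluate(ACL_DENY_ICMP_FIRST, TELNET),
        "icmp, permit-first": evaluate(ACL_PERMIT_IP_FIRST, PING),
        "icmp, permit only":  evaluate(["access-list xyz permit ip any any"], PING),
        "icmp, empty acl":    evaluate([], PING),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} -> {verdict}")
```

Running it shows the ICMP packet denied only when the "deny icmp" line comes first; with "permit ip any any" on top the ICMP line is shadowed and the ping is permitted, which is the ordering mistake the post warns about, and an empty list denies everything because of the implicit deny.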