Firewall rulesets and defaults
at the end of the access list: "permit any any".
There can be a good reason for allowing any - any as the last rule in a ruleset. It depends on the firewall defaults: block, or allow.
Back in the day when networking was simpler, one function of firewall* rulesets was to drop, rewrite, or redirect chosen traffic only, and allow the rest through.
I have worked on firewalls where each rule in the ruleset was tested in order**, and if no rule matched, then the traffic, by default, was dropped. In this case, it was important that the last rule in a ruleset was any - any, as without it, traffic that you expected to traverse the firewall in fact would not.
I would not be surprised if whoever worked on the ruleset expected the above behaviour - that is, the firewall by default drops/blocks everything and has to be explicitly told to allow through everything not already matched.
Of course, if allowing any - any was the first rule in the ruleset, criticisms of the competence of the writer are fully justified.
Note that if the 'On Call' writer didn't know this ruleset quirk, they might possibly have made unjustified assumptions about their predecessor.
NN
*Where firewall == router configured with some ACLs
** Linking to the relevant Cisco documentation on ACLs
Cisco:Configure Commonly Used IP ACLs
The IP ACL is a sequential collection of permit and deny conditions that apply to an IP packet. The router tests packets against the conditions in the ACL one at a time.
The first match determines whether the Cisco IOS® Software accepts or rejects the packet. Because the Cisco IOS Software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet because of an implicit deny all clause.