ASA denies L2 broadcasts

Feb 12th, 2008

Hi folks.


On my ASA 5520 I have an interface that connects to a layer 2 switch for DMZ servers. I regularly get the syslog below whenever the DMZ servers send out a broadcast (which is, of course, quite often.)


What's the best way to make this message go away? Should I just permit the broadcast (even though the ASA won't be able to do anything with it anyways)?


106023 Deny udp src DMZ:10.10.10.58/137 dst Inside:10.10.255.255/137 by access-group "dmz-in" [0x0, 0x0]

abinjola Tue, 02/12/2008 - 14:38

This is a NetBIOS IP broadcast. The ASA would never allow a broadcast through.


You may get rid of the log message using


no logg message 106023

clausonna Tue, 02/12/2008 - 15:37

I'm aware that it's a NetBIOS broadcast and as such the ASA wouldn't route it. I'm just trying to clean up the flood of syslogs that I'm getting.


Turning off 106023 would stop ALL 'deny' messages, and that's definitely not what I want. There's a lot of value in looking at what's getting denied, but NO value in seeing denied broadcasts.


I guess I'll just try an explicit permit for the broadcasts and see what happens.
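An added example, not from this thread or from Cisco: a small Python filter that keeps the 106023 deny messages worth reviewing but suppresses the ones that are only NetBIOS datagrams aimed at a broadcast address the ASA would never forward anyway. The interface subnets (Inside 10.10.0.0/16, DMZ 10.10.10.0/24) and the sample syslog lines are assumptions constructed to match the message in the question.

```python
import ipaddress
import re

# Assumed interface subnets; the thread only shows the Inside broadcast
# 10.10.255.255, so a /16 there is an assumption for this example.
INTERFACE_SUBNETS = {
    "Inside": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.10.10.0/24"),
}
NETBIOS_PORTS = {137, 138}  # NetBIOS name and datagram services

# Matches both the bare "106023 Deny ..." form and "%ASA-4-106023: Deny ...".
DENY_RE = re.compile(
    r"(?:%ASA-\d-)?106023:?\s+Deny\s+(?P<proto>\w+)\s+"
    r"src\s+(?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+)\s+"
    r"dst\s+(?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)\s+"
    r"by access-group\s+\"(?P<acl>[^\"]+)\""
)

def parse_106023(line):
    """Return the fields of a 106023 deny line, or None if it is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_broadcast_noise(rec):
    """True for UDP NetBIOS packets sent to the limited broadcast address or to
    the directed broadcast of the destination interface's subnet."""
    if rec["proto"].lower() != "udp" or rec["dport"] not in NETBIOS_PORTS:
        return False
    dst = ipaddress.ip_address(rec["dip"])
    if dst == ipaddress.ip_address("255.255.255.255"):
        return True
    net = INTERFACE_SUBNETS.get(rec["dif"])
    return net is not None and dst == net.broadcast_address

def filter_denies(lines):
    """Split syslog lines into (kept, suppressed); non-106023 lines are kept."""
    kept, suppressed = [], []
    for line in lines:
        rec = parse_106023(line)
        (suppressed if rec and is_broadcast_noise(rec) else kept).append(line)
    return kept, suppressed

# Constructed sample lines in the format the ASA uses for message 106023.
SAMPLE = [
    '%ASA-4-106023: Deny udp src DMZ:10.10.10.58/137 dst Inside:10.10.255.255/137 by access-group "dmz-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src DMZ:10.10.10.58/138 dst DMZ:10.10.10.255/138 by access-group "dmz-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src DMZ:10.10.10.58/51234 dst Inside:10.10.20.5/445 by access-group "dmz-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src DMZ:10.10.10.58/137 dst Inside:10.10.20.5/137 by access-group "dmz-in" [0x0, 0x0]',
]
```

Running `filter_denies(SAMPLE)` keeps the TCP/445 attempt and the unicast NetBIOS probe to a real host, and suppresses only the two broadcast datagrams.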

