husycisco Fri, 12/12/2008 - 12:20

Hello Robert,

Most probably, you have web servers or an Exchange server that need a TCP port to be opened in the outside interface ACL. Generally the ACE contains

permit tcp any host PublicIP eq tcpport

That means this ACE also permits traffic from multicast groups in the 224.0.0.0 subnet, since the source is "any".

Insert an ACE "before" the ACEs that permit from any source, which is like

deny ip 224.0.0.0 240.0.0.0 any
permit tcp any host PublicIP eq tcpport

Regards

Robert Ho Fri, 12/12/2008 - 12:34

Nice one. I put the following in earlier and will wait for the scan tonight. Thanks!

object-group network ALL-MCAST
 description Full Multicast Block
 network-object 224.0.0.0 240.0.0.0
!
access-list outside_acl extended deny ip object-group ALL-MCAST any
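A simplified first-match model of the ordering point made in this thread, added here as an example and not taken from either post. The two ACLs, the 203.0.113.10 server address and port 443 are constructed; the mask handling follows ASA extended ACL syntax (subnet mask, not an IOS wildcard).

```python
import ipaddress

# Constructed ASA-style ACLs (not from the thread). The only difference
# is the order: the multicast deny must come before any "any"-source permit.
GOOD_ACL = [
    "deny ip 224.0.0.0 240.0.0.0 any",
    "permit tcp any host 203.0.113.10 eq 443",
]
BAD_ACL = [
    "permit tcp any host 203.0.113.10 eq 443",
    "deny ip 224.0.0.0 240.0.0.0 any",
]

def _take_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA extended ACLs take a subnet mask here (240.0.0.0 = /4), not an IOS wildcard
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse the ACE subset used here: <permit|deny> <ip|tcp|udp> SRC DST [eq PORT]."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    dst, rest = _take_addr(rest)
    port = int(rest[1]) if len(rest) == 2 and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation, ending in the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"

if __name__ == "__main__":
    print(evaluate(GOOD_ACL, "tcp", "224.0.0.1", "203.0.113.10", 443))  # deny
    print(evaluate(BAD_ACL, "tcp", "224.0.0.1", "203.0.113.10", 443))   # permit
```

With the deny placed after the permit-any ACE, a multicast-sourced packet to the published port is matched by the permit first and never reaches the deny; the same packet from a unicast source is permitted in both orders.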
