husycisco Fri, 12/12/2008 - 12:20

Hello Robert,

Most probably, you have web servers or an Exchange server that need a TCP port to be opened in the outside interface ACL. Generally the ACE contains

permit tcp any host PublicIP eq tcpport

That means this ACE also permits traffic from the multicast group subnet 224.0.0.0, since the source is "any".

Insert an ACE "before" the ACEs that permit from any source, like this:

deny ip 224.0.0.0 240.0.0.0 any

permit tcp any host PublicIP eq tcpport

Regards

Robert Ho Fri, 12/12/2008 - 12:34

Nice one. I put the following in earlier and will wait for the scan tonight. Thanks!

object-group network ALL-MCAST

description Full Multicast Block

network-object 224.0.0.0 240.0.0.0

!

access-list outside_acl extended deny ip object-group ALL-MCAST any
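To make the ordering point in the thread concrete (the deny for 224.0.0.0/4 must sit above any "permit ... any host ..." line, otherwise the permit wins on first match), here is a small added example of an ASA-style first-match ACL evaluator. It is not from the original posts or from Cisco; the public IP 203.0.113.10, port 80 and the test source addresses are constructed placeholders. It parses the same ACE syntax used above (including the 224.0.0.0 240.0.0.0 netmask form) and shows which source addresses a given ACL would let through to the server port, so a change can be sanity-checked before the next scan.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder for the server's public IP (TEST-NET-3 range), not from the thread.
PUBLIC_IP = "203.0.113.10"


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse a minimal subset of ASA extended ACE syntax:
       [access-list NAME extended] <action> <proto> <src> <dst> [eq <port>]
       where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' (ASA uses
       subnet masks, not IOS wildcard masks). Only numeric ports are handled here."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[3:]              # drop 'access-list <name> extended'
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take(tl):
        if tl[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tl[1:]
        if tl[0] == "host":
            return ipaddress.ip_network(tl[1] + "/32"), tl[2:]
        # ipaddress accepts 'addr/netmask'; a malformed mask raises ValueError
        return ipaddress.ip_network(f"{tl[0]}/{tl[1]}", strict=False), tl[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)


def mask_is_valid(addr_and_mask: str) -> bool:
    """True if 'A.B.C.D MASK' is a contiguous subnet mask the ASA-style ACE can express."""
    addr, mask = addr_and_mask.split()
    try:
        ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return True
    except ValueError:
        return False


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation, as an interface ACL does it, with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Three candidate outside ACLs (constructed): the broad permit alone, the deny placed
# above it as the thread recommends, and the same two lines in the wrong order.
BROAD_ONLY = [parse_ace(f"permit tcp any host {PUBLIC_IP} eq 80")]
FIXED = [parse_ace("access-list outside_acl extended deny ip 224.0.0.0 240.0.0.0 any"),
         parse_ace(f"access-list outside_acl extended permit tcp any host {PUBLIC_IP} eq 80")]
WRONG_ORDER = list(reversed(FIXED))


def outcome(acl: List[Ace], src_ip: str) -> str:
    """What the ACL does with a TCP/80 packet from src_ip to the public server."""
    return evaluate(acl, "tcp", src_ip, PUBLIC_IP, 80)


if __name__ == "__main__":
    for name, acl in (("broad only", BROAD_ONLY), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} multicast src -> {outcome(acl, '224.0.0.5')}, "
              f"unicast src -> {outcome(acl, '198.51.100.7')}")
```

Running it shows the broad permit and the wrong-order ACL both accept a packet with a 224.0.0.5 source, while the fixed ACL denies it and still permits an ordinary unicast client. The mask_is_valid check is there because a mistyped mask is rejected by the parser rather than silently matching a different range; when editing a live ACL, the equivalent check is reading back "show access-list" after the change.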
