husycisco Fri, 12/12/2008 - 12:20

Hello Robert,

Most probably, you have web servers or an Exchange server that needs a TCP port to be opened in the outside interface ACL. Generally the ACE contains

permit tcp any host PublicIP eq tcpport

That means this ACE also permits traffic from the multicast groups subnet, since the source is "any".

Insert an ACE "before" the ACEs that permit from any source, which is like

deny ip any

permit tcp any host PublicIP eq tcpport
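To show why the deny has to sit before the permit, here is an added first-match ACL simulation (example code, not from this thread or from Cisco). It assumes PublicIP is 203.0.113.10, tcpport is 443, and that the multicast sources the scan complains about fall in the standard IPv4 multicast range 224.0.0.0/4; the ASA object-group is modelled as a plain ACE.

```python
# Added example: first-match ACL evaluation, showing that
# "permit tcp any host PublicIP eq tcpport" also matches multicast-sourced packets
# unless a deny for multicast sources precedes it.
# Assumptions (not from the thread): PublicIP = 203.0.113.10, tcpport = 443,
# multicast sources = 224.0.0.0/4.
import ipaddress
from typing import NamedTuple, Optional

class ACE(NamedTuple):
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol, else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port

ANY = ipaddress.ip_network("0.0.0.0/0")
MCAST = ipaddress.ip_network("224.0.0.0/4")          # assumed multicast range
PUBLIC_IP = ipaddress.ip_network("203.0.113.10/32")  # constructed "PublicIP"

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Return the action of the first matching ACE; implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

PERMIT_WEB = ACE("permit", "tcp", ANY, PUBLIC_IP, 443)   # the existing ACE
DENY_MCAST = ACE("deny", "ip", MCAST, ANY, None)          # the suggested deny

ORIGINAL_ACL = [PERMIT_WEB]                 # what the thread starts with
FIXED_ACL = [DENY_MCAST, PERMIT_WEB]        # deny inserted before the permit
MISORDERED_ACL = [PERMIT_WEB, DENY_MCAST]   # deny placed after: never reached

def multicast_web_result(acl):
    # constructed packet: multicast source hitting the public web port
    return evaluate(acl, "tcp", "239.1.1.1", "203.0.113.10", 443)

def unicast_web_result(acl):
    # constructed packet: ordinary Internet client hitting the same port
    return evaluate(acl, "tcp", "198.51.100.7", "203.0.113.10", 443)

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_ACL), ("fixed", FIXED_ACL),
                      ("misordered", MISORDERED_ACL)]:
        print(f"{name:10} multicast -> {multicast_web_result(acl)}, "
              f"unicast -> {unicast_web_result(acl)}")
```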


Robert Ho Fri, 12/12/2008 - 12:34

Nice one. I put the following in earlier and will wait for the scan tonight. Thanks!

object-group network ALL-MCAST

description Full Multicast Block
access-list outside_acl extended deny ip object-group ALL-MCAST any
