ASA Fails spank.c security scan

Robert Ho
Level 1

Hey all, we have a customer failing the spank.c security scan. There is no multicast enabled on the outside. Anyone else have any luck with this?

http://www.securityspace.com/smysecure/catid.html?id=11901

2 Replies

husycisco
Level 7

Hello Robert,

Most probably, you have web servers or an Exchange server that need a TCP port to be opened in the outside interface ACL. Generally the ACE looks like

permit tcp any host PublicIP eq tcpport

That means this ACE also permits traffic from the 224.0.0.0 multicast range, since the source is "any".

Insert an ACE before the ACEs that permit from any source, like:

access-list outside_acl remark Drop packets sourced from the 224.0.0.0/4 multicast range (ASA takes a subnet mask here, not an IOS wildcard)
access-list outside_acl extended deny ip 224.0.0.0 240.0.0.0 any
access-list outside_acl extended permit tcp any host PublicIP eq tcpport

Regards

Nice one. I put the following in earlier and will wait for the scan tonight. Thanks!

object-group network ALL-MCAST
 description Full Multicast Block
 network-object 224.0.0.0 240.0.0.0
!
access-list outside_acl extended deny ip object-group ALL-MCAST any
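The point of both replies is ordering: an ASA ACL is first-match with an implicit deny at the end, so the multicast deny only helps if it sits above every `permit ... any ...` ACE. The following is an added example (not from the thread or from Cisco) that parses the subset of ASA extended ACE syntax used above and evaluates a multicast-sourced SYN, the kind of packet the spank check sends, against the original ACL, the fixed ordering and the wrong ordering. `203.0.113.10` and port 443 are placeholders for the thread's `PublicIP` and `tcpport`; the object-group form in the last post is treated as already expanded to its single `network-object 224.0.0.0 240.0.0.0` entry, which is what the ASA does when it evaluates the ACE.

```python
"""First-match evaluation of ASA-style extended ACEs.

Added example, not code from the original thread. Only the subset of
ASA syntax used in the thread is parsed:
  access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.
PublicIP 203.0.113.10 and port 443 are placeholder values (assumptions).
"""
import ipaddress


def parse_addr(tokens):
    """Consume one address spec from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # ASA ACEs take a real subnet mask (240.0.0.0 for /4), not an IOS wildcard.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one 'access-list NAME extended ...' line into a dict."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = toks[3], toks[4]
    src, rest = parse_addr(toks[5:])
    dst, rest = parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def ace_matches(ace, proto, src, dst, dport):
    """True if the packet (proto, src, dst, dport) is covered by this ACE."""
    if ace["proto"] not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in ace["src"]:
        return False
    if ipaddress.ip_address(dst) not in ace["dst"]:
        return False
    return ace["port"] is None or ace["port"] == dport


def evaluate(acl_lines, proto, src, dst, dport):
    """ASA semantics: the first matching ACE wins; implicit deny at the end."""
    for line in acl_lines:
        if ace_matches(parse_ace(line), proto, src, dst, dport):
            return parse_ace(line)["action"]
    return "deny"


PUBLIC_IP = "203.0.113.10"  # placeholder for the thread's PublicIP
PERMIT_WEB = f"access-list outside_acl extended permit tcp any host {PUBLIC_IP} eq 443"
DENY_MCAST = "access-list outside_acl extended deny ip 224.0.0.0 240.0.0.0 any"

ORIGINAL = [PERMIT_WEB]                 # what the customer had: 'any' covers 224/4
FIXED = [DENY_MCAST, PERMIT_WEB]        # the reply's advice: deny first
WRONG_ORDER = [PERMIT_WEB, DENY_MCAST]  # deny after the permit never fires

if __name__ == "__main__":
    # Constructed packet: a SYN with a multicast source address, as the spank check sends.
    pkt = ("tcp", "224.0.0.1", PUBLIC_IP, 443)
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s}: {evaluate(acl, *pkt)}")
    print("legit client:", evaluate(FIXED, "tcp", "198.51.100.7", PUBLIC_IP, 443))
```

A useful side check is that a normal client is still permitted through the fixed ACL, so the deny is scoped to the 224.0.0.0/4 source range and nothing else; on the real box, `show access-list outside_acl` lists ACEs in evaluation order with hit counts, which is the quickest way to confirm the deny sits above the permits and is actually counting hits after the scan runs.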
