New Member

Allowing multicast on inside network in transparent mode

ASA is in transparent mode (5512-X/9.1(5))

Inside network is 10.1.0.0/24. Router 10.1.0.1 is on the outside interface.

Syslog message: Deny inbound UDP from 10.1.0.103/5353 to 224.0.0.251/5353 on interface inside

I have the ASA configured with access-lists when going from outside to inside but no access-lists from inside to outside because I want to permit all traffic from inside to outside.

I believe in routed mode I'd issue same-security-traffic permit intra-interface. How would I go about doing this in transparent mode without having an inside to outside access-list?

Config:

access-list outside_in extended permit tcp any4 host 10.1.0.46 object-group WEBSERVER_SERVICES log notifications
access-list outside_in extended permit tcp any4 any4 object-group VCENTER
access-list outside_in extended permit tcp any4 any4 object-group VSPHERE inactive
access-list outside_in extended permit tcp any4 any4 eq ssh log notifications
access-list outside_in extended permit tcp any4 any4 object-group RDP
access-list outside_in extended permit udp host 10.1.0.1 host 10.1.0.54 eq syslog
access-list outside_in extended permit udp object-group IMPULSE eq sip host 10.1.0.15 eq sip log notifications
access-list outside_in extended permit icmp host 10.1.0.1 any4 object-group ICMP log notifications

access-group outside_in in interface outside

4 REPLIES
Cisco Employee

My friend, Broadcast and Multicast are not allowed by default in transparent firewall; you will need to use an ACL.

That doesn't apply with ARP which is allowed from out to in and from in to out.

JJ

New Member

I don't want to have an input access-group for the inside interface as I don't want to explicitly define traffic allowed out of the network. I want all traffic allowed inside to outside.

Is there another way to do it?

Cisco Employee

You can apply an input acl, in the inside allowing everything (permit ip any any) and an ACL in the outside only allowing the multicast streams, for example:

access-list OUTSIDE extended permit igmp any any
access-list OUTSIDE extended permit pim any any
access-list OUTSIDE extended permit ip any object-group MCAST
access-list OUTSIDE extended permit ip object-group MCAST any

Where MCAST encompasses a group from 224.0.0.0 - 239.255.255.255.

JJ
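To show the two-ACL approach JJ describes in full, here is an added example configuration; it is not from the original thread or from Cisco. It assumes the interface names "inside" and "outside" from the original post, reuses the OP's existing outside_in ACL name instead of JJ's OUTSIDE, and takes the object-group name MCAST and the 224.0.0.0 - 239.255.255.255 range from JJ's answer.

```cisco
! Added example, not part of the original thread. Interface names "inside"
! and "outside" are from the original post; the object-group name MCAST and
! the 224.0.0.0/4 range are from the accepted answer.
!
! 1. Inside: permit everything so inside-originated traffic, including
!    multicast such as the mDNS flow to 224.0.0.251 that the syslog shows
!    being denied, is no longer dropped by the implicit deny.
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! 2. Outside: keep the existing outside_in unicast entries and add only the
!    multicast control-plane protocols and the multicast group range.
object-group network MCAST
 network-object 224.0.0.0 240.0.0.0
!
access-list outside_in extended permit igmp any any
access-list outside_in extended permit pim any any
access-list outside_in extended permit ip any object-group MCAST
access-list outside_in extended permit ip object-group MCAST any
access-group outside_in in interface outside
!
! 3. Verify from exec mode once multicast traffic has been seen: the
!    hitcnt on each entry shows which line is actually matching.
! show access-list inside_in
! show access-list outside_in
```

The inside ACL removes the implicit deny for inside-originated IP traffic, which is what produced the "Deny inbound UDP ... on interface inside" message, while returning unicast traffic is still handled by the stateful inspection. The outside ACL widens outside-originated traffic only to IGMP, PIM and the 224.0.0.0/4 group range, so the existing outside_in entries remain the only permitted unicast. Note that permit ip any any covers IP only; in transparent mode, non-IP EtherTypes still need a separate EtherType access-list if they are required.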

New Member

Thanks!

access-list inside_in extended permit ip any any

access-group inside_in in interface inside

These two lines seem to have solved the issue.
