Community Member

ASA Fails spank.c security scan

Hey all, we have a customer failing the spank.c security scan. There is no multicast enabled on the outside. Anyone else have any luck with this?

http://www.securityspace.com/smysecure/catid.html?id=11901

2 REPLIES

Re: ASA Fails spank.c security scan

Hello Robert,

Most probably, you have web servers or an Exchange server that need a TCP port opened in the outside interface ACL. Generally the ACE contains

permit tcp any host PublicIP eq tcpport

That means this ACE also permits traffic from the multicast 224.0.0.0 range, since the source is "any".

Insert an ACE before the ACEs that permit from any source, like:

deny ip 224.0.0.0 240.0.0.0 any

permit tcp any host PublicIP eq tcpport

Regards

Community Member

Re: ASA Fails spank.c security scan

Nice one. I put the following in earlier and will wait for the scan tonight. Thanks!

object-group network ALL-MCAST
 description Full Multicast Block
 network-object 224.0.0.0 240.0.0.0
!
access-list outside_acl extended deny ip object-group ALL-MCAST any
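The first-match ordering both replies depend on, as an added Python check that is not from the thread or from Cisco: it parses the ACE subset used above, evaluates a flow against the ACL top-down, and shows that the multicast deny only helps when it sits before the permit-from-any line. The address 203.0.113.10, port 443 and the ACL text are constructed stand-ins for PublicIP and tcpport.

```python
import ipaddress

# Constructed sample outside ACL, in running-config order (ASA evaluates ACEs
# top-down, first match wins). PublicIP from the thread is replaced with the
# documentation address 203.0.113.10; port 443 stands in for "tcpport".
ACL_BEFORE_FIX = [
    "access-list outside_acl extended permit tcp any host 203.0.113.10 eq 443",
]
ACL_AFTER_FIX = [
    "access-list outside_acl extended deny ip 224.0.0.0 240.0.0.0 any",
    "access-list outside_acl extended permit tcp any host 203.0.113.10 eq 443",
]

def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA takes a netmask here (240.0.0.0 = /4), not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse: access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    action, proto = tokens[3], tokens[4]
    src, rest = _take_addr(tokens[5:])
    dst, rest = _take_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, src_ip, dst_ip, proto, dport):
    """Return 'permit' or 'deny' for one flow; unmatched flows hit the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if src in ace["src"] and dst in ace["dst"] and ace["port"] in (None, dport):
            return ace["action"]
    return "deny"

def multicast_source_permitted(acl_lines):
    """Would a TCP SYN with a multicast source (the traffic the replies filter) pass?"""
    return evaluate(acl_lines, "224.0.0.1", "203.0.113.10", "tcp", 443) == "permit"

if __name__ == "__main__":
    print("before fix:", multicast_source_permitted(ACL_BEFORE_FIX))  # True
    print("after fix: ", multicast_source_permitted(ACL_AFTER_FIX))   # False
```

Reversing the two lines of ACL_AFTER_FIX makes the check pass again, which is the ordering mistake the first reply warns about.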
