https://community.cisco.com/t5/network-security/asa-fails-spank-c-securty-scan/m-p/1137751#M878858 <HTML><HEAD></HEAD><BODY><P>nice one. i put the following in earlier and will wait for the scan tonight. thanks!</P><P></P><P>object-group network ALL-MCAST</P><P> description Full Multicast Block</P><P> network-object 224.0.0.0 240.0.0.0</P><P>!</P><P>access-list outside_acl extended deny ip object-group ALL-MCAST any</P></BODY></HTML> Fri, 12 Dec 2008 20:34:19 GMT Robert Ho 2008-12-12T20:34:19Z https://community.cisco.com/t5/network-security/asa-fails-spank-c-securty-scan/m-p/1137749#M878856 <P>hey all, we have a customer failing the spank.c security scan. there is no multicast enabled on the outside. anyone else have any luck with this?</P><P></P><P><A class="jive-link-custom" href="http://www.securityspace.com/smysecure/catid.html?id=11901" target="_blank">http://www.securityspace.com/smysecure/catid.html?id=11901</A></P><P></P> Mon, 11 Mar 2019 14:25:33 GMT https://community.cisco.com/t5/network-security/asa-fails-spank-c-securty-scan/m-p/1137749#M878856 Robert Ho 2019-03-11T14:25:33Z https://community.cisco.com/t5/network-security/asa-fails-spank-c-securty-scan/m-p/1137750#M878857 <HTML><HEAD></HEAD><BODY><P>Hello Robert,</P><P> Most probably, you have web servers or exchange server that needs a tcp port to be opened in outside interface ACL. Generally the ACE contains</P><P></P><P>permit tcp any host PublicIP eq tcpport</P><P></P><P> That means this ACE also permits traffic from multicast groups 224.0.0.0 subnet, since source is "any.</P><P> Insert an ACE "before" the ACEs that permit from any source, which is like</P><P></P><P>deny ip 224.0.0.0 16.0.0.0 any</P><P>permit tcp any host PublicIP eq tcpport</P><P></P><P>Regards</P></BODY></HTML> Fri, 12 Dec 2008 20:20:22 GMT https://community.cisco.com/t5/network-security/asa-fails-spank-c-securty-scan/m-p/1137750#M878857 Alan Huseyin Kayahan 2008-12-12T20:20:22Z https://community.cisco.com/t5/network-security/asa-fails-spank-c-securty-scan/m-p/1137751#M878858 <HTML><HEAD></HEAD><BODY><P>nice one. i put the following in earlier and will wait for the scan tonight. thanks!</P><P></P><P>object-group network ALL-MCAST</P><P> description Full Multicast Block</P><P> network-object 224.0.0.0 240.0.0.0</P><P>!</P><P>access-list outside_acl extended deny ip object-group ALL-MCAST any</P></BODY></HTML> Fri, 12 Dec 2008 20:34:19 GMT https://community.cisco.com/t5/network-security/asa-fails-spank-c-securty-scan/m-p/1137751#M878858 Robert Ho 2008-12-12T20:34:19Z