05-22-2014 02:53 PM - edited 03-11-2019 09:14 PM
ASA is in transparent mode (5512-X/9.1(5))
Inside network is 10.1.0.0/24. Router 10.1.0.1 is on the outside interface.
Syslog message: Deny inbound UDP from 10.1.0.103/5353 to 224.0.0.251/5353 on interface inside
I have the ASA configured with access-lists when going from outside to inside but no access-lists from inside to outside because I want to permit all traffic from inside to outside.
I believe in routed mode I'd issue same-security-traffic permit intra-interface. How would I go about doing this in transparent mode without having an inside to outside access-list?
Config:
access-list outside_in extended permit tcp any4 host 10.1.0.46 object-group WEBSERVER_SERVICES log notifications
access-list outside_in extended permit tcp any4 any4 object-group VCENTER
access-list outside_in extended permit tcp any4 any4 object-group VSPHERE inactive
access-list outside_in extended permit tcp any4 any4 eq ssh log notifications
access-list outside_in extended permit tcp any4 any4 object-group RDP
access-list outside_in extended permit udp host 10.1.0.1 host 10.1.0.54 eq syslog
access-list outside_in extended permit udp object-group IMPULSE eq sip host 10.1.0.15 eq sip log notifications
access-list outside_in extended permit icmp host 10.1.0.1 any4 object-group ICMP log notifications
access-group outside_in in interface outside
05-27-2014 09:22 AM
My friend, broadcast and multicast are not allowed by default in a transparent firewall; you will need to use an ACL.
That doesn't apply to ARP, which is allowed from out to in and from in to out.
JJ
05-28-2014 05:13 PM
I don't want to have an input access-group for the inside interface as I don't want to explicitly define traffic allowed out of the network. I want all traffic allowed inside to outside.
Is there another way to do it?
05-29-2014 05:29 AM
You can apply an input ACL on the inside allowing everything (permit ip any any) and an ACL on the outside only allowing the multicast streams, for example:
access-list OUTSIDE extended permit igmp any any
access-list OUTSIDE extended permit pim any any
access-list OUTSIDE extended permit ip any object-group MCAST
access-list OUTSIDE extended permit ip object-group MCAST any
Where MCAST encompasses a group from 224.0.0.0 - 239.255.255.255.
All the traffic in the inside will be allowed and only the returning traffic inspected and multicast traffic will be allowed from the outside.
JJ
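The accepted answer assembled into one transparent-mode configuration, as an added example that is not from the thread: the MCAST object-group definition is assumed (the answer only states its range), the ACL names follow the original poster's inside_in/outside_in convention, and the inside entry is the permit-everything line the poster ended up using.

```cisco
! Added example, not JJ's or the poster's own config.
! Assumed object-group: 224.0.0.0/4 written in ASA mask form.
object-group network MCAST
 network-object 224.0.0.0 240.0.0.0
!
! Inside: applying any access-group replaces the implicit
! higher-to-lower permit with an implicit deny, so every flow
! must be listed. permit ip any any keeps "allow all out" and
! covers the denied mDNS flow (UDP to 224.0.0.251/5353).
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! Outside: multicast control plane (IGMP, PIM) and group
! traffic, placed before the existing outside_in entries from
! the original post, which stay unchanged below these lines.
access-list outside_in extended permit igmp any any
access-list outside_in extended permit pim any any
access-list outside_in extended permit ip any object-group MCAST
access-list outside_in extended permit ip object-group MCAST any
access-group outside_in in interface outside
```

Verify with show access-list inside_in and outside_in after the next mDNS burst; the hit counts on the new entries confirm which line is carrying the traffic. Because the inside ACL now ends in an implicit deny, anything not permitted there is dropped, so narrowing it later means listing every allowed egress flow explicitly.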
05-29-2014 01:35 PM
Thanks!
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
These two lines seem to have solved the issue.