Allowing multicast on inside network in transparent mode

Dru Goradia
Level 1

ASA is in transparent mode (5512-X/9.1(5))

Inside network is 10.1.0.0/24. Router 10.1.0.1 is on the outside interface.

Syslog message: Deny inbound UDP from 10.1.0.103/5353 to 224.0.0.251/5353 on interface inside

I have the ASA configured with access-lists for traffic going from outside to inside, but no access-lists from inside to outside, because I want to permit all traffic from inside to outside.

I believe in routed mode I'd issue same-security-traffic permit intra-interface. How would I go about doing this in transparent mode without having an inside to outside access-list?

Config:

access-list outside_in extended permit tcp any4 host 10.1.0.46 object-group WEBSERVER_SERVICES log notifications
access-list outside_in extended permit tcp any4 any4 object-group VCENTER
access-list outside_in extended permit tcp any4 any4 object-group VSPHERE inactive
access-list outside_in extended permit tcp any4 any4 eq ssh log notifications
access-list outside_in extended permit tcp any4 any4 object-group RDP
access-list outside_in extended permit udp host 10.1.0.1 host 10.1.0.54 eq syslog
access-list outside_in extended permit udp object-group IMPULSE eq sip host 10.1.0.15 eq sip log notifications
access-list outside_in extended permit icmp host 10.1.0.1 any4 object-group ICMP log notifications

access-group outside_in in interface outside

Accepted Solution

You can apply an input ACL on the inside allowing everything (permit ip any any) and an ACL on the outside only allowing the multicast streams, for example:

access-list OUTSIDE extended permit igmp any any
access-list OUTSIDE extended permit pim any any
access-list OUTSIDE extended permit ip any object-group MCAST
access-list OUTSIDE extended permit ip object-group MCAST any

Where MCAST encompasses a group from 224.0.0.0 - 239.255.255.255.

All the traffic from the inside will be allowed, and only the inspected returning traffic and multicast traffic will be allowed from the outside.

JJ

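Putting the accepted solution together as one transparent-mode configuration, added here as an illustration and not text from the thread: the object-group definition for MCAST is an assumption (the thread only describes its range, 224.0.0.0 - 239.255.255.255, which is 224.0.0.0/4), and the access-list names reuse inside_in and outside_in from the original post so the multicast entries simply append to the existing outside list.

```cisco
! Assumed object-group covering the whole IPv4 multicast range
! 224.0.0.0 - 239.255.255.255 (224.0.0.0/4); the thread names it MCAST
! but does not show its definition.
object-group network MCAST
 network-object 224.0.0.0 240.0.0.0
!
! Inside interface: permit everything outbound. This is what the poster
! wanted and is also what lets 10.1.0.103 -> 224.0.0.251/5353 (mDNS)
! through, since transparent mode drops IP multicast without an ACL.
access-list inside_in extended permit ip any any
!
! Outside interface: keep the existing outside_in entries from the post
! and add only the multicast control protocols and the 224.0.0.0/4 range.
access-list outside_in extended permit igmp any any
access-list outside_in extended permit pim any any
access-list outside_in extended permit ip any object-group MCAST
access-list outside_in extended permit ip object-group MCAST any
!
! Bind both lists inbound on their interfaces.
access-group inside_in in interface inside
access-group outside_in in interface outside
```

Unicast replies to inside-initiated flows still come back through the stateful connection table, so the outside list does not need to open anything for them; it only widens for multicast. After applying the lists, show access-list inside_in and show access-list outside_in report per-entry hit counts, and the "Deny inbound UDP ... to 224.0.0.251/5353 on interface inside" syslog from the original post should stop appearing. On ASA 9.x, any matches both IPv4 and IPv6 while any4 matches IPv4 only, so use any4 in these entries if you want to keep the IPv4-only convention of the existing outside_in list.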

4 Replies

Juan Ponce Dominguez
Cisco Employee

My friend, Broadcast and Multicast are not allowed by default in transparent firewall, you will need to use ACL.

That doesn't apply to ARP, which is allowed from out to in and from in to out.

JJ

I don't want to have an input access-group for the inside interface as I don't want to explicitly define traffic allowed out of the network. I want all traffic allowed inside to outside.

Is there another way to do it?

Thanks!

access-list inside_in extended permit ip any any

access-group inside_in in interface inside

These two lines seem to have solved the issue.
