12-12-2008 11:37 AM - edited 03-11-2019 07:25 AM
Hey all, we have a customer failing the spank.c security scan. There is no multicast enabled on the outside. Anyone else have any luck with this?
12-12-2008 12:20 PM
Hello Robert,
Most probably, you have web servers or an Exchange server that needs a TCP port opened in the outside interface ACL. Generally the ACE contains
permit tcp any host PublicIP eq tcpport
That means this ACE also permits traffic from the 224.0.0.0 multicast subnet, since the source is "any".
Insert an ACE "before" the ACEs that permit from any source, like
deny ip 224.0.0.0 240.0.0.0 any
permit tcp any host PublicIP eq tcpport
Regards
12-12-2008 12:34 PM
Nice one. I put the following in earlier and will wait for the scan tonight. Thanks!
object-group network ALL-MCAST
description Full Multicast Block
network-object 224.0.0.0 240.0.0.0
!
access-list outside_acl extended deny ip object-group ALL-MCAST any
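As an added example (not from the thread; the public IP, client address, port and object names below are constructed), here is a small first-match ACL evaluator in Python that shows the point of both posts above: a `deny ip 224.0.0.0 240.0.0.0 any` ACE only helps if it is evaluated before the `permit tcp any host PublicIP eq tcpport` ACEs. On an ASA an `access-list` command entered without a `line` number is appended to the end of the ACL, so a deny typed after the existing permits lands below them unless a line number is given. The second helper checks that a candidate mask really describes 224.0.0.0/4 in either ASA netmask form or IOS wildcard form, which is an easy thing to get wrong when copying ACEs between platforms.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed values, not from the thread.
PUBLIC_IP = "198.51.100.10"          # the published web/Exchange host
ANY = ipaddress.ip_network("0.0.0.0/0")
# 224.0.0.0 with ASA-style netmask 240.0.0.0 == 224.0.0.0/4 (all of class D)
MCAST = ipaddress.ip_network("224.0.0.0/240.0.0.0")


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def host(ip: str) -> ipaddress.IPv4Network:
    """Equivalent of the ASA keyword 'host <ip>'."""
    return ipaddress.ip_network(f"{ip}/32")


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins, with the implicit deny at the end, as on an
    ASA interface ACL. Returns (action, 1-based line of the matching ACE)."""
    for line, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, line
    return "deny", None  # implicit deny


def mask_covers_class_d(mask: str) -> bool:
    """True if '224.0.0.0 <mask>' is exactly 224.0.0.0/4, accepting either an
    ASA netmask (240.0.0.0) or an IOS wildcard (15.255.255.255)."""
    try:
        return ipaddress.ip_network(f"224.0.0.0/{mask}") == MCAST
    except ValueError:                # not a contiguous netmask or wildcard
        return False


PERMIT_WEB = Ace("permit", "tcp", ANY, host(PUBLIC_IP), 80)
DENY_MCAST = Ace("deny", "ip", MCAST, ANY)

# The deny appended after the permit (what an 'access-list' command with no
# line number does on an ASA) versus the deny placed first, as the reply advises.
APPENDED = [PERMIT_WEB, DENY_MCAST]
INSERTED_FIRST = [DENY_MCAST, PERMIT_WEB]

# Constructed probe in the style the scan uses: multicast source address,
# TCP to the published port. And a legitimate unicast client for comparison.
SPOOFED_MCAST_SYN = Packet("tcp", "224.0.0.1", PUBLIC_IP, 80)
LEGIT_SYN = Packet("tcp", "203.0.113.5", PUBLIC_IP, 80)


if __name__ == "__main__":
    for name, acl in (("appended", APPENDED), ("inserted first", INSERTED_FIRST)):
        print(f"deny {name}: spoofed -> {evaluate(acl, SPOOFED_MCAST_SYN)}, "
              f"legit -> {evaluate(acl, LEGIT_SYN)}")
    for m in ("240.0.0.0", "15.255.255.255", "255.0.0.0"):
        print(f"224.0.0.0 {m} covers 224.0.0.0/4: {mask_covers_class_d(m)}")
```

With the deny appended, the multicast-sourced SYN hits the permit on line 1 and is allowed, which is exactly the condition the scan flags; with the deny first it is dropped on line 1 while the legitimate client still matches the permit on line 2. On a real ASA, `show access-list outside_acl` shows the line numbers and hit counts, so the same check can be done against the live ACL after the change.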