742 Views | 0 Helpful | 2 Replies

ASA IP broadcast forwarding question

itdepteva
Level 1

Hi All,

We have two ASAs in active/failover mode (routed mode) with different split public IP DMZs. My question is related to IP broadcast forwarding in general. In my understanding the ASA should deny IP packets which have broadcast/network destinations of one of our other subnets with public IPs. For example:

A packet which comes through the outer interface (connection to ISP) with as destination address, which is a broadcast IP of our public DMZ, should be denied. But it is not: each host in this public DMZ gets this packet, because it's the broadcast address for this subnet.

I've read in the documentation that in routed mode broadcasts and multicasts are blocked even if you allow them with ACLs. We have ACLs with subnet definitions as destination, but I think the ASA should know that there is a network address (first IP in the subnet) and a broadcast address (last IP in the subnet) and deny packets with these destinations.

Thank you in advance

Lars

2 Replies

andrew.prince
Level 10

Post your config, especially the outside interface acl and the nat statements

Sent from Cisco Technical Support iPad App

Hi Andrew,

thanks for your fast response.

Here is the extract from my config:

interface GigabitEthernet0/0
 description outer interface
 nameif outer
 security-level 0
 ip address 111.111.111.194 255.255.255.224 standby 111.111.11.211
!
interface GigabitEthernet0/3.12
 description dmz interface
 vlan 11
 nameif dmz_tagged
 security-level 0
 ip address 111.111.111.161 255.255.255.224 standby 111.111.111.186
!
object-group service DM_INLINE_SERVICE_60
 service-object icmp echo
 service-object tcp destination eq www
 service-object tcp destination eq https
access-list outer_access_in extended permit object-group DM_INLINE_SERVICE_60 any 111.111.111.160 255.255.255.224 log warnings

There are no NAT statements, because there is dynamic routing over interfaces with public IPs (subnets). Translation is not necessary. Or is NAT a must-have on the ASA for all interface relations?

Short example for explanation: when I ICMP echo ping from the outer subnet to 111.111.111.160 (DMZ network address), I'll see these packets on a host (e.g. 111.111.111.165) inside the DMZ.

Thanks in advance

Lars
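A check I would run over an ACL like the one quoted above, added here as an example; it is not the poster's configuration, not a Cisco tool, and says nothing about what the ASA itself does with such packets. It parses the limited ACE syntax shown in the thread (keyword or `object-group` protocol, `any` or `ADDR MASK` endpoints; the addresses are the thread's placeholders), computes the network and directed-broadcast address of the permit's destination subnet, reports whether a given destination IP is one of them, and emits explicit `deny ... host` ACEs to place ahead of the subnet permit so the intent is recorded in the policy instead of being left to the platform's implicit handling.

```python
import ipaddress
import re

# Constructed sample input: the outer-interface ACE quoted in the thread, using the
# same placeholder 111.111.111.x addresses. Not a live configuration.
SAMPLE_ACE = ("access-list outer_access_in extended permit object-group "
              "DM_INLINE_SERVICE_60 any 111.111.111.160 255.255.255.224 log warnings")

# Minimal ASA extended-ACE grammar for this example: the protocol is a keyword
# (ip, tcp, icmp, ...) or "object-group NAME"; source and destination are "any"
# or "ADDR MASK". Other forms (e.g. "host ADDR") are rejected by parse_ace().
_ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"
ACE_RE = re.compile(
    rf"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    rf"(?P<proto>object-group\s+\S+|\S+)\s+"
    rf"(?P<src>any|{_ADDR}\s+{_ADDR})\s+"
    rf"(?P<dst>any|{_ADDR}\s+{_ADDR})"
)


def parse_ace(line):
    """Split one extended ACE into its fields; raise on syntax this example does not model."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    return m.groupdict()


def to_network(tokens):
    """'ADDR MASK' -> ip_network; 'any' -> None (no single subnet to reason about)."""
    if tokens == "any":
        return None
    addr, mask = tokens.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def edge_addresses(net):
    """Network and directed-broadcast address of a subnet; /31 and /32 have neither."""
    if net is None or net.prefixlen >= 31:
        return []
    return [net.network_address, net.broadcast_address]


def explicit_denies(line):
    """Deny ACEs for the network/broadcast addresses that a permit ACE's destination
    subnet covers. Insert them ahead of the permit: ACEs are evaluated in order,
    first match wins, so a deny placed after the permit never takes effect."""
    ace = parse_ace(line)
    if ace["action"] != "permit":
        return []
    return [f"access-list {ace['name']} extended deny ip any host {a}"
            for a in edge_addresses(to_network(ace["dst"]))]


def hits_subnet_edge(dst_ip, line):
    """True when dst_ip is the network or broadcast address of the ACE's destination subnet."""
    net = to_network(parse_ace(line)["dst"])
    return ipaddress.ip_address(dst_ip) in edge_addresses(net)


if __name__ == "__main__":
    for ace in explicit_denies(SAMPLE_ACE):
        print(ace)
    for ip in ("111.111.111.160", "111.111.111.165", "111.111.111.191"):
        kind = "subnet edge" if hits_subnet_edge(ip, SAMPLE_ACE) else "host address"
        print(ip, kind)
```

Running it against the sample ACE prints two deny lines (for 111.111.111.160 and 111.111.111.191) and classifies .160 and .191 as subnet edges and .165 as a host address, which is exactly the distinction the ping test in the post is probing. Whether or not the platform already drops such packets, having the denies in the ACL means the `log` action on the permit no longer has to account for them, and a later reviewer can see the intent without reading platform documentation.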
