01-07-2014 10:18 AM - edited 03-11-2019 08:26 PM
What are the requirements for allowing IGMP traffic to pass through a transparent ASA 5550?
I have inherited a configuration that is currently configured to allow IGMP from any to any and would like to restrict this protocol. On the trusted side I have a single host configured for multicast and on the untrusted side there is a switch and then router. I do not control the router or switch configuration on the untrusted side.
My questions are:
- Is IGMP allowed through by default?
- Are the ACL entries "access-list outside-in extended permit igmp any any" and "access-list inside-out extended permit igmp any any" required to allow IGMP join, query, leave etc...?
- If this is required, how do I limit the source and destination IP range?
Thanks
01-07-2014 11:54 PM
Kevin, can you please give a clearer view of your topology?
As per the firewall default policy, all traffic originating from the outside network is denied. Only the traffic from inside is permitted.
And when we talk about IGMP, it needs to be run on the end device where our hosts are connected.
Thanks.
01-08-2014 07:46 AM
It is really a very simple topology. Single host inside --- my ASA --- other company ASA Outside -- Other company switch then router Inside.
My server acts as both multicast Server and client.
Additional question...
Can anyone clarify this statement?
These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
I assume this follows the same rule as anything else and that it only allows these from a higher number interface to a lower number interface...