IGMP settings on transparent firewall.

kwaltersITT
Level 1

What are the requirements for allowing IGMP traffic to pass through a transparent ASA 5550?

I have inherited a configuration that is currently configured to allow IGMP from any to any and would like to restrict this protocol. On the trusted side I have a single host configured for multicast and on the untrusted side there is a switch and then router. I do not control the router or switch configuration on the untrusted side.

My questions are:

-  Is IGMP allowed through by default?

-  Are the ACL entries "access-list outside-in extended permit igmp any any" and "access-list inside-out extended permit igmp any any" required to allow IGMP join, query, leave etc...?

- If this is required how do I limit the source and destination ip range?

Thanks


vishaw jasrotia
Level 1

Kevin, can you please give a clearer view of your topology?

As per the firewall default policy, all traffic originating from the outside network is denied. Only the traffic from inside is permitted.

And when we talk about IGMP, it needs to be run on the end device where our hosts are connected.

Thanks.

It is really a very simple topology: single host inside --- my ASA --- other company ASA Outside -- Other company switch then router Inside.

My server acts as both multicast Server and client.

Additional question...

can anyone clarify this statement? 

These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.

  • IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF

I assume this follows the same rule as anything else and that it only allows these from a higher number interface to a lower number interface...
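
Added example, not part of the original thread and not Cisco code: it maps the destination IP of each IGMP message type to its Ethernet multicast MAC (RFC 1112 mapping) and checks it against the MAC range quoted in the post above. The group addresses are constructed samples, and the helper names are hypothetical.

```python
import ipaddress

# Destination MAC range quoted in the post (0100.5E00.0000 to 0100.5EFE.FFFF).
ALLOWED_LOW = 0x01005E000000
ALLOWED_HIGH = 0x01005EFEFFFF

def group_to_mac(dst_ip: str) -> int:
    """RFC 1112: 01-00-5E prefix plus the low 23 bits of the IPv4 group."""
    addr = ipaddress.IPv4Address(dst_ip)
    if not addr.is_multicast:
        raise ValueError(f"{dst_ip} is not an IPv4 multicast address")
    return 0x01005E000000 | (int(addr) & 0x7FFFFF)

def cisco_mac(mac: int) -> str:
    """Format a 48-bit MAC in Cisco dotted notation."""
    h = f"{mac:012X}"
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def in_allowed_range(mac: int) -> bool:
    return ALLOWED_LOW <= mac <= ALLOWED_HIGH

def igmp_destinations(group: str) -> dict:
    """Destination IPs used by IGMP messages (RFC 2236, RFC 3376)."""
    return {
        "general query": "224.0.0.1",
        "group-specific query": group,
        "v2 report (join)": group,
        "v2 leave": "224.0.0.2",
        "v3 report": "224.0.0.22",
    }

def check(group: str) -> list:
    """Return (message, dst IP, dst MAC, inside quoted range) per IGMP message."""
    rows = []
    for msg, dst in igmp_destinations(group).items():
        mac = group_to_mac(dst)
        rows.append((msg, dst, cisco_mac(mac), in_allowed_range(mac)))
    return rows

if __name__ == "__main__":
    # 239.1.2.3 is a constructed sample group.
    for msg, dst, mac, ok in check("239.1.2.3"):
        print(f"{msg:22} {dst:12} {mac}  in range: {ok}")
    # 32 IP groups share one MAC, so a MAC rule cannot single out one group.
    print(cisco_mac(group_to_mac("239.129.2.3")))
```

Every IGMP destination falls inside the quoted MAC range, and 239.1.2.3 and 239.129.2.3 share a MAC, so the MAC range by itself does not distinguish individual groups or hosts.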
