What are the requirements for allowing IGMP traffic to pass through a transparent ASA 5550?
I have inherited a configuration that is currently configured to allow IGMP from any to any and would like to restrict this protocol. On the trusted side I have a single host configured for multicast and on the untrusted side there is a switch and then a router. I do not control the router or switch configuration on the untrusted side.
My questions are:
- Is IGMP allowed through by default?
- Are the ACL entries "access-list outside-in extended permit igmp any any" and "access-list inside-out extended permit igmp any any" required to allow IGMP join, query, leave etc...?
- If this is required how do I limit the source and destination ip range?
Thanks
Kevin, can you please give a clearer view of your topology?
As per the firewall default policy, all traffic originating from the outside network is denied. Only the traffic from inside is permitted.
And when we talk about IGMP, it needs to be run on the end device where our hosts are connected.
Thanks.
It is really a very simple topology. Single host inside --- my ASA --- other company ASA Outside -- Other company switch then router Inside.
My server acts as both multicast Server and client.
Additional question...
Can anyone clarify this statement?
These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
I assume this follows the same rule as anything else and that it only allows these from a higher number interface to a lower number interface...