Newly upgraded to V7 Pix in test: Strange Log MSGS

tjgli
Level 1

Hello everyone,

I have just upgraded one of my Pix to V7 and discovered ASDM ;)

Now I start to check the logs for potential problems.

It's quite difficult because I'm flooded with broadcast errors from PCs on my inside zone ....

710003 errors saying UDP access denied by ACL from all of my inside PCs to the inside broadcast address.

Must be DHCP related or something.

I hadn't set any ACL for inside yet because I wanted to stay on the "no ACL, so the PIX way of using security priorities still works" way. If I understand well, if no ACL is set for inside I have no problem accessing any other zones, as inside is security 100 here.

If I make an ACL/access-group to allow UDP, will I be forced to open IP any any on inside so I have the same accessibility to the other zones?


pradeepde
Level 5

Yes, by default all packets can pass through the inside interface. If you write an ACL to allow UDP from inside, by default all the rest of the traffic cannot pass unless you explicitly enable an "ip any any" line on the ACL. But just these two lines are as good as not having the ACL at all on the inside interface. You are not blocking anything by just these two lines of ACL.

mostiguy
Level 6

I believe PIX OS < 7 drops all broadcast traffic automatically, regardless of ACL configuration, so it would not surprise me if PIX OS 7 does so as well. You are right that it is likely DHCP broadcast traffic. You might want to track down the event reference for 7.0 and determine if 710003 is used only for logging dropped broadcast traffic; if so, you could selectively disable that event's generation. Or, work up a solution to parse your logs for the events you want to see.
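The log-parsing approach mostiguy suggests, as an added example that is not part of this thread: it separates 710003 denials aimed at the inside broadcast address (the DHCP/NetBIOS chatter flooding the log) from 710003 denials that still deserve a look. The 710003 message layout and the inside subnet 192.168.1.0/24 are assumptions, and the log lines are constructed, not taken from the original post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the assumed PIX 7 syslog layout for message
# 710003: "<proto> access denied by ACL from <src>/<sport> to <ifc>:<dst>/<dport>".
# They are not from the original post; the inside network is assumed to be 192.168.1.0/24.
SAMPLE_LOGS = """\
%PIX-3-710003: UDP access denied by ACL from 192.168.1.20/68 to inside:192.168.1.255/67
%PIX-3-710003: UDP access denied by ACL from 192.168.1.21/68 to inside:255.255.255.255/67
%PIX-3-710003: UDP access denied by ACL from 192.168.1.22/137 to inside:192.168.1.255/137
%PIX-3-710003: TCP access denied by ACL from 10.9.9.9/40321 to outside:203.0.113.5/22
%PIX-3-710003: UDP access denied by ACL from 192.168.1.23/5000 to inside:192.168.1.10/161
%PIX-6-302013: Built inbound TCP connection 12 for inside:192.168.1.5/1025 (192.168.1.5/1025) to outside:198.51.100.7/80 (198.51.100.7/80)
"""

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed inside subnet

# Only 710003 lines are of interest; other message IDs are left alone.
MSG_710003 = re.compile(
    r"%PIX-\d-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def is_broadcast(dst, net=INSIDE_NET):
    """True for the limited broadcast or the inside subnet's directed broadcast."""
    ip = ipaddress.ip_address(dst)
    return ip == ipaddress.ip_address("255.255.255.255") or ip == net.broadcast_address

def triage(log_text):
    # Returns (noise, review): noise counts broadcast denials per (proto, dport),
    # review keeps the 710003 lines that are not broadcast chatter.
    noise = Counter()
    review = []
    for line in log_text.splitlines():
        m = MSG_710003.search(line)
        if not m:
            continue
        if m["ifc"] == "inside" and is_broadcast(m["dst"]):
            noise[(m["proto"], int(m["dport"]))] += 1
        else:
            review.append(line)
    return noise, review

if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOGS)
    print(noise.most_common(), *review, sep="\n")
```

Feed the parser the output of "logging buffered" or a syslog server file; the noise counter tells you which broadcast ports dominate, and the review list is what is left once that chatter is set aside.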
