Showing results for 
Search instead for 
Did you mean: 

How to allow broadcast traffic through the PIX/ASA firewall


Core issue

PIX/ASA can allow broadcast traffic to pass-through once configured in transparent firewall mode. A transparent firewall is a Layer 2 firewall that acts like a bump in the wire or a stealth firewall and is not seen as a router hop to connected devices.

IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to a lower security interface, without an access list. Address Resolution Protocols (ARPs) are allowed through the transparent firewall in both directions without an access list. ARP traffic can be controlled by ARP inspection. For Layer 3 traffic, in order to travel from a low to a high security interface, an extended access list is required.

Allowed MAC Addresses

These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.

  • TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
  • Pv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
  • IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
  • BPDU multicast address equal to 0100.0CCC.CCCD
  • Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Transparent firewall can allow almost any traffic through the use of either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).

Note: The transparent mode security appliance does not pass Cisco Discovery Protocol (CDP) packets or IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600.

Refer to the Transparent Firewall Network section of Firewall Mode Overview for more information.


In order to set the firewall mode to transparent mode, use the firewall transparent command in global configuration mode.This example changes the firewall mode to transparent:

         hostname(config)#firewall transparent

Refer to the Transparent Firewall Guidelines section of Firewall Mode Overview for more information.