Core issue
PIX/ASA can allow broadcast traffic to pass through once it is configured in transparent firewall mode. A transparent firewall is a Layer 2 firewall that acts like a bump in the wire, or a stealth firewall, and is not seen as a router hop by connected devices.
IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to a lower security interface, without an access list. Address Resolution Protocol (ARP) packets are allowed through the transparent firewall in both directions without an access list; ARP traffic can be controlled with ARP inspection. For Layer 3 traffic to travel from a lower to a higher security interface, an extended access list is required.
Allowed MAC Addresses
These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
BPDU multicast address equal to 0100.0CCC.CCCD
Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
A transparent firewall can allow almost any other traffic through with either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
Note: The transparent mode security appliance does not pass Cisco Discovery Protocol (CDP) packets, IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600.
Refer to the Transparent Firewall Network section of Firewall Mode Overview for more information.
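As an added example (not from the Cisco document), the Python below models the destination MAC list and the EtherType rule above, so you can check which broadcast or multicast frames a transparent-mode PIX/ASA forwards before any access list is consulted. The MAC ranges are the ones listed on this page; the I/G-bit unicast check, the helper names and the sample addresses are my own assumptions.

```python
import re

# Destination MAC ranges the page lists as allowed through a transparent
# firewall without an access list (inclusive, Cisco dotted-hex notation).
ALLOWED_DST_MAC_RANGES = (
    ("broadcast", "FFFF.FFFF.FFFF", "FFFF.FFFF.FFFF"),
    ("IPv4 multicast", "0100.5E00.0000", "0100.5EFE.FFFF"),
    ("IPv6 multicast", "3333.0000.0000", "3333.FFFF.FFFF"),
    ("BPDU multicast", "0100.0CCC.CCCD", "0100.0CCC.CCCD"),
    ("AppleTalk multicast", "0900.0700.0000", "0900.07FF.FFFF"),
)

# The page: frames without a valid EtherType >= 0x600 are not passed.
MIN_VALID_ETHERTYPE = 0x600


def mac_to_int(mac: str) -> int:
    """Accept 'FFFF.FFFF.FFFF', 'ff:ff:ff:ff:ff:ff' or 'ff-ff-ff-ff-ff-ff'."""
    digits = re.sub(r"[.:-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def classify_dst_mac(mac: str) -> str:
    """Name the allowed range a destination MAC falls in, or 'dropped'.

    Unicast destinations (I/G bit of the first octet clear) are not part
    of the page's list; they are reported as 'unicast' (an assumption
    added here) so they are not confused with dropped group frames.
    """
    value = mac_to_int(mac)
    if not (value >> 40) & 0x01:
        return "unicast"
    for name, low, high in ALLOWED_DST_MAC_RANGES:
        if mac_to_int(low) <= value <= mac_to_int(high):
            return name
    return "dropped"


def group_frame_forwardable(dst_mac: str, ethertype: int) -> bool:
    """True when a broadcast/multicast frame clears both Layer 2 checks the
    page describes: an allowed destination MAC and an EtherType >= 0x600.
    Access-list requirements for the payload still apply on top of this."""
    category = classify_dst_mac(dst_mac)
    return category not in ("dropped", "unicast") and ethertype >= MIN_VALID_ETHERTYPE
```

Run against a frame capture, this separates frames the appliance drops at Layer 2 (for example CDP to 0100.0CCC.CCCC) from frames whose fate depends on the configured access lists.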
Resolution
In order to set the firewall mode to transparent mode, use the firewall transparent command in global configuration mode. This example changes the firewall mode to transparent:
hostname(config)#firewall transparent
Refer to the Transparent Firewall Guidelines section of Firewall Mode Overview for more information.