30-5
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 30 Configuring Access Rules
Information About Access Rules
• Management Access Rules, page 30-5
Access Rules for Returning Traffic
For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to
allow returning traffic because the adaptive security appliance allows all returning traffic for established,
bidirectional connections.
For connectionless protocols such as ICMP, however, the adaptive security appliance establishes
unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying
access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine.
The ICMP inspection engine treats ICMP sessions as bidirectional connections.
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule,
including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay).
Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple
context mode, which does not allow dynamic routing, for example.
Note Because these special types of traffic are connectionless, you need to apply an extended access list to
both interfaces, so returning traffic is allowed through.
Table 30-1 lists common traffic types that you can allow through the transparent firewall.
Management Access Rules
You can configure access rules that control management traffic destined to the adaptive security
appliance. Access control rules for to-the-box management traffic (such as HTTP, Telnet, and SSH) have
higher precedence than an management access rule. Therefore, such permitted management traffic will
be allowed to come in even if explicitly denied by the to-the-box access list.
Information About EtherType Rules
This section describes EtherType rules and includes the following topics:
• Supported EtherTypes, page 30-6
Table 30-1 Transparent Firewall Special Traffic
Traffic Type Protocol or Port Notes
DHCP UDP ports 67 and 68 If you enable the DHCP server, then the adaptive
security appliance does not pass DHCP packets.
EIGRP Protocol 88 —
OSPF Protocol 89 —
Multicast streams The UDP ports vary depending
on the application.
Multicast streams are always destined to a
Class D address (224.0.0.0 to 239.x.x.x).
RIP (v1 or v2) UDP port 520 —
To Next Page
Loading...
Need help?
General
