Allowing Broadcast And Multicast Traffic Through The Transparent Firewall; Adding An Extended Ace - Cisco PIX 500 Series Configuration Manual

Adding an Extended Access List
For information about logging options that you can add to the end of the ACE, see the "Logging Access
List Activity" section on page 16-19. For information about time range options, see the "Scheduling
Extended Access List Activation" section on page 16-18.
For TCP and UDP connections for both routed and transparent mode, you do not need an access list to
allow returning traffic, because the security appliance allows all returning traffic for established,
bidirectional connections. For connectionless protocols such as ICMP, however, the security appliance
establishes unidirectional sessions, so you either need access lists to allow ICMP in both directions (by
applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection
engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.
You can apply only one access list of each type (extended and EtherType) to each direction of an
interface. You can apply the same access lists on multiple interfaces. See Chapter 18, "Permitting or
Denying Network Access," for more information about applying an access list to an interface.
Note
If you change the access list configuration, and you do not want to wait for existing connections to time
out before the new access list information is used, you can clear the connections using the clear
local-host command.

Allowing Broadcast and Multicast Traffic through the Transparent Firewall

In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access list,
including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay).
Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple
context mode, which does not allow dynamic routing, for example.
Note
Because these special types of traffic are connectionless, you need to apply an extended access list to
both interfaces, so returning traffic is allowed through.
Table 16-2 lists common traffic types that you can allow through the transparent firewall.

Table 16-2    Transparent Firewall Special Traffic

Traffic Type        Protocol or Port                                   Notes
DHCP                UDP ports 67 and 68                                If you enable the DHCP server, then the security appliance does not pass DHCP packets.
EIGRP               Protocol 88
OSPF                Protocol 89
Multicast streams   The UDP ports vary depending on the application.   Multicast streams are always destined to a Class D address (224.0.0.0 to 239.x.x.x).
RIP (v1 or v2)      UDP port 520
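The table's traffic types permitted on both interfaces of a transparent firewall, as an added example (not configuration from the Cisco guide). It assumes an appliance already in transparent mode bridging inside and outside; the access list names and the multicast port are hypothetical.

```cisco
! Added example, not from the Cisco guide. Assumes "firewall transparent" with
! interfaces "inside" and "outside"; list names and UDP port 5004 are hypothetical.
! These protocols are connectionless, so each interface gets its own list and the
! peer or return direction of every traffic type is permitted on the other side.

! Inbound on "inside": DHCP clients, routers and the multicast source behind it.
! DHCP client -> server is UDP 68 -> 67 (bootpc -> bootps).
access-list INSIDE_IN extended permit udp any eq bootpc any eq bootps
! OSPF (protocol 89); hellos are sent to 224.0.0.5/224.0.0.6, covered by "any".
access-list INSIDE_IN extended permit ospf any any
! EIGRP (protocol 88).
access-list INSIDE_IN extended permit eigrp any any
! RIP v1/v2 (UDP 520).
access-list INSIDE_IN extended permit udp any any eq rip
! A multicast stream sourced inside, destined to a Class D address. The ASA uses
! subnet masks, so 224.0.0.0 240.0.0.0 matches 224.0.0.0 to 239.255.255.255.
access-list INSIDE_IN extended permit udp any 224.0.0.0 240.0.0.0 eq 5004
access-group INSIDE_IN in interface inside

! Inbound on "outside": the DHCP server's replies and the routing peers' packets.
! DHCP server -> client is UDP 67 -> 68 (bootps -> bootpc).
access-list OUTSIDE_IN extended permit udp any eq bootps any eq bootpc
access-list OUTSIDE_IN extended permit ospf any any
access-list OUTSIDE_IN extended permit eigrp any any
access-list OUTSIDE_IN extended permit udp any any eq rip
access-group OUTSIDE_IN in interface outside
```

Per the table's note, leave the appliance's own DHCP server disabled on these interfaces (no dhcpd enable), or the DHCP entries never match because the appliance answers the requests itself. After a DHCP lease and a routing adjacency have come up, show access-list should show non-zero hit counts on the matching entries of both lists; a count that stays at zero on one side usually means the return direction was forgotten. The multicast permit appears only on the interface where the stream enters, since a stream flows one way, whereas routing-protocol traffic arrives from both sides.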

Adding an Extended ACE

When you enter the access-list command for a given access list name, the ACE is added to the end of
the access list unless you specify the line number.
Chapter 16 Identifying Traffic with Access Lists
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 16-6
