Cisco ASA 5505 Configuration Manual page 637

Chapter 30 Configuring Access Rules
•
Access Rules for Returning Traffic
For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to
allow returning traffic because the adaptive security appliance allows all returning traffic for established,
bidirectional connections.
For connectionless protocols such as ICMP, however, the adaptive security appliance establishes
unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying
access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine.
The ICMP inspection engine treats ICMP sessions as bidirectional connections.
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule,
including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay).
Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple
context mode, which does not allow dynamic routing, for example.
Note Because these special types of traffic are connectionless, you need to apply an extended access list to
both interfaces, so returning traffic is allowed through.
Table 30-1
Table 30-1
Traffic Type
DHCP
EIGRP
OSPF
Multicast streams The UDP ports vary depending
RIP (v1 or v2)
Management Access Rules
You can configure access rules that control management traffic destined to the adaptive security
appliance. Access control rules for to-the-box management traffic (such as HTTP, Telnet, and SSH) have
higher precedence than an management access rule. Therefore, such permitted management traffic will
be allowed to come in even if explicitly denied by the to-the-box access list.
Information About EtherType Rules
This section describes EtherType rules and includes the following topics:
•
OL-20339-01
Management Access Rules, page 30-5
lists common traffic types that you can allow through the transparent firewall.
Transparent Firewall Special Traffic
Protocol or Port
UDP ports 67 and 68
Protocol 88
Protocol 89
on the application.
UDP port 520
Supported EtherTypes, page 30-6
Notes
If you enable the DHCP server, then the adaptive
security appliance does not pass DHCP packets.
—
—
Multicast streams are always destined to a
Class D address (224.0.0.0 to 239.x.x.x).
—
Cisco ASA 5500 Series Configuration Guide using ASDM
Information About Access Rules
30-5