Allowing Special Ip Traffic Through The Transparent Firewall - Cisco FirePOWER ASA 5500 series Configuration Manual

Adding an Extended Access List

For TCP and UDP connections, you do not need an access list to allow returning traffic, because the
FWSM allows all returning traffic for established, bidirectional connections. For connectionless
protocols such as ICMP, however, the security appliance establishes unidirectional sessions, so you
either need access lists to allow ICMP in both directions (by applying access lists to the source and
destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine
treats ICMP sessions as bidirectional connections.

You can apply only one access list of each type (extended and EtherType) to each direction of an
interface. You can apply the same access lists on multiple interfaces. See Chapter 18, "Permitting or
Denying Network Access," for more information about applying an access list to an interface.

Note    If you change the access list configuration, and you do not want to wait for existing connections
        to time out before the new access list information is used, you can clear the connections using
        the clear local-host command.

Allowing Special IP Traffic through the Transparent Firewall

In routed firewall mode, some types of IP traffic are blocked even if you allow them in an access list,
including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay).
Transparent firewall mode can allow any IP traffic through. Because these special types of traffic are
connectionless, you need to apply an extended access list to both interfaces, so returning traffic is
allowed through. Table 16-2 lists common traffic types that you can allow through the transparent firewall.

Table 16-2    Transparent Firewall Special Traffic

Traffic Type        Protocol or Port                    Notes
BGP                 TCP port 179
DHCP                UDP ports 67 and 68                 If you enable the DHCP server, then the security
                                                        appliance does not pass DHCP packets.
EIGRP               Protocol 88
OSPF                Protocol 89
Multicast streams   The UDP ports vary depending        Multicast streams are always destined to a
                    on the application.                 Class D address (224.0.0.0 to 239.x.x.x).
RIP (v1 or v2)      UDP port 520

Adding an Extended ACE

When you enter the access-list command for a given access list name, the ACE is added to the end of
the access list unless you specify the line number.

To add an ACE, enter the following command:

hostname(config)# access-list access_list_name [line line_number] [extended]
    {deny | permit} protocol source_address mask [operator port] dest_address mask
    [operator port | icmp_type] [inactive]

Cisco Security Appliance Command Line Configuration Guide    OL-10088-01    Chapter 16, Identifying Traffic with Access Lists    16-6
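The following configuration is an added example and is not taken from the Cisco guide. It puts the two
sections above together: an extended access list that permits the special traffic types from Table 16-2
(BGP, EIGRP, OSPF, DHCP) between two routers on either side of a transparent firewall, applied inbound on
both interfaces so that the connectionless protocols are allowed in each direction. The interface names
(inside, outside), the 10.1.1.0/24 segment and the router addresses 10.1.1.1 and 10.1.1.2 are assumed
values chosen for illustration.

```cisco
! Added example, not from the Cisco guide. Interface names and addresses are assumed.
! The appliance is in transparent mode; both interfaces sit on the 10.1.1.0/24 segment.

! BGP: the session can be opened from either router, so permit TCP port 179 toward
! each peer. Returning segments of an established TCP connection need no ACE.
access-list SPECIAL extended permit tcp host 10.1.1.1 host 10.1.1.2 eq 179
access-list SPECIAL extended permit tcp host 10.1.1.2 host 10.1.1.1 eq 179

! EIGRP (protocol 88) and OSPF (protocol 89) are connectionless: permit the unicast
! exchange between the routers and the Class D (multicast) destinations they use.
access-list SPECIAL extended permit 88 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list SPECIAL extended permit 88 10.1.1.0 255.255.255.0 224.0.0.0 240.0.0.0
access-list SPECIAL extended permit 89 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list SPECIAL extended permit 89 10.1.1.0 255.255.255.0 224.0.0.0 240.0.0.0

! DHCP: UDP 67 (bootps) and 68 (bootpc). Clients broadcast from 0.0.0.0, so "any" is
! used here. Per Table 16-2, this only works if the appliance's own DHCP server
! (dhcpd enable) is NOT configured on these interfaces.
access-list SPECIAL extended permit udp any eq bootpc any eq bootps
access-list SPECIAL extended permit udp any eq bootps any eq bootpc

! Apply the same list inbound on both interfaces so each direction is covered.
! Only one extended access list may be applied per direction per interface.
access-group SPECIAL in interface inside
access-group SPECIAL in interface outside
```

Everything not listed is still dropped by the implicit deny at the end of the access list, so this
permits exactly the special traffic and nothing else. After changing the list, show access-list SPECIAL
displays a hit count per ACE, which is the quickest way to confirm that hellos and BGP sessions are
actually matching on both interfaces; if existing connections should pick up the new list immediately,
clear them with clear local-host as described in the Note above.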
