20-6
Cisco ASDM User Guide
OL-16647-01
Chapter 20 Configuring Access Rules and EtherType Rules
Information About Access Rules and EtherType Rules
Access Rules for Returning Traffic
For TCP and UDP connections for both routed and transparent mode, you do not need an access list to
allow returning traffic, because the security appliance allows all returning traffic for established,
bidirectional connections. For connectionless protocols such as ICMP, however, the security appliance
establishes unidirectional sessions, so you either need access lists to allow ICMP in both directions (by
applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection
engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule,
including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay).
Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple
context mode, which does not allow dynamic routing, for example.
Note Because these special types of traffic are connectionless, you need to apply an extended access list to
both interfaces, so returning traffic is allowed through.
Table 20-1 lists common traffic types that you can allow through the transparent firewall.
Information About EtherType Rules
This section describes EtherType rules, and includes the following topics:
Supported EtherTypes, page 20-6
Implicit Permit of IP and ARPs Only, page 20-7
Using Access Rules and EtherType Rules on the Same Interface, page 20-2
Allowing MPLS, page 20-7
Supported EtherTypes
An EtherType rule controls any EtherType identified by a 16-bit hexadecimal number.
EtherType rules support Ethernet V2 frames.
Table 20-1 Transparent Firewall Special Traffic
Traffic Type | Protocol or Port | Notes
DHCP | UDP ports 67 and 68 | If you enable the DHCP server, then the security appliance does not pass DHCP packets.
EIGRP | Protocol 88 |
OSPF | Protocol 89 |
Multicast streams | The UDP ports vary depending on the application. | Multicast streams are always destined to a Class D address (224.0.0.0 to 239.x.x.x).
RIP (v1 or v2) | UDP port 520 |
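As an added example, not code from the guide or from Cisco, the following Python audit reads ASA-style configuration text and reports the special traffic types from Table 20-1 that are permitted on only one of the interfaces with a bound access list, which is the gap the note above warns about for connectionless traffic; ICMP is exempted when ICMP inspection is enabled, as described under "Access Rules for Returning Traffic". The configuration sample is constructed, and the function names are assumptions of this example.

```python
import re
# Connectionless traffic from Table 20-1 (plus ICMP) that a transparent firewall must
# permit on both interfaces. Keys: ASA protocol keyword, IP protocol number, or udp/<port>.
SPECIAL_TRAFFIC = {"eigrp": "EIGRP", "88": "EIGRP", "ospf": "OSPF", "89": "OSPF",
                   "udp/67": "DHCP", "udp/68": "DHCP", "udp/bootps": "DHCP", "udp/bootpc": "DHCP",
                   "udp/520": "RIP", "udp/rip": "RIP", "icmp": "ICMP", "1": "ICMP"}
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+)(.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def permitted_traffic(config_text):
    """Return ({interface: special types its inbound ACL permits}, icmp_inspected)."""
    acl_traffic, bindings, icmp_inspected = {}, {}, False  # only permit lines are read
    for line in (raw.strip() for raw in config_text.splitlines()):
        if m := ACL_RE.match(line):
            name, proto, rest = m.group(1), m.group(2).lower(), m.group(3)
            keys = [proto] + [f"{proto}/{p}" for p in re.findall(r"\beq (\S+)", rest)]
            found = (set(SPECIAL_TRAFFIC.values()) if proto == "ip"  # permit ip covers all
                     else {SPECIAL_TRAFFIC[k] for k in keys if k in SPECIAL_TRAFFIC})
            acl_traffic.setdefault(name, set()).update(found)
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)
        elif line == "inspect icmp":  # ICMP inspection makes ICMP sessions bidirectional
            icmp_inspected = True
    exempt = {"ICMP"} if icmp_inspected else set()
    return {i: set(acl_traffic.get(a, ())) - exempt for i, a in bindings.items()}, icmp_inspected

def one_way_only(config_text):
    """Special types not permitted on every ACL-bound interface -> interfaces permitting them."""
    per_iface, _ = permitted_traffic(config_text)
    findings = {}
    for t in set().union(*per_iface.values()):
        have = sorted(i for i, types in per_iface.items() if t in types)
        if len(have) != len(per_iface):
            findings[t] = have
    return findings

# Constructed sample (not from the guide): RIP and DHCP are each permitted on one
# interface only, OSPF on both, ICMP one-way but covered by ICMP inspection.
CONSTRUCTED_CONFIG = """\
access-list INSIDE_IN extended permit ospf any any
access-list INSIDE_IN extended permit udp any any eq 520
access-list INSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit 89 any any
access-list OUTSIDE_IN extended permit udp any eq bootpc any eq bootps
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
"""
```

Running `one_way_only(CONSTRUCTED_CONFIG)` flags RIP as permitted only on inside and DHCP only on outside, while OSPF (permitted by keyword on one side and by protocol number on the other) passes.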