Dear Ajay
Unicast traffic is allowed from higher to lower by default (in transparent
mode).
This is how the transparent firewall works: you need to specifically permit
the routing protocol multicast traffic, in fact you need to do it on both
interfaces. In some OSPF network types you need to permit unicast between
the neighbors as well (on the outside interface). For RIP just permit the
multicast address.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/traffic.html#wp1074608
Regards
Farrukh
On Tue, Jun 23, 2009 at 9:28 AM, Ajay mehra <ajaymehra01_at_gmail.com> wrote:
> Hi Mujtaba,
>
> Inside interface has security level of 100 and it should allow any traffic
> from inside to outside and also create a connection entry in the connection
> table so that reverse traffic is also allowed. UDP traffic is inspected by
> default and so should be the RIP.
>
> Thanks,
> Ajay
> 2009/6/23 Mujtaba Bashir <oldzarix_at_hotmail.com>
>
> > Hi Ajay, the security appliance does not allow any traffic unless it is
> > explicitly permitted by an extended access list.
> >
> > --Mujtaba Bashir
> >
> > > Date: Tue, 23 Jun 2009 11:20:22 +0530
> > > Subject: permit rip/eigrp on inside interface of ASA?
> > > From: ajaymehra01_at_gmail.com
> > > To: ccielab_at_groupstudy.com
> >
> > >
> > > Hi,
> > >
> > > Is this a known issue with ASA? EIGRP and RIP packets are not allowed to
> > > enter inside interface of Transparent Firewall until explicitly permitted.
> > >
> > > %ASA-3-106010: Deny inbound protocol 88 src inside:150.100.3.254 dst outside:224.0.0.10
> > >
> > > %ASA-2-106006: Deny inbound UDP from 150.100.1.254/520 to 224.0.0.9/520 on interface inside
> > >
> > >
> > > After I enable "access-list INSIDE per ip an an" everything worked.
> > >
> > > Although I have not got a chance to test this with Routed firewall but I see
> > > this problem always with Transparent firewall.
> > >
> > >
> > >
> > > Thanks
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
Received on Tue Jun 23 2009 - 09:32:26 ART
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART
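
Added example, not part of the original thread: a Python sketch that reads the two deny messages quoted above and emits only the narrow routing-multicast permits described in the reply, on both interfaces, rather than a blanket "permit ip any any". The ACL name OUTSIDE, the OSPF entries and the third sample log line are assumptions or constructed; the table covers more protocols than the two seen in the thread.

```python
import re

# Routing-protocol multicast groups and the narrow ACE body that permits each.
# Key: (IP protocol number or "udp/<dst port>", destination address).
ACE_FOR = {
    ("88", "224.0.0.10"): "permit eigrp any host 224.0.0.10",
    ("89", "224.0.0.5"): "permit ospf any host 224.0.0.5",
    ("89", "224.0.0.6"): "permit ospf any host 224.0.0.6",
    ("udp/520", "224.0.0.9"): "permit udp any host 224.0.0.9 eq 520",
}

P106010 = re.compile(r"%ASA-\d-106010: Deny inbound protocol (\d+) src \S+ dst [^:\s]+:(\S+)")
P106006 = re.compile(r"%ASA-\d-106006: Deny inbound UDP from \S+ to ([\d.]+)/(\d+) on interface \S+")

def classify(line):
    """Return the (protocol, destination) key of a denied packet, or None."""
    m = P106010.search(line)
    if m:
        return (m.group(1), m.group(2))
    m = P106006.search(line)
    if m:
        return ("udp/" + m.group(2), m.group(1))
    return None

def suggest_acl(lines, acls=(("INSIDE", "inside"), ("OUTSIDE", "outside"))):
    """Build narrow ACLs for routing multicast seen in deny logs.

    Denies for any other traffic are returned untouched for manual review."""
    aces, other = set(), []
    for line in lines:
        key = classify(line)
        if key in ACE_FOR:
            aces.add(ACE_FOR[key])
        elif key is not None:
            other.append(line)
    config = []
    for name, nameif in acls:  # the reply says to permit on both interfaces
        config += [f"access-list {name} extended {a}" for a in sorted(aces)]
        if aces:
            config.append(f"access-group {name} in interface {nameif}")
    return config, other

SAMPLE = [  # first two are from the thread (line wrapping undone); third is constructed
    "%ASA-3-106010: Deny inbound protocol 88 src inside:150.100.3.254 dst outside:224.0.0.10",
    "%ASA-2-106006: Deny inbound UDP from 150.100.1.254/520 to 224.0.0.9/520 on interface inside",
    "%ASA-2-106006: Deny inbound UDP from 192.0.2.10/40000 to 198.51.100.5/53 on interface inside",
]

if __name__ == "__main__":
    config, other = suggest_acl(SAMPLE)
    print("\n".join(config))
    print("needs review:", other)
```

Where the OSPF network type uses unicast between neighbors, the outside ACL also needs a permit between the neighbor addresses, which this sketch does not generate.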