Chapter 13
Identifying Traffic with Access Lists
You can apply only one access list of each type (extended and EtherType) to each direction of an interface. You can apply the same access lists on multiple interfaces. See Chapter 15, "Permitting or Denying Network Access," for more information about applying an access list to an interface.

Note
If you change the access list configuration, and you do not want to wait for existing connections to time out before the new access list information is used, you can clear the connections using the clear local-host command.

Allowing Broadcast and Multicast Traffic through the Transparent Firewall

In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access list, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple context mode, which does not allow dynamic routing.

Note
Because these special types of traffic are connectionless, you need to apply an extended access list to both interfaces, so returning traffic is allowed through.

Table 13-2 lists common traffic types that you can allow through the transparent firewall.

Table 13-2 Transparent Firewall Special Traffic

Traffic Type        Protocol or Port                                  Notes
DHCP                UDP ports 67 and 68                               If you enable the DHCP server, then the FWSM does not pass DHCP packets.
EIGRP               Protocol 88                                       —
OSPF                Protocol 89                                       —
Multicast streams   The UDP ports vary depending on the application.  Multicast streams are always destined to a Class D address (224.0.0.0 to 239.x.x.x).
RIP (v1 or v2)      UDP port 520                                      —

Adding an Extended ACE

When you enter the access-list command for a given access list name, the ACE is added to the end of the access list unless you specify the line number.

To add an ACE, enter the following command:

hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]

Tip
Enter the access list name in upper case letters so the name is easy to see in the configuration. You might want to name the access list for the interface (for example, INSIDE), or for the purpose for which it is created (for example, NO_NAT or VPN).

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01 13-7
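The following configuration is an added example; it is not taken from this guide or from Cisco. It ties together the points on this page on a two-interface transparent FWSM: the interface names inside and outside, the 10.1.1.0/24 network, the host 10.1.1.50, and the multicast port range 5000 to 5010 are all assumed for illustration. It permits each traffic type from Table 13-2 on both interfaces, because that traffic is connectionless and the returning packets must match the access list on the other interface; it then uses the line keyword to insert an ACE ahead of an existing one, stages a rule with inactive, and clears existing connections so the new ACEs take effect immediately. It goes slightly beyond the page by also showing ordinary user ACEs in the same list, so that the effect of line numbering is visible.

```cisco
! Added example, not from the guide. Two-interface transparent firewall;
! interface names, addresses, multicast ports and host are assumed.
firewall transparent
!
! Access list for the inside interface. The name is upper case and matches
! the interface, as the Tip recommends. ACEs are matched in order.
!
! DHCP (Table 13-2): client discover/request goes from UDP 68 to UDP 67.
! The FWSM must not run its own DHCP server here, or DHCP is not passed.
access-list INSIDE extended permit udp any eq 68 any eq 67
! OSPF (protocol 89) and EIGRP (protocol 88) to their multicast groups.
access-list INSIDE extended permit ospf any 224.0.0.0 255.0.0.0
access-list INSIDE extended permit eigrp any 224.0.0.0 255.0.0.0
! RIP v1 (broadcast) or v2 (224.0.0.9): UDP port 520.
access-list INSIDE extended permit udp any any eq 520
! Application multicast stream (ports assumed). The destination is always
! Class D, and mask 240.0.0.0 covers 224.0.0.0 through 239.255.255.255.
access-list INSIDE extended permit udp any 224.0.0.0 240.0.0.0 range 5000 5010
! Ordinary user traffic, followed by an explicit deny.
access-list INSIDE extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE extended deny ip any any
!
! Mirror of the special-traffic ACEs for the outside interface, so that the
! returning (server or neighbor) packets of these connectionless protocols
! are also allowed through.
access-list OUTSIDE extended permit udp any eq 67 any eq 68
access-list OUTSIDE extended permit ospf any 224.0.0.0 255.0.0.0
access-list OUTSIDE extended permit eigrp any 224.0.0.0 255.0.0.0
access-list OUTSIDE extended permit udp any any eq 520
access-list OUTSIDE extended permit udp any 224.0.0.0 240.0.0.0 range 5000 5010
access-list OUTSIDE extended deny ip any any
!
! One extended access list per direction per interface.
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
!
! Later change: block one inside host from HTTP. Without "line" the ACE
! would be appended after "deny ip any any" and never match; with line 6
! it is inserted ahead of the permit for 10.1.1.0/24, which becomes line 7.
access-list INSIDE line 6 extended deny tcp host 10.1.1.50 any eq 80
! Stage a rule that stays in the configuration but is not matched until
! it is re-entered without the inactive keyword.
access-list INSIDE extended permit icmp any any echo-reply inactive
! Drop existing connections so the new ACEs apply now, rather than after
! the old connections time out.
clear local-host
```

Because the transparent firewall keeps no connection state for the OSPF, EIGRP, RIP, DHCP and multicast packets, removing either mirror of the special-traffic ACEs silently breaks the protocol in one direction only; check both access lists whenever one of them is edited.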