Permitting SCTP traffic on an ASA 5500

Unanswered Question
Oct 5th, 2009

I have an ASA 5500 connected to 3 zones: 1. user access zone, 2. server access zone and 3. the internet zone. Now I need to permit SCTP traffic with port 7777 etc. between the user access zone and the server access zone.

The customer does not want any IP-to-IP based flow, and since SCTP is categorized as neither TCP nor UDP, how do I create the ACL for this?

I am not able to even group these ports using

"object-group service permit_sctp_ports"


Could you please help me with this.

Collin Clark Tue, 10/06/2009 - 05:34

I don't believe the ASA supports SCTP. You'll have to encapsulate it into UDP then ACL and inspect as normal.

uzair syed naveed Tue, 10/06/2009 - 06:37
Hi Collin,

If I am to proceed with your approach of encapsulating the SCTP packet into UDP in order to permit/restrict/inspect the flow, could you please walk me through the configs required for this?

Collin Clark Tue, 10/06/2009 - 06:41

I'm afraid I don't have much experience with the SCTP protocol. Once it is encapsulated into UDP, I can help you get the traffic through the firewall.

uzair syed naveed Tue, 10/06/2009 - 22:03
Darn! I've been struggling with this for quite a while. If it's encapsulated into UDP I can handle the traffic flow; the problem now changes to "How do I encapsulate a packet (SCTP or likewise) into a UDP packet?" Is it possible to do the encapsulation on an ASA?

Collin Clark Wed, 10/07/2009 - 05:26

Afraid not. I believe it needs to be done on the client side.
