Permitting SCTP traffic on an ASA 5500

Unanswered Question
Oct 5th, 2009

Hi,

I have an ASA 5500 connected to 3 zones: 1. the user access zone, 2. the server access zone and 3. the internet zone. Now I need to permit SCTP traffic with port 7777 etc. between the user access zone and the server access zone.

The customer does not want any IP-to-IP based flow, and since SCTP is categorized as neither TCP nor UDP, how do I create the ACL for this?

I am not able to even group these ports using the

"object-group service permit_sctp_ports"

command.

Could you please help me with this?

Collin Clark Tue, 10/06/2009 - 05:34

I don't believe the ASA supports SCTP. You'll have to encapsulate it into UDP then ACL and inspect as normal.

uzair syed naveed Tue, 10/06/2009 - 06:37

Hi Collin,

If I am to proceed with your approach of encapsulating the SCTP packet into UDP in order to permit/restrict/inspect the flow, could you please walk me through the configs required for this?

Collin Clark Tue, 10/06/2009 - 06:41

I'm afraid I don't have much experience with SCTP protocol. Once encapsulated into UDP, I can help you get the traffic through the firewall.

uzair syed naveed Tue, 10/06/2009 - 22:03

Darn! I've been struggling with this for quite a while. If it's encapsulated into UDP I can handle the traffic flow; the problem now changes to "How do I encapsulate a packet (SCTP or likewise) into a UDP packet?" Is it possible to do the encapsulation on an ASA?
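The thread stops at "encapsulate SCTP into UDP and then filter as normal". As an added example (not from this thread or from Cisco), the Python below shows what that filtering actually involves on the defender's side: it assumes RFC 6951-style encapsulation (SCTP common header placed directly in the UDP payload, UDP port 9899, both assumptions since the thread names no scheme), parses the inner SCTP ports and first chunk type, and permits only an allow-list of inner SCTP destination ports such as the 7777 mentioned above. The sample datagrams are constructed in the block and carry zero checksums; no CRC32c verification is performed.

```python
import struct
from typing import Dict, Iterable, Optional, Tuple

# IANA IP protocol number for SCTP; an IP-level ACL could match this, but not an SCTP port.
SCTP_IP_PROTO = 132
# Default UDP port for SCTP-over-UDP encapsulation (RFC 6951). Assumed here.
SCTP_UDP_PORT = 9899

UDP_HDR_LEN = 8           # src port, dst port, length, checksum
SCTP_COMMON_HDR_LEN = 12  # src port, dst port, verification tag, CRC32c checksum
SCTP_CHUNK_HDR_LEN = 4    # type, flags, length

CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
               9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK", 14: "SHUTDOWN COMPLETE"}


def build_sctp_over_udp(sctp_src: int, sctp_dst: int, vtag: int, chunk_type: int,
                        udp_src: int = SCTP_UDP_PORT, udp_dst: int = SCTP_UDP_PORT) -> bytes:
    """Constructed sample input: UDP header + SCTP common header + one header-only chunk.
    Both checksums are left at zero; this builds test datagrams, not wire-valid traffic."""
    chunk = struct.pack("!BBH", chunk_type, 0, SCTP_CHUNK_HDR_LEN)
    sctp = struct.pack("!HHII", sctp_src, sctp_dst, vtag, 0) + chunk
    udp = struct.pack("!HHHH", udp_src, udp_dst, UDP_HDR_LEN + len(sctp), 0)
    return udp + sctp


def parse_udp_encapsulated_sctp(datagram: bytes) -> Optional[Dict[str, int]]:
    """Return the inner SCTP ports, verification tag and first chunk type,
    or None when the datagram is not a well-formed SCTP-over-UDP packet."""
    if len(datagram) < UDP_HDR_LEN:
        return None
    udp_src, udp_dst, udp_len, _udp_csum = struct.unpack("!HHHH", datagram[:UDP_HDR_LEN])
    # Only the encapsulation port carries SCTP; any other UDP port is ordinary UDP.
    if udp_dst != SCTP_UDP_PORT:
        return None
    # Length must match the bytes we hold and leave room for one full chunk header.
    if udp_len != len(datagram) or udp_len < UDP_HDR_LEN + SCTP_COMMON_HDR_LEN + SCTP_CHUNK_HDR_LEN:
        return None
    payload = datagram[UDP_HDR_LEN:]
    sctp_src, sctp_dst, vtag, _sctp_csum = struct.unpack("!HHII", payload[:SCTP_COMMON_HDR_LEN])
    chunk_type, _flags, chunk_len = struct.unpack(
        "!BBH", payload[SCTP_COMMON_HDR_LEN:SCTP_COMMON_HDR_LEN + SCTP_CHUNK_HDR_LEN])
    # A chunk length shorter than its header or longer than the payload is malformed.
    if chunk_len < SCTP_CHUNK_HDR_LEN or chunk_len > len(payload) - SCTP_COMMON_HDR_LEN:
        return None
    return {"udp_src": udp_src, "udp_dst": udp_dst, "sctp_src": sctp_src,
            "sctp_dst": sctp_dst, "vtag": vtag, "chunk_type": chunk_type}


def filter_decision(datagram: bytes, allowed_sctp_ports: Iterable[int]) -> Tuple[str, str]:
    """Permit only encapsulated SCTP whose inner destination port is on the allow-list."""
    info = parse_udp_encapsulated_sctp(datagram)
    if info is None:
        return "deny", "not SCTP-over-UDP"
    if info["sctp_dst"] not in set(allowed_sctp_ports):
        return "deny", f"inner SCTP port {info['sctp_dst']} not permitted"
    chunk = CHUNK_NAMES.get(info["chunk_type"], f"type {info['chunk_type']}")
    return "permit", f"SCTP {info['sctp_src']}->{info['sctp_dst']} {chunk}"


if __name__ == "__main__":
    allowed = {7777}
    samples = {
        "INIT to 7777": build_sctp_over_udp(5000, 7777, 0, 1),
        "DATA to 22": build_sctp_over_udp(5000, 22, 0xDEADBEEF, 0),
        "UDP/53, not encapsulated": build_sctp_over_udp(5000, 7777, 0, 0, udp_dst=53),
        "truncated": build_sctp_over_udp(5000, 7777, 0, 1)[:15],
    }
    for label, pkt in samples.items():
        verdict, reason = filter_decision(pkt, allowed)
        print(f"{label:28s} -> {verdict:6s} ({reason})")
```

The point this makes for the thread: a firewall rule written only against the outer UDP header sees every encapsulated association as "UDP 9899" and must permit or deny all of them alike, so port 7777 cannot be singled out without parsing the inner SCTP common header as `parse_udp_encapsulated_sctp` does. Encapsulation moves the traffic through a UDP-only firewall, but the per-SCTP-port restriction the customer asked for still has to be enforced by something that understands SCTP, on the endpoints or on a device that inspects the inner header.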
