Permitting SCTP traffic on an ASA 5500

Hi,

I have an ASA 5500 connected to 3 zones: 1. the user access zone, 2. the server access zone and 3. the internet zone. Now I need to permit SCTP traffic with port 7777 etc. between the user access zone and the server access zone.

The customer does not want any ip-ip based flow, and since SCTP is categorized as neither TCP nor UDP, how do I create the ACL for this?

I am not able to even group these ports using

"object-group service permit_sctp_ports"

command.

Could you please help me with this.

5 Replies

Collin Clark
VIP Alumni

I don't believe the ASA supports SCTP. You'll have to encapsulate it into UDP then ACL and inspect as normal.

Hi Collin,

If I am to proceed with your approach of encapsulating the SCTP packet into UDP in order to permit/restrict/inspect the flow, could you please walk me through the configs required for this?

I'm afraid I don't have much experience with SCTP protocol. Once encapsulated into UDP, I can help you get the traffic through the firewall.

Darn! I've been struggling with this for quite a while. If it's encapsulated into UDP I can handle the traffic flow; the problem now changes to "How do I encapsulate a packet (SCTP or likewise) into a UDP packet?" Is it possible to do the encapsulation on an ASA?

Afraid not. I believe it needs to be done on the client side.
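The firewall side of the approach discussed in this thread, as an added configuration example that is not part of the original posts. It assumes interface nameifs `user` and `server`, constructed subnets 10.1.0.0/24 and 10.2.0.0/24, and that the endpoints themselves wrap SCTP in UDP on port 7777 (the port number comes from the question; the UDP wrapping is a client-side assumption, as the reply above says the ASA cannot do it).

```cisco
! Added example, not from the thread. Assumed: nameifs "user" and "server",
! constructed subnets 10.1.0.0/24 (users) and 10.2.0.0/24 (servers), and
! endpoints that encapsulate SCTP inside UDP on port 7777.
!
! What the question tried: grouping the SCTP ports in a service object-group.
! On an ASA without SCTP support, the port-object / service-object syntax only
! accepts TCP and UDP, so the SCTP ports cannot be grouped this way:
!   object-group service permit_sctp_ports
!
! Once the endpoints wrap SCTP in UDP, the flow is an ordinary UDP service and
! can be filtered on ports, so no ip-ip (any-protocol) permit is needed.
object-group network USER_ZONE
 network-object 10.1.0.0 255.255.255.0
object-group network SERVER_ZONE
 network-object 10.2.0.0 255.255.255.0
object-group service SCTP_OVER_UDP_PORTS udp
 port-object eq 7777
!
! Permit only the encapsulated ports from the user zone to the server zone.
! Return traffic is allowed by the UDP connection state; everything else is
! logged and dropped by the explicit deny (the implicit deny would also drop it).
access-list USER_TO_SERVER extended permit udp object-group USER_ZONE object-group SERVER_ZONE object-group SCTP_OVER_UDP_PORTS
access-list USER_TO_SERVER extended deny ip any any log
access-group USER_TO_SERVER in interface user
!
! Check the hit counts after sending traffic to confirm the permit line matches:
!   show access-list USER_TO_SERVER
```

Because the ASA only sees UDP, its application inspection cannot look inside the SCTP payload; the deny line with `log` is what gives visibility into anything the endpoints send that is not on the permitted port.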
