10-05-2009 11:30 PM - edited 03-11-2019 09:23 AM
Hi,
I have an ASA 5500 connected to 3 zones: 1. user access zone, 2. server access zone and 3. the internet zone. Now I need to permit SCTP traffic with port 7777 etc. between the user access zone and the server access zone.
The customer does not want any IP-to-IP based flow, and since SCTP is categorized as neither TCP nor UDP, how do I create the ACL for this?
I am not able to even group these ports using the "object-group service permit_sctp_ports" command.
Could you please help me with this?
10-06-2009 05:34 AM
I don't believe the ASA supports SCTP. You'll have to encapsulate it into UDP then ACL and inspect as normal.
10-06-2009 06:37 AM
Hi Collin,
If I am to proceed with your approach of encapsulating the SCTP packet into UDP in order to permit/restrict/inspect the flow, could you please walk me through the configs required for this?
10-06-2009 06:41 AM
I'm afraid I don't have much experience with SCTP protocol. Once encapsulated into UDP, I can help you get the traffic through the firewall.
10-06-2009 10:03 PM
Darn! I've been struggling with this for quite a while. If it's encapsulated into UDP I can handle the traffic flow; the problem now changes to "How do I encapsulate a packet (SCTP or likewise) into a UDP packet?" Is it possible to do the encapsulation on an ASA?
10-07-2009 05:26 AM
Afraid not. I believe it needs to be done on the client side.
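For reference, here is the firewall side of the approach the replies settle on: once the SCTP application traffic is carried inside UDP by the endpoints, the ASA can classify it by UDP port like any other flow. This is an added example configuration, not a config posted in the thread; interface names (users, servers), subnets (10.1.0.0/24, 10.2.0.0/24) and the choice of UDP 7777 as the encapsulation port are assumptions, and only the port number 7777 itself comes from the original question.

```cisco
! Added example (not from the thread): permit only the UDP-encapsulated
! SCTP flow from the user zone to the server zone on an ASA 5500.
! Assumed: interface "users" (lower security level), interface "servers"
! (higher security level), subnets 10.1.0.0/24 and 10.2.0.0/24, and the
! endpoints tunnelling SCTP inside UDP port 7777.
object-group network USER_ZONE
 network-object 10.1.0.0 255.255.255.0
object-group network SERVER_ZONE
 network-object 10.2.0.0 255.255.255.0
! port-object requires the service group to be typed tcp, udp or tcp-udp,
! which is why a group of raw SCTP ports cannot be built this way.
object-group service SCTP_OVER_UDP udp
 port-object eq 7777
! Traffic from a lower- to a higher-security interface needs an explicit
! permit; everything else from the user zone is denied and logged, which
! satisfies the requirement of no open IP-to-IP flow.
access-list USERS_IN extended permit udp object-group USER_ZONE object-group SERVER_ZONE object-group SCTP_OVER_UDP
access-list USERS_IN extended deny ip any any log
access-group USERS_IN in interface users
```

Because the encapsulation happens on the hosts, the ASA only ever sees UDP, so connection logging and the default UDP idle timeout apply to the tunnel, not to the SCTP associations inside it; keep that in mind when reviewing hit counts or troubleshooting a stalled association.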