Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

UDP port 0 block by PIX 515 ver 7


I have a problem with a udp packet with source port 0.

It is a snmptrap packet:

Source port 0 and Destination pot 162

The pix 515 version 7 always blocks this packet with source port 0.

It is not an access-list who block it. The packet is block and the pix produce no log at all for this block.

Does anyone had experience this problem ?

And what is the solution ?

Thanks in advance


Re: UDP port 0 block by PIX 515 ver 7

Dropping packets with UDP port 0 is normal behaviour because firewall products treat this as a security violation, and drop the packet. You may try to configure the traffic to use some other port or you may permit the UDP port 0 by applying an access-list.

New Member

Re: UDP port 0 block by PIX 515 ver 7

Something like that happen to me in the past with OS 6.X with a Solaris box. When users try to established an Exceed session the PIX block the traffic. The X Windows use ports 0 and 1 for the displays. I had to call the TAC and it took 2 days to figure it out. The command that fix the problem was the established.

established command?This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.

This was the command I used:

established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535

Still I don't know if it will resolve your issue because your traffic it's UDP.

Good Luck


New Member

Re: UDP port 0 block by PIX 515 ver 7

I check and the established command supports udp. You can try this,

established udp 0 162 permitto udp snmptrap permitfrom udp 1024-65535

The caveat by using this command if I remember

right is that it will open those ports for any.