02-17-2012 07:22 AM - edited 03-11-2019 03:31 PM
I have a 7204VXR NPE-400 running c7200-adventerprisek9-mz.124-24.T3.bin at the moment. This device is being used as a firewall between zones in a service provider network. My issue is we have a lab device on the corporate side that needs to talk SCTP to the core device. Since there is no option to match SCTP in ACLs or protocol matching, I can't really get this to pass properly. Does anyone know if the new IOS versions support SCTP? Does anyone know of any options to pass this traffic through the firewall?
02-21-2012 07:46 AM
Just bumping this as I haven't found a fix yet.
02-21-2012 08:11 AM
Hi Keith,
Have you tried :
ip access-list extended SCTP
 permit 132 any any
I've seen that SCTP is protocol 132; using an extended access-list you can match the protocol number, then use it in a class map.
Dan
02-21-2012 08:27 AM
Yes, this still won't function. From what I can tell, it still wants the transport layer protocol for session information and it just ends up dropping.
02-21-2012 10:02 AM
Keith,
Can you show me your config ( class , acl , policy ) for the SCTP ?
Dan
02-21-2012 11:31 AM
zone-pair security InsideCore source Inside destination Core
 description Inside network to Inside Core
 service-policy type inspect Inside-to-Core
!
class-map type inspect match-all Inside-to-Core
 match access-group name InsideNet
!
policy-map type inspect Inside-to-Core
 class type inspect Inside-to-Core
  inspect
 class class-default
  drop
!
ip access-list extended InsideNet
Now, under the ACL, I have tried to match SCTP directly; that doesn't work with this code, of course. I have tried matching IP protocol 132, the issue there being that it still looks for a TCP or UDP header or it drops the traffic. SCTP isn't a protocol that can be inspected under the class either, so I am at a standstill. The hosts don't have the ability to encapsulate SCTP in UDP from what I have been told. This seems to be working on the newest IOS XR code, but not the main train of IOS (at least to my knowledge; I haven't checked it on the 15.x release yet).
Not sure about your familiarity with SCTP, but it being an entirely new transport layer protocol tertiary to UDP and TCP causes a lot of issues with firewalls from what I have found and I am basically just hoping for a work around or a code change to fix this if anyone knows.
02-21-2012 11:56 AM
The thing is that I do not know if ZBFW inspects SCTP. I would try to see if the return packet is allowed or not, because this is what I think happens:
ip inspect log drop-pkt
Even though I do not think that is a long-term solution, I would pass this traffic un-inspected (create a new class-map for the SCTP traffic); you will also have to pass the return traffic.
Dan
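Putting Dan's two suggestions together (match protocol 132 by number in an extended ACL, then `pass` it in its own class rather than `inspect`), the configuration below is an added example and is not from any post in this thread. It reuses Keith's zone names (Inside, Core) and policy name (Inside-to-Core); the host addresses, the ACL and class-map names, and the reverse zone-pair CoreInside with its policy Core-to-Inside are assumptions for illustration. Because `pass` is stateless, ZBFW creates no session for it, so the return direction needs its own explicit `pass` in the opposite zone-pair; that is the part that is easy to miss and matches the "return packet dropped" symptom Dan describes.

```cisco
! Added example, not from the thread. Zone names Inside/Core and the
! policy Inside-to-Core are from Keith's post; host addresses, ACL and
! class names, and the CoreInside zone-pair are placeholders.
! SCTP is IP protocol 132 and is matched by number, since this IOS
! release has no "sctp" keyword in ACLs or inspect class-maps.
ip access-list extended SCTP-Lab-to-Core
 permit 132 host 10.1.1.10 host 10.2.2.20
ip access-list extended SCTP-Core-to-Lab
 permit 132 host 10.2.2.20 host 10.1.1.10
!
class-map type inspect match-all SCTP-Out
 match access-group name SCTP-Lab-to-Core
class-map type inspect match-all SCTP-Back
 match access-group name SCTP-Core-to-Lab
!
! "pass" forwards without creating a session, so the SCTP class must be
! evaluated before the inspected class and the reverse direction must be
! passed explicitly in the Core-to-Inside policy.
policy-map type inspect Inside-to-Core
 class type inspect SCTP-Out
  pass
 class type inspect Inside-to-Core
  inspect
 class class-default
  drop log
!
policy-map type inspect Core-to-Inside
 class type inspect SCTP-Back
  pass
 class class-default
  drop log
!
zone-pair security InsideCore source Inside destination Core
 service-policy type inspect Inside-to-Core
zone-pair security CoreInside source Core destination Inside
 service-policy type inspect Core-to-Inside
```

Two practical checks. Classes in a `policy-map type inspect` are evaluated in the order they were configured, and new classes are appended, so on an existing policy the `inspect` class (which presumably already matches all inside traffic via InsideNet) has to be removed and re-added after the SCTP class, otherwise SCTP hits `inspect` first and is dropped. If a Core-to-Inside zone-pair already exists, add the SCTP-Back class to its existing policy instead of creating a second one. `show policy-map type inspect zone-pair InsideCore` shows per-class packet counters, which together with `ip inspect log drop-pkt` tells you whether the SCTP packets are landing in the pass class or falling through to class-default.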
02-21-2012 12:14 PM
It doesn't; that is my problem.
I am working on just a pass at this point, but that seems not to be matching either.