
ZBFW passing SCTP

Keith McElroy
Level 1

I have a 7204VXR NPE-400 running c7200-adventerprisek9-mz.124-24.T3.bin at the moment. This device is being used as a firewall between zones in a service provider network. My issue is we have a lab device on the corporate side that needs to talk SCTP to the core device. Since there is no option to match SCTP in ACLs or protocol matching, I can't really get this to pass properly. Does anyone know if the new IOS versions support SCTP? Does anyone know of any options to pass this traffic through the firewall?

7 Replies

Keith McElroy
Level 1

Just bumping this as I haven't found a fix yet.

Hi Keith,

Have you tried :

ip access-l ex SCTP

permit 132 any any

I've seen that SCTP is protocol 132; using an extended access-list you can match the protocol number. Then use it in a class map.

Dan

Yes, this still won't function. From what I can tell, it still wants the transport layer protocol for session information and it just ends up dropping.

Keith,

Can you show me your config ( class , acl , policy ) for the SCTP ?

Dan

zone-pair security InsideCore source Inside destination Core

description Inside network to Inside Core

service-policy type inspect Inside-to-Core

class-map type inspect match-all Inside-to-Core

match access-group name InsideNet

policy-map type inspect Inside-to-Core

class type inspect Inside-to-Core

  inspect

class class-default

  drop

ip access-list extended InsideNet

Now, under the ACL, I have tried to match SCTP directly, doesn't work with this code of course. I have tried matching IP protocol 132, issue there being it still looks for a TCP or UDP header or it drops the traffic. SCTP isn't a protocol that can be inspected under the class either, so I am at a standstill. The hosts don't have the ability to encapsulate SCTP in UDP from what I have been told. This seems to be working on the newest IOS XR code, but not the main train of IOS (at least to my knowledge, I haven't checked it on the 15.x release yet.)

Not sure about your familiarity with SCTP, but it being an entirely new transport layer protocol tertiary to UDP and TCP causes a lot of issues with firewalls from what I have found and I am basically just hoping for a work around or a code change to fix this if anyone knows.

The thing is that I do not know if ZBFW inspects SCTP ... I would try to see if the return packet is allowed or not, because this is what I think happens.

ip inspect log drop-pkt

Even though I do not think that is a long term solution, I would pass this traffic un-inspected (create a new class-map for SCTP traffic); also you will have to pass the return traffic.

Dan
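The stateless pass approach Dan describes, written out as an added example configuration (it is not from the original thread or from Keith's device); the host addresses, the reverse zone-pair name and the SCTP ACL and class names are assumed placeholders, and whether protocol 132 actually matches on this 12.4T image is exactly what the thread is still testing.

```cisco
! Constructed example (not from the thread): pass SCTP (IP protocol 132)
! uninspected between the Inside and Core zones in BOTH directions.
! 10.1.1.10 (lab host) and 10.2.2.20 (core device) are assumed addresses.
ip access-list extended SCTP-Inside-to-Core
 permit 132 host 10.1.1.10 host 10.2.2.20
ip access-list extended SCTP-Core-to-Inside
 permit 132 host 10.2.2.20 host 10.1.1.10
!
class-map type inspect match-all SCTP-Inside-to-Core
 match access-group name SCTP-Inside-to-Core
class-map type inspect match-all SCTP-Core-to-Inside
 match access-group name SCTP-Core-to-Inside
!
! pass builds no session state, so the reverse zone-pair needs its own
! pass class or the return chunks fall into class-default and are dropped.
! Order matters: the narrow pass class goes BEFORE the broad inspect class,
! otherwise the existing InsideNet class claims the packets first.
policy-map type inspect Inside-to-Core
 class type inspect SCTP-Inside-to-Core
  pass
 class type inspect Inside-to-Core
  inspect
 class class-default
  drop log
!
policy-map type inspect Core-to-Inside
 class type inspect SCTP-Core-to-Inside
  pass
 class class-default
  drop log
!
zone-pair security InsideCore source Inside destination Core
 service-policy type inspect Inside-to-Core
! assumed reverse zone-pair; add it if the box only has the forward one
zone-pair security CoreInside source Core destination Inside
 service-policy type inspect Core-to-Inside
```

Keep the ACLs host-to-host rather than `any any` so only the lab device and the core device bypass inspection; `show policy-map type inspect zone-pair` together with the `ip inspect log drop-pkt` logging Dan mentions shows which class the packets (and the return chunks) are landing in.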

It doesn't, that is my problem

I am working on just a pass at this point, but that seems to not be matching either.
