Cisco Support Community
ZBFW passing SCTP

I have a 7204VXR NPE-400 running c7200-adventerprisek9-mz.124-24.T3.bin at the moment. This device is being used as a firewall between zones in a service provider network. My issue is we have a lab device on the corporate side that needs to talk SCTP to the core device. Since there is no option to match SCTP in ACLs or protocol matching, I can't really get this to pass properly. Does anyone know if the new IOS versions support SCTP? Does anyone know of any options to pass this traffic through the firewall?

7 REPLIES

ZBFW passing SCTP

Just bumping this as I haven't found a fix yet.

ZBFW passing SCTP

Hi Keith,

Have you tried:

ip access-list extended SCTP
 permit 132 any any

I've seen that SCTP is protocol 132; using an extended access-list you can match the protocol number. Then use it in a class map.

Dan


ZBFW passing SCTP

Yes, this still won't function. From what I can tell, it still wants the transport layer protocol for session information and it just ends up dropping.

ZBFW passing SCTP

Keith,

Can you show me your config (class, ACL, policy) for the SCTP?

Dan


ZBFW passing SCTP

zone-pair security InsideCore source Inside destination Core
 description Inside network to Inside Core
 service-policy type inspect Inside-to-Core
!
class-map type inspect match-all Inside-to-Core
 match access-group name InsideNet
!
policy-map type inspect Inside-to-Core
 class type inspect Inside-to-Core
  inspect
 class class-default
  drop
!
ip access-list extended InsideNet

Now, under the ACL, I have tried to match SCTP directly, which doesn't work with this code of course. I have tried matching IP protocol 132; the issue there being it still looks for a TCP or UDP header or it drops the traffic. SCTP isn't a protocol that can be inspected under the class either, so I am at a standstill. The hosts don't have the ability to encapsulate SCTP in UDP from what I have been told. This seems to be working on the newest IOS XR code, but not the main train of IOS (at least to my knowledge, I haven't checked it on the 15.x release yet.)

Not sure about your familiarity with SCTP, but it being an entirely new transport layer protocol alongside UDP and TCP causes a lot of issues with firewalls from what I have found, and I am basically just hoping for a workaround or a code change to fix this if anyone knows.

ZBFW passing SCTP

The thing is that I do not know if ZBFW inspects SCTP ... I would try to see if the return packet is allowed or not, because this is what I think happens:

ip inspect log drop-pkt

Even though I do not think that is a long-term solution, I would pass this traffic un-inspected (create a new class-map for SCTP traffic); you will also have to pass the return traffic.

Dan


ZBFW passing SCTP

It doesn't, that is my problem

I am working on just a pass at this point, but that seems not to be matching either.
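For reference, here is what the stateless "pass" approach Dan suggested looks like when written out in full, as an added example and not config taken from the thread or from any of the posters. It builds on the zone names already in Keith's config (Inside, Core, and the zone-pair InsideCore); the addresses 10.0.0.0/24 (lab host network) and 192.0.2.10 (core SCTP endpoint), the ACL and class names containing "SCTP", and the return zone-pair CoreInside are placeholders assumed for the example. Because "pass" creates no session state, the return direction must be permitted explicitly by its own zone-pair and policy, and the SCTP class must be listed before the general "inspect" class so the inspect engine never sees protocol 132.

```cisco
! --- Forward direction: Inside -> Core (example config, not from the thread) ---
ip access-list extended SCTP-TO-CORE
 ! protocol 132 = SCTP; scope it to the lab host network and the one core endpoint
 permit 132 10.0.0.0 0.0.0.255 host 192.0.2.10
!
class-map type inspect match-all SCTP-TO-CORE
 match access-group name SCTP-TO-CORE
!
policy-map type inspect Inside-to-Core
 ! SCTP class first: "pass" forwards without creating a session, so the
 ! inspect engine below never has to parse the SCTP header
 class type inspect SCTP-TO-CORE
  pass
 class type inspect Inside-to-Core
  inspect
 class class-default
  drop
!
! --- Return direction: Core -> Inside ---
! "pass" keeps no state, so the reply packets need their own explicit permit
ip access-list extended SCTP-FROM-CORE
 permit 132 host 192.0.2.10 10.0.0.0 0.0.0.255
!
class-map type inspect match-all SCTP-FROM-CORE
 match access-group name SCTP-FROM-CORE
!
policy-map type inspect Core-to-Inside
 class type inspect SCTP-FROM-CORE
  pass
 class class-default
  drop
!
zone-pair security CoreInside source Core destination Inside
 description Return path for SCTP from core to lab host
 service-policy type inspect Core-to-Inside
```

Two things to check after applying it. First, confirm that the SCTP class is the one actually incrementing counters with "show policy-map type inspect zone-pair InsideCore" (and the same for CoreInside); if the packets are still landing in class-default, the ACL is not matching and Dan's "ip inspect log drop-pkt" will show what was dropped. Second, keep in mind what is lost: with "pass" the firewall does no SCTP-level validation at all and holds no association state, so the ACL source/destination pairs above are the only control on this traffic, which is why the example pins them to specific hosts rather than "any any".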
