Stateful Inspection of UDP

dwalsh
Level 1

Hello,

I have an application that uses exclusively UDP (port 25441). I've placed the server on the DMZ, but it initiates a connection back to the internal client that made the request (i.e. out of state). Is there any way I can use a fixup or something to get around this?

Also, I know that the PIX does do stateful inspection of a lot of UDP traffic, but how does it do it, since UDP doesn't have a sequence number attached or use a SYN/ACK?

TIA,

Dave

3 Replies

l.mourits
Level 5

Hi Dave,

Fixups are not configurable, they have to be coded into PIX-OS. If this is a standard application, you can always send a feature request to Cisco for the needed fixup. If it is indeed a standard and widely used application (or estimated to become one), they will hopefully engineer the new fixup in a major release.

Fixups are only needed if protocols are used where clients initiate traffic on the high level interface traversing to a lower level interface, mostly only for the outside interface. This is of course your case also, but you state that the server resides at your DMZ. Why not configure a rule on the access-list bound to that DMZ interface which permits that traffic initiated from the server to the inside client? Put the right static command in place and it should work.

About your question about the stateful inspection of UDP, I do not know in detail. All I know is that the Adaptive Security Algorithm takes care of response traffic. I believe it is done by looking at a mix of IP source and destination addresses, UDP port numbers and the associated xlate entry. But I hope that one of the Cisco guys can tell in more detail how it is done exactly.

Hope this helps,

Leo

Leo,

Thanks for your input. This is about what I've discovered on my own.

As for the rule back in from the DMZ, our preferred approach was to prevent any inbound connections from being initiated from any external (or DMZ) address. However, it would appear as though this will not be possible given the specific application.

It is however odd why some UDP traffic is "stateful" (for lack of a better word) and others aren't.

I wonder if it has to do with the way the app is written.

Thanks for your response.

Dave.

A UDP state basically means if the PIX sees return traffic using the same addresses and ports within a few seconds it considers that the UDP connection is up. This is very different to TCP as you're aware, and why the UDP connection has such a lower timeout value (2 minutes as opposed to 1 hour).

If the application initiates a connection on a different port back through the PIX than what the original packet was on, then yes, the PIX will block this because it won't recognise it as part of the original connection.

If you know what port number the app is going to use for this return connection, then you can use the "established" command to allow those back through. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#1028903 for details, and try and make it as secure as possible by using the permitto and permitfrom options.
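To make the UDP "state" described in this reply concrete, here is a small Python model added as an illustration; it is not Cisco's code and not from the thread. It keeps an entry per address/port 4-tuple created by outbound traffic, permits inbound traffic only on the reversed tuple within the idle timeout, and so blocks the server's new connection from a different port. The addresses and ports in the demo are constructed.

```python
import time
from dataclasses import dataclass

UDP_TIMEOUT = 120  # seconds; the 2-minute UDP idle timeout mentioned in the thread


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The 4-tuple a legitimate reply to this flow would carry."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class UdpStateTable:
    """Simplified model of stateful UDP tracking on a firewall (not PIX code)."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.table = {}  # Flow -> timestamp of the last packet seen

    def outbound(self, flow, now):
        """Packet from the higher-security side creates or refreshes an entry."""
        self.table[flow] = now

    def inbound(self, flow, now):
        """Packet from the lower-security side is allowed only if it is the
        reverse of a live entry; anything else is dropped."""
        original = flow.reverse()
        last_seen = self.table.get(original)
        if last_seen is None:
            return False  # no matching outbound packet: a new connection, blocked
        if now - last_seen > self.timeout:
            del self.table[original]
            return False  # entry went idle past the timeout
        self.table[original] = now  # reply refreshes the idle timer
        return True


def demo():
    # Constructed example: inside client 10.1.1.5 -> DMZ server 192.168.2.10, UDP 25441
    fw = UdpStateTable()
    request = Flow("10.1.1.5", 25441, "192.168.2.10", 25441)
    fw.outbound(request, now=0)
    reply = fw.inbound(request.reverse(), now=5)                               # same tuple reversed
    new_conn = fw.inbound(Flow("192.168.2.10", 40001, "10.1.1.5", 25441), now=6)  # server uses another port
    stale = fw.inbound(request.reverse(), now=5 + UDP_TIMEOUT + 1)             # after the idle timeout
    return reply, new_conn, stale
```

`demo()` returns `(True, False, False)`: the direct reply passes, the server-initiated connection from a different source port is dropped, and a reply arriving after the timeout is dropped too.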
