I have an application that uses exclusively UDP (port 25441). I've placed the server on the DMZ, but it initiates a connection back to the internal client that made the request (i.e. out of state). Is there any way I can use a fixup or something to get around this?
Also, I know that the PIX does do stateful inspection of a lot of UDP traffic, but how does it do it since UDP doesn't have a sequence number attached or use a SYN/ACK.
Fixups are not configurable, they have to be coded into PIX-OS. If this is a standard application, you can always send a feature request to Cisco for the needed fixup. If it is indeed a standard and widely used (or estimated to become such) application, they will hopefully engineer the new fixup in a major release.
Fixups are only needed if protocols are used where clients initiate traffic on the high level interface traversing to a lower level interface, mostly only for the outside interface. This is of course your case also, but you state that the server resides at your DMZ. Why not configure a rule on the access-list bound to that DMZ interface which permits that traffic initiated from the server to the inside client? Put the right static command in place and it should work.
About your question about the stateful inspection on UDP I do not know in detail. All I know is that the Adaptive Security Algorithm takes care of response traffic. In my belief it is done by looking at a mix of IP source & destination address, UDP port numbers and the associated xlate entry. But I hope that one of the Cisco guys can tell in more detail how it is done exactly.
Thanks for your input. This is about what I've discovered on my own.
As for the rule back in from the DMZ, our preferred approach was to prevent any inbound connections from being initiated from any external (or DMZ) address. However, it would appear as though this will not be possible given the specific application.
It is however odd why some UDP traffic is "stateful" (for lack of a better word) and others aren't.
I wonder if it has to do with the way the app is written.
A UDP state basically means if the PIX sees return traffic using the same addresses and ports within a few seconds it considers that the UDP connection is up. This is very different to TCP as you're aware, and why the UDP connection has a much lower timeout value (2 minutes as opposed to 1 hour).
If the application initiates a connection on a different port back through the PIX than what the original packet was on, then yes, the PIX will block this because it won't recognise it as part of the original connection.
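As an added illustration of the matching rule described in the reply above (this is not code from the thread or from Cisco), here is a toy state table that admits a return UDP datagram only when it reverses an unexpired outbound entry, and drops a datagram that the server initiates on a different port. Addresses, ports and timings are constructed for the example.

```python
# Toy model of PIX-style "stateful" handling of connectionless UDP.
# Constructed example, not Cisco code: real ASA logic also consults xlate
# entries and fixups, which this model omits.

UDP_IDLE_TIMEOUT = 120   # seconds, the 2-minute UDP timeout named in the thread


class UdpStateTable:
    """Remembers outbound UDP flows as (src, sport, dst, dport) -> last-seen time."""

    def __init__(self, timeout=UDP_IDLE_TIMEOUT):
        self.timeout = timeout
        self.entries = {}

    def outbound(self, src, sport, dst, dport, now):
        """Inside host sends to a lower-security interface: create/refresh state."""
        self.entries[(src, sport, dst, dport)] = now
        return True

    def inbound(self, src, sport, dst, dport, now):
        """Datagram from the lower-security side: permitted only if it is the exact
        reverse (addresses and ports swapped) of an entry that has not idled out."""
        key = (dst, dport, src, sport)          # reverse of the original direction
        last_seen = self.entries.get(key)
        if last_seen is None:
            return False                        # no state: would need ACL + static
        if now - last_seen > self.timeout:
            del self.entries[key]               # idle too long: state expired
            return False
        self.entries[key] = now                 # refresh the idle timer
        return True


def scenario():
    """Walk through the thread's situation with constructed hosts and ports."""
    table = UdpStateTable()
    client, server, app_port = "10.1.1.5", "192.0.2.10", 25441  # constructed
    table.outbound(client, 40000, server, app_port, now=0)
    return {
        # Reply from the same server port back to the client's source port: allowed.
        "reply_same_ports": table.inbound(server, app_port, client, 40000, now=5),
        # Server initiates to the client on the application port instead: dropped.
        "server_new_port": table.inbound(server, app_port, client, app_port, now=6),
        # Same reply again, but only after the 2-minute idle timeout: dropped.
        "reply_after_idle": table.inbound(server, app_port, client, 40000, now=200),
    }
```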