topic ZBFW passing SCTP in Network Security

ZBFW passing SCTP

Keith McElroy — Mon, 11 Mar 2019 22:31:24 GMT

I have a 7204VXR NPE-400 running c7200-adventerprisek9-mz.124-24.T3.bin at the moment. This device is being used as a firewall between zones in a service provider network. My issue is we have a lab device on the corporate side that needs to talk SCTP to the core device. Since there is no option to match SCTP in ACLs or protcol matching, I can't really get this to pass properly. Does anyone know if the new IOS versions support SCTP? Does anyone know of any options to pass this traffic through the firewall?

ZBFW passing SCTP

Keith McElroy — Tue, 21 Feb 2012 15:46:36 GMT

Just bumping this as I haven't found a fix yet.

ZBFW passing SCTP

Dan-Ciprian Cicioiu — Tue, 21 Feb 2012 16:11:05 GMT

Hi Keith,

Have you tried :

ip access-l ex SCTP

permit 132 any any

I've saw that SCTP is protocol 132, using extended access-list you can match protocol number.Then used in a class map.

Dan

ZBFW passing SCTP

Keith McElroy — Tue, 21 Feb 2012 16:27:59 GMT

Yes, this still won't function. From what I can tell, it still wants the transport layer protocol for session information and it just ends up dropping.

ZBFW passing SCTP

Dan-Ciprian Cicioiu — Tue, 21 Feb 2012 18:02:12 GMT

Keith,

Can you show me your config ( class , acl , policy ) for the SCTP ?

Dan

ZBFW passing SCTP

Keith McElroy — Tue, 21 Feb 2012 19:31:24 GMT

zone-pair security InsideCore source Inside destination Core

description Inside network to Inside Core

service-policy type inspect Inside-to-Core

class-map type inspect match-all Inside-to-Core

match access-group name InsideNet

policy-map type inspect Inside-to-Core

class type inspect Inside-to-Core

inspect

class class-default

drop

ip access-list extended InsideNet

Now, under the ACL, I have tried to match SCTP directly, doesn't work with this code of course. I have tried matching IP protocol 132, issue there being it still looks for a TCP or UDP header or it drops the traffic. SCTP isn't a protcol that can be inspected under the class either, so I am at a standstill. The hosts don't have the ability to encapsulate SCTP in UDP from what I have been told. This seems to be working on the newest IOS XR code, but not the main train of IOS (at least to my knowledge, I haven't checked it on the 15.x release yet.)

Not sure about your familiarity with SCTP, but it being an entirely new transport layer protocol tertiary to UDP and TCP causes a lot of issues with firewalls from what I have found and I am basically just hoping for a work around or a code change to fix this if anyone knows.

ZBFW passing SCTP

Dan-Ciprian Cicioiu — Tue, 21 Feb 2012 19:56:17 GMT

The think is that I do not know if ZBFW inspects SCTP ... I would try to see if the return packet is allowed or not, because this is what I think hapends.

ip inspect log drop-pkt

Even though I do not think that is a long term solution , I would pass un-inspected this traffic ( create a new class-map for SCTP traffic ) also you will have to pass for the return traffic.

Dan

ZBFW passing SCTP

Keith McElroy — Tue, 21 Feb 2012 20:14:36 GMT

It doesn't, that is my problem

I am working on just a pass at this point, but that seems to not be matching either.