How to Allow ASA 5506x to Pass UDP port 9 Broadcast

Ro-Lak
Level 1

Hi

 

We are trying to allow UDP broadcast port 9 packets through the firewall. Basically, WOL packets need to be sent from one network segment to another. We are also aware of this:

 

"In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule, including unsupported dynamic routing protocols and DHCP. You must configure the dynamic routing protocols or DHCP relay to allow this traffic."

 

We tried the following blog, which mentioned tricking the ASA into capturing the broadcast packet and NATing it as a unicast to the destination's broadcast address.

 

https://**bleep**.technology/forwarding-wake-on-lan-using-a-cisco-asa

 

The above didn't work for us; maybe we did it wrong.

Has anybody come across the above scenario and managed to trick the ASA into sending broadcast packets?

 

 

8 Replies

Hello,

WOL uses UDP ports 9 and 7. You mention port 9 packets below; maybe a typo, but just to make sure we are on the same page here.

I'd say this should pass through the ASA.

 

access-list XXX permit udp host X.X.X.X any eq 7
access-list XXX permit udp host X.X.X.X any eq 9
!
ip forward-protocol udp 7
ip forward-protocol udp 9
!
interface vlan XXX (Source vlan)
 ip helper-address X.X.X.X
!

interface vlan YYY
 ip directed-broadcast YYY (Destination Vlan)
!
 
Hope that helps.
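As an added illustration (not code from any poster, and not from the blog the original post links), the script below builds and validates the WOL magic packet this thread is about, and computes the directed-broadcast address of a subnet, which is the address the NAT-to-broadcast approach from the original post targets. The MAC address 00:11:22:33:44:55 and the subnet 192.168.2.0/24 are constructed sample values; the port numbers 7 and 9 are the ones named in this reply.

```python
import ipaddress
import socket

# UDP ports used for WOL, as stated in the reply above.
WOL_PORTS = {7, 9}

# Constructed sample values (not from the thread).
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_SUBNET = "192.168.2.0/24"


def build_magic_packet(mac: str) -> bytes:
    """Return a WOL magic packet: six 0xFF bytes followed by the MAC repeated 16 times (102 bytes)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return b"\xff" * 6 + raw * 16


def parse_magic_packet(payload: bytes):
    """Return the target MAC (lower-case, colon separated) if payload is a well-formed
    magic packet, otherwise None. Useful for checking what an ACL or capture actually saw."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def is_wol_datagram(dst_port: int, payload: bytes) -> bool:
    """True when a UDP datagram looks like WOL: expected port and a valid magic packet."""
    return dst_port in WOL_PORTS and parse_magic_packet(payload) is not None


def directed_broadcast(cidr: str) -> str:
    """Directed-broadcast address of a subnet, e.g. 192.168.2.255 for 192.168.2.0/24.
    This is the unicast-looking destination the NAT trick rewrites the packet toward."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)


def send_wol(mac: str, dst: str, port: int = 9) -> int:
    """Send a magic packet to dst, which may be a routed unicast address (the flow the ASA can
    see and NAT) or a subnet broadcast address. Returns the number of bytes sent."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (dst, port))


if __name__ == "__main__":
    pkt = build_magic_packet(SAMPLE_MAC)
    print(len(pkt), "bytes, target MAC:", parse_magic_packet(pkt))
    print("directed broadcast for", SAMPLE_SUBNET, "is", directed_broadcast(SAMPLE_SUBNET))
    # send_wol(SAMPLE_MAC, directed_broadcast(SAMPLE_SUBNET))  # would actually transmit
```

The parse function is the handy part when troubleshooting: capture the UDP/9 datagram on the ASA's ingress interface and run its payload through it to confirm the packet is a valid magic packet and is addressed to the port your ACL permits, before blaming the NAT or broadcast handling.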

Hi, thanks for the response.

The WOL packets are sent using UDP/9; that's what the application is configured to use.

However, I don't think the below would work for this situation, as the below commands aren't valid for the ASA, which is currently running in routed mode. I did create a sub-interface and tried, but there are no commands as such. This could work on a layer 3 switch, I think.


Which version do you have?

 

It's running the latest version, Cisco 9.8(1).


Actually, this part is on switch side. Only the access-list is on firewall side.

 

!
ip forward-protocol udp 7
ip forward-protocol udp 9
!
interface vlan XXX (Source vlan)
 ip helper-address X.X.X.X
!

interface vlan YYY
 ip directed-broadcast YYY (Destination Vlan)
!

Unfortunately they are using a layer 2 D-Link PoE switch. Nothing fancy.

What I can't understand is that it works on another 5506X firewall. On that one I only had to insert an ACL to allow UDP 6000.


Alright,

One thing you can try is packet inspection. Firewalls usually don't like UDP because it has no connection.

I don't know if WOL exists in the inspection list.

policy-map global_policy class inspection_default

inspect "wol"???

 

Try this and let me know.

Maykol Rojas
Cisco Employee

I don't think this is going to work. The only way to pass that broadcast would be creating a BVI interface and bridging the traffic, but it needs to be on the same broadcast domain.

Mike