Alex Fray
Beginner

How to forward UDP broadcasts through a FWSM

Scenario:

I have a badly designed application (which can't be changed) which broadcasts snmp-trap packets from the client device to try and find the application server. This works fine on my current network, where I have (DMZ with clients) Cat6500 MSFC - Checkpoint Firewall - Cat6500 MSFC (Internal with App Server) and use IP helpers to forward the SNMP UDP packets. However, we are re-designing the network so that instead of the above (expensive) topology we will simply have (DMZ) FWSM (Internal) MSFC (so all on a single 6500). So I need to forward 162/udp broadcasts to 255.255.255.255 through the FWSM to the Internal network.

The only way I can think of is doing the following, but I am unsure if it will work:

! permit the broadcast from the DMZ client and apply the ACL to the dmz interface
access-list dmz_access_in permit udp host DMZ_HOST host 255.255.255.255
access-group dmz_access_in in interface dmz
! present the server's real address to the DMZ as 255.255.255.255
static (inside,dmz) 255.255.255.255 192.x.x.10 netmask 255.255.255.255

So the client sends a broadcast to 255.255.255.255; the FWSM, which is the client's gateway, permits the traffic and NATs the destination from 255.255.255.255 to the actual IP address of the server. Would this work, or is there a better way of forwarding UDP broadcasts through an FWSM?

Note: I don't have the FWSM to try the above configuration, hence why I'm asking before I procure it.

Thanks, Alex

CCSP - CCNA - DCASI

3 REPLIES
Jennifer Halim
Cisco Employee

You can only forward broadcast or multicast traffic on FWSM when it's in transparent mode (acting as a Layer 2 firewall).

If FWSM is in routed mode, it only forwards unicast traffic (neither broadcast nor multicast traffic will be forwarded).

Here is more information on the 2 different modes for your reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html

Hope that helps.

Thanks for the response and clarification, although I believe multicast routing is possible in routed mode.

So plan B: I use a pair of Cisco ASA5520s to replace the Checkpoint firewalls and use VRFs to separate the DMZ and Internal networks, which means I can use ip helper-addresses on both the DMZ and Internal networks, as they will have their own routing tables and the switch is the VLAN gateway, not the firewall.

I was looking forward to using the FWSM, so maybe in future releases they could have something similar to ip helper-address to forward traffic (other than DHCP relay). I understand the security implications, but sometimes this type of functionality is required.

Multicast routing is possible in routed mode, you are right. But not just forwarding multicast traffic in routed mode.
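Added example (not posted in the thread, and not Cisco's own configuration): what the plan B described above looks like on a single Cat6500 MSFC with VRF-lite, a routed-mode ASA pair between the two VRFs, and ip helper-address turning the client's 255.255.255.255:162 broadcast into a unicast to the server. All addresses, VLAN numbers, VRF names and ACL names are assumptions; the original 192.x.x.10 server address is replaced with documentation ranges. The helper relay forwards a fixed set of UDP ports by default (bootps/bootpc, tftp, domain, time, netbios-ns, netbios-dgm, tacacs), so the example adds 162 and switches the unneeded defaults off, which keeps a DMZ host from using the relay to reach internal TFTP, DNS or NetBIOS listeners.

```cisco
! ---------- Cat6500 MSFC (IOS), VRF-lite ----------
! Assumed addressing:
!   VLAN 10  DMZ clients         192.0.2.0/24     MSFC .1            (VRF DMZ)
!   VLAN 11  MSFC <-> ASA dmz    203.0.113.0/30   MSFC .1, ASA .2    (VRF DMZ)
!   VLAN 21  ASA inside <-> MSFC 203.0.113.4/30   ASA .5, MSFC .6    (VRF INTERNAL)
!   VLAN 20  Internal servers    198.51.100.0/24  MSFC .1, app .10   (VRF INTERNAL)
!
! 1. Two routing tables, so the MSFC can be the VLAN gateway on both sides of the ASA.
ip vrf DMZ
 rd 65000:1
ip vrf INTERNAL
 rd 65000:2
!
! 2. Relay only snmptrap (162). ip forward-protocol is global: it applies to every
!    ip helper-address on the box, so remove the default ports this network does not need.
ip forward-protocol udp 162
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
! 3. DMZ client VLAN. A client broadcast to 255.255.255.255:162 is rewritten to a
!    unicast to 198.51.100.10; the client's own address stays as the source, so the
!    server's reply is plain unicast back to the client and needs no relay.
interface Vlan10
 description DMZ clients
 ip vrf forwarding DMZ
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.10
!
interface Vlan11
 description transit to ASA dmz interface
 ip vrf forwarding DMZ
 ip address 203.0.113.1 255.255.255.252
!
! The relayed unicast is routed through the ASA like any other DMZ -> inside flow.
ip route vrf DMZ 198.51.100.0 255.255.255.0 203.0.113.2
!
interface Vlan21
 description transit from ASA inside interface
 ip vrf forwarding INTERNAL
 ip address 203.0.113.6 255.255.255.252
!
interface Vlan20
 description Internal servers
 ip vrf forwarding INTERNAL
 ip address 198.51.100.1 255.255.255.0
!
! Return route for the server's unicast replies to the DMZ clients.
ip route vrf INTERNAL 192.0.2.0 255.255.255.0 203.0.113.5
!
! ---------- ASA 5520 pair (routed mode), relevant lines only ----------
! Only the relayed trap traffic is allowed from the DMZ towards the server;
! the ASA sees ordinary unicast, so no broadcast handling or NAT trick is needed.
access-list dmz_in extended permit udp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq snmptrap
access-group dmz_in in interface dmz
```

If the server side also discovers peers by broadcast, the same `ip helper-address` goes under `interface Vlan20` pointing at the DMZ host, and the ASA's inside ACL gets the mirror-image `permit udp host 198.51.100.10 192.0.2.0 255.255.255.0 eq snmptrap`. Check with `show ip route vrf DMZ` and `debug ip udp` on the MSFC that the broadcast is being rewritten before looking at the ASA.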