How to forward UDP broadcasts through a FWSM
05-09-2011 08:05 AM - edited 03-11-2019 01:30 PM
Scenario:
I have a badly designed application (which can't be changed) which broadcasts SNMP-trap packets from the client device to try and find the application server. This works fine on my current network, where I have (DMZ with clients) Cat6500 MSFC - Checkpoint Firewall - Cat6500 MSFC (Internal with App Server) and I use IP helpers to forward the SNMP UDP packets. However, we are re-designing the network so that instead of the above (expensive) topology we will simply have (DMZ) FWSM (Internal) MSFC (so all on a single 6500). So I need to forward 162/udp broadcasts to 255.255.255.255 through the FWSM to the Internal network.
The only way I can think of is doing the following, but I am unsure if it will work:
access-list dmz_access_in permit udp host DMZ_HOST host 255.255.255.255
static (inside,dmz) 255.255.255.255 192.x.x.10 netmask 255.255.255.255
So the client sends a broadcast to 255.255.255.255; the FWSM, which is the client's gateway, permits the traffic and NATs the destination from 255.255.255.255 to the actual IP address of the server. Would this work, or is there a better way of forwarding UDP broadcasts through an FWSM?
Note: I don't have the FWSM to try the above configuration, hence why I'm asking before I procure it.
Thanks, Alex
CCSP - CCNA - DCASI
05-09-2011 11:17 PM
You can only forward broadcast or multicast traffic on FWSM when it's in transparent mode (acting as a Layer 2 firewall).
If FWSM is in routed mode, it only forwards unicast traffic (neither broadcast nor multicast traffic will be forwarded).
Here is more information on the 2 different modes for your reference:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html
Hope that helps.
05-10-2011 12:41 AM
Thanks for the response and clarification, although I believe multicast routing is possible in routed mode.
So, plan B: I use a pair of Cisco ASA5520s to replace the Checkpoint firewalls and use VRFs to separate the DMZ and Internal networks, which means I can use ip helper-addresses on both the DMZ and Internal networks, as they will have their own routing tables and the switch is the VLAN gateway, not the firewall.
I was looking forward to using the FWSM, so maybe in future releases they could have something similar to IP helper-address to forward traffic (other than DHCP relay). I understand the security implications but sometimes this type of functionality is required.
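For readers who want to see exactly what "ip helper-address" does for the traffic in this thread, here is an added example (not code from the thread or from Cisco) of a minimal user-space relay that performs the same job: it receives the UDP/162 broadcasts the clients send to 255.255.255.255 and re-sends each accepted datagram as a unicast to the application server. The server address, the allowed client subnet and the sample datagrams are constructed placeholders; the policy function only relays well-formed SNMP messages from the expected DMZ subnet, which is the kind of filtering a real helper-address on the MSFC would be paired with via an ACL.

```python
"""User-space stand-in for 'ip helper-address' on UDP/162 (added example).

Listens for the SNMP-trap broadcasts described in the thread and unicasts
each accepted datagram to the application server. Addresses and subnets
below are constructed placeholders, not values from the original post.
"""
import ipaddress
import socket

LISTEN_PORT = 162                       # SNMP trap port from the thread
SERVER = ("192.0.2.10", 162)            # placeholder for the internal app server
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed DMZ client subnet
MAX_LEN = 1472                          # UDP payload that fits one Ethernet frame unfragmented


def looks_like_snmp(payload: bytes) -> bool:
    """Cheap structural check: an SNMP message is a BER SEQUENCE (tag 0x30)
    whose encoded length must match the datagram length exactly."""
    if len(payload) < 2 or payload[0] != 0x30:
        return False
    first = payload[1]
    if first < 0x80:                    # short-form length
        body_len, hdr = first, 2
    else:                               # long-form length: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(payload) < 2 + n:
            return False
        body_len = int.from_bytes(payload[2:2 + n], "big")
        hdr = 2 + n
    return hdr + body_len == len(payload)


def should_relay(src_ip: str, payload: bytes) -> bool:
    """Relay policy: source must be in an allowed DMZ subnet and the payload
    must be a sanely sized, well-formed SNMP message. Everything else drops."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    if not any(addr in net for net in ALLOWED_SOURCES):
        return False
    if len(payload) > MAX_LEN:
        return False
    return looks_like_snmp(payload)


def run_relay(listen_port=LISTEN_PORT, server=SERVER, max_datagrams=None):
    """Receive broadcasts on listen_port and unicast accepted ones to server.
    Returns the number of datagrams forwarded; max_datagrams bounds the loop
    (None runs forever). Binding to '' is what makes the socket receive
    datagrams addressed to 255.255.255.255."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    rx.bind(("", listen_port))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    seen = forwarded = 0
    while max_datagrams is None or seen < max_datagrams:
        payload, (src_ip, src_port) = rx.recvfrom(65535)
        seen += 1
        if should_relay(src_ip, payload):
            tx.sendto(payload, server)
            forwarded += 1
        else:
            print(f"dropped {len(payload)} bytes from {src_ip}:{src_port}")
    return forwarded


if __name__ == "__main__":
    # Binding UDP/162 normally requires elevated privileges.
    run_relay()
```

One difference from the switch feature matters for the application in the thread: a user-space relay re-sends the datagram from its own address, so the server sees the relay as the source, whereas ip helper-address on the MSFC rewrites only the destination and preserves the client's source IP. If the application server needs the client's real address to reply, the helper-address on the switch (plan B above) is the right tool and this relay only illustrates the forwarding decision.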
05-10-2011 01:36 AM
Multicast routing is possible in routed mode, you are right. But not just forwarding multicast traffic in routed mode.