07-21-2021 05:10 AM
I have one customer which uses a Cisco ASA5520, and after testing, I found that only the STUN protocol is not supported in their network. Classic-STUN can work functionally, but only STUN cannot work.
I am not sure why; can anybody give some advice?
With STUN, I can only see the binding request, but there is no binding response.
For example, the customer computer is A and my machine is B. Using Wireshark on A, we can see A send the UDP STUN packet to B,
but I cannot catch the UDP packet at machine B with tcpdump.
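The symptom described above (Binding Requests seen leaving A, no Binding Responses, while classic STUN still works) is easier to investigate with a small parser that tells RFC 5389 STUN (magic cookie 0x2112A442 in bytes 4..8 of the header) apart from classic STUN (RFC 3489, 16-byte transaction ID) and pairs requests with responses by transaction ID. The following Python is an added example, not code from this thread or from Cisco; the packets it works on are constructed in the code itself, and no addresses or ports from the thread are assumed. It can be pointed at raw UDP payloads exported from Wireshark or tcpdump on either side.

```python
import os
import socket
import struct

# STUN constants (RFC 5389 / RFC 3489)
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # classic STUN reports the reflexive address in the clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 XORs it with the magic cookie


def build_binding_request(classic=False, transaction_id=None):
    """Build a Binding Request in either flavour. Classic STUN uses all 16 bytes
    after the length field as transaction ID; RFC 5389 puts the cookie first."""
    if classic:
        tid = transaction_id if transaction_id is not None else os.urandom(16)
        return struct.pack("!HH", BINDING_REQUEST, 0) + tid
    tid = transaction_id if transaction_id is not None else os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid


def _xor_with_cookie(port, raw_ip):
    cookie_bytes = struct.pack("!I", MAGIC_COOKIE)
    return port ^ (MAGIC_COOKIE >> 16), bytes(b ^ c for b, c in zip(raw_ip, cookie_bytes))


def _encode_address(attr_type, ip, port):
    raw_ip = socket.inet_aton(ip)
    if attr_type == ATTR_XOR_MAPPED_ADDRESS:
        port, raw_ip = _xor_with_cookie(port, raw_ip)
    value = struct.pack("!BBH", 0, 0x01, port) + raw_ip   # family 0x01 = IPv4
    return struct.pack("!HH", attr_type, len(value)) + value


def build_binding_response(request, ip, port):
    """Answer a Binding Request with a success response carrying the given
    reflexive address, mirroring the request's flavour and transaction ID."""
    info = parse(request)
    if info is None or info["class"] != "request":
        raise ValueError("not a STUN Binding Request")
    if info["flavour"] == "stun":
        attr = _encode_address(ATTR_XOR_MAPPED_ADDRESS, ip, port)
        header = struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE)
    else:
        attr = _encode_address(ATTR_MAPPED_ADDRESS, ip, port)
        header = struct.pack("!HH", BINDING_SUCCESS, len(attr))
    return header + info["transaction_id"] + attr


def parse(packet):
    """Return a dict describing a STUN message, or None if the bytes are not STUN."""
    if len(packet) < 20:
        return None
    msg_type, msg_len = struct.unpack("!HH", packet[:4])
    # Top two bits of the type are always zero; length excludes the 20-byte header.
    if msg_type & 0xC000 or len(packet) != 20 + msg_len:
        return None
    cookie = struct.unpack("!I", packet[4:8])[0]
    if cookie == MAGIC_COOKIE:
        flavour, tid = "stun", packet[8:20]
    else:
        flavour, tid = "classic-stun", packet[4:20]
    cls = {0x0000: "request", 0x0010: "indication",
           0x0100: "success-response", 0x0110: "error-response"}[msg_type & 0x0110]
    info = {"flavour": flavour, "class": cls, "method": msg_type & 0x3EEF,
            "transaction_id": tid, "mapped": None}
    pos = 20
    while pos + 4 <= len(packet):
        a_type, a_len = struct.unpack("!HH", packet[pos:pos + 4])
        value = packet[pos + 4:pos + 4 + a_len]
        if len(value) != a_len:
            return None   # truncated attribute
        if a_type in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and a_len == 8:
            _, family, port = struct.unpack("!BBH", value[:4])
            raw_ip = value[4:8]
            if a_type == ATTR_XOR_MAPPED_ADDRESS:
                port, raw_ip = _xor_with_cookie(port, raw_ip)
            if family == 0x01:
                info["mapped"] = (socket.inet_ntoa(raw_ip), port)
        pos += 4 + ((a_len + 3) & ~3)   # attributes are padded to 4 bytes
    return info


def unanswered_requests(packets):
    """Pair Binding Requests with responses by (flavour, transaction ID) and
    return the requests that never got a response, as (flavour, tid_hex)."""
    pending = {}
    for pkt in packets:
        info = parse(pkt)
        if info is None:
            continue
        key = (info["flavour"], info["transaction_id"])
        if info["class"] == "request":
            pending[key] = info
        elif info["class"].endswith("response"):
            pending.pop(key, None)
    return sorted((flavour, tid.hex()) for flavour, tid in pending)


if __name__ == "__main__":
    # Constructed capture: classic request answered, RFC 5389 request unanswered.
    classic_req = build_binding_request(classic=True)
    classic_resp = build_binding_response(classic_req, "203.0.113.7", 40000)
    modern_req = build_binding_request()
    print(unanswered_requests([classic_req, classic_resp, modern_req]))
```

On a capture where every classic-STUN transaction ID has a matching response and every RFC 5389 request shows up unanswered, the filtering is keyed on the magic cookie rather than on the UDP port, which is what distinguishes a protocol-aware drop from a plain port ACL.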
07-21-2021 08:40 PM
Hello @00u1aoou0j8E6Uxmk5d7 ,
see the following thread:
https://community.cisco.com/t5/network-security/vidyo-and-stun-protocol-on-asa/m-p/1853039
You should match the protocol based on UDP or TCP port(s); you cannot inspect STUN on the ASA.
So find out the TCP/UDP ports used at the sender and allow them reversed from the outside to the inside.
Hope to help
Giuseppe
07-23-2021 02:17 AM
Thanks for your reply.
STUN is a UDP protocol, and all other UDP packets can work,
so it seems it is not due to a port limit.
According to another reply,
maybe the ASA5520 version is too early and it cannot support STUN,
but I am not sure, if the ASA cannot support STUN,
whether it will forbid the packet or just ignore it and let it go.
07-23-2021 02:51 PM
Hello @00u1aoou0j8E6Uxmk5d7 ,
what I mean is that you need to ensure the ASA will not try to inspect STUN traffic; you should exclude it from the inspect-type policy applied at global level.
Hope to help
Giuseppe
07-28-2021 04:59 PM
Thanks for your advice. I am not familiar with ASA. I will provide such info to our customer.