
on 02-02-2017 05:50 AM
SXP connections often have to be established between devices across a firewall. A typical case is the connection between network access devices, such as access switches, and the Cisco Identity Services Engine (ISE). Two things are needed on the firewall: the SXP TCP connection on port 64999 must be permitted, and a custom TCP inspection must be defined so that the firewall does not break the TCP MD5 authentication used on the SXP connection.
The following ASA configuration allows SXP connections to be established through the firewall. The tcp-map lets TCP option 19 (the RFC 2385 MD5 signature option) pass instead of being cleared, and sequence-number randomization is disabled for the matched flows, because the MD5 signature covers the TCP header; a rewritten sequence number would fail verification at the SXP peer:
access-list SXP-MD5-ACL extended permit tcp host <IP1> host <IP2> eq 64999
access-list SXP-MD5-ACL extended permit tcp host <IP2> host <IP1> eq 64999
tcp-map SXP-MD5-OPTION-ALLOW
  tcp-options md5 allow
class-map SXP-MD5-CLASSMAP
 match access-list SXP-MD5-ACL
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class SXP-MD5-CLASSMAP
  set connection random-sequence-number disable
  set connection advanced-options SXP-MD5-OPTION-ALLOW
NOTE:
If the tcp-options command on your ASA/FTD software does not accept the "md5" keyword, use "tcp-options range 19 19 allow" in the tcp-map instead. TCP option 19 is the MD5 signature option (RFC 2385); the "md5" keyword on ASA/FTD firewalls refers to this same option.
I would like to thank Mr. Shaun White for this sample configuration.
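As an added illustration (not from the original post, Cisco, or the ASA itself), the following Python script models the two firewall behaviours the configuration above changes. It builds a TCP segment carrying an RFC 2385 MD5 signature option (kind 19) using a constructed shared key and sample addresses, then shows that the receiving SXP peer can verify the signature only when the firewall both passes option 19 and leaves the sequence number untouched. Clearing the option or shifting the sequence number, which stands in for the ASA defaults, makes verification fail. The digest layout follows RFC 2385; the option clearing and the fixed sequence shift are simplified models of the firewall, not its real implementation.

```python
import hashlib
import hmac
import socket
import struct

# Added example, not part of the original post. Models why the posted ASA
# configuration needs both "tcp-options md5 allow" and
# "set connection random-sequence-number disable" for an SXP peering that
# uses TCP MD5 authentication (RFC 2385).

TCP_OPT_NOP = 1
TCP_OPT_MD5 = 19        # RFC 2385 signature option kind
TCP_OPT_MD5_LEN = 18    # kind + length + 16-byte digest
SXP_PORT = 64999

# Constructed sample addresses; not taken from the post.
SRC_IP = "192.0.2.10"
DST_IP = "192.0.2.20"


def tcp_md5_digest(src_ip, dst_ip, header20, seg_len, payload, key):
    """RFC 2385 digest: pseudo-header, fixed 20-byte TCP header with the
    checksum treated as zero (options excluded), segment data, shared key."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)
    hdr = bytearray(header20)
    hdr[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()


def build_segment(sport, dport, seq, ack, flags, payload, key):
    """Build a TCP segment carrying an MD5 signature option.
    The TCP checksum is left at zero for brevity; the signature is computed
    with it zeroed in any case."""
    opts_len = 20                      # two NOPs + 18-byte option 19 = 4-byte aligned
    data_offset = (20 + opts_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(SRC_IP, DST_IP, header, 20 + opts_len + len(payload), payload, key)
    options = bytes([TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest
    return header + options + payload


def parse_options(segment):
    """Return ({kind: value_bytes}, payload). NOPs are skipped, EOL terminates."""
    data_offset = (segment[12] >> 4) * 4
    opts, payload = segment[20:data_offset], segment[data_offset:]
    found, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        found[kind] = bytes(opts[i + 2:i + length])
        i += length
    return found, payload


def verify_segment(segment, key):
    """What the receiving SXP peer does: recompute the digest and compare it
    with option 19. A missing option or a mismatch is a failure."""
    options, payload = parse_options(segment)
    sig = options.get(TCP_OPT_MD5)
    if sig is None or len(sig) != 16:
        return False
    expected = tcp_md5_digest(SRC_IP, DST_IP, segment[:20], len(segment), payload, key)
    return hmac.compare_digest(sig, expected)


def through_asa(segment, allow_md5_option, randomize_isn, isn_shift=0x12345678):
    """Simplified model of the two ASA behaviours the posted config controls.
    By default the ASA clears TCP options it does not pass (modelled by
    overwriting option 19 with NOPs) and randomizes the sequence number
    (modelled by adding a fixed shift)."""
    seg = bytearray(segment)
    if randomize_isn:
        seq = struct.unpack("!I", seg[4:8])[0]
        seg[4:8] = struct.pack("!I", (seq + isn_shift) & 0xFFFFFFFF)
    if not allow_md5_option:
        data_offset = (seg[12] >> 4) * 4
        i = 20
        while i < data_offset:
            kind = seg[i]
            if kind == 0:
                break
            if kind == TCP_OPT_NOP:
                i += 1
                continue
            length = seg[i + 1]
            if kind == TCP_OPT_MD5:
                seg[i:i + length] = bytes([TCP_OPT_NOP]) * length
            i += length
    return bytes(seg)


def demo():
    """Signature verification outcome at the peer for each firewall setting."""
    key = b"constructed-shared-secret"
    seg = build_segment(SXP_PORT, 40001, seq=1000, ack=0, flags=0x02, payload=b"", key=key)
    return {
        "direct": verify_segment(seg, key),
        "asa_default": verify_segment(through_asa(seg, allow_md5_option=False, randomize_isn=True), key),
        "option_allowed_only": verify_segment(through_asa(seg, True, True), key),
        "posted_config": verify_segment(through_asa(seg, True, False), key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {'signature verifies' if ok else 'signature FAILS'}")
```

Only the "posted_config" case, with option 19 passed and sequence-number randomization off, verifies; this matches the symptom reported in the comments, where the SXP connection never comes up and the ASA logs nothing, because from the firewall's point of view it is forwarding a valid TCP stream.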

Works perfectly, saved me after 2 days of troubleshooting.

Yes, thank you. SXP connection came up after one day of troubleshooting after applying this.
No log statement in the ASA to indicate where the problem was...