SXP through a Cisco ASA Firewall


SXP connections often have to be established between devices through a firewall; a typical case is the connection between network devices such as access switches and the Cisco Identity Services Engine. SXP authenticates its TCP session with the TCP MD5 signature option (TCP option 19), and that signature is computed over the TCP header including the sequence numbers, so a default ASA breaks it in two ways: it clears TCP options it does not explicitly allow, and its sequence number randomization rewrites the very field the signature covers. To make SXP work, a custom inspection must therefore be defined that allows the MD5 option and disables sequence number randomization for this traffic, in addition to permitting the SXP TCP connection on port 64999 through the firewall.

This example ASA configuration will allow SXP connections to be established through the firewall:

access-list SXP-MD5-ACL extended permit tcp host <IP1> host <IP2> eq 64999
access-list SXP-MD5-ACL extended permit tcp host <IP2> host <IP1> eq 64999
!
tcp-map SXP-MD5-OPTION-ALLOW
  tcp-options md5 allow
!
class-map SXP-MD5-CLASSMAP
  match access-list SXP-MD5-ACL
!
policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
!
policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  class SXP-MD5-CLASSMAP
    set connection random-sequence-number disable
    set connection advanced-options SXP-MD5-OPTION-ALLOW

NOTE:

If the tcp-options command on your software version does not support the md5 keyword, substitute the command tcp-options range 19 19 allow. TCP option 19 is the TCP MD5 signature option (RFC 2385); it is the same option that the md5 keyword refers to in ASA/FTD firewalls.
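The following script is an added illustration of why the two class-map settings above are both needed; it is not code from the post or from Cisco. It computes the RFC 2385 TCP MD5 signature that protects an SXP session and shows that rewriting the sequence number (as ASA randomization would) invalidates the digest, and it builds the option-19 bytes the tcp-map must let through. All addresses, ports, sequence numbers and the key are constructed sample values.

```python
import hashlib
import socket
import struct

# Constructed sample values; not taken from the post.
SXP_PORT = 64999
TCP_MD5_OPTION_KIND = 19  # TCP MD5 Signature option kind (RFC 2385)
TCP_MD5_OPTION_LEN = 18   # kind + length + 16-byte digest


def tcp_md5_signature(src_ip, dst_ip, src_port, dst_port, seq, ack,
                      flags, window, payload, key):
    """RFC 2385 digest: MD5 over the TCP pseudo-header, the TCP header with
    options excluded and checksum zeroed, the payload, and finally the key."""
    # Data offset reflects the real header including a 20-byte option block
    # (18-byte MD5 option + 2 NOP bytes of padding): 40 bytes = 10 words.
    data_offset = 10
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    seg_len = data_offset * 4 + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP,
                         seg_len)
    return hashlib.md5(pseudo + header + payload + key).digest()


def md5_option_bytes(digest):
    """Wire format of the option the tcp-map allows (kind 19), NOP-padded."""
    return bytes([TCP_MD5_OPTION_KIND, TCP_MD5_OPTION_LEN]) + digest + b"\x01\x01"


def demo():
    """Return (accepted_as_sent, accepted_after_seq_rewrite).

    The second value models an ASA that still randomizes sequence numbers:
    the rewritten header no longer matches the digest the sender computed."""
    key = b"constructed-sxp-password"
    syn = dict(src_ip="192.0.2.10", dst_ip="192.0.2.20", src_port=40000,
               dst_port=SXP_PORT, seq=0x1A2B3C4D, ack=0, flags=0x02,
               window=65535, payload=b"", key=key)
    sent = tcp_md5_signature(**syn)
    rewritten = dict(syn, seq=(syn["seq"] + 0x7F00) & 0xFFFFFFFF)
    return (tcp_md5_signature(**syn) == sent,
            tcp_md5_signature(**rewritten) == sent)


if __name__ == "__main__":
    ok, ok_after_rewrite = demo()
    print(f"verifies as sent: {ok}; after sequence rewrite: {ok_after_rewrite}")
```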

I would like to thank Mr. Shaun White for this sample configuration.

Comments
Community Member

Works perfectly, saved me after 2 days of troubleshooting

Beginner

Yes, thank you. SXP connection came up after one day of troubleshooting after applying this.
No log statement in the ASA to indicate where the problem was...
