C8200-1N-4T Router. ZBFW passing SCTP

Karma0
Level 1

Hello,

Does anybody know how I can pass/allow just SCTP traffic between two different security zones?

zone security ZONE_OUTSIDE
zone security ZONE_INSIDE

I also have an extended ACL in which it is not possible to allow only the sctp protocol.

I only get it to work if I allow IP traffic in the ACL (it is not feasible to allow all IP traffic for security reasons).

class-map type inspect match-any CMAP_PROTOCOLS_INSPECT_OUTSIDE_TO_IN
 match protocol sctp

ip access-list extended ACL_OUTSIDE_IN
 permit sctp ip_1 ip_2
 permit ip ip_1 ip_2 (This option is not secure)

PS. We are trying with IOS XE 17.12.3a firmware but this does not work. Any workaround?

8 Replies

Is this all the config?

Where is the config of the policy and zone pair?

Check this 

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

MHM

Hi MHM, please see the rest of the configuration, which I am posting later.

Checking the article you linked, SCTP is not mentioned at all, and it states that ZBFW class-maps are specified for layer 4 protocols (TCP, UDP and ICMP). No mention of the SCTP protocol.


The guide is how you config the zone class/policy/pair,
and if your router supports match protocol sctp then it can filter it.
What you need is:
1- class match-all

A- match sctp protocol

B- match acl

2- policy using the class above with action inspect
3- zone pair from IN to OUT using the policy above <<- you can do the other direction from OUT to IN
MHM

Hello
FYI the protocol match needs to be before any match on an acl.

can you post the following :
sh policy-firewall config all

Edited - have you checked if sctp is listed as an application protocol?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
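MHM's three steps, with the protocol match placed before the ACL match as Paul notes, written out as an added configuration example that is not from the thread or from Cisco documentation. The ACL and class-map names are my own, the two hosts are placeholder addresses (198.51.100.20 outside, 192.0.2.10 inside), and "inspect" is used because that is the action the original post's outside-to-in policy uses; whether "match protocol sctp" actually classifies on 17.12.3a remains the open question of the thread. The point of the ACL is that it only ever permits protocol sctp, so there is no "permit ip" fallback to fall through to:

```cisco
! ACL: only the SCTP protocol between the two hosts, no "permit ip" line
! (addresses are placeholders, not from the original post)
ip access-list extended ACL_SCTP_OUTSIDE_IN
 permit sctp host 198.51.100.20 host 192.0.2.10
!
! match-all: the flow must be classified as SCTP AND match the ACL;
! the protocol match comes first, the access-group match second
class-map type inspect match-all CMAP_SCTP_OUTSIDE_TO_IN
 match protocol sctp
 match access-group name ACL_SCTP_OUTSIDE_IN
!
! policy: inspect the matched SCTP flows, drop and log everything else
policy-map type inspect PMAP_SCTP_OUTSIDE_TO_IN
 class type inspect CMAP_SCTP_OUTSIDE_TO_IN
  inspect
 class class-default
  drop log
!
! zone pair OUT -> IN using the policy above (zones as in the original post)
zone-pair security ZPAIR_OUTSIDE_TO_IN source ZONE_OUTSIDE destination ZONE_INSIDE
 service-policy type inspect PMAP_SCTP_OUTSIDE_TO_IN
```

After applying it, "show policy-firewall config all" (the command Paul asks for) shows whether the class-map, policy and zone pair bound together as intended.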

Hi, the configuration includes policy-maps, class-maps, zone-pairs... and it works if matching protocols other than SCTP. The configuration is as follows:

!!!!!!!!!!! ASSIGNING INTERFACES TO ZONES !!!!!!!!!!!!!
interface GigabitEthernet0/0/0
 zone-member security ZONE_OUTSIDE
interface GigabitEthernet0/0/1
 zone-member security ZONE_INSIDE

!!!!!!!!!!!!! DEFINING SECURITY ZONES !!!!!!!!!!!!!!!!!!
zone security ZONE_OUTSIDE
zone security ZONE_INSIDE

!!!!!!!!!!!!! DEFINING CLASS-MAPS !!!!!!!!!!!!!!!!!!!
class-map type inspect match-any CMAP_PROTOCOLS_INSPECT_INSIDE_TO_OUT
 match protocol h323
 match protocol sctp
class-map type inspect match-any CMAP_PROTOCOLS_INSPECT_OUTSIDE_TO_IN
 match protocol h323
 match protocol sctp
class-map type inspect match-all CMAP_INSIDE_TO_OUT
 match access-group name ACL_INSIDE_OUT
class-map type inspect match-all CMAP_OUTSIDE_TO_IN
 match access-group name ACL_OUTSIDE_IN

!!!!!!!!!!!! DEFINING POLICY-MAPS !!!!!!!!!!!!!!!!!!!!
policy-map type inspect PMAP_INSIDE_TO_OUT
 class type inspect CMAP_PROTOCOLS_INSPECT_INSIDE_TO_OUT
  pass
 class type inspect CMAP_INSIDE_TO_OUT
  inspect
 class class-default
  drop log
policy-map type inspect PMAP_OUTSIDE_TO_IN
 class type inspect CMAP_PROTOCOLS_INSPECT_OUTSIDE_TO_IN
  inspect
 class type inspect CMAP_OUTSIDE_TO_IN
  inspect
 class class-default

!!!!!!!! DEFINING ZONE-PAIRS !!!!!!!!!
zone-pair security ZPAIR_OUTSIDE_TO_IN source ZONE_OUTSIDE destination ZONE_INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_IN
zone-pair security ZPAIR_INSIDE_TO_OUT source ZONE_INSIDE destination ZONE_OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUT

!!!!!!!! DEFINING ACLs !!!!!!!!!
ip access-list standard ACL_INSIDE_OUT
 permit any
ip access-list extended ACL_OUTSIDE_IN
 "Permit only sctp protocol"

FW#sh policy-map type insp zone-pair PMAP_INSIDE_TO_OUT/PMAP_OUTSIDE_TO_IN

Share these outputs.

MHM 

Any update?

MHM

Hello


@Karma0 wrote:
and it works if matching protocols other than SCTP.

No mention of the SCTP protocol.


Apologies for asking this again, but is sctp actually showing as an application protocol? If it isn't, then you WILL need to use an ACL to specify the port number and obtain a match for its traffic.
Alternatively you could try downloading a newer PDLM for the rtr to see if that includes an SCTP application?


Kind Regards
Paul