How to allow UDP broadcast between interfaces on a Cisco ASA 5506-X
I have a Cisco ASA 5506-X with 4 configured interfaces and a set of access-lists etc. It is configured via CLI and is running in routed mode, not transparent. Everything is running well, but now I have a problem I could not yet solve:
One of the interfaces contains a subnet (192.168.2.*) with devices that send out a UDP broadcast to discover another kind of device. Those other devices are in another subnet on another interface (192.168.3.*). The UDP broadcast is global (255.255.255.255) on a certain port.
I want the global UDP broadcast sent out in 192.168.2.* to also be sent to 192.168.3.* - and to allow the way back as well, of course.
On other Cisco devices, I already found out that one can do that with the ip helper-address and ip forward-protocol commands - but the ASA models do not support those, as far as I can see.
So, how do I get the global UDP broadcast across the interfaces?
I think the issue here is that you misunderstand what 255.255.255.255 means. It's not a "global broadcast". The definition from the RFC (https://www.rfc-editor.org/rfc/rfc919):
"The address 255.255.255.255 denotes a broadcast on a local hardware network, which must not be forwarded. This address may be used, for example, by hosts that do not know their network number and are asking some server for it. Thus, a host on net 36, for example, may:
- broadcast to all of its immediate neighbors by using 255.255.255.255
- broadcast to all of net 36 by using 36.255.255.255"
In your case a host in 192.168.3.0/24 sending a broadcast to 255.255.255.255 is saying "please send this to all hosts in 192.168.3.0/24". This is the same as sending a packet to 192.168.3.255. If a host in .3 wants to send a broadcast to .2 it needs to send a packet to 192.168.2.255. Having broadcasts from .3 rebroadcast into .2 is essentially saying you want to make them the same subnet whilst keeping them as different subnets. (The common other name for a subnet is a "broadcast domain".)
What the ip helper-address and ip forward-protocol and the ASA's dhcprelay commands do is capture the broadcast packet and forward it as a unicast packet to a specific host, normally a remote DHCP server, but there are other uses. This is explicitly stated in the first paragraph of the Checkpoint doc linked in the previous answer. It could be thought of as a kind of NAT, i.e. the destination address (255.255.255.255) is changed to a specified unicast IP, 192.168.3.10, and then routed as a normal unicast packet. This works great for DHCP and allows the DHCP server to be in a remote network and still receive and respond to DHCP requests, but unfortunately even if the ASA supported the ip helper-address and ip forward-protocol commands it still couldn't solve your problem. What you're asking violates the RFC and the definition of what a subnet is.
The easiest solution here is to merge the 2 subnets into 192.168.2.0/23 then bridge the 2 interfaces and use the ASA in transparent mode to filter traffic between the 2 sets of hosts.
If you can't do that then you need to work out a more scalable way for your devices to find each other. Either sending broadcasts to their subnets' respective broadcast addresses (192.168.3.255 and 192.168.2.255) or using some other discovery method. 255.255.255.255 isn't a scalable or flexible solution.
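The following is an added example, not code from either answer or from Cisco: a small Python model of the RFC 919 semantics the answer above explains (limited broadcast versus directed broadcast) and of the helper-address / dhcprelay rewrite it describes. The two-interface topology, the helper address 192.168.3.10 and the relayed port list are constructed assumptions; the model forwards only limited broadcasts on configured UDP ports, which is a simplification of what the real commands do.

```python
# Added example (not from the original post or from Cisco): models RFC 919
# broadcast semantics and the ip helper-address / dhcprelay rewrite.
import ipaddress
from typing import Optional

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed topology: two routed ASA interfaces, each with its own subnet.
INTERFACES = {
    "inside": ipaddress.IPv4Network("192.168.2.0/24"),
    "servers": ipaddress.IPv4Network("192.168.3.0/24"),
}


def _interface_of(ip: ipaddress.IPv4Address) -> str:
    """Name of the interface whose subnet contains ip."""
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    raise ValueError(f"{ip} is not on any configured interface")


def classify_destination(src: str, dst: str) -> str:
    """Describe what a destination address means for a packet sent by src.

    'limited-broadcast:<if>'  - 255.255.255.255: stays on the sender's own link
                                and must not be forwarded (RFC 919)
    'directed-broadcast:<if>' - the x.y.z.255 of a configured subnet: routable,
                                but only if the router permits directed broadcast
    'unicast'                 - an ordinary host address
    """
    src_ip = ipaddress.IPv4Address(src)
    dst_ip = ipaddress.IPv4Address(dst)
    if dst_ip == LIMITED_BROADCAST:
        return f"limited-broadcast:{_interface_of(src_ip)}"
    for name, net in INTERFACES.items():
        if dst_ip == net.broadcast_address:
            return f"directed-broadcast:{name}"
    return "unicast"


def equivalent_directed_broadcast(src: str) -> str:
    """255.255.255.255 sent by src reaches exactly the hosts that src's own
    subnet broadcast address reaches, so that address is the equivalent."""
    net = INTERFACES[_interface_of(ipaddress.IPv4Address(src))]
    return str(net.broadcast_address)


def would_forward(src: str, dst: str, directed_broadcast_allowed: bool = False) -> bool:
    """Would a routed firewall move this packet to another interface?"""
    kind = classify_destination(src, dst)
    src_if = _interface_of(ipaddress.IPv4Address(src))
    if kind.startswith("limited-broadcast"):
        return False  # never forwarded, whatever the ACLs say
    if kind.startswith("directed-broadcast"):
        target_if = kind.split(":", 1)[1]
        return directed_broadcast_allowed and target_if != src_if
    # Unicast: routed only if the destination lives on another interface.
    return _interface_of(ipaddress.IPv4Address(dst)) != src_if


def helper_rewrite(dst: str, udp_port: int, helper: str = "192.168.3.10",
                   relayed_ports: tuple = (67,)) -> Optional[str]:
    """The helper-address / dhcprelay idea: a limited broadcast on a relayed UDP
    port is re-addressed to one configured unicast host and routed normally.
    Returns the new destination, or None when the packet is left untouched.
    (Assumption: only port 67 is relayed; the real commands cover more.)"""
    if ipaddress.IPv4Address(dst) == LIMITED_BROADCAST and udp_port in relayed_ports:
        return helper
    return None


if __name__ == "__main__":
    print(classify_destination("192.168.3.20", "255.255.255.255"))
    print(equivalent_directed_broadcast("192.168.3.20"))
    print(would_forward("192.168.2.5", "192.168.3.255", directed_broadcast_allowed=True))
    print(helper_rewrite("255.255.255.255", 67), helper_rewrite("255.255.255.255", 5000))
```

The point the model makes concrete: a discovery broadcast to 255.255.255.255 on port 5000 is neither forwarded nor rewritten, whereas the same packet on the relayed DHCP port becomes a unicast to one host, which is why dhcprelay helps DHCP but not a "find every device in the other subnet" protocol.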
There is no feature for this in the current version (probably for security reasons). Cisco implemented "dhcprelay" instead and didn't provide a means for more general broadcast forwarding.
I'd suggest adding another device outside the ASA FW that could perform the same role (A Cisco router or a Linux machine perhaps). You will need to allow "directed broadcast" through the ASA.
You might also consider using a different firewall platform which does support broadcast relay, for example a Checkpoint Firewall.
Look here to see how it's configured