PIX – Allow UDP replies in.

Tags: Administration, Cisco, Firewalls, Forensics, Incident response, Installation, Intrusion management, Network protocols, Network security, VPN, Wireless
Hi All,

The president of my company has started to use Skype (www.skype.com). There is a function in the program to do file transfers. When we try that, the program shows that it has to relay the transfer, and when it does that it limits the bandwidth to 0.5 kB/second. I've pasted the documentation that Skype provides on their page, but I don't fully understand what changes I have to make to my PIX to fix the problem. Any help is very much appreciated.

Thanks,
Magnus Andersen.

From Skype's website:

What is a relayed transfer?

A relayed transfer means that you are unable to make a direct connection to the other party because of your firewall or NAT (Network Address Translation / router) configuration or that of the remote party. In this case, the file transfer is relayed through other peers on the network. When a transfer is relayed, Skype will limit the file transfer speed to 0.5 kB/second. Only peers with plenty of available bandwidth are used for relay purposes. Note that if you were using another non-p2p application to attempt the transfer, it's not likely you would be able to transfer anything at all! We feel that a slower transfer is better than no transfer! You can read more information below for technical tips on how to avoid relayed transfers (or find a techie friend to help you).

What can I do to avoid a relayed transfer? (Techies only!)

There is no simple answer to this question since there are so many different types of network configurations. However, there are several things you can do to ensure, or at least improve the likelihood, that you will have a direct (and probably faster) transfer. Relayed transfers are usually caused by the firewall/NAT/router not allowing UDP packets out and their replies back in. Opening ports is usually not necessary, but it can help in some cases, depending on the firewall/NAT/router.

It may help to consult your firewall/NAT vendor or documentation to find out whether this is possible or how to configure your firewall/NAT to allow UDP replies in (usually in the advanced settings). About 75% of firewall/NAT/routers are "p2p-friendly", which means that they are configured by default to let this traffic through in a special way (technically, they allow "UDP Consistent Translation"). If you are buying a new firewall/NAT/router, you should look for one that is "p2p-friendly". You can also find out if your firewall/NAT/router is "p2p-friendly" by consulting the following list: http://bgp.lcs.mit.edu/~dga/view.cgi. A "Yes" in the "UDP Consistent Translation" column indicates that the firewall/NAT is "p2p-friendly" and will allow high-speed transfers. If your device isn't listed, you can also run a program called NATcheck, which can be found at http://midcom-p2p.sourceforge.net/. Please help us and future users by submitting the results of your test to our forums. Note that Skype cannot take any responsibility for the content on non-Skype pages!
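The Skype note above turns on one property of the firewall/NAT: whether it keeps a single, "consistent" UDP translation per internal socket and lets replies to it back in, or allocates a new external port per destination and only admits the original destination's replies, which is what forces a relay. The toy model below is an added illustration, not code from the question, Skype or Cisco; the NAT behaviours, the NATcheck-style probe and all addresses and ports are constructed assumptions, simplified from the page's description.

```python
from dataclasses import dataclass, field

Addr = tuple  # (ip, port); every address below is a constructed sample


@dataclass
class UdpNat:
    """Toy UDP NAT. consistent=True models the 'UDP Consistent Translation'
    behaviour the Skype note calls p2p-friendly: one external port per
    internal socket, and replies to it are let back in from any peer.
    consistent=False models a per-destination NAT: a new external port per
    destination, and only that destination may send replies back in."""
    external_ip: str
    consistent: bool
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, src: Addr, dst: Addr) -> Addr:
        """Translate an outbound packet; returns the external (ip, port) used."""
        key = src if self.consistent else (src, dst)
        if key not in self.table:
            self.table[key] = (self.external_ip, self.next_port)
            self.next_port += 1
        return self.table[key]

    def inbound(self, ext_src: Addr, ext_dst: Addr):
        """Return the internal socket a reply is delivered to, or None if dropped."""
        for key, ext in self.table.items():
            if ext != ext_dst:
                continue
            if self.consistent:
                return key            # a reply from any peer is allowed in
            src, dst = key
            if dst == ext_src:        # only the original destination may reply
                return src
        return None


def natcheck(nat: UdpNat, internal: Addr, servers: list) -> bool:
    """NATcheck-style probe: one internal socket talks to several servers;
    the NAT is 'consistent' if they all observe the same external mapping."""
    return len({nat.outbound(internal, s) for s in servers}) == 1


def transfer_mode(nat_a: UdpNat, nat_b: UdpNat) -> str:
    """A direct transfer needs consistent mappings on both sides, because each
    peer learns the other's external port from a third party, not the peer."""
    return "direct" if nat_a.consistent and nat_b.consistent else "relayed"
```

Running the probe against a consistent and a per-destination NAT shows why only the first lets the same external port be reused and replied to from a new peer, while the second drops any reply that does not come from the original destination.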


Does the President of your company even care about Security? Skype is basically telling you to open holes in your Firewall to allow UDP and all the nasty stuff that brings with it.

Skype actually port scans the Internet looking for machines to communicate with. It then establishes connections with them to relay your sessions. It uses all 65,535 ports to communicate. It is a proprietary protocol, so very little is known about its security. Be afraid, be very afraid! This software was designed by the makers of KaZaa.
