[Config] CBAC/Zone Based Firewall and SIP (Asterisk)

pmlco (join: 2009-09-04, Palm Coast, FL):
Hello. I have an 877 running 12.4(15)T9. Inside, in what will be the DMZ if I ever get it to work, I have an Asterisk PBX and a mail server. To keep things simple to start with, I have only two zones, Inside and Outside. Most of it - email, ssh, OpenVPN - works ok, and Asterisk half-works, by which I mean external SIP devices can register, but the media stream (rtp) is not getting set up properly. Sometimes it works, and although I don't have conclusive evidence, calls initiated from Inside seem to work, whereas calls initiated from an outside device are set up but have no audio. I suspect the Cisco firewall is trying to do something with the destination address of the RTP stream: Asterisk is trying to send RTP packets to the private (behind NAT) address of the phone, and not the public address (when I run it with my cheapo Netopia router it works perfectly and Asterisk sends rtp packets to the remote phone's external address.) I also tried using CBAC, and the results were exactly the same. Anyway, if anyone can offer any suggestions, they will be appreciated.
Ian
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname MyRouterName
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 warnings
!
no aaa new-model
clock timezone EST -5
!
crypto pki trustpoint TP-self-signed-4226416467
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4226416467
revocation-check none
rsakeypair TP-self-signed-4226416467
!
!
crypto pki certificate chain TP-self-signed-4226416467
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
dot11 syslog
no ip source-route
ip cef
!
!
ip domain-lookup
ip dns server
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.71.254
ip dhcp excluded-address 192.168.71.1 192.168.71.150
!
ip dhcp pool dhcp0-pool
import all
network 192.168.71.0 255.255.255.0
default-router 192.168.71.254
lease 0 2
!
!
ip domain list myname.net
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
username admin privilege 15 secret 5 $1$SJDJ$S6tLtbzMchP05QCHpG7HE1
username ian privilege 15 secret 5 $1$zLaw$pAvLLShdYLXaBfmdgHPPE1
!
!
archive
log config
hidekeys
!
class-map type inspect match-any WebTraffic
match protocol http
match protocol https
!
ip port-map ssh port tcp 22003
ip port-map ssh port tcp 22004
ip port-map ssh port tcp 22005
ip port-map ssh port tcp 22006
ip port-map ssh port tcp 22007
ip port-map ssh port tcp 22008
class-map type inspect match-any SSH
match protocol ssh
!
ip port-map smtp port tcp 587
ip port-map smtp port tcp 465
class-map type inspect match-any Email
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol imap
match protocol imap3
match protocol imaps
class-map type inspect match-any Misc
match protocol ntp
class-map type inspect match-any SIP
match protocol sip
class-map type inspect match-any Access
match access-group name AllowedIn
!
policy-map type inspect In2Out
class class-default
inspect
!
policy-map type inspect Out2In
class type inspect Access
pass
class type inspect SIP
inspect
class type inspect Misc
inspect
class type inspect Email
inspect
class type inspect SSH
inspect
class class-default
drop log
!
zone security Inside
description Inside network
zone security Outside
description Outside network
!
zone-pair security Out2In source Outside destination Inside
service-policy type inspect Out2In
!
zone-pair security In2Out source Inside destination Outside
service-policy type inspect In2Out
!
class-map match-any Management-1
match dscp cs2
class-map match-any Routing-1
match dscp cs6
class-map match-any Signaling-1
match dscp cs3
match dscp af31
class-map match-any Voice-1
match dscp ef
class-map match-any Transactional-1
match dscp af21
match dscp af22
match dscp af23
!
!
policy-map QoS-Policy-1
class Voice-1
priority percent 33
class Signaling-1
bandwidth percent 5
class Routing-1
bandwidth percent 5
class Management-1
bandwidth percent 5
class Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Virtual Interface for FastEthernet 0-3
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
description Virtual Outside Interface
ip address my.own.ip.address 255.0.0.0
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer string "*99#"
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname myname@bellsouth.net
ppp chap password 7 01475252095A525D
ppp pap sent-username myname@bellsouth.net password 7 13514344595D5078
ppp ipcp dns request
service-policy output QoS-Policy-1
zone-member security Outside
!
interface BVI1
description Bridge-Group Virtual Interface for Bridge Group 1
ip address 192.168.71.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
zone-member security Inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 10.71.42.0 255.255.255.0 192.168.71.6 permanent
!
!
ip http server
ip http port 2420
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.71.7 25 my.own.ip.address 25 extendable
ip nat inside source static tcp 192.168.71.7 80 my.own.ip.address 80 extendable
ip nat inside source static tcp 192.168.71.7 443 my.own.ip.address 443 extendable
ip nat inside source static tcp 192.168.71.7 110 my.own.ip.address 110 extendable
ip nat inside source static tcp 192.168.71.6 123 my.own.ip.address 123 extendable
ip nat inside source static tcp 192.168.71.7 143 my.own.ip.address 143 extendable
ip nat inside source static tcp 192.168.71.7 220 my.own.ip.address 220 extendable
ip nat inside source static tcp 192.168.71.7 465 my.own.ip.address 465 extendable
ip nat inside source static tcp 192.168.71.7 587 my.own.ip.address 587 extendable
ip nat inside source static tcp 192.168.71.7 993 my.own.ip.address 993 extendable
ip nat inside source static tcp 192.168.71.7 995 my.own.ip.address 995 extendable
ip nat inside source static udp 192.168.71.6 1194 my.own.ip.address 1194 extendable
ip nat inside source static udp 192.168.71.8 4569 my.own.ip.address 4569 extendable
ip nat inside source static udp 192.168.71.8 3478 my.own.ip.address 3478 extendable
ip nat inside source static tcp 192.168.71.20 5001 my.own.ip.address 5001 extendable
ip nat inside source static udp 192.168.71.8 5060 my.own.ip.address 5060 extendable
ip nat inside source static tcp 192.168.71.3 22 my.own.ip.address 22003 extendable
ip nat inside source static tcp 192.168.71.4 22 my.own.ip.address 22004 extendable
ip nat inside source static tcp 192.168.71.5 22 my.own.ip.address 22005 extendable
ip nat inside source static tcp 192.168.71.6 22 my.own.ip.address 22006 extendable
ip nat inside source static tcp 192.168.71.7 22 my.own.ip.address 22007 extendable
ip nat inside source static tcp 192.168.71.8 22 my.own.ip.address 22008 extendable
!
logging 192.168.71.6
access-list 1 permit 192.168.71.0 0.0.0.255
ip access-list extended AllowedIn
remark OpenVPN
permit udp any any eq 1194
remark iax2
permit udp any any eq 4569
remark slingbox
permit tcp any any eq 5001
!
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec
Welcme - Cisco 877 router.
-----------------------------------------------------------------------
banner login
-----------------------------------------------------------------------
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175885
ntp server 192.168.71.6
end
cooldude9919 (1 edit):
I will look through the config some more, but the first thing I notice is your class AllowedIn being a pass. ZBFW doesn't seem to like having an inspect one way and a pass the other way. You either need to have it be an inspect also, or change everything to pass (including the In2Out class default). This may or may not be causing you any problems, but it has to me in the past.
Since you have a drop log, are you seeing anything being dropped that could be causing the problem?

cooldude9919 (reply to pmlco):
Please explain this bit in more detail:
said by pmlco: Asterisk is trying to send RTP packets to the private (behind NAT) address of the phone, and not the public address (when I run it with my cheapo Netopia router it works perfectly and Asterisk sends rtp packets to the remote phone's external address.) I also tried using CBAC, and the results were exactly the same. Anyway, if anyone can offer any suggestions, they will be appreciated.
Where is the phone? What IP does it have (rough idea)?
If the phone is on the same interface and has a 192.xxx IP, then yes it will send it to the internal IP address, because both devices are on the same "ip nat inside" interface. In this case they would actually ARP for each other and talk direct.

pmlco (join: 2009-09-04, Palm Coast, FL):
said by cooldude9919: please explain this bit in more detail,
The phone is on an external network (internal phones work fine.) Asterisk normally sends rtp packets to the remote phone's external address on the appropriate negotiated ports, e.g.
Sent RTP packet to 81.49.22.60:13500 (type 18, seq 016586, ts 097416, len 000020)
Sent RTP packet to 81.49.22.60:13500 (type 18, seq 016587, ts 097576, len 000020)
However, with the Cisco router running, I got
Sent RTP packet to 192.168.1.105:13500 (type 18, seq 016586, ts 097416, len 000020)
Sent RTP packet to 192.168.1.105:13500 (type 18, seq 016587, ts 097576, len 000020)
Where 192.168.1.105 is the phone's address on the remote local network.
An interesting observation - the problem seems to be dependent on the phone. The above was observed when using a Nokia N85 with a SIP client. When I tried another phone (Siemens C470 IP) the rtp packets were routed correctly.
said by cooldude9919: Since you have a drop log, are you seeing anything being dropped that could be causing the problem?
There's nothing in the log now. However, when I was using CBAC, I was getting "access denied" messages. See the thread "[HELP] 877 BVI question".
said by cooldude9919: You either need to have it be an inspect also, or change everything to pass (including the In2Out class default). This may or may not be causing you any problems, but it has to me in the past.
Thanks for the suggestion - I will try that.
Regards Ian

pmlco (join: 2009-09-04, Palm Coast, FL):
An update:
I have tried changing everything to 'inspect', and also everything to 'pass', it makes no difference.
My observation about the Siemens phone working and the Nokia not working remains, but it's not just the Nokia that has problems. If I try to initiate a call from Asterisk to a Siemens phone, I get the same problem - Asterisk tries to send rtp packets to the phone's internal address on the remote network.
Sent RTP packet to 192.168.1.7:13500 (type 18, seq 065427, ts 013920, len 000020)
Sent RTP packet to 192.168.1.7:13500 (type 18, seq 065428, ts 014080, len 000020)
Exactly the same scenario using a Netopia router shows Asterisk sending packets to the remote phone's external IP address, and the call succeeds. It looks like the ZBF, and CBAC too, is rewriting the packets replacing the source IP address with the internal address on the remote network. Is there some way of verifying this, or turning it off?
Regards Ian
p.s. I also have problems with email, but at least I get a log entry:
Sep 13 02:57:58 192.168.71.254 42: Sep 13 01:57:57: %FW-3-SMTP_INVALID_COMMAND: (target:class)-(Out2In:Email):Invalid SMTP command (x16x03x01x00x01x00x00x8Cx03)
I can pick up email but not send using Thunderbird SMTP over SSL on port 465. This however is a low-priority problem - the SIP issue is far more serious.

cooldude9919:
said by pmlco: An update: I have tried changing everything to 'inspect', and also everything to 'pass', it makes no difference. My observation about the Siemens phone working and the Nokia not working remains, but it's not just the Nokia that has problems. If I try to initiate a call from Asterisk to a Siemens phone, I get the same problem - Asterisk tries to send rtp packets to the phone's internal address on the remote network.
Sent RTP packet to 192.168.1.7:13500 (type 18, seq 065427, ts 013920, len 000020)
Sent RTP packet to 192.168.1.7:13500 (type 18, seq 065428, ts 014080, len 000020)
Exactly the same scenario using a Netopia router shows Asterisk sending packets to the remote phone's external IP address, and the call succeeds. It looks like the ZBF, and CBAC too, is rewriting the packets replacing the source IP address with the internal address on the remote network. Is there some way of verifying this, or turning it off? Regards Ian p.s. I also have problems with email, but at least I get a log entry:
Sep 13 02:57:58 192.168.71.254 42: Sep 13 01:57:57: %FW-3-SMTP_INVALID_COMMAND: (target:class)-(Out2In:Email):Invalid SMTP command (x16x03x01x00x01x00x00x8Cx03)
I can pick up email but not send using Thunderbird SMTP over SSL on port 465. This however is a low-priority problem - the SIP issue is far more serious.
How the hell does it know that internal IP address on the remote network? Do they share a DNS server or something and it is telling Asterisk the internal IP?

pmlco (join: 2009-09-04, Palm Coast, FL):
said by cooldude9919: How the hell does it know that internal IP address on the remote network? Do they share a DNS server or something and it is telling Asterisk the internal IP?
The networks are entirely separate, they are even in different countries. The remote address is in the SIP and SDP headers. Setting nat=yes in the Asterisk SIP configuration tells Asterisk to ignore the SIP and SDP return addresses and use the one in the IP header. This normally works, which is why I think the router is changing the IP header address. However, it occurs to me that the router might be swapping the addresses, and the correct one is now in the SIP header, in which case I should set nat=never in Asterisk. I will try this at the weekend and report back.
Ian

cooldude9919:
said by pmlco: said by cooldude9919: How the hell does it know that internal IP address on the remote network? Do they share a DNS server or something and it is telling Asterisk the internal IP? The networks are entirely separate, they are even in different countries. The remote address is in the SIP and SDP headers. Setting nat=yes in the Asterisk SIP configuration tells Asterisk to ignore the SIP and SDP return addresses and use the one in the IP header. This normally works, which is why I think the router is changing the IP header address. However, it occurs to me that the router might be swapping the addresses, and the correct one is now in the SIP header, in which case I should set nat=never in Asterisk. I will try this at the weekend and report back. Ian
NAT would do this on this router, but of course you have no static nat entry for 192.168.1.7 since it is on the other network.

pmlco (join: 2009-09-04, Palm Coast, FL):
I will try this at the weekend and report back.
No improvement. The NAT translation shows that both the outside local and the outside global addresses are the same - the outside local address.
Pro  Inside global        Inside local        Outside local        Outside global
udp  my.ip.address:5060   192.168.71.8:5060   192.168.1.105:5060   192.168.1.105:5060
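The SMTP log line quoted earlier in the thread deserves a closer look before it is filed as a mail problem. The config maps port 465 to the smtp application (ip port-map smtp port tcp 465) and the Email class is inspected, so the firewall applies SMTP command inspection to a session whose very first bytes are a TLS record: 0x16 is the TLS handshake content type and 0x03 0x01 is the TLS 1.0 record-layer version, not an ASCII SMTP command. Submission on 587 with STARTTLS at least begins in clear text; implicit TLS on 465 never does. The Python helper below is added for this edit and is not code from the thread or from Cisco: it pulls the rejected bytes out of such a log line and classifies them. The log text is copied from the post, the function names are assumptions, and only the three-byte record prefix is decoded because the log prints a fragment rather than a whole record.

```python
import re
import string

# The firewall log line as quoted in the thread (copied here as constructed sample input).
LOG_LINE = (
    "Sep 13 02:57:58 192.168.71.254 42: Sep 13 01:57:57: %FW-3-SMTP_INVALID_COMMAND: "
    "(target:class)-(Out2In:Email):Invalid SMTP command (x16x03x01x00x01x00x00x8Cx03)"
)

# TLS record-layer content types (byte 0) and the versions carried in bytes 1-2 of a record header.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def extract_payload(log_line):
    """Return the bytes IOS printed as xHH pairs inside 'Invalid SMTP command (...)', or None."""
    m = re.search(r"Invalid SMTP command \(((?:x[0-9A-Fa-f]{2})+)\)", log_line)
    if not m:
        return None
    return bytes(int(h, 16) for h in re.findall(r"x([0-9A-Fa-f]{2})", m.group(1)))


def classify_payload(payload):
    """Decide whether the rejected bytes look like an SMTP command or a TLS record header."""
    # Only the 3-byte record prefix is decoded; the log shows a fragment, not a whole record.
    if len(payload) >= 3 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3 and payload[2] <= 4:
        return {
            "kind": "tls_record",
            "content_type": TLS_CONTENT_TYPES[payload[0]],
            "version": TLS_VERSIONS.get((payload[1], payload[2]), "TLS 1.3 or unknown"),
        }
    text = payload.decode("ascii", errors="replace")
    if text and all(ch in string.printable for ch in text):
        words = text.split()
        return {"kind": "smtp_text", "verb": words[0].upper() if words else ""}
    return {"kind": "unknown"}


def smtp_inspection_applicable(payload):
    """True only when the session starts with cleartext SMTP that a command inspector can parse."""
    return classify_payload(payload)["kind"] == "smtp_text"


if __name__ == "__main__":
    rejected = extract_payload(LOG_LINE)
    print(rejected.hex(), classify_payload(rejected))
    print("cleartext SMTP?", smtp_inspection_applicable(rejected))
```

Run against the thread's log line the classifier reports a TLS 1.0 handshake record, which is exactly what a Thunderbird "SMTP over SSL" connection on 465 sends first; an SMTP inspector that sees that will log %FW-3-SMTP_INVALID_COMMAND every time.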
ladino (2 edits):
You could try the following SIP command
!
sip-ua
nat symmetric role passive
!

pmlco (join: 2009-09-04, Palm Coast, FL):
Thanks ladino, an interesting suggestion. I will certainly try it, but it will be some time before I get the chance, as I had to abandon the Cisco router and I won't be back on site to try it again for several weeks. I'll let you know though.
For those (like me) who are not familiar with this:

nat symmetric role
To define endpoint settings to initiate or accept a connection for symmetric Network Address Translation (NAT) configuration, use the nat symmetric role command in SIP user agent configuration mode. To disable the nat symmetric role configuration, use the no form of this command.
nat symmetric role {active | passive}
no nat symmetric role {active | passive}

Syntax Description
active    Sets the symmetric NAT endpoint role to active, originating an outgoing connection.
passive   Sets the symmetric NAT endpoint role to passive, accepting an incoming connection to the port number on the m= line of the Session Description Protocol (SDP) body sent from the SDP body to the other endpoint.

Command Default
The endpoint settings to initiate or accept connections for NAT configuration are not defined.

Command Modes
SIP user agent configuration (sip-ua)

Command History
Release     Modification
12.2(13)T   This command was introduced.

Usage Guidelines
This command provides the ability to specify symmetric NAT endpoint settings for the SIP user agent. If the gateway does not receive the direction role, use the nat symmetric role command to define endpoint settings to initiate or accept a connection for symmetric NAT configuration. This is achieved by setting the symmetric NAT endpoint role to active or passive, respectively. Cisco recommends that you use the nat symmetric role command under the following conditions:
- Endpoints are aware of their presence inside or outside of NAT
- Endpoints parse and process direction: in SDP
If the endpoint conditions are not satisfied, you may not achieve the desired results when you configure the nat symmetric role command.

Examples
The following example shows how to set the endpoint role in connection setup to active:
Router(config)# sip-ua
Router(config-sip-ua)# nat symmetric role active
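The thread's core point, that the remote phone's private address travels inside the Via, Contact and SDP c= lines while only the IP header carries the public address, and that a NAT-aware PBX (or the router's ALG) has to notice the mismatch, is easy to check by hand on a captured INVITE. The Python check below is added for this edit; it is not code from Asterisk, Cisco or anyone in the thread, and it does not reproduce Asterisk's nat=yes logic, it only reports what the message advertises versus where it came from. The INVITE text, the pbx.example.net name and the function names are constructed assumptions; the addresses and the RTP port reuse the ones the thread quotes.

```python
import ipaddress
import re

# Constructed sample INVITE modelled on the thread's scenario: the phone sits on a
# remote 192.168.1.0/24 network behind its own NAT, so Via, Contact and the SDP
# c= line all carry its private address while the IP header source is public.
SAMPLE_INVITE = (
    "INVITE sip:1000@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.105:5060;branch=z9hG4bK776;rport\r\n"
    "From: <sip:phone@pbx.example.net>;tag=1\r\n"
    "To: <sip:1000@pbx.example.net>\r\n"
    "Contact: <sip:phone@192.168.1.105:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.105\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.105\r\n"
    "t=0 0\r\n"
    "m=audio 13500 RTP/AVP 18 0\r\n"
)


def parse_sip(raw):
    """Split a SIP message into a header dict and an SDP dict (first value per SDP key)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    sdp = {}
    for line in body.split("\r\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            sdp.setdefault(key, value)  # keep the session-level c= and the first m=
    return headers, sdp


def host_of(value):
    """Pull the IPv4 host out of a Via value or an angle-bracketed SIP URI."""
    m = re.search(r"(?:sip:(?:[^@>]*@)?|SIP/2\.0/\w+\s+)([\d.]+)", value)
    return m.group(1) if m else None


def media_endpoint(sdp):
    """Address from the c= line and port from the m= line: where the far end asks for RTP."""
    addr = sdp["c"].split()[-1] if sdp.get("c") else None
    port = int(sdp["m"].split()[1]) if sdp.get("m") else None
    return addr, port


def check_nat_consistency(raw, src_ip):
    """Compare the addresses the message advertises with the IP-header source it arrived from."""
    headers, sdp = parse_sip(raw)
    sdp_addr, sdp_port = media_endpoint(sdp)
    via_addr = host_of(headers.get("via", ""))
    contact_addr = host_of(headers.get("contact", ""))
    if sdp_addr is None:
        return {"verdict": "no-sdp", "via": via_addr, "contact": contact_addr, "source": src_ip}
    adv_private = ipaddress.ip_address(sdp_addr).is_private
    src_private = ipaddress.ip_address(src_ip).is_private

    if sdp_addr == src_ip:
        verdict = "consistent"               # no NAT in the path, or an ALG already rewrote the SDP
    elif adv_private and not src_private:
        verdict = "behind-nat-unrewritten"   # RTP sent to sdp_addr would go to an unreachable host
    elif adv_private and src_private:
        verdict = "private-both-sides"       # same site or double NAT; compare with the NAT table
    else:
        verdict = "mismatch"

    # Where audio has to go when the far end is behind NAT: the public source with the SDP
    # port (the 81.49.22.60:13500 pattern from the working run in the thread). The port is
    # only a first guess; a port-translating NAT means learning it from the first RTP packet.
    rtp_target = (src_ip if verdict == "behind-nat-unrewritten" else sdp_addr, sdp_port)
    private_fields = [
        name for name, addr in (("via", via_addr), ("contact", contact_addr), ("sdp", sdp_addr))
        if addr and ipaddress.ip_address(addr).is_private
    ]
    return {
        "via": via_addr, "contact": contact_addr, "sdp_addr": sdp_addr, "sdp_port": sdp_port,
        "source": src_ip, "verdict": verdict, "rtp_target": rtp_target,
        "private_fields": private_fields,
    }


if __name__ == "__main__":
    for src in ("81.49.22.60", "192.168.1.105"):
        print(src, check_nat_consistency(SAMPLE_INVITE, src))
```

Feeding the same INVITE with the public source the thread logged gives "behind-nat-unrewritten" and an RTP target of 81.49.22.60:13500; the same message arriving from 192.168.1.105 itself, or with the c= line already rewritten to the public address by an ALG, comes back "consistent". Comparing those two outcomes against a capture on each side of the 877 is the quickest way to tell whether the router touched the SDP or only the IP header, which is the question pmlco left open.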