Dropping UDP on incoming calls.

Posted on 2006-04-03
Medium Priority
Last Modified: 2010-04-12
Trouble with VoIP through a Pix 506e. Getting the following from the Pix:
Deny Udp src outside: dst inside: by access group "svrs_out"
and VoIP giving problems. VoIP supplier requirements and Pix config added.
Where am I going wrong?

Quote from VOIP Supplier:
The following are the requirements of the firewall protecting the enterprise network where the IP clients are located.
      Dynamic Stateful Packet Filtering (DSPI) should be present.
      Activate "minimally restricted UDP policy". This allows UDP packets into the enterprise, if and only if they are in response to an outgoing UDP packet. Other terms used for this are "UDP conversations" and "Transparent Firewall".
      Firewall must also allow RTP and RTCP packets through. If UDP is allowed, by default RTP/RTCP packets will be allowed through. However, screening on RTP/RTCP packets can be done if so chosen.

More specifically to the above rules, the following tables will indicate which ports need to be opened on the firewall to ensure the correct operation of the OneConnect service.

Enterprise Firewall Egress Policy
Source IP   Source Port   Dest IP   Dest Port       Protocol   Use
Any         5060          - .62     5060            UDP
Any         5000          - .62     5000            UDP
Any         5000          - .62     50020           UDP
Any         >1024         - .62     3090            TCP
Any         >1024         - .62     40,000-60,000   UDP
Any         >1024         - .62     80              TCP
Any         >1024         - .62     443             TCP

 Also added per instructions:
no fixup sip lines

Current Pix Config with some items removed for clarity:
:  Mar 31, 2006 Mississauga Pix506
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password F1mqABN1rE9hwHjy encrypted
passwd E/Uylb/Ss2iBa1Xg encrypted
hostname testpix
domain-name testpix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name 192.xxx.xxx.205   Web
name 192.xxx.xxx.212 SystemLogging
name 192.xxx.xxx.200 DevelopementSvr
access-list svrs_out permit tcp any host 192.xxx.xxx.180 eq www
access-list svrs_out permit esp any host 192.xxx.xxx.181
access-list svrs_out permit udp any host 192.xxx.xxx.181 eq isakmp
access-list svrs_out permit icmp any any echo-reply
access-list localtovpnclient permit ip 192.xxx.xxx.0 192.xxx.xx1.33.0
access-list nonatinside permit ip any 192.xxx.xx1..0
access-list nonatinside permit ip 192.xxx.xxx.0 192.xxx.xx1..0
access-list nonatinside permit ip 192.xxx.xxx.0 192.xxx.xx2.0
access-list outside_cryptomap_dyn_30 permit ip any 192.xxx.xx1..0
access-list todowntown permit ip 192.xxx.xxx.0 192.xxx.xx2.0
access-list outside_cryptomap_dyn_20 permit ip any 192.xxx.xx1..0
access-list outside_cryptomap_dyn_20 permit ip any 192.xxx.xx1.33.0
pager lines 24
logging on
logging timestamp
logging console critical
logging trap informational
logging host inside  
logging host inside SystemLogging
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside 192.xxx.xxx.3
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclientpool 192.xxx.xx1..1-192.xxx.xx1..99
ip local pool newvpnpool 192.xxx.xx1..100-192.xxx.xx1..124
ip local pool vpn1clientpool 192.xxx.xx1.33.10-192.xxx.xx1.33.99
pdm location inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 netmask
global (outside) 1 interface
nat (inside) 0 access-list nonatinside
nat (inside) 1 0 0
static (inside,outside)   Web netmask 0 0
access-group svrs_out in interface outside
route outside 1
timeout conn 0:05:00 half-closed 0:05:00 udp 0:02:00 rpc 0:00:00 h225 0:00:01
timeout h323 0:05:00 mgcp 0:05:00 sip 0:15:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:01:00 absolute uauth 0:01:00 inactivity
timeout xlate 0:01:30
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.xxx.xx1..0 inside
http Peter inside
http inside
http DevelopementSvr inside
http SystemLogging inside
no snmp-server location
no snmp-server contact
snmp-server community public%d
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
service resetinbound
telnet DevelopementSvr inside
telnet SystemLogging inside
telnet inside
telnet timeout 5
ssh outside
ssh outside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Question by: Glen_Sauve
LVL 36

Expert Comment

ID: 16368402
> Deny Udp src outside: dst inside: by access group "svrs_out"
This is a packet being denied. It is from the normal SIP port on your provider back to your server. It is probably being denied because the udp or xlate session timeout has expired so the PIX has forgotten about the connection.

What are you trying to do?
Generally you are best off using the pix fixup for sip. In your current configuration you have no incoming rules for the RTP voice traffic which could result in no inbound audio in some situations.

Author Comment

ID: 16370536
VoIP client required:
no fixup protocol sip 5060
no fixup protocol sip udp 5060
which have been entered in the config.
What kind of rules for incoming RTP voice traffic?
I do get no inbound audio in some situations.
Also the ip range for the VOIP
Why am I getting deny udp from this range?
Can I use PDM to create a group and the rule required, as I am not 'fluent' in command line but can use it?
How can I increase the udp/xlate session timeout?
LVL 36

Expert Comment

ID: 16370820
What are you using as the client?
Does the client always have a fixed IP address?


Author Comment

ID: 16370942
Clients are Nortel phones and softclients to sync/manage. [They tell me the softclient definitely needs the udp port to function.]
Phone ip address....gets from dhcp server [I think....checking now]
LVL 36

Accepted Solution

grblades earned 2000 total points
ID: 16371147
To get this working properly with the setup you have been told to use :-
1) Every phone and soft client will have to have a fixed IP address on the network.
2) Every phone/client will have to have a unique range of RTP ports to use assigned to it.
3) Every phone/client will have to be configured to use the public IP address within its SIP messages.
4) You will need the firewall configured to forward the RTP replies back to the clients depending on the destination port.
This is a lot of work and may be impractical or even impossible depending on the configuration options you have on the phones.

These problems arise simply because the SIP protocol is not friendly with NAT devices. There is a service called a STUN (also known as a proxy server) which helps to avoid a lot of these problems.

Or you could make use of the pix's 'fixup protocol sip' which is designed to avoid all these problems altogether.

As they are telling you to disable the fixup and basically turning the PIX into a dumb firewall as far as SIP is concerned your provider should really tell you how to configure it. The information they have provided is simply inadequate.

Author Comment

ID: 16381596
We've changed the timeout value on the softclient to less than the Pix. [Good observation grblades]. I'm hunching the pix times out before the client does and the client is assuming the session is still live but the pix is saying it's over. Seems to work but we'll monitor it for a while and see. Apparently in this type of setup the softclient takes over from the phone [hence phone works alone but not with client] and the problem arises when the sync between client/phone tries to take place.
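The expert's diagnosis (the PIX forgetting the UDP conversation once its udp/xlate idle timers expire, so the provider's next packet falls through to the "svrs_out" access group) and the fix the author settled on (a client keepalive shorter than the PIX timeout) can be checked with this small model. It is an added example written for this page, not PIX code or anything from the thread; the addresses and the keepalive/call timings are constructed, and the model deliberately treats the udp and xlate idle timers as one window using the shorter of the two values from the posted config.

```python
from dataclasses import dataclass, field

# Idle timers taken from the posted PIX config: "timeout ... udp 0:02:00"
# and "timeout xlate 0:01:30", in seconds. The model uses the shorter of the
# two, since either expiry makes the PIX drop the flow from its tables.
UDP_TIMEOUT = 120
XLATE_TIMEOUT = 90

Flow = tuple[str, int, str, int]  # inside ip, inside port, outside ip, outside port

@dataclass
class StatefulUdpFirewall:
    """Simplified PIX-style UDP conversation tracking behind PAT (model only)."""
    idle_limit: int = min(UDP_TIMEOUT, XLATE_TIMEOUT)
    conns: dict[Flow, int] = field(default_factory=dict)  # flow -> last packet time
    log: list[str] = field(default_factory=list)

    def outbound(self, now: int, src: str, sport: int, dst: str, dport: int) -> None:
        # Any inside->outside packet creates or refreshes the conversation entry.
        self.conns[(src, sport, dst, dport)] = now

    def inbound(self, now: int, src: str, sport: int, dst: str, dport: int) -> bool:
        # Outside->inside is admitted only while the matching conversation is alive;
        # otherwise it is checked against the interface ACL, which has no SIP entry.
        key: Flow = (dst, dport, src, sport)
        last = self.conns.get(key)
        if last is not None and now - last <= self.idle_limit:
            self.conns[key] = now
            return True
        self.conns.pop(key, None)
        self.log.append(f'Deny udp src outside:{src}/{sport} dst inside:{dst}/{dport} '
                        f'by access-group "svrs_out"')
        return False

def run_scenario(keepalive_interval: int, call_time: int) -> tuple[bool, list[str]]:
    """Soft client re-sends its SIP registration every keepalive_interval seconds
    from t=0; the provider sends the first packet of an incoming call at call_time.
    Addresses are constructed placeholders, not the ones on the page."""
    fw = StatefulUdpFirewall()
    client = ("192.168.1.10", 5060)     # inside phone / soft client (constructed)
    provider = ("198.51.100.62", 5060)  # provider SIP proxy (constructed)
    t = 0
    while t <= call_time:
        fw.outbound(t, *client, *provider)
        t += keepalive_interval
    return fw.inbound(call_time, *provider, *client), fw.log

if __name__ == "__main__":
    for interval in (300, 60):  # 300 s exceeds the PIX window, 60 s stays inside it
        ok, log = run_scenario(interval, call_time=200)
        print(f"keepalive every {interval}s -> incoming call {'accepted' if ok else 'DENIED'}")
        print(*log, sep="\n")
```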

