Glen_Sauve asked:
Dropping UDP on incoming calls.

Trouble with VoIP through a PIX 506E. Getting the following from the PIX:
Deny Udp src outside: 225.225.241.22/5060 dst inside:10.0.0.181/35087 by access group "svrs_out"
and VoIP is giving problems. VoIP supplier requirements and PIX config added.
Where am I going wrong?
Tks
Glen

Quote from VOIP Supplier:
The following are the requirements of the firewall protecting the enterprise network where the IP clients are located.
      Dynamic Stateful Packet Filtering (DSPI) should be present.
      Activate "minimally restricted UDP policy". This allows UDP packets into the enterprise, if and only if they are in response to an outgoing UDP packet. Other terms used for this are "UDP conversations" and "Transparent Firewall".
      Firewall must also allow RTP and RTCP packets through. If UDP is allowed, by default RTP/RTCP packets will be allowed through. However, screening on RTP/RTCP packets can be done if so chosen.

More specifically to the above rules, the following tables will indicate which ports need to be opened on the firewall to ensure the correct operation of the OneConnect service.

Enterprise Firewall Egress Policy

Source IP   Source Port   Dest IP                 Dest Port       Protocol   Use
Any         5060          225.225.241.1 - .62     5060            UDP
Any         5000          225.225.241.1 - .62     5000            UDP
Any         5000          225.225.241.1 - .62     50020           UDP
Any         >1024         225.225.241.1 - .62     3090            TCP
Any         >1024         225.225.241.1 - .62     40,000-60,000   UDP
Any         >1024         225.225.241.1 - .62     80              TCP
Any         >1024         225.225.231.1 - .62     443             TCP

 Also added per instructions:
no fixup sip lines
                                          

Current Pix Config with some items removed for clarity:
:  Mar 31, 2006 Mississauga Pix506
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password F1mqABN1rE9hwHjy encrypted
passwd E/Uylb/Ss2iBa1Xg encrypted
hostname testpix
domain-name testpix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.xxx.xxx.205   Web
name 192.xxx.xxx.212 SystemLogging
name 192.xxx.xxx.200 DevelopementSvr
access-list svrs_out permit tcp any host 192.xxx.xxx.180 eq www
access-list svrs_out permit esp any host 192.xxx.xxx.181
access-list svrs_out permit udp any host 192.xxx.xxx.181 eq isakmp
access-list svrs_out permit icmp any any echo-reply
access-list localtovpnclient permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xx1.33.0 255.255.255.0
access-list nonatinside permit ip any 192.xxx.xx1..0 255.255.255.128
access-list nonatinside permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xx1..0 255.255.255.0
access-list nonatinside permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xx2.0 255.255.255.0
access-list outside_cryptomap_dyn_30 permit ip any 192.xxx.xx1..0 255.255.255.128
access-list todowntown permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xx2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.xxx.xx1..0 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 192.xxx.xx1.33.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console critical
logging trap informational
logging host inside  
logging host inside SystemLogging
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.181 255.255.255.248
ip address inside 192.xxx.xxx.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclientpool 192.xxx.xx1..1-192.xxx.xx1..99
ip local pool newvpnpool 192.xxx.xx1..100-192.xxx.xx1..124
ip local pool vpn1clientpool 192.xxx.xx1.33.10-192.xxx.xx1.33.99
pdm location 0.0.0.0 255.255.255.0 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 10.0.0.178-10.0.0.179 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.180   Web netmask 255.255.255.255 0 0
access-group svrs_out in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.182 1
timeout conn 0:05:00 half-closed 0:05:00 udp 0:02:00 rpc 0:00:00 h225 0:00:01
timeout h323 0:05:00 mgcp 0:05:00 sip 0:15:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:01:00 absolute uauth 0:01:00 inactivity
timeout xlate 0:01:30
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.xxx.xx1..0 255.255.255.0 inside
http Peter 255.255.255.255 inside
http    255.255.255.255 inside
http DevelopementSvr 255.255.255.255 inside
http SystemLogging 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public%d
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
service resetinbound
telnet DevelopementSvr 255.255.255.255 inside
telnet SystemLogging 255.255.255.255 inside
telnet    255.255.255.255 inside
telnet timeout 5
ssh 200.9.49.66 255.255.255.255 outside
ssh 196.40.16.135 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
grblades:
> Deny Udp src outside: 225.225.241.22/5060 dst inside:10.0.0.181/35087 by access group "svrs_out"
This is a packet being denied. It is from the normal SIP port on your provider back to your server. It is probably being denied because the udp or xlate session timeout has expired so the PIX has forgotten about the connection.

What are you trying to do?
Generally you are best off using the pix fixup for sip. In your current configuration you have no incoming rules for the RTP voice traffic which could result in no inbound audio in some situations.
Glen_Sauve (asker):
The VoIP client required
 no fixup protocol sip 5060
and
 no fixup protocol sip udp 5060
which have been entered in the config.
What kind of rules for incoming RTP voice traffic?
I do get no inbound audio in some situations.
Also, the IP range for the VoIP is 225.225.241.1-.62.
Why am I getting deny udp from this range?
Can I use PDM to create a group and the rule required, as I am
not 'fluent' in the command line but can use it?
How can I increase the udp/xlate session timeout?
Tks
Glen
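One way to act on the two questions above (inbound rules for the provider's return traffic, and longer UDP/xlate timeouts), as an added example that is not from this thread, its accepted solution, or the supplier's documentation. It is a PIX 6.3 fragment: the addresses and ports come from the supplier table and the posted config, while the object-group names and the timeout values are assumptions to be checked against the softclient's registration interval.

```cisco
: Added example (not from the thread, the accepted solution, or the supplier).
: PIX 6.3 fragment: inbound rules for the OneConnect return traffic plus longer
: UDP/xlate timeouts. Addresses and ports are taken from the supplier table and
: the posted config; object-group names and timeout values are assumptions.
:
: 1. Inbound rules. Once the PIX has aged out the UDP "conversation", a packet
:    from the provider's port 5060 (or an RTP port) is checked against svrs_out,
:    which only permits www, esp, isakmp and echo-reply; hence the deny in the
:    log. Permit UDP from the supplier range only (225.225.241.0/26 covers
:    .1-.62), sourced from the ports the supplier listed, to the addresses this
:    PIX uses for PAT on the outside (interface 10.0.0.181 and the global pool
:    10.0.0.178-.179, which is a /31). An ACL entry cannot create a translation:
:    if no xlate exists for the inside client the packet is still dropped,
:    which is why step 2 matters as well.
object-group network oneconnect-servers
  description OneConnect SIP/RTP servers 225.225.241.1-.62 (supplier table)
  network-object 225.225.241.0 255.255.255.192
object-group service oneconnect-udp udp
  description Ports the supplier sources SIP, signalling and RTP/RTCP from
  port-object eq 5060
  port-object eq 5000
  port-object eq 50020
  port-object range 40000 60000
access-list svrs_out permit udp object-group oneconnect-servers object-group oneconnect-udp host 10.0.0.181
access-list svrs_out permit udp object-group oneconnect-servers object-group oneconnect-udp 10.0.0.178 255.255.255.254
:
: 2. Timeouts. The posted config has xlate 0:01:30 and udp 0:02:00, both shorter
:    than a typical SIP registration refresh, so the PIX forgets the client
:    between registrations. 3:00:00 is the PIX default for xlate; 0:05:00 for
:    udp is an assumed value. Set both above the client's refresh interval.
timeout xlate 3:00:00
timeout udp 0:05:00
:
: Verify while a softclient is registered: its PAT xlate for the 5060 flow
: should stay listed across one registration interval and the deny should stop.
show timeout
show xlate
show conn
show logging
```

The ACL deliberately names the supplier's /26 and port list rather than `any`, so the outside address is opened to UDP from those servers only. PDM can build the same thing with a network object group and a service group attached to the outside access rule. This does not make the phones reachable for an unsolicited inbound call behind PAT with the SIP fixup disabled; if a softclient has a fixed inside address and the provider must reach it first, a `static (inside,outside)` to one of the spare outside addresses is the usual PIX answer, which is an assumption beyond what the thread shows.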
What are you using as the client?
Does the client always have a fixed IP address?
Clients are Nortel phones and softclients to sync/manage. [They tell me
the softclient definitely needs the UDP port to function.]
Phone IP address... gets it from the DHCP server [I think... checking now].
Tks
Glen
ASKER CERTIFIED SOLUTION by grblades (members-only content, not shown here)
We've changed the timeout value on the softclient to less than the PIX. [Good observation grblades.] I'm hunching the PIX
times out before the client does, and the client is assuming the session is still live but the PIX is saying it's over. Seems to work, but we'll monitor it for a while and see. Apparently, in this type of setup the softclient takes over from the phone [hence the phone works alone but not with the client], and the problem arises when the sync between client/phone tries to take place.