Dropping UDP on incoming calls.

Posted on 2006-04-03
Last Modified: 2010-04-12
Trouble with VoIP through a Pix506e... Getting the following from the Pix:
Deny Udp src outside: dst inside: by access group "svrs_out"
and VoIP is giving problems. VoIP supplier requirements and Pix config added....
Where am I going wrong?

Quote from VOIP Supplier:
The following are the requirements of the firewall protecting the enterprise network where the IP clients are located.
      Dynamic Stateful Packet Filtering (DSPI) should be present.
      Activate "minimally restricted UDP policy". This allows UDP packets into the enterprise, if and only if they are in response to an outgoing UDP packet. Other terms used for this are "UDP conversations" and "Transparent Firewall".
      Firewall must also allow RTP and RTCP packets through. If UDP is allowed, by default RTP/RTCP packets will be allowed through. However, screening on RTP/RTCP packets can be done if so chosen.

More specifically to the above rules, the following tables will indicate which ports need to be opened on the firewall to ensure the correct operation of the OneConnect service.

Enterprise Firewall Egress Policy
Source IP   Source Port   Dest IP   Dest Port       Protocol   Use
Any         5060          - .62     5060            UDP
Any         5000          - .62     5000            UDP
Any         5000          - .62     50020           UDP
Any         >1024         - .62     3090            TCP
Any         >1024         - .62     40,000-60,000   UDP
Any         >1024         - .62     80              TCP
Any         >1024         - .62     443             TCP

Also added per instructions: the "no fixup sip" lines

Current Pix Config with some items removed for clarity:
:  Mar 31, 2006 Mississauga Pix506
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password F1mqABN1rE9hwHjy encrypted
passwd E/Uylb/Ss2iBa1Xg encrypted
hostname testpix
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name   Web
name SystemLogging
name DevelopementSvr
access-list svrs_out permit tcp any host eq www
access-list svrs_out permit esp any host
access-list svrs_out permit udp any host eq isakmp
access-list svrs_out permit icmp any any echo-reply
access-list localtovpnclient permit ip
access-list nonatinside permit ip any
access-list nonatinside permit ip
access-list nonatinside permit ip
access-list outside_cryptomap_dyn_30 permit ip any
access-list todowntown permit ip
access-list outside_cryptomap_dyn_20 permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
pager lines 24
logging on
logging timestamp
logging console critical
logging trap informational
logging host inside  
logging host inside SystemLogging
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclientpool
ip local pool newvpnpool
ip local pool vpn1clientpool
pdm location inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 netmask
global (outside) 1 interface
nat (inside) 0 access-list nonatinside
nat (inside) 1 0 0
static (inside,outside)   Web netmask 0 0
access-group svrs_out in interface outside
route outside 1
timeout conn 0:05:00 half-closed 0:05:00 udp 0:02:00 rpc 0:00:00 h225 0:00:01
timeout h323 0:05:00 mgcp 0:05:00 sip 0:15:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:01:00 absolute uauth 0:01:00 inactivity
timeout xlate 0:01:30
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http Peter inside
http inside
http DevelopementSvr inside
http SystemLogging inside
no snmp-server location
no snmp-server contact
snmp-server community public%d
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
service resetinbound
telnet DevelopementSvr inside
telnet SystemLogging inside
telnet inside
telnet timeout 5
ssh outside
ssh outside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Question by: Glen_Sauve

    Expert Comment

    > Deny Udp src outside: dst inside: by access group "svrs_out"
    This is a packet being denied. It is from the normal SIP port on your provider back to your server. It is probably being denied because the udp or xlate session timeout has expired so the PIX has forgotten about the connection.

    What are you trying to do?
    Generally you are best off using the pix fixup for sip. In your current configuration you have no incoming rules for the RTP voice traffic which could result in no inbound audio in some situations.

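The behaviour described in the comment above, as an added example that is not part of the thread: a toy model of the PIX's stateful UDP "conversation" handling with the 2-minute UDP idle timeout from the posted config, showing why the provider's INVITE for an incoming call is dropped by the outside ACL once the client has been quiet for longer than that. The addresses, keepalive intervals and call timing are constructed.

```python
# Added example (not part of the thread): toy model of stateful UDP handling
# with an idle timeout, to show why an incoming call is logged as
# "Deny Udp ... by access group" even though the phone opened the flow itself.
from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 120   # seconds; the posted config has "timeout ... udp 0:02:00"
PHONE = ("10.0.0.5", 5060)         # constructed inside address of the phone/softclient
PROVIDER = ("203.0.113.62", 5060)  # constructed provider SIP address


@dataclass
class UdpPinholeFirewall:
    """Outbound UDP from inside opens a pinhole; inbound UDP is accepted only
    while a matching pinhole exists and has not sat idle past the timeout."""
    idle_timeout: int = UDP_IDLE_TIMEOUT
    pinholes: dict = field(default_factory=dict)   # (inside, outside) -> last seen
    log: list = field(default_factory=list)

    def outbound(self, now, inside, outside):
        # inside (security100) -> outside (security0) is allowed; remember the flow
        self.pinholes[(inside, outside)] = now
        return True

    def inbound(self, now, outside, inside):
        key = (inside, outside)
        last = self.pinholes.get(key)
        if last is not None and now - last <= self.idle_timeout:
            self.pinholes[key] = now   # traffic in either direction refreshes the timer
            return True
        # Pinhole expired: the packet is checked against the outside ACL, which has
        # no UDP permit for this flow, so it is dropped with the message from the question.
        self.pinholes.pop(key, None)
        self.log.append(f"Deny Udp src outside:{outside[0]}/{outside[1]} "
                        f'dst inside:{inside[0]}/{inside[1]} by access group "svrs_out"')
        return False


def incoming_call_reaches_phone(keepalive_interval, call_arrival,
                                idle_timeout=UDP_IDLE_TIMEOUT):
    """The client sends a REGISTER/keepalive every keepalive_interval seconds and
    the provider's INVITE for an incoming call arrives at call_arrival seconds.
    Returns (accepted, firewall log)."""
    fw = UdpPinholeFirewall(idle_timeout)
    t = 0
    while t <= call_arrival:
        fw.outbound(t, PHONE, PROVIDER)
        t += keepalive_interval
    accepted = fw.inbound(call_arrival, PROVIDER, PHONE)
    return accepted, fw.log
```

With a 180 s client keepalive the call at 150 s is denied; with a 60 s keepalive (shorter than the PIX timeout, which is what the thread ended up doing) the same call is accepted.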
    Author Comment

    VoIP client required:
    no fixup protocol sip 5060
    no fixup protocol sip udp 5060
    Which have been entered in the config.
    What kind of rules for incoming RTP voice traffic?
    I do get no inbound audio in some situations.
    Also the ip range for the VOIP
    Why am I getting deny udp from this range?
    Can I use PDM to create a group and the rule required as I am
    not 'fluent' in command line but can use it.
    How can I increase the udp/xlate session timeout?

    Expert Comment

    What are you using as the client?
    Does the client always have a fixed IP address?

    Author Comment

    Clients are Nortel phones and softclients to sync/manage. [They tell me
    the softclient definitely needs the UDP port to function.]
    Phone IP address....gets from DHCP server [I think....checking now]

    Accepted Solution

    To get this working properly with the setup you have been told to use :-
    1) Every phone and soft client will have to have a fixed IP address on the network.
    2) Every phone/client will have to have a unique range of RTP ports to use assigned to it.
    3) Every phone/client will have to be configured to use the public IP address within its SIP messages.
    4) You will need the firewall configured to forward the RTP replies back to the clients depending on the destination port.
    This is a lot of work and may be impractical or even impossible depending on the configuration options you have on the phones.

    These problems arise simply because the SIP protocol is not friendly with NAT devices. There is a service called a STUN (also known as a proxy server) which helps to avoid a lot of these problems.

    Or you could make use of the pix's 'fixup protocol sip' which is designed to avoid all these problems altogether.

    As they are telling you to disable the fixup and basically turn the PIX into a dumb firewall as far as SIP is concerned, your provider should really tell you how to configure it. The information they have provided is simply inadequate.

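Points 3 and 4 of the accepted solution and the 'fixup protocol sip' alternative, as an added example that is not part of the thread: a toy model of what a SIP ALG does when it sees an INVITE from a phone behind NAT. The INVITE and addresses are constructed (the public address is a stand-in for the PIX outside interface; the audio port 40002 sits in the supplier's 40,000-60,000 range); real fixups also handle the reverse direction and may translate ports.

```python
# Added example (not part of the thread): model of a SIP ALG such as the PIX
# "fixup protocol sip". Without it the provider sends RTP to the private address
# carried in the SDP, which is why the accepted solution says every client would
# need the public IP in its SIP messages plus firewall rules to forward RTP back.
import re

PUBLIC_IP = "198.51.100.10"   # constructed stand-in for the PIX outside address

# Constructed INVITE as the phone sends it: private address in Via, Contact and SDP.
PHONE_INVITE = (
    "INVITE sip:5551234@203.0.113.62 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:1001@10.0.0.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.0.0.5\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 40002 RTP/AVP 0\r\n"
)


def media_destination(message):
    """Where the far end will send RTP: the SDP c= address and m=audio port."""
    body = message.split("\r\n\r\n", 1)[1]
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", body, re.M).group(1))
    return ip, port


def is_private(ip):
    # RFC 1918 ranges; an address here is unroutable from the provider's side
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def sip_fixup(message, public_ip):
    """Model of the ALG: rewrite the inside address in the headers and SDP to the
    public address and return the UDP pinholes (public_ip, port, inside_ip, port)
    the firewall must open for RTP and RTCP. Ports are kept 1:1 for simplicity."""
    head, body = message.split("\r\n\r\n", 1)
    inside_ip = re.search(r"^Via: SIP/2\.0/UDP ([\d.]+)", head, re.M).group(1)
    pinholes = []
    for m in re.finditer(r"^m=audio (\d+) ", body, re.M):
        port = int(m.group(1))
        pinholes += [(public_ip, port, inside_ip, port),          # RTP
                     (public_ip, port + 1, inside_ip, port + 1)]  # RTCP
    return message.replace(inside_ip, public_ip), pinholes
```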
    Author Comment

    We've changed the timeout value on the softclient to less than the Pix's. [Good observation grblades.] I'm hunching the pix
    times out before the client does and the client is assuming the session is still live but the pix is saying it's over.  Seems to work but we'll monitor it for a while and see.  Apparently in this type of setup the softclient takes over from the phone [hence phone works alone but not with client] and the problem arises when the sync between client/phone tries to take place.
