Hello.
This is really a question about Cisco’s zone-based firewall, but I am posting it here hoping that someone will have successfully implemented a ZBF with Asterisk.
Background:
Asterisk behind NAT, internal and external SIP phones. All works perfectly with other routers, e.g. Motorola, Netopia. I set nat=yes in sip.conf and Asterisk sends RTP packets to a remote phone’s external IP address.
Problem: when I use a Cisco 877 router and firewall, Asterisk tries to send packets to the internal address of the remote phone, e.g.
Sent RTP packet to 192.168.1.130:13500 (type 18, seq 065426, ts 013760, len 000020)
Here 192.168.1.130 is the internal address of the phone on the remote network, so clearly the packets don’t get anywhere. It seems that the Cisco firewall, which is supposed to examine the packets and then allow RTP to be exchanged on the negotiated ports, is rewriting the IP address of the remote phone, replacing the external address with the internal one. I can see no way to turn it off - I have tried using “pass” instead of “inspect” in the firewall’s policy-map, but it makes no difference. Everything else - email, HTTP, etc. - works fine.
If anyone has successfully got either ZBF or CBAC working with Asterisk, I would appreciate your help.
Regards
Ian
UPDATE:
From two external phones, I dial 500 for voicemail. On one of the phones, ext 61, I hear nothing and note that the RTP packets are being sent to the phone’s internal address on the remote network. On the other, RTP packets are sent to the external address of the remote network and everything works normally. Here is the phones’ SIP information:
Works:
* Name : 50
Secret : <Set>
MD5Secret : <Not set>
Context : phones
Subscr.Cont. : <Not set>
Language :
AMA flags : Unknown
Transfer mode: open
CallingPres : Presentation Allowed, Not Screened
Callgroup :
Pickupgroup :
Mailbox : 81@pc-vm
VM Extension : 500
LastMsgsSent : 32767/65535
Call limit : 0
Dynamic : Yes
Callerid : "" <>
MaxCallBR : 384 kbps
Expire : 32
Insecure : port,invite
Nat : Always
ACL : No
T38 pt UDPTL : Yes
CanReinvite : No
PromiscRedir : No
User=Phone : No
Video Support: No
Text Support : No
Ign SDP ver : No
Trust RPID : Yes
Send RPID : Yes
Subscriptions: Yes
Overlap dial : Yes
DTMFmode : rfc2833
Timer T1 : 500
Timer B : 32000
ToHost :
Addr->IP : external.network.address.ip Port 1026
Defaddr->IP : 0.0.0.0 Port 5060
Transport : UDP
Def. Username: 50
SIP Options : (none)
Codecs : 0x100 (g729)
Codec Order : (g729:20)
Auto-Framing : No
100 on REG : No
Status : OK (346 ms)
Useragent : C470IP021910000000
Reg. Contact : sip:50@external.network.address.ip:1026
Qualify Freq : 60000 ms
Sess-Timers : Accept
Sess-Refresh : uas
Sess-Expires : 1800 secs
Min-Sess : 90 secs
Doesn’t work:
* Name : 61
Secret : <Set>
MD5Secret : <Not set>
Context : phones
Subscr.Cont. : <Not set>
Language :
AMA flags : Unknown
Transfer mode: open
CallingPres : Presentation Allowed, Not Screened
Callgroup :
Pickupgroup :
Mailbox : 81@pc-vm
VM Extension : 500
LastMsgsSent : 32767/65535
Call limit : 0
Dynamic : Yes
Callerid : "" <>
MaxCallBR : 384 kbps
Expire : 3470
Insecure : port,invite
Nat : Always
ACL : No
T38 pt UDPTL : Yes
CanReinvite : No
PromiscRedir : No
User=Phone : No
Video Support: No
Text Support : No
Ign SDP ver : No
Trust RPID : Yes
Send RPID : Yes
Subscriptions: Yes
Overlap dial : Yes
DTMFmode : rfc2833
Timer T1 : 500
Timer B : 32000
ToHost :
Addr->IP : external.network.ip.address Port 1027
Defaddr->IP : 0.0.0.0 Port 5060
Transport : UDP
Def. Username: 61
SIP Options : (none)
Codecs : 0x10c (ulaw|alaw|g729)
Codec Order : (ulaw:20,alaw:20,g729:20)
Auto-Framing : No
100 on REG : No
Status : OK (514 ms)
Useragent : (C) RM-333 11.047
Reg. Contact : sip:ROW4WLSivdxhxyBIT1T_@192.168.1.130;transport=UDP
Qualify Freq : 60000 ms
Sess-Timers : Accept
Sess-Refresh : uas
Sess-Expires : 1800 secs
Min-Sess : 90 secs
An obvious difference is that the registered contact for the phone that doesn’t work is using the remote internal address.
Further update:
The difference in the registered contacts may be a red herring, since it’s the same with the Netopia router running, and calls work perfectly.
Sent RTP packet to 74.125.67.10:5010 (type 18, seq 010607, ts 000800, len 000020)
Got RTP packet from 74.125.67.10:5010 (type 18, seq 000105, ts 13499360, len 000020)
If anyone is interested, here is the IOS configuration.
[code]
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname MyRouterName
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 warnings
!
no aaa new-model
clock timezone EST -5
!
crypto pki trustpoint TP-self-signed-4226416467
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4226416467
revocation-check none
rsakeypair TP-self-signed-4226416467
!
!
crypto pki certificate chain TP-self-signed-4226416467
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
dot11 syslog
no ip source-route
ip cef
!
!
ip domain-lookup
ip dns server
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.71.254
ip dhcp excluded-address 192.168.71.1 192.168.71.150
!
ip dhcp pool dhcp0-pool
import all
network 192.168.71.0 255.255.255.0
default-router 192.168.71.254
lease 0 2
!
!
ip domain list myname.net
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
username admin privilege 15 secret 5 $1$SJDJ$S6hjeztbzMchP05QCHpG7HE1
!
archive
log config
hidekeys
!
class-map type inspect match-any WebTraffic
match protocol http
match protocol https
!
ip port-map ssh port tcp 22003
ip port-map ssh port tcp 22004
ip port-map ssh port tcp 22005
ip port-map ssh port tcp 22006
ip port-map ssh port tcp 22007
ip port-map ssh port tcp 22008
class-map type inspect match-any SSH
match protocol ssh
!
ip port-map smtp port tcp 587
ip port-map smtp port tcp 465
class-map type inspect match-any Email
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol imap
match protocol imap3
match protocol imaps
class-map type inspect match-any Misc
match protocol ntp
class-map type inspect match-any SIP
match protocol sip
class-map type inspect match-any Access
match access-group name AllowedIn
!
policy-map type inspect In2Out
class class-default
inspect
!
policy-map type inspect Out2In
class type inspect Access
inspect
class type inspect SIP
inspect
class type inspect WebTraffic
inspect
class type inspect Misc
inspect
class type inspect Email
inspect
class type inspect SSH
inspect
class class-default
drop log
!
zone security Inside
description Inside network
zone security Outside
description Outside network
!
zone-pair security Out2In source Outside destination Inside
service-policy type inspect Out2In
!
zone-pair security In2Out source Inside destination Outside
service-policy type inspect In2Out
!
class-map match-any Management-1
match dscp cs2
class-map match-any Routing-1
match dscp cs6
class-map match-any Signaling-1
match dscp cs3
match dscp af31
class-map match-any Voice-1
match dscp ef
class-map match-any Transactional-1
match dscp af21
match dscp af22
match dscp af23
!
!
policy-map QoS-Policy-1
class Voice-1
priority percent 33
class Signaling-1
bandwidth percent 5
class Routing-1
bandwidth percent 5
class Management-1
bandwidth percent 5
class Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Virtual Interface for FastEthernet 0-3
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
description Virtual Outside Interface
ip address my.own.ip.address 255.0.0.0
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer string "*99#"
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname myname@bellsouth.net
ppp chap password 7 01475252395A525D
ppp pap sent-username myname@bellsouth.net password 7 13514359598D5078
ppp ipcp dns request
service-policy output QoS-Policy-1
zone-member security Outside
!
interface BVI1
description Bridge-Group Virtual Interface for Bridge Group 1
ip address 192.168.71.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
zone-member security Inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 10.71.42.0 255.255.255.0 192.168.71.6 permanent
!
!
ip http server
ip http port 2420
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.71.7 25 my.own.ip.address 25 extendable
ip nat inside source static tcp 192.168.71.7 80 my.own.ip.address 80 extendable
ip nat inside source static tcp 192.168.71.7 443 my.own.ip.address 443 extendable
ip nat inside source static tcp 192.168.71.7 110 my.own.ip.address 110 extendable
ip nat inside source static tcp 192.168.71.6 123 my.own.ip.address 123 extendable
ip nat inside source static tcp 192.168.71.7 143 my.own.ip.address 143 extendable
ip nat inside source static tcp 192.168.71.7 220 my.own.ip.address 220 extendable
ip nat inside source static tcp 192.168.71.7 465 my.own.ip.address 465 extendable
ip nat inside source static tcp 192.168.71.7 587 my.own.ip.address 587 extendable
ip nat inside source static tcp 192.168.71.7 993 my.own.ip.address 993 extendable
ip nat inside source static tcp 192.168.71.7 995 my.own.ip.address 995 extendable
ip nat inside source static udp 192.168.71.6 1194 my.own.ip.address 1194 extendable
ip nat inside source static udp 192.168.71.8 4569 my.own.ip.address 4569 extendable
ip nat inside source static udp 192.168.71.8 3478 my.own.ip.address 3478 extendable
ip nat inside source static tcp 192.168.71.20 5001 my.own.ip.address 5001 extendable
ip nat inside source static udp 192.168.71.8 5060 my.own.ip.address 5060 extendable
ip nat inside source static tcp 192.168.71.3 22 my.own.ip.address 22003 extendable
ip nat inside source static tcp 192.168.71.4 22 my.own.ip.address 22004 extendable
ip nat inside source static tcp 192.168.71.5 22 my.own.ip.address 22005 extendable
ip nat inside source static tcp 192.168.71.6 22 my.own.ip.address 22006 extendable
ip nat inside source static tcp 192.168.71.7 22 my.own.ip.address 22007 extendable
ip nat inside source static tcp 192.168.71.8 22 my.own.ip.address 22008 extendable
!
logging 192.168.71.6
access-list 1 permit 192.168.71.0 0.0.0.255
ip access-list extended AllowedIn
remark OpenVPN
permit udp any any eq 1194
remark iax2
permit udp any any eq 4569
remark slingbox
permit tcp any any eq 5001
!
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec
Welcome - Cisco 877 router.
banner login
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175885
ntp server 192.168.71.6
end
[/code]
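The two registrations above differ in what the phone advertises: ext 50 registers a public Contact, ext 61 registers its own private address, and the RTP log shows Asterisk sending media to whatever address the SDP names. As an added example that is not part of the original post, of Asterisk, or of Cisco IOS, the following Python script parses a SIP INVITE, pulls the Contact and the SDP c=/m= audio endpoint, and flags the case where the advertised media address is an RFC 1918 address that differs from the address the packet actually came from. That is the situation in which a NAT-unaware phone (or an ALG that has rewritten the SDP) leaves the far end addressing RTP to an unreachable internal address. The INVITEs, the header values, the function names and the address 203.0.113.10 (standing in for the remote network's external address) are all constructed for the example; the extension numbers and 192.168.1.130 are taken from the post.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Explicit RFC 1918 ranges: ipaddress's is_private also treats documentation
# ranges such as 203.0.113.0/24 as private, which would defeat this check.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# host[:port] of the SIP URI inside a Contact header, user part optional.
CONTACT_RE = re.compile(r"sip:(?:[^@<>;]+@)?([0-9.]+|[A-Za-z0-9.-]+)(?::(\d+))?")


def is_rfc1918(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a hostname; resolving it is out of scope here
    return any(ip in net for net in RFC1918)


def build_invite(contact: str, sdp_ip: str, rtp_port: int) -> str:
    """Constructed sample INVITE (hypothetical, not a capture from the post)."""
    body = (f"v=0\r\no=- 1 1 IN IP4 {sdp_ip}\r\ns=-\r\nc=IN IP4 {sdp_ip}\r\n"
            f"t=0 0\r\nm=audio {rtp_port} RTP/AVP 0 8 18 101\r\na=rtpmap:18 G729/8000\r\n")
    return ("INVITE sip:500@pbx.example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {sdp_ip}:5060;branch=z9hG4bK776asdhds;rport\r\n"
            "From: <sip:61@pbx.example.net>;tag=1928301774\r\n"
            "To: <sip:500@pbx.example.net>\r\n"
            f"Call-ID: a84b4c76e66710@{sdp_ip}\r\nCSeq: 314159 INVITE\r\n"
            f"Contact: {contact}\r\nContent-Type: application/sdp\r\n"
            f"Content-Length: {len(body)}\r\n\r\n" + body)


def parse_sip(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Request line, headers (lower-cased names; for repeated headers such as
    Via the last value wins, which is enough for Contact) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def contact_host(contact: str) -> Tuple[str, int]:
    m = CONTACT_RE.search(contact)
    if not m:
        raise ValueError(f"no SIP URI in Contact: {contact!r}")
    return m.group(1), int(m.group(2) or 5060)


def sdp_media_endpoints(sdp: str) -> List[Tuple[str, str, int]]:
    """(media, connection address, port) for each m= line. A c= line that
    follows an m= line is media-level and overrides the session-level c=."""
    session_c = ""
    current: List = []
    endpoints: List[List] = []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line[len("c=IN IP4 "):].split("/")[0].strip()
            if current:
                current[1] = addr
            else:
                session_c = addr
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            current = [media, session_c, int(port)]
            endpoints.append(current)
    return [tuple(e) for e in endpoints]


def analyse_invite(raw: str, src_ip: str, src_port: int) -> dict:
    """Compare where the SDP says audio should go with where the SIP packet
    came from, as seen by the host (here, Asterisk) that received it."""
    _, headers, body = parse_sip(raw)
    contact = contact_host(headers.get("contact", ""))
    audio = [e for e in sdp_media_endpoints(body) if e[0] == "audio"]
    if not audio:
        raise ValueError("INVITE carries no audio m= line")
    _, sdp_ip, sdp_port = audio[0]
    # The symptom from the post: SDP names a private address that is not the
    # address the signalling arrived from, so RTP sent there goes nowhere.
    behind_nat = sdp_ip != src_ip and is_rfc1918(sdp_ip) and not is_rfc1918(src_ip)
    return {
        "contact": contact,
        "sdp_media": (sdp_ip, sdp_port),
        "signalling_source": (src_ip, src_port),
        "peer_behind_nat": behind_nat,
        # Initial RTP target: the SDP address unless it is unreachable, in which
        # case the signalling source is the only usable guess until the first
        # incoming RTP packet reveals the real (NATed) endpoint.
        "rtp_target": (src_ip, sdp_port) if behind_nat else (sdp_ip, sdp_port),
    }


if __name__ == "__main__":
    ext61 = build_invite("<sip:61@192.168.1.130;transport=UDP>", "192.168.1.130", 13500)
    ext50 = build_invite("<sip:50@203.0.113.10:1026>", "203.0.113.10", 5010)
    print("ext 61:", analyse_invite(ext61, "203.0.113.10", 1027))
    print("ext 50:", analyse_invite(ext50, "203.0.113.10", 1026))
```

The check is only meaningful on a message taken where Asterisk sees it; running it on the same INVITE captured on the outside of the 877 and again on the Asterisk host shows whether the router altered the Contact or the c= line in transit. Two separate IOS features can do that rewriting: the ZBF SIP inspection configured with `match protocol sip` / `inspect`, and the NAT SIP ALG, which is independent of the zone policy and enabled by default; the latter is turned off with `no ip nat service sip udp port 5060`. Asterisk's nat=yes on this peer type also enables symmetric RTP, which learns the far end's real media address from the first RTP packet that arrives, so the SDP address alone does not decide whether audio flows; the script's `rtp_target` is only the starting guess that behaviour relies on.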