topic Hi, in Network Security

Configuring Zone Based Firewall for VoIP

Austin Rivet — Tue, 12 Mar 2019 05:23:22 GMT

Hello,

I am trying to configure zone based firewall (on a 2911 with the k9 security license) to pass VoIP traffic from my VoIP provider to an internal IP PBX (3CX) and vice versa. The way I have it setup currently is to permit all outgoing traffic from the internal network to the outside. For traffic coming from the WAN (G0/1 “Outside-Frontier” zone) I have allowed all traffic with destination port(s) TCP/UDP 5060 (SIP) and UDP 9001-9049 (RTP). However, even after explicitly allowing this traffic (via class-maps with ACL’s) I cannot seem to get voice traffic to pass through (I get a “no response” when attempting to make a call).

I know that my base configuration is correct because if I disable ZBF then I can make calls just fine and the firewall checker in 3CX passes all of the RTP/SIP ports. As soon as I apply the ZBF config I cannot even connect to my SIP provider/make a call.

I have tried all sorts of combinations of ACLs and class-maps/policy-maps but nothing seems to work other than allowing all IP traffic to pass the inside and outside zones (which defeats the purpose of ZBF).

My LAN diagram, running-config, version info, and PBX port settings are pasted below. I have omitted IP addresses and other unnecessary lines (like VPN configuration). I would really appreciate any and all advise on this.

Thanks!

router#show ver

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Compiled Wed 19-Mar-14 19:23 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

router#show run

Building configuration...

Current configuration : 13497 bytes

! Last configuration change at 17:29:45 UTC Sat Jan 24 2015

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname router

boot-start-marker

boot-end-marker

ip cef

ip domain name invalid.lan

ip name-server x.x.x.x

no ipv6 cef

ip ssh version 2

class-map type inspect match-any Outgoing-Mail-Class

match access-group name OUTGOING_MAIL

class-map type inspect match-any Outgoing-FW-Exceptions-Class

match access-group name OUTGOING_FW_EXCEPTIONS

class-map type inspect match-any Incoming-FW-Exceptions-Class

match access-group name INCOMING_FW_EXCEPTIONS

class-map type inspect match-any Inside->Outside-Comcast-Class

match protocol http

match protocol https

match protocol dns

match protocol icmp

match class-map Outgoing-Mail-Class

policy-map type inspect Outside-Frontier->Inside-Policy

class type inspect Incoming-FW-Exceptions-Class

pass

class class-default

drop

policy-map type inspect Inside->Outside-Comcast-Policy

class type inspect Inside->Outside-Comcast-Class

inspect

class class-default

drop

policy-map type inspect Inside->Outside-Frontier-Policy

class type inspect Outgoing-FW-Exceptions-Class

pass

class class-default

drop

zone security Inside

zone security Outside-Comcast

zone security Outside-Frontier

zone-pair security Inside->Outside-Frontier source Inside destination Outside-Frontier

service-policy type inspect Inside->Outside-Frontier-Policy

zone-pair security Inside->Outside-Comcast source Inside destination Outside-Comcast

service-policy type inspect Inside->Outside-Comcast-Policy

zone-pair security Outside-Frontier->Inside source Outside-Frontier destination Inside

service-policy type inspect Outside-Frontier->Inside-Policy

interface Loopback0

ip address 192.168.1.1 255.255.255.255

interface Embedded-Service-Engine0/0

no ip address

shutdown

interface GigabitEthernet0/0

description WAN interface (Comcast cable) for data

ip address x.x.x.x x.x.x.x

zone-member security Outside-Comcast

shutdown

duplex auto

speed auto

interface GigabitEthernet0/1

description WAN interface (Frontier DSL) for voice interface

ip address x.x.x.x x.x.x.x

ip nat outside

ip virtual-reassembly in

zone-member security Outside-Frontier

duplex auto

speed auto

interface GigabitEthernet0/2

description Link to 3560 switch

ip address 10.10.1.1 255.255.255.252

ip nat inside

ip virtual-reassembly in

zone-member security Inside

duplex auto

speed auto

no ip http server

ip http authentication local

ip http secure-server

ip nat pool dsl-nat x.x.x.xx.x.x.xnetmask x.x.x.x

ip nat inside source list DSL_NAT_ACL pool dsl-nat overload

ip nat inside source static tcp 10.10.10.25 5060 x.x.x.x5060 extendable

ip nat inside source static udp 10.10.10.25 5060 x.x.x.x5060 extendable

ip nat inside source static tcp 10.10.10.25 5090 x.x.x.x5090 extendable

ip nat inside source static udp 10.10.10.25 5090 x.x.x.x5090 extendable

ip nat inside source static tcp 10.10.10.25 5901 x.x.x.x5901 extendable

ip nat inside source static udp 10.10.10.25 9000 x.x.x.x9000 extendable

ip nat inside source static udp 10.10.10.25 9001 x.x.x.x9001 extendable

ip nat inside source static udp 10.10.10.25 9002 x.x.x.x9002 extendable

ip nat inside source static udp 10.10.10.25 9003 x.x.x.x9003 extendable

ip nat inside source static udp 10.10.10.25 9004 x.x.x.x9004 extendable

ip nat inside source static udp 10.10.10.25 9005 x.x.x.x9005 extendable

ip nat inside source static udp 10.10.10.25 9006 x.x.x.x9006 extendable

ip nat inside source static udp 10.10.10.25 9007 x.x.x.x9007 extendable

ip nat inside source static udp 10.10.10.25 9008 x.x.x.x9008 extendable

ip nat inside source static udp 10.10.10.25 9009 x.x.x.x9009 extendable

ip nat inside source static udp 10.10.10.25 9010 x.x.x.x9010 extendable

ip nat inside source static udp 10.10.10.25 9011 x.x.x.x9011 extendable

ip nat inside source static udp 10.10.10.25 9012 x.x.x.x9012 extendable

ip nat inside source static udp 10.10.10.25 9013 x.x.x.x9013 extendable

ip nat inside source static udp 10.10.10.25 9014 x.x.x.x9014 extendable

ip nat inside source static udp 10.10.10.25 9015 x.x.x.x9015 extendable

ip nat inside source static udp 10.10.10.25 9016 x.x.x.x9016 extendable

ip nat inside source static udp 10.10.10.25 9017 x.x.x.x9017 extendable

ip nat inside source static udp 10.10.10.25 9018 x.x.x.x9018 extendable

ip nat inside source static udp 10.10.10.25 9019 x.x.x.x9019 extendable

ip nat inside source static udp 10.10.10.25 9020 x.x.x.x9020 extendable

ip nat inside source static udp 10.10.10.25 9021 x.x.x.x9021 extendable

ip nat inside source static udp 10.10.10.25 9022 x.x.x.x9022 extendable

ip nat inside source static udp 10.10.10.25 9023 x.x.x.x9023 extendable

ip nat inside source static udp 10.10.10.25 9024 x.x.x.x9024 extendable

ip nat inside source static udp 10.10.10.25 9025 x.x.x.x9025 extendable

ip nat inside source static udp 10.10.10.25 9026 x.x.x.x9026 extendable

ip nat inside source static udp 10.10.10.25 9027 x.x.x.x9027 extendable

ip nat inside source static udp 10.10.10.25 9028 x.x.x.x9028 extendable

ip nat inside source static udp 10.10.10.25 9029 x.x.x.x9029 extendable

ip nat inside source static udp 10.10.10.25 9030 x.x.x.x9030 extendable

ip nat inside source static udp 10.10.10.25 9031 x.x.x.x9031 extendable

ip nat inside source static udp 10.10.10.25 9032 x.x.x.x9032 extendable

ip nat inside source static udp 10.10.10.25 9033 x.x.x.x9033 extendable

ip nat inside source static udp 10.10.10.25 9034 x.x.x.x9034 extendable

ip nat inside source static udp 10.10.10.25 9035 x.x.x.x9035 extendable

ip nat inside source static udp 10.10.10.25 9036 x.x.x.x9036 extendable

ip nat inside source static udp 10.10.10.25 9037 x.x.x.x9037 extendable

ip nat inside source static udp 10.10.10.25 9038 x.x.x.x9038 extendable

ip nat inside source static udp 10.10.10.25 9039 x.x.x.x9039 extendable

ip nat inside source static udp 10.10.10.25 9040 x.x.x.x9040 extendable

ip nat inside source static udp 10.10.10.25 9041 x.x.x.x9041 extendable

ip nat inside source static udp 10.10.10.25 9042 x.x.x.x9042 extendable

ip nat inside source static udp 10.10.10.25 9043 x.x.x.x9043 extendable

ip nat inside source static udp 10.10.10.25 9044 x.x.x.x9044 extendable

ip nat inside source static udp 10.10.10.25 9045 x.x.x.x9045 extendable

ip nat inside source static udp 10.10.10.25 9046 x.x.x.x9046 extendable

ip nat inside source static udp 10.10.10.25 9047 x.x.x.x9047 extendable

ip nat inside source static udp 10.10.10.25 9048 x.x.x.x9048 extendable

ip nat inside source static udp 10.10.10.25 9049 x.x.x.x9049 extendable

ip route 10.10.0.0 255.255.0.0 10.10.1.2

ip route 0.0.0.0 0.0.0.0 x.x.x.x

ip access-list standard DSL_NAT_ACL

remark Perform PAT from inside to the DSL interface

permit 10.10.0.0 0.0.255.255

ip access-list extended INCOMING_FW_EXCEPTIONS

remark Allow SIP and RTP from from any source to any destination

permit tcp any any eq 5060

permit udp any any eq 5060

permit udp any any eq 9000

permit udp any any eq 9001

permit udp any any eq 9002

permit udp any any eq 9003

permit udp any any eq 9004

permit udp any any eq 9005

permit udp any any eq 9006

permit udp any any eq 9007

permit udp any any eq 9008

permit udp any any eq 9009

permit udp any any eq 9010

permit udp any any eq 9011

permit udp any any eq 9012

permit udp any any eq 9013

permit udp any any eq 9014

permit udp any any eq 9015

permit udp any any eq 9016

permit udp any any eq 9017

permit udp any any eq 9018

permit udp any any eq 9019

permit udp any any eq 9020

permit udp any any eq 9021

permit udp any any eq 9022

permit udp any any eq 9023

permit udp any any eq 9024

permit udp any any eq 9025

permit udp any any eq 9026

permit udp any any eq 9027

permit udp any any eq 9028

permit udp any any eq 9029

permit udp any any eq 9030

permit udp any any eq 9031

permit udp any any eq 9032

permit udp any any eq 9033

permit udp any any eq 9034

permit udp any any eq 9035

permit udp any any eq 9036

permit udp any any eq 9037

permit udp any any eq 9038

permit udp any any eq 9039

permit udp any any eq 9040

permit udp any any eq 9041

permit udp any any eq 9042

permit udp any any eq 9043

permit udp any any eq 9044

permit udp any any eq 9045

permit udp any any eq 9046

permit udp any any eq 9047

permit udp any any eq 9048

permit udp any any eq 9049

ip access-list extended OUTGOING_FW_EXCEPTIONS

remark Allow all outgoing IP traffic

permit ip any any

ip access-list extended OUTGOING_MAIL

remark Allow any internal host to send outgoing mail over TCP 8889

permit tcp any eq 8889 any

control-plane

end

3CX IP PBX port settings

3CX firewall checker

Hi. Try to add the following

Andre Neethling — Sun, 25 Jan 2015 10:05:26 GMT

Hi. Try to add the following to your "Outgoing-FW-Exceptions-Class" class map

match protocol skinny

match protocol sip (or sip-tls)

Hi,

paddi1972 — Mon, 25 Apr 2016 11:19:00 GMT

Hi,

i know this is an old thread but just wondering how you resolved this austin , having the same issues here

Paddi

Hi,

Austin Rivet — Mon, 25 Apr 2016 23:39:25 GMT

Hi,

I did end up figuring this out, though we no longer use this phone system... hopefully I can help you out anyway.

There were a few issues specific to my deployment / environment:

1. ZBF was blocking outgoing UDP traffic from my PBX

2. ZBF was blocking incoming RTP traffic from my VoIP provider

Starting with issue one, my PBX seemed to be sending traffic on random UDP ports, so ZBF was blocking the outgoing traffic from my PBX. I created a rule allowing any UDP traffic from my PBX to any external address. Once I did this calls started coming through. However, I was having one-way audio issues. This brings me to issue number two.

Some VoIP providers have media proxies (used for RTP traffic) that you can whitelist the IP. Other VoIP providers do not, so there is no way to whitelist RTP traffic from specific IPs. In my case, the VoIP provider was not using media proxies, so there was no way to permit RTP from only specific IPs. Once I allowed RTP traffic from any external IP to my PBX I started getting audio both ways, and the firewall checker passed.

So in summary, what worked for me:

-Allow all outbound UDP traffic from my PBX to any external address

-Allow inbound RTP from any external to my PBX.

My recommendation to you is to do the following:

Lock down SIP - if at all possible, only allow SIP from the IP address(es) of your VoIP provider. Leaving SIP open to anyone on the Internet is a sure way for your system to be compromised.
Adjust your RTP rules per your VoIP provider's documentation - if they have media gateway's/proxies, then only allow RTP from the IP of those proxies/gateway's. If they do not have media gateway's/proxies or you have external VoIP extensions, then you will need to open up RTP to your PBX from any external IP.
Allow UDP from your PBX to any external - I don't necessarily recommend this, but if you are having trouble even after adjusting your SIP and RTP rules then you might need to look at the traffic coming from your PBX to see if it is sending UDP traffic on random or unusual ports that is being blocked by ZBF. Wireshark might be useful here.

Below is a sample config that might be a good starting place for you.

# ZBF Config

zone security Inside
zone security Outside-Frontier
!
ip access-list extended INCOMING_FW_EXCEPTIONS
remark Pass (without inspection) any traffic defined in this ACL from the outside to the inside
permit tcp host xx.xx.xx.xx host 10.10.10.25 eq 5060
permit udp host xx.xx.xx.xx host 10.10.10.25 eq 5060
permit udp any host 10.10.10.25 range 9000 9049
exit
!
ip access-list extended OUTGOING_FW_EXCEPTIONS
remark Pass (without inspection) any traffic defined in this ACL from the inside to the outside
permit tcp any host xx.xx.xx.xx
permit udp any host xx.xx.xx.xx
permit udp host 10.10.10.25 any
exit
!
class-map type inspect match-any Inside->Outside-Frontier-Class
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ssh
match protocol pop3
match protocol pop3s
exit
class-map type inspect match-any Outgoing-FW-Exceptions-Class
match access-group name OUTGOING_FW_EXCEPTIONS
exit
class-map type inspect match-any Incoming-FW-Exceptions-Class
match access-group name INCOMING_FW_EXCEPTIONS
exit
!
policy-map type inspect Inside->Outside-Frontier-Policy
class type inspect Inside->Outside-Frontier-Class
inspect
exit
class type inspect Outgoing-FW-Exceptions-Class
pass
exit

exit
policy-map type inspect Outside-Frontier->Inside-Policy
class type inspect Incoming-FW-Exceptions-Class
no drop
pass
exit
!
zone-pair security Inside->Outside-Frontier source Inside destination Outside-Frontier
service-policy type inspect Inside->Outside-Frontier-Policy
exit
zone-pair security Outside-Frontier->Inside source Outside-Frontier destination Inside
service-policy type inspect Outside-Frontier->Inside-Policy
exit
!
interface g0/1
zone-member security Outside-Frontier
interface g0/2
zone-member security Inside
exit
!