topic ZBF Problems with IP Phone in Network Security

ZBF Problems with IP Phone

William Pearson — Tue, 12 Mar 2019 03:35:54 GMT

I am using a Cisco 2821 with IOS 12.4(22)YB8. I have a pretty simple ZBF setup. All TCP, UDP, and ICMP from the internal LAN is inspected to the Internet. My problem is with my IP phone, which connects to an Asterisk Server on the Internet. I can call out, but the call will drop everytime after about 10 minutes. Also, incoming calls do not work. If I disable the ZBF, everything works fine. Calls do not drop, and incoming calls work fine. Anyone have any ideas? Here is a scrubbed config to the relevants parts.

class-map type inspect match-any CLASS_IN_OUT
match protocol icmp
match protocol tcp
match protocol udp

policy-map type inspect POLICY_IN_OUT

class type inspect CLASS_IN_OUT

inspect

class class-default

drop

policy-map type inspect POLICY_OUT_IN

class class-default

drop

zone security INSIDE

zone security OUTSIDE

zone-pair security ZONE_PAIR_IN_OUT source INSIDE destination OUTSIDE

service-policy type inspect POLICY_IN_OUT

zone-pair security ZONE_PAIR_OUT_IN source OUTSIDE destination INSIDE

service-policy type inspect POLICY_OUT_IN

interface GigabitEthernet0/0

description WAN Interface

bandwidth 20000

ip address dhcp

ip nat outside

ip virtual-reassembly

zone-member security OUTSIDE

duplex auto

speed auto

interface GigabitEthernet0/1

description LAN Interface

ip address 192.168.1.1 255.255.255.128

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly

zone-member security INSIDE

duplex auto

speed auto

ip nat inside source list NATHOST interface GigabitEthernet0/0 overload

ip access-list standard NATHOST

permit 192.168.1.0 0.0.0.127

ZBF Problems with IP Phone

jshojayi — Thu, 06 Feb 2014 08:19:53 GMT

I'm not a voice expert, but I do inspect the traffic going from the outside zone to the inside when using ZBF. ZBF is application aware. This probably doesn't answer the reason it times out after 10 minutes. But when you say incoming calls don't work on an iphone, but do when you disable the ZBF, this could be a reason. Let me know if you try this and if it works for you.

Thank you.

Joe

ZBF Problems with IP Phone

William Pearson — Fri, 07 Feb 2014 14:12:21 GMT

I seem to have fixed the problem. My phone registers to the phone server on port 5060. So I did this.

ip access-list extended VOIP

permit udp host X.X.X.X any eq 5060

class-map type inspect match-any VOIP

match access-group name VOIP

policy-map type inspect POLICY_OUT_IN

class type inspect VOIP

pass

class class-default

drop

So after passing UDP 5060 from the phone server to the inside, I was able to receive incoming calls and I have not had any further drops. From the way I understand this phone works, you typically don't have to open up anything from the outside. It works from the inside out, opening a connection with the phone server when it boots. All I can figure is the ZBF has some kind of security timeout on those connections after a period of ten minutes or so. So the phone was opening a connection with the server, but the firewall was closing the connection after ten minutes.