ZBFW and SIP problems

glebpe185 — Tue, 12 Mar 2019 02:07:14 GMT

Hi GUYS,

Please help me..

I have experiencing problems with SIP phones behind firewall running on CIsco 887 VA-M.

I got these messages :

5 02:43:37.439: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Mandatory header field missing) - dropping udp session 192.168.33.120:5061 203.111.37.20:5060 on zone-pair in-out-zone class cmap-in-out-base

Jul 5 02:43:40.035: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Mandatory header field missing) - dropping udp session 192.168.33.117:5060 203.111.37.20:5060 on zone-pair in-out-zone class cmap-in-out-base

I have downgraded software to 151-4.M6 and greated the policy to skip those checkings but no any improvements

My config is

boot-start-marker

boot system flash:c880data-universalk9-mz.151-4.M6.bin

boot-end-marker

no aaa new-model

memory-size iomem 10

crypto pki token default removal timeout 0

ip source-route

ip dhcp excluded-address 192.168.33.1 192.168.33.99

ip dhcp excluded-address 192.168.33.150 192.168.33.254

ip dhcp pool 1

network 192.168.33.0 255.255.255.0

default-router 192.168.33.1

dns-server 8.8.8.8

ip dhcp pool `

ip cef

ip domain name ues

ip name-server 8.8.8.8

no ipv6 cef

license udi pid CISCO887VA-M-K9 sn FGL171725DT

controller VDSL 0

class-map type inspect match-all cmap-manage

match access-group 23

class-map type inspect match-any cmap-in-out-ALL_allowed

match access-group 150

class-map type inspect match-any cmap-in-out-base

match protocol https

match protocol http

match protocol dns

match protocol ftp

match protocol pop3

match protocol citrix

match protocol citriximaclient

match protocol icmp

match protocol smtp

match protocol pptp

match protocol gopher

match protocol sip

match protocol h323

match protocol sip-tls

policy-map type inspect allow_all

class type inspect cmap-in-out-ALL_allowed

pass

class class-default

drop

policy-map type inspect pmap-out-in-manage

class type inspect cmap-manage

pass

class class-default

drop

policy-map type inspect pmap-in-out

class type inspect cmap-in-out-base

inspect

class type inspect cmap-in-out-ALL_allowed

pass

class class-default

drop

zone security in

zone security out

zone-pair security in-out-zone source in destination out

service-policy type inspect pmap-in-out

zone-pair security out-self-zone source out destination self

service-policy type inspect pmap-out-in-manage

zone-pair security out-in-zone source out destination in

service-policy type inspect allow_all

interface Ethernet0

no ip address

shutdown

no fair-queue

interface ATM0

no ip address

no ip route-cache

load-interval 30

no atm ilmi-keepalive

pvc 8/35

encapsulation aal5mux ppp dialer

dialer pool-member 1

interface FastEthernet0

switchport access vlan 100

no ip address

interface FastEthernet1

switchport access vlan 100

no ip address

interface FastEthernet2

switchport access vlan 100

no ip address

interface FastEthernet3

switchport access vlan 100

no ip address

interface Vlan1

no ip address

interface Vlan100

ip address 192.168.33.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in

interface Dialer0

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

ip flow ingress

ip nat outside

ip virtual-reassembly in

zone-member security out

encapsulation ppp

ip tcp adjust-mss 1350

dialer pool 1

ppp authentication chap pap callin

ppp chap hostname

ppp chap password 0 673569

ppp pap sent-username

no cdp enable

ip forward-protocol nd

no ip http server

no ip http secure-server

ip nat inside source list FOR_NAT interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

ip access-list extended FOR_NAT

permit ip 192.168.33.0 0.0.0.255 any

ip access-list extended KILL-TFTP

deny udp any eq tftp any

permit ip any any

access-list 150 permit ip any any

access-list 150 remark TEMP

line con 0

no modem enable

line aux 0

line vty 0 4

transport input ssh

end

Thanks a lot!

Re: ZBFW and SIP problems

Andrew Phirsov — Fri, 05 Jul 2013 05:28:05 GMT

Try to do disable inspection of protocol-violation for sip, using this config:

class-map type inspect sip SIP_VIOLATION_CLASS

match protocol-violation

policy-map type inspect sip SIP_VIOLATION_POLICY

class type inspect sip SIP_VIOLATION_CLASS

allow

policy-map type inspect pmap-in-out

class type inspect cmap-in-out-base

inspect

service-policy sip SIP_VIOLATION_POLICY

Re: ZBFW and SIP problems

glebpe185 — Fri, 05 Jul 2013 06:56:52 GMT

Thanks Andrew - unfortunately cannot to try it now we have desided to turn inspection off and it works fine now for SIP phones.

topic Re: ZBFW and SIP problems in Network Security

ZBFW and SIP problems

Re: ZBFW and SIP problems

Re: ZBFW and SIP problems