topic IOS ZBF - VoIP Traffic in Network Security

IOS ZBF - VoIP Traffic

PauloHirakawa — Tue, 12 Mar 2019 01:06:15 GMT

Hello,

I'm implementing a project where will have a DMVPN in a hub-spoke topology with ZBF on spoke ISR G2 routers. The CUCM will be in Data Center behind Hub Router.

I tried to configure ZBF in spoke routers allowing just signaling protocols to CUCM like sccp, mgcp, sip and h323 expecting that pinholes would be opened for RTP ports but it doesn't work. The source LAN RTP packet in spoke router was dropped and I needed to open the RTP UDP range ports to have VoIP comunication between two spoke sites.

Anyone have an experience with this kind of scenario or have any idea if this ZBF config should work in this implementation?

crypto keyring DMVPN

pre-shared-key address 0.0.0.0 0.0.0.0 key cisco@123

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 10

crypto ipsec security-association replay window-size 1024

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

mode transport

crypto ipsec profile DMVPN

set transform-set 3DES-SHA

class-map type inspect match-any VPN-PROT

match protocol ftp

match protocol tftp

match protocol skinny

match protocol sip

match protocol h323

match protocol mgcp

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all IN-VPN

match access-group name IN-VPN

class-map type inspect match-all IN-VPN-POLICY

match class-map VPN-PROT

match class-map IN-VPN

class-map type inspect match-all VPN-IN

match access-group name VPN-IN

class-map type inspect match-all VPN-IN-POLICY

match class-map VPN-PROT

match class-map VPN-IN

class-map type inspect match-any VOICE-PROT

match protocol skinny

match protocol sip

match protocol h323

match protocol mgcp

match protocol icmp

match protocol user-rtp

class-map type inspect match-all IN-VOICE

match access-group name IN-VOICE

class-map type inspect match-all IN-VOICE-POLICY

match class-map VOICE-PROT

match class-map IN-VOICE

class-map type inspect match-all VOICE-IN

match access-group name VOICE-IN

class-map type inspect match-all VOICE-IN-POLICY

match class-map VOICE-PROT

match class-map VOICE-IN

policy-map type inspect IN-VPN-POLICY

class type inspect IN-VOICE-POLICY

inspect

class type inspect IN-VPN-POLICY

inspect

class class-default

drop log

policy-map type inspect VPN-IN-POLICY

class type inspect VOICE-IN-POLICY

inspect

class type inspect VPN-IN-POLICY

inspect

class class-default

drop log

zone security INSIDE

zone security MPLS

zone-pair security IN-VPN source INSIDE destination MPLS

service-policy type inspect IN-VPN-POLICY

zone-pair security VPN-IN source MPLS destination INSIDE

service-policy type inspect VPN-IN-POLICY

interface Tunnel10

ip address 10.255.255.2 255.255.255.0

no ip redirects

ip mtu 1408

ip hold-time eigrp 1 35

no ip next-hop-self eigrp 1

ip nhrp authentication cisco

ip nhrp map multicast dynamic

ip nhrp map multicast 192.168.100.2

ip nhrp map 10.255.255.1 192.168.100.2

ip nhrp network-id 1

ip nhrp holdtime 300

ip nhrp nhs 10.255.255.1

ip nhrp registration no-unique

zone-member security MPLS

ip tcp adjust-mss 1368

no ip split-horizon eigrp 1

tunnel source 192.168.101.2

tunnel mode gre multipoint

tunnel key 1

tunnel path-mtu-discovery

tunnel protection ipsec profile DMVPN shared

interface FastEthernet0/0

ip address 192.168.101.2 255.255.255.252

zone-member security MPLS

speed 100

full-duplex

interface FastEthernet0/1

ip address 192.168.10.1 255.255.255.0

zone-member security INSIDE

duplex auto

speed auto

router eigrp 1

network 10.255.255.0 0.0.0.255

network 192.168.10.0

no auto-summary

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.101.1

no ip http server

no ip http secure-server

ip access-list extended IN-VOICE

permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255

ip access-list extended IN-VPN

permit ip 192.168.10.0 0.0.0.255 10.123.45.0 0.0.0.255

ip access-list extended VOICE-IN

permit ip 192.168.0.0 0.0.255.255 192.168.10.0 0.0.0.255

ip access-list extended VPN-IN

permit ip 10.123.45.0 0.0.0.255 192.168.10.0 0.0.0.255

IOS ZBF - VoIP Traffic

jocamare — Tue, 26 Feb 2013 21:31:38 GMT

Can you specify the signaling protocol and the IOS code version on the router?

Also, can you provide the logs you get from the ASA?

Make sure the "ip inspect log drop-pkt" is applied before getting'em.

IOS ZBF - VoIP Traffic

PauloHirakawa — Wed, 27 Feb 2013 13:05:27 GMT

The signaling protocol is skinny and the IOS version is 15.2(4)M2 with data, sec and uc license.

There is no ASA in topology, I have just made the tests with IOS zone based firewall in two spoke routers with IP phones in each LAN. The log message that appears in the router is a drop log of RTP packets on inside interface.

The signaling is ok, the phone rings on the other phone through VPN but when complete the call, there is no voice. Since the router is inspecting skinny, my thought was that the IOS ZBF would open dinamically the RTP ports.

phone1----IOS ZBF R1----VPN----HUB-ROUTER----CUCM----HUB-ROUTER----VPN----IOS ZBF R2----phone2----signaling ok

phone1----IOS ZBF R1----VPN----IOS ZBF R2----phone2---- RTP nok

IOS ZBF - VoIP Traffic

Henrik Grankvist — Wed, 27 Feb 2013 15:28:11 GMT

Can you add this to the class-map?

"match protocol rtp audio"

A while ago I had the same problem as you and I couldn't match RTP Audio on that router so i thought it wasn't possible. But later on another router I could do it...

IOS ZBF - VoIP Traffic

PauloHirakawa — Wed, 27 Feb 2013 16:44:41 GMT

Hi,

Since it's a class-map type inspect, I have no option to include rtp audio into class-map. I configure a port-map including the rtp range, but I think in this situation all these ports will be open on IOS ZBF. The idea was that IOS ZBF recognized the signaling protocol and opened the RTP ports dinamically.

IOS ZBF - VoIP Traffic

jocamare — Wed, 27 Feb 2013 18:26:21 GMT

Yeah, sorry about the ASA thing, i'm used to work with'em.

Can you provide the logs you get from the router?

IOS ZBF - VoIP Traffic

PauloHirakawa — Thu, 28 Feb 2013 13:34:10 GMT

I haven't saved this log, but it seems like this...

%Fg W-6-DROP_PKT: DroppinOther session 192.168.10.5:21388 192.168.20.5:19544 on zone-pair IN-VPN class class-default due to DROP action found in policy-map with ip ident 486

IOS ZBF - VoIP Traffic

jocamare — Fri, 01 Mar 2013 23:15:50 GMT

Try this:

class-map type inspect match-any VPN-PROT

match protocol rtsp

IOS ZBF - VoIP Traffic

PauloHirakawa — Mon, 04 Mar 2013 17:18:12 GMT

Thank you but it does not work. The problem is the same, RTSP Real Time Streaming Protocol does not work in RTP udp range 16384 - 32767 for voice communication that is being blocked by zone based firewall.

IOS ZBF - VoIP Traffic

jocamare — Mon, 04 Mar 2013 19:58:03 GMT

Ok, this is weird.

Let's try this:

class-map type inspect match-any VPN-PROT

match protocol ssp

Also, do you see any logs or information refering to this problem on the CUCM?

What are the phones and CUCM versions?

IOS ZBF - VoIP Traffic

PauloHirakawa — Mon, 04 Mar 2013 20:36:02 GMT

Nothing yet. CUCM is running 8.6.2 version.

The signaling through CUCM is ok, both phones register and rings when making the test calls, just the voice packets are dropped by ZBF.

When configuring a port-map with rtp in class-map it works normally.

ip port-map user-rtp port udp from 16384 to 32768

class-map type inspect match-any VOICE-PROT

match protocol user-rtp

IOS ZBF - VoIP Traffic

jocamare — Mon, 04 Mar 2013 22:01:04 GMT

Can you share the output of the " show policy-map type inspect IN-VPN-POLICY zone-pair sessions" while testing?

IOS ZBF - VoIP Traffic

PauloHirakawa — Wed, 06 Mar 2013 17:31:45 GMT

Sorry, the devices that I used to do the lab are not available anymore.

Thanks for your help, I'll post again when I do the implementation on the customer.