topic ZBFW with SIP in Network Security

ZBFW with SIP

Keith McElroy — Tue, 12 Mar 2019 00:51:50 GMT

Hope this is the right spot for this. I am running an 891W with a ZBFW setup as the CPE, software c890-universalk9-mz.150-1.M4.bin. The issue I am working with is we are using a hosted platform for SIP and trying to register a phone through the SBC. I control the ISP side, this is a test with a customer that we have access to the CPE on. The phone registers fine, I can see the SIP pinhole being made and packets flowing. The problem seems to be when the SBC relays the 401 unauthorized to challenge the authentication, it never gets through the firewall. When we checked with a sniffer, we see the packet going out the SBC and the port matches the pinhole on the firewall including the port info, but no packets ever get to the phone. Does anyone know why this would happen?

Also, the phone is sending out PRACK messages, but they never are seen on the SBC side, it seems like they are not flowing through for some reason.

ZBFW with SIP

Julio Carvajal — Thu, 24 Jan 2013 17:43:49 GMT

Hello,

Can you check what you have configured for this,

Also enable the logs,

ip inspect log drop-pkt

try to register and do

show logging | include x.x.x.x ( Call manager or host where the phones will register)

Regards

ZBFW with SIP

Keith McElroy — Thu, 24 Jan 2013 19:58:05 GMT

Well, I found the work around. I found the errors for invalid SIP headers, so I ran the "match protocol-violation" bypass and it seems to work. Sort of worries me that there is a problem in the SIP header, but I don't think there is much I can change since it is Polycom phones going to a Broadsoft platform.

ZBFW with SIP

Julio Carvajal — Thu, 24 Jan 2013 20:21:28 GMT

Hello Keith,

Thanks for the explanation.

Would you mind to show the community the exact commands you run so we can learn from you .

Also please mark the question as answered so future users can learn from this,

5 stars for you

ZBFW with SIP

Keith McElroy — Thu, 24 Jan 2013 20:43:00 GMT

class-map type inspect sip match-any SIP

match protocol-violation

class-map type inspect match-any SIP1

match protocol sip

policy-map type inspect Out

class type inspect SIP1

inspect

service-policy sip SIP1

There is the basic config I tossed into my outbound policy along with my other config to allow other traffic for users. I am still confused why Polycom has a header failure, but I will have to see if that is something we can have fixed.

ZBFW with SIP

Julio Carvajal — Thu, 24 Jan 2013 20:49:15 GMT

Hello Keith,

Exactly, great to have that info,

Thanks.