https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974951#M440119 <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; We have a Mitell Border Gateway in our DMZ configured to accept teleworker connections.&nbsp; I have it all configured, but I get one way com errors on the Mitel border gateway when i try to place a call to a teleworker(phone set up outside the firewall).&nbsp; The teleworker phone cannot hear audio from the internal phone. I was told by vendor all ports need to be open to the border gateway for it to function.&nbsp; It seems that for some reason tcp traffic headed from the dmz to the outside are beng blocked and I dont know why. Should tha traffice be allowed by default?&nbsp; What rule do I need to allow any traffic coming from my MGB IP to use any port to talk to any device on the outside network.&nbsp; I already have a rule allowing all IP traffic in through the nat'd address fo the MBG.</P> Mon, 11 Mar 2019 23:25:29 GMT jasongring 2019-03-11T23:25:29Z https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974951#M440119 <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; We have a Mitell Border Gateway in our DMZ configured to accept teleworker connections.&nbsp; I have it all configured, but I get one way com errors on the Mitel border gateway when i try to place a call to a teleworker(phone set up outside the firewall).&nbsp; The teleworker phone cannot hear audio from the internal phone. I was told by vendor all ports need to be open to the border gateway for it to function.&nbsp; It seems that for some reason tcp traffic headed from the dmz to the outside are beng blocked and I dont know why. Should tha traffice be allowed by default?&nbsp; What rule do I need to allow any traffic coming from my MGB IP to use any port to talk to any device on the outside network.&nbsp; I already have a rule allowing all IP traffic in through the nat'd address fo the MBG.</P> Mon, 11 Mar 2019 23:25:29 GMT https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974951#M440119 jasongring 2019-03-11T23:25:29Z https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974952#M440120 <HTML><HEAD></HEAD><BODY><P> Hi Jason,</P><P></P><P> I already have a rule allowing all IP traffic in through the nat'd address fo the MBG : This rule only allows Internet users to be able to reach MBG.</P><P></P><P>In order for the MBG to go to internet, you may need to create additional access list and apply to DMZ interface.</P><P></P><P>For this, first you need to block the communication from MBG to internal network (for security purposes). </P><P></P><P>Ex: your inside network 192.168.10.0 255.255.255.0</P><P></P><P>!</P><P>access-list DMZ2IN deny ip host <MBG ip=""> 192.1168.10.0 255.255.255.255 </MBG></P><P>access-list DMZ2IN permit ip host <MBG ip=""> any </MBG></P><P>!</P><P>access-group DMZ2IN in interface <NAME of="" your="" dmz="" interface=""></NAME></P><P>!</P><P>If you do not have static NAT for MBG with public IP, you need to add nat(dmz) 1 0 0 as well.</P><P></P><P>Try this and post the results.</P><P></P><P>hth</P><P>MS</P></BODY></HTML> Mon, 02 Jul 2012 20:47:59 GMT https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974952#M440120 mvsheik123 2012-07-02T20:47:59Z https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974953#M440121 <HTML><HEAD></HEAD><BODY><P>The Mitel set up is as this:&nbsp; Teleworker user in remote office with phone plugged into their local internet connection.&nbsp; That phone is programmed to find a Mitel device at a certain routable IP. That IP is the outside nat'd IP of the Mitel Border gateway that sits in our DMZ.&nbsp; That MBG also has to speak to the PBX ( in this case a Mitel 3300) that resides on out internal LAN. Mitel says that we need to the MBG is a firewall and it needs complete access both inside and outside.&nbsp; So adding more security to its ability to get inside to talk to the PBX won't be helpful. If I set up a test "teleworker" in the DMZ it works fine so I know the one way communication is caused by outbound TCP traffice getting blocked from going outside which doesnt make sense to me since any traffice headed to a lesser security network should be allowed by default, correct?</P></BODY></HTML> Mon, 02 Jul 2012 20:55:59 GMT https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974953#M440121 jasongring 2012-07-02T20:55:59Z https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974954#M440122 <HTML><HEAD></HEAD><BODY><P>Hi Jason,</P><P></P><P>Vendors can say whatever they want but this is the more recomended way to set this up. We looked into similar setup (from Avaya) few minths bacl and&nbsp; worked with no issues in test environment.</P><P></P><P>Yes.. I agree MBG definitely need to communicated with your PBX. You need to open only required ports to PBX IPs.</P><P></P><P>access-list DMZ2IN&nbsp; permit tcp/udp host <MBG ip="">&nbsp; <PBXIP> eq <PORT></PORT></PBXIP></MBG></P><P>access-list DMZ2IN deny ip host <MBG ip=""> 192.1168.10.0 255.255.255.255 </MBG></P><P>access-list DMZ2IN permit ip host <MBG ip=""> any </MBG></P><P>!</P><P></P><P>It is up to you on how you want to proceed but I prefer ASA to handle the security than a PC with some software.</P><P></P><P>hth</P><P>MS</P></BODY></HTML> Mon, 02 Jul 2012 21:04:38 GMT https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974954#M440122 mvsheik123 2012-07-02T21:04:38Z https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974955#M440123 <HTML><HEAD></HEAD><BODY><P>MS,</P><P></P><P>This is pretty much how it is set up...&nbsp; Yet Im still gettting one way com error on the ip phone and when i do test calls i cant seem to trap why they packets are not going outbound from the MBG to the outside. The tcp/udp traceroute on the mbg do come back as a success which makes it a bit more strange.</P><P></P><P>access-list DMZ_access_in line 1 extended permit ip host 172.16.1.2 any (hitcnt=3) 0x822c652c</P><P>access-list DMZ_access_in line 2 extended permit object-group DM_INLINE_PROTOCOL_1 host 172.16.1.2 host 172.16.1.100 eq domain log debugging interval 300 0xddcbe2a8</P><P>&nbsp; access-list DMZ_access_in line 2 extended permit udp host 172.16.1.2 host 172.16.1.100 eq domain log debugging interval 300 (hitcnt=1280) 0x0b8733f2</P><P>access-list DMZ_access_in line 4 extended permit ip host 172.16.1.2 VOIP 255.255.255.0 log debugging interval 300 (hitcnt=13418) 0x9078b3a9</P><P>access-list DMZ_access_in line 5 extended permit ip any any log debugging interval 300 (hitcnt=682664) 0xc651a8ad</P></BODY></HTML> Mon, 02 Jul 2012 21:26:37 GMT https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974955#M440123 jasongring 2012-07-02T21:26:37Z https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974956#M440124 <HTML><HEAD></HEAD><BODY><P>Hello Jason,</P><P></P><P>Hope you are doing great <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>We can see hitcounts from the MBG to the PBX.</P><P></P><P>Now the teleworker is the one that is going to contact the MBG so the ASA is going to build on all of its table a connection for that communication, the ASA should be able to let the reply packets to go out.</P><P></P><P>I would like to see the running configuration ( Please remove the private info such as Ips, passwords,etc)</P><P></P><P>I would like to see the access-list on the outside, the nat statements and the inspections you have on your firewall.</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Tue, 03 Jul 2012 03:12:40 GMT https://community.cisco.com/t5/network-security/help-with-firewall-voip-issue/m-p/1974956#M440124 Julio Carvajal 2012-07-03T03:12:40Z