Zone-based firewall ISR4331, SIP traffic

leam2
Level 1

Hello,
I have set up a zone-based firewall on an ISR4331.

With that zone-based firewall and "debug ccsip message" activated, I observe a lot of "SIP/2.0 488 Not Acceptable Media" or "SIP/2.0 403 Forbidden" messages.

If I add the following configuration:

object-group network IP_SIP_TRUNK_PROVIDER 
 A.B.W.0 255.255.255.0
 A.B.X.0 255.255.255.0
 A.B.Y.0 255.255.255.0
 A.B.Z.0 255.255.255.0

ip access-list extended ACL_TEST
  permit udp object-group IP_SIP_TRUNK_PROVIDER any eq 5060
  permit udp object-group IP_SIP_TRUNK_PROVIDER any eq 8060
  permit udp object-group IP_SIP_TRUNK_PROVIDER any range 35000 64999
  deny   udp any any eq 5060 log
  permit tcp any any
  permit udp any any
  exit

interface Dialer0
  ip access-group ACL_TEST in
  exit

I get rid of all the attempts.

In the logs I can see log lines like:

Sep  3 18:26:34.404 CET: [...] :  list ACL_TEST denied udp 188.165.193.179(50750) -> L.N.M.O(5060), 1 packet

Obviously the zone-based firewall I configured is ill-configured.

How can I fix this?

Best regards.

5 Replies

Dennis Mink
VIP Alumni

is there a reason why you only allow udp/5060 and not tcp/5060?

Please remember to rate useful posts, by clicking on the stars below.

Hello.

Only UDP, because that's all the SIP trunk provider was asking for.
This guy has some arguments:
"In short, VoIP traffic is best left as UDP traffic for both server load and call quality reasons."

Source: https://www.onsip.com/blog/sip-via-udp-vs-tcp

But how does this relate to my issue?
It's "more blocking" and "less allowing" that I need in the zone-based firewall...
BR.

Yes, RTP is UDP; I see no need for TCP on that front. Looking at the log entry, your ACL denies UDP to port 5060. Are you allowing that 188. IP address in your object group? Is this expected traffic?

Cheers

Hello,

> looking at the log entry, your acl denies UDP to port 5060.
> are you allowing that 188. IP address in your object group?  

No, I am not allowing that "188." IP address in my object group.
In my object group are only my SIP provider's IP address ranges.

> is this expected traffic?

No, this is not expected traffic.
To me, this ACL is doing a good job.
But my zone-based firewall doesn't do this job.

What I don't know is how to "inject" this ACL in my zone-based firewall.
I would like to get rid of this ACL and fix my zone-based firewall.

BR.

@Dennis Mink

Actually, you were right to ask the question, I also received undesired TCP SIP messages.

So I added the rule "deny tcp any any eq 5060 log" after the rule "deny udp any any eq 5060 log" in the "ACL_TEST" access list.

Still, I don't know how to "inject" the ACL rules into the zone-based firewall so that I can get rid of the ACL "ACL_TEST"...

Best regards.
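The thread never shows how the ACL_TEST logic (the opening post, plus the TCP 5060 deny added in the last reply) is expressed inside the zone-based firewall itself, so here is an added example that is not part of the thread and not the poster's configuration. It keeps the object-group and port numbers from the thread; the zone name OUTSIDE, the ACL, class-map and policy-map names, and the choice of `pass` rather than `inspect` for the provider's traffic are all assumptions. The policy mirrors the ACL's semantics exactly: provider SIP and media are let through, SIP to port 5060 from anyone else is dropped and logged, and everything else is left as it was (class-default passes, like the trailing `permit tcp any any` / `permit udp any any`).

```cisco
! Added example, not the thread's own configuration.
! Assumed names: zone OUTSIDE, ACL_SIP_FROM_PROVIDER, ACL_SIP_ANY,
! CM_SIP_FROM_PROVIDER, CM_SIP_SCANNERS, PM_OUTSIDE_TO_SELF, OUTSIDE-TO-SELF.

object-group network IP_SIP_TRUNK_PROVIDER
 A.B.W.0 255.255.255.0
 A.B.X.0 255.255.255.0
 A.B.Y.0 255.255.255.0
 A.B.Z.0 255.255.255.0

! Only the provider's signalling (5060/8060) and media range.
! The implicit deny at the end of this ACL means anything else simply
! does not match this class and falls through to the next one.
ip access-list extended ACL_SIP_FROM_PROVIDER
 permit udp object-group IP_SIP_TRUNK_PROVIDER any eq 5060
 permit udp object-group IP_SIP_TRUNK_PROVIDER any eq 8060
 permit udp object-group IP_SIP_TRUNK_PROVIDER any range 35000 64999

! SIP signalling from anyone at all (UDP and TCP, per the last reply);
! because the provider class is evaluated first, only non-provider
! sources ever reach this class.
ip access-list extended ACL_SIP_ANY
 permit udp any any eq 5060
 permit tcp any any eq 5060

class-map type inspect match-any CM_SIP_FROM_PROVIDER
 match access-group name ACL_SIP_FROM_PROVIDER

class-map type inspect match-any CM_SIP_SCANNERS
 match access-group name ACL_SIP_ANY

! Class order is the ACL order: provider first, then drop-and-log,
! then leave the rest alone (class-default pass = the ACL's trailing
! permit tcp any any / permit udp any any). Assumption: nothing in the
! poster's existing self-zone policy is being replaced here.
policy-map type inspect PM_OUTSIDE_TO_SELF
 class type inspect CM_SIP_FROM_PROVIDER
  pass
 class type inspect CM_SIP_SCANNERS
  drop log
 class class-default
  pass

zone security OUTSIDE

interface Dialer0
 zone-member security OUTSIDE

! Traffic arriving on Dialer0 and terminating on the router itself
! (the self zone) is what the SIP stack sees, so the policy goes on the
! OUTSIDE -> self zone-pair, not on an interface ACL.
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM_OUTSIDE_TO_SELF
```

Two points worth checking on a real box. First, `pass` is stateless; it is used here because it reproduces the ACL one-for-one and does not depend on SIP ALG support towards the self zone, which varies by release. Replacing it with `inspect` together with `match protocol sip` engages the SIP ALG and requires confirming, for the IOS-XE version in use, that inspection to the self zone is supported for SIP. Second, once a zone-pair involving the self zone exists, whatever the policy-map does not explicitly handle is governed by class-default, so keep class-default at `pass` (as above) unless every other flow the router originates or terminates on Dialer0 (the dialer/PPP control traffic, DNS, NTP, management) has its own class. After applying it, `show policy-map type inspect zone-pair OUTSIDE-TO-SELF` shows per-class packet counters, so a scanner's attempts should appear under CM_SIP_SCANNERS while the provider's traffic counts under CM_SIP_FROM_PROVIDER, and the interface ACL can then be removed from Dialer0.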
