Cisco router zone based firewall

wayne loh
Level 1

Hi All,

Could anyone advise on configuring port-range port forwarding for the Cisco zone-based firewall? In fact I have a SIP trunk that requires a range of ports (16000-16511) to be forwarded to the internal PABX system.

Many thanks.

2 Replies

Dennis Mink
VIP Alumni

Wayne, typically RTP uses UDP on high ports 16384-32767; SIP and SIP-TLS use 5060 and 5061 respectively.

Cisco ASA can be configured to use SIP inspection, which means that the high ports do not have to be explicitly opened; the ASA opens them dynamically by inspecting the SIP signalling (at least that is the theory).

Please rate if useful


Hi,

This is a sample. In your ACLs you can specify the ports you are looking for. It seems that you are running non-standard SIP.

ip access-list extended IN-OUT
 permit ip object-group TRUSTED-SUNBETS object-group TRUSTED-SUNBETS
!
ip access-list extended OUT-IN
 permit ip object-group TRUSTED-SUNBETS object-group TRUSTED-SUNBETS

class-map type inspect match-all IN-OUT
 match access-group name IN-OUT
class-map type inspect match-all OUT-IN
 match access-group name OUT-IN
!
policy-map type inspect IN-OUT
 class type inspect IN-OUT
  pass
 class class-default
!
policy-map type inspect OUT-IN
 class type inspect OUT-IN
  pass
 class class-default

!

zone security OUT
zone security IN

zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect IN-OUT
zone-pair security OUT-IN source OUT destination IN
 service-policy type inspect OUT-IN
!
! Interface-level zone assignment uses the zone-member keyword
interface GigabitEthernet0/0
 zone-member security IN
interface GigabitEthernet0/1
 zone-member security OUT
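As an added example, not configuration from the original thread or from Cisco, here is a zone-based firewall policy that admits the SIP trunk's UDP range 16000-16511 to an internal PBX with the stateful inspect action, together with the match protocol sip alternative that corresponds to the ASA SIP-inspection approach in the earlier reply. The addresses (203.0.113.10 for the provider, 192.168.10.5 for the PBX), interface names and object-group names are assumptions; any static NAT needed to present the PBX on a public address is a separate configuration and is not shown.

```cisco
! Added example (not from the original thread): IOS zone-based firewall
! policy admitting a SIP trunk's RTP range (UDP 16000-16511) to an
! internal PBX. Addresses, interfaces and object-group names are
! assumptions; replace them with your own.
object-group network SIP-PROVIDER
 host 203.0.113.10
object-group network PBX
 host 192.168.10.5
!
! Inbound (OUT -> IN): SIP signalling on 5060 plus the RTP range the
! trunk needs. "range 16000 16511" is inclusive at both ends.
ip access-list extended OUT-IN-SIP
 permit udp object-group SIP-PROVIDER object-group PBX eq 5060
 permit udp object-group SIP-PROVIDER object-group PBX range 16000 16511
!
! Outbound (IN -> OUT): let the PBX reach the provider. Return traffic of
! an inspected session is allowed by state, not by a second rule.
ip access-list extended IN-OUT-SIP
 permit udp object-group PBX object-group SIP-PROVIDER eq 5060
 permit udp object-group PBX object-group SIP-PROVIDER range 16000 16511
!
class-map type inspect match-all OUT-IN-SIP
 match access-group name OUT-IN-SIP
class-map type inspect match-all IN-OUT-SIP
 match access-group name IN-OUT-SIP
!
! "inspect" (rather than "pass") creates a stateful session, so only the
! reply to an admitted packet is allowed back. Everything else is dropped
! and logged, which is what you want to see when a port is missing.
policy-map type inspect OUT-IN
 class type inspect OUT-IN-SIP
  inspect
 class class-default
  drop log
policy-map type inspect IN-OUT
 class type inspect IN-OUT-SIP
  inspect
 class class-default
  drop log
!
zone security IN
zone security OUT
zone-pair security OUT-IN source OUT destination IN
 service-policy type inspect OUT-IN
zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect IN-OUT
!
interface GigabitEthernet0/0
 zone-member security IN
interface GigabitEthernet0/1
 zone-member security OUT
!
! Alternative mirroring the ASA SIP-inspection behaviour described in the
! first reply: classify on the SIP protocol and let the firewall open the
! RTP pinholes it learns from the signalling instead of a static range.
! class-map type inspect match-any SIP-TRAFFIC
!  match protocol sip
! Then apply "inspect" to that class in the same policy-maps.
```

Keeping the source restricted to the provider's address is the important part: a rule such as "permit udp any host <pbx> range 16000 16511" exposes the whole range to the Internet. After applying the policy, "show policy-map type inspect zone-pair sessions" lists the sessions actually built, and the drop log entries on class-default show any port the trunk uses that the ACL does not cover.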
