01-24-2015 12:50 PM - edited 03-11-2019 10:23 PM
Hello,
I am trying to configure zone based firewall (on a 2911 with the k9 security license) to pass VoIP traffic from my VoIP provider to an internal IP PBX (3CX) and vice versa. The way I have it set up currently is to permit all outgoing traffic from the internal network to the outside. For traffic coming from the WAN (G0/1 “Outside-Frontier” zone) I have allowed all traffic with destination port(s) TCP/UDP 5060 (SIP) and UDP 9001-9049 (RTP). However, even after explicitly allowing this traffic (via class-maps with ACLs) I cannot seem to get voice traffic to pass through (I get a “no response” when attempting to make a call).
I know that my base configuration is correct because if I disable ZBF then I can make calls just fine and the firewall checker in 3CX passes all of the RTP/SIP ports. As soon as I apply the ZBF config I cannot even connect to my SIP provider/make a call.
I have tried all sorts of combinations of ACLs and class-maps/policy-maps but nothing seems to work other than allowing all IP traffic to pass the inside and outside zones (which defeats the purpose of ZBF).
My LAN diagram, running-config, version info, and PBX port settings are pasted below. I have omitted IP addresses and other unnecessary lines (like VPN configuration). I would really appreciate any and all advice on this.
Thanks!
router#show ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 19-Mar-14 19:23 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
router#show run
Building configuration...
Current configuration : 13497 bytes
!
! Last configuration change at 17:29:45 UTC Sat Jan 24 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
ip cef
!
ip domain name invalid.lan
ip name-server x.x.x.x
ip name-server x.x.x.x
no ipv6 cef
ip ssh version 2
!
class-map type inspect match-any Outgoing-Mail-Class
match access-group name OUTGOING_MAIL
class-map type inspect match-any Outgoing-FW-Exceptions-Class
match access-group name OUTGOING_FW_EXCEPTIONS
class-map type inspect match-any Incoming-FW-Exceptions-Class
match access-group name INCOMING_FW_EXCEPTIONS
class-map type inspect match-any Inside->Outside-Comcast-Class
match protocol http
match protocol https
match protocol dns
match protocol icmp
match class-map Outgoing-Mail-Class
!
policy-map type inspect Outside-Frontier->Inside-Policy
class type inspect Incoming-FW-Exceptions-Class
pass
class class-default
drop
policy-map type inspect Inside->Outside-Comcast-Policy
class type inspect Inside->Outside-Comcast-Class
inspect
class class-default
drop
policy-map type inspect Inside->Outside-Frontier-Policy
class type inspect Outgoing-FW-Exceptions-Class
pass
class class-default
drop
!
zone security Inside
zone security Outside-Comcast
zone security Outside-Frontier
zone-pair security Inside->Outside-Frontier source Inside destination Outside-Frontier
service-policy type inspect Inside->Outside-Frontier-Policy
zone-pair security Inside->Outside-Comcast source Inside destination Outside-Comcast
service-policy type inspect Inside->Outside-Comcast-Policy
zone-pair security Outside-Frontier->Inside source Outside-Frontier destination Inside
service-policy type inspect Outside-Frontier->Inside-Policy
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN interface (Comcast cable) for data
ip address x.x.x.x x.x.x.x
zone-member security Outside-Comcast
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN interface (Frontier DSL) for voice interface
ip address x.x.x.x x.x.x.x
ip nat outside
ip virtual-reassembly in
zone-member security Outside-Frontier
duplex auto
speed auto
!
interface GigabitEthernet0/2
description Link to 3560 switch
ip address 10.10.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
zone-member security Inside
duplex auto
speed auto
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat pool dsl-nat x.x.x.x x.x.x.x netmask x.x.x.x
ip nat inside source list DSL_NAT_ACL pool dsl-nat overload
ip nat inside source static tcp 10.10.10.25 5060 x.x.x.x 5060 extendable
ip nat inside source static udp 10.10.10.25 5060 x.x.x.x 5060 extendable
ip nat inside source static tcp 10.10.10.25 5090 x.x.x.x 5090 extendable
ip nat inside source static udp 10.10.10.25 5090 x.x.x.x 5090 extendable
ip nat inside source static tcp 10.10.10.25 5901 x.x.x.x 5901 extendable
ip nat inside source static udp 10.10.10.25 9000 x.x.x.x 9000 extendable
ip nat inside source static udp 10.10.10.25 9001 x.x.x.x 9001 extendable
ip nat inside source static udp 10.10.10.25 9002 x.x.x.x 9002 extendable
ip nat inside source static udp 10.10.10.25 9003 x.x.x.x 9003 extendable
ip nat inside source static udp 10.10.10.25 9004 x.x.x.x 9004 extendable
ip nat inside source static udp 10.10.10.25 9005 x.x.x.x 9005 extendable
ip nat inside source static udp 10.10.10.25 9006 x.x.x.x 9006 extendable
ip nat inside source static udp 10.10.10.25 9007 x.x.x.x 9007 extendable
ip nat inside source static udp 10.10.10.25 9008 x.x.x.x 9008 extendable
ip nat inside source static udp 10.10.10.25 9009 x.x.x.x 9009 extendable
ip nat inside source static udp 10.10.10.25 9010 x.x.x.x 9010 extendable
ip nat inside source static udp 10.10.10.25 9011 x.x.x.x 9011 extendable
ip nat inside source static udp 10.10.10.25 9012 x.x.x.x 9012 extendable
ip nat inside source static udp 10.10.10.25 9013 x.x.x.x 9013 extendable
ip nat inside source static udp 10.10.10.25 9014 x.x.x.x 9014 extendable
ip nat inside source static udp 10.10.10.25 9015 x.x.x.x 9015 extendable
ip nat inside source static udp 10.10.10.25 9016 x.x.x.x 9016 extendable
ip nat inside source static udp 10.10.10.25 9017 x.x.x.x 9017 extendable
ip nat inside source static udp 10.10.10.25 9018 x.x.x.x 9018 extendable
ip nat inside source static udp 10.10.10.25 9019 x.x.x.x 9019 extendable
ip nat inside source static udp 10.10.10.25 9020 x.x.x.x 9020 extendable
ip nat inside source static udp 10.10.10.25 9021 x.x.x.x 9021 extendable
ip nat inside source static udp 10.10.10.25 9022 x.x.x.x 9022 extendable
ip nat inside source static udp 10.10.10.25 9023 x.x.x.x 9023 extendable
ip nat inside source static udp 10.10.10.25 9024 x.x.x.x 9024 extendable
ip nat inside source static udp 10.10.10.25 9025 x.x.x.x 9025 extendable
ip nat inside source static udp 10.10.10.25 9026 x.x.x.x 9026 extendable
ip nat inside source static udp 10.10.10.25 9027 x.x.x.x 9027 extendable
ip nat inside source static udp 10.10.10.25 9028 x.x.x.x 9028 extendable
ip nat inside source static udp 10.10.10.25 9029 x.x.x.x 9029 extendable
ip nat inside source static udp 10.10.10.25 9030 x.x.x.x 9030 extendable
ip nat inside source static udp 10.10.10.25 9031 x.x.x.x 9031 extendable
ip nat inside source static udp 10.10.10.25 9032 x.x.x.x 9032 extendable
ip nat inside source static udp 10.10.10.25 9033 x.x.x.x 9033 extendable
ip nat inside source static udp 10.10.10.25 9034 x.x.x.x 9034 extendable
ip nat inside source static udp 10.10.10.25 9035 x.x.x.x 9035 extendable
ip nat inside source static udp 10.10.10.25 9036 x.x.x.x 9036 extendable
ip nat inside source static udp 10.10.10.25 9037 x.x.x.x 9037 extendable
ip nat inside source static udp 10.10.10.25 9038 x.x.x.x 9038 extendable
ip nat inside source static udp 10.10.10.25 9039 x.x.x.x 9039 extendable
ip nat inside source static udp 10.10.10.25 9040 x.x.x.x 9040 extendable
ip nat inside source static udp 10.10.10.25 9041 x.x.x.x 9041 extendable
ip nat inside source static udp 10.10.10.25 9042 x.x.x.x 9042 extendable
ip nat inside source static udp 10.10.10.25 9043 x.x.x.x 9043 extendable
ip nat inside source static udp 10.10.10.25 9044 x.x.x.x 9044 extendable
ip nat inside source static udp 10.10.10.25 9045 x.x.x.x 9045 extendable
ip nat inside source static udp 10.10.10.25 9046 x.x.x.x 9046 extendable
ip nat inside source static udp 10.10.10.25 9047 x.x.x.x 9047 extendable
ip nat inside source static udp 10.10.10.25 9048 x.x.x.x 9048 extendable
ip nat inside source static udp 10.10.10.25 9049 x.x.x.x 9049 extendable
ip route 10.10.0.0 255.255.0.0 10.10.1.2
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list standard DSL_NAT_ACL
remark Perform PAT from inside to the DSL interface
permit 10.10.0.0 0.0.255.255
!
ip access-list extended INCOMING_FW_EXCEPTIONS
remark Allow SIP and RTP from any source to any destination
permit tcp any any eq 5060
permit udp any any eq 5060
permit udp any any eq 9000
permit udp any any eq 9001
permit udp any any eq 9002
permit udp any any eq 9003
permit udp any any eq 9004
permit udp any any eq 9005
permit udp any any eq 9006
permit udp any any eq 9007
permit udp any any eq 9008
permit udp any any eq 9009
permit udp any any eq 9010
permit udp any any eq 9011
permit udp any any eq 9012
permit udp any any eq 9013
permit udp any any eq 9014
permit udp any any eq 9015
permit udp any any eq 9016
permit udp any any eq 9017
permit udp any any eq 9018
permit udp any any eq 9019
permit udp any any eq 9020
permit udp any any eq 9021
permit udp any any eq 9022
permit udp any any eq 9023
permit udp any any eq 9024
permit udp any any eq 9025
permit udp any any eq 9026
permit udp any any eq 9027
permit udp any any eq 9028
permit udp any any eq 9029
permit udp any any eq 9030
permit udp any any eq 9031
permit udp any any eq 9032
permit udp any any eq 9033
permit udp any any eq 9034
permit udp any any eq 9035
permit udp any any eq 9036
permit udp any any eq 9037
permit udp any any eq 9038
permit udp any any eq 9039
permit udp any any eq 9040
permit udp any any eq 9041
permit udp any any eq 9042
permit udp any any eq 9043
permit udp any any eq 9044
permit udp any any eq 9045
permit udp any any eq 9046
permit udp any any eq 9047
permit udp any any eq 9048
permit udp any any eq 9049
ip access-list extended OUTGOING_FW_EXCEPTIONS
remark Allow all outgoing IP traffic
permit ip any any
ip access-list extended OUTGOING_MAIL
remark Allow any internal host to send outgoing mail over TCP 8889
permit tcp any eq 8889 any
!
control-plane
!
end
[Screenshot: 3CX IP PBX port settings]
[Screenshot: 3CX firewall checker]
01-25-2015 02:05 AM
Hi. Try to add the following to your "Outgoing-FW-Exceptions-Class" class map
match protocol skinny
match protocol sip (or sip-tls)
04-25-2016 04:19 AM
Hi,
I know this is an old thread, but just wondering how you resolved this, Austin; having the same issues here.
Paddi
04-25-2016 04:39 PM
Hi,
I did end up figuring this out, though we no longer use this phone system... hopefully I can help you out anyway.
There were a few issues specific to my deployment / environment:
1. ZBF was blocking outgoing UDP traffic from my PBX
2. ZBF was blocking incoming RTP traffic from my VoIP provider
Starting with issue one, my PBX seemed to be sending traffic on random UDP ports, so ZBF was blocking the outgoing traffic from my PBX. I created a rule allowing any UDP traffic from my PBX to any external address. Once I did this calls started coming through. However, I was having one-way audio issues. This brings me to issue number two.
Some VoIP providers have media proxies (used for RTP traffic) that you can whitelist the IP. Other VoIP providers do not, so there is no way to whitelist RTP traffic from specific IPs. In my case, the VoIP provider was not using media proxies, so there was no way to permit RTP from only specific IPs. Once I allowed RTP traffic from any external IP to my PBX I started getting audio both ways, and the firewall checker passed.
So in summary, what worked for me:
-Allow all outbound UDP traffic from my PBX to any external address
-Allow inbound RTP from any external to my PBX.
My recommendation to you is to do the following:
Below is a sample config that might be a good starting place for you.
# ZBF Config
zone security Inside
zone security Outside-Frontier
!
ip access-list extended INCOMING_FW_EXCEPTIONS
remark Pass (without inspection) any traffic defined in this ACL from the outside to the inside
permit tcp host xx.xx.xx.xx host 10.10.10.25 eq 5060
permit udp host xx.xx.xx.xx host 10.10.10.25 eq 5060
permit udp any host 10.10.10.25 range 9000 9049
exit
!
ip access-list extended OUTGOING_FW_EXCEPTIONS
remark Pass (without inspection) any traffic defined in this ACL from the inside to the outside
permit tcp any host xx.xx.xx.xx
permit udp any host xx.xx.xx.xx
permit udp host 10.10.10.25 any
exit
!
class-map type inspect match-any Inside->Outside-Frontier-Class
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ssh
match protocol pop3
match protocol pop3s
exit
class-map type inspect match-any Outgoing-FW-Exceptions-Class
match access-group name OUTGOING_FW_EXCEPTIONS
exit
class-map type inspect match-any Incoming-FW-Exceptions-Class
match access-group name INCOMING_FW_EXCEPTIONS
exit
!
policy-map type inspect Inside->Outside-Frontier-Policy
class type inspect Inside->Outside-Frontier-Class
inspect
exit
class type inspect Outgoing-FW-Exceptions-Class
pass
exit
exit
policy-map type inspect Outside-Frontier->Inside-Policy
class type inspect Incoming-FW-Exceptions-Class
no drop
pass
exit
!
zone-pair security Inside->Outside-Frontier source Inside destination Outside-Frontier
service-policy type inspect Inside->Outside-Frontier-Policy
exit
zone-pair security Outside-Frontier->Inside source Outside-Frontier destination Inside
service-policy type inspect Outside-Frontier->Inside-Policy
exit
!
interface g0/1
zone-member security Outside-Frontier
interface g0/2
zone-member security Inside
exit
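Added example, not code from this thread or from Cisco: a small Python audit script that reads an IOS config pasted in the shape shown in this thread and reports the two mismatches both posts circle around. ZBF `inspect` creates a session so the reply traffic is allowed back automatically; `pass` only forwards packets that match the class in that one direction and builds no session, so every reply path has to be permitted explicitly on the reverse zone-pair. The script flags (1) every `ip nat inside source static` port-forward that no non-drop class on the zone-pair into Inside permits, which on the original running-config above would catch the TCP/UDP 5090 and TCP 5901 forwards that are absent from INCOMING_FW_EXCEPTIONS, and (2) every `pass` class whose ACL is `permit ip any any`, which is what the original OUTGOING_FW_EXCEPTIONS did. The embedded config is a constructed, condensed sample modelled on the original post; 203.0.113.10 stands in for the redacted public address, and `match protocol` lines (such as the `match protocol sip` suggested in the first reply) are not modelled, so a class built from them still needs a manual look.

```python
# Added example (not code from the thread): audit a Cisco IOS zone-based firewall (ZBF) config for
# two VoIP pitfalls: (1) a static NAT port-forward that no inbound pass/inspect class permits, so
# class-default drops it; (2) a `pass` class fed by `permit ip any any` (stateless: no return session).
from collections import defaultdict

# Constructed sample condensed to the shape of the original post; 203.0.113.10 replaces the redacted x.x.x.x.
SAMPLE_CONFIG = """\
class-map type inspect match-any Outgoing-FW-Exceptions-Class
 match access-group name OUTGOING_FW_EXCEPTIONS
class-map type inspect match-any Incoming-FW-Exceptions-Class
 match access-group name INCOMING_FW_EXCEPTIONS
policy-map type inspect Outside-Frontier->Inside-Policy
 class type inspect Incoming-FW-Exceptions-Class
  pass
 class class-default
  drop
policy-map type inspect Inside->Outside-Frontier-Policy
 class type inspect Outgoing-FW-Exceptions-Class
  pass
zone-pair security Outside-Frontier->Inside source Outside-Frontier destination Inside
 service-policy type inspect Outside-Frontier->Inside-Policy
ip nat inside source static tcp 10.10.10.25 5060 203.0.113.10 5060 extendable
ip nat inside source static tcp 10.10.10.25 5090 203.0.113.10 5090 extendable
ip nat inside source static udp 10.10.10.25 9000 203.0.113.10 9000 extendable
ip access-list extended INCOMING_FW_EXCEPTIONS
 permit tcp any any eq 5060
 permit udp any any eq 5060
 permit udp any any range 9000 9049
ip access-list extended OUTGOING_FW_EXCEPTIONS
 permit ip any any
"""

def parse_permit(w):
    """'permit <proto> <src> [op] <dst> [op]' -> dict; a source-port operator is parsed but ignored."""
    fields, i = [], 2
    for _ in range(2):  # source spec, then destination spec
        addr = "any" if w[i] == "any" else w[i + 1] if w[i] == "host" else f"{w[i]}/{w[i + 1]}"
        i += 1 if w[i] == "any" else 2
        ports, n = None, 0  # None = any port (gt/lt/neq operators are not modelled)
        if i < len(w) and w[i] == "eq":
            ports, n = {int(w[i + 1])}, 2
        elif i < len(w) and w[i] == "range":
            ports, n = set(range(int(w[i + 1]), int(w[i + 2]) + 1)), 3
        i += n
        fields.append((addr, ports))
    (src, _), (dst, dst_ports) = fields
    return {"proto": w[1], "src": src, "dst": dst, "dst_ports": dst_ports}

def parse_config(text):
    """Keyword-driven parse of the ZBF-relevant commands (indentation-insensitive: forum pastes lose it)."""
    acls, classmaps, policies = defaultdict(list), defaultdict(list), defaultdict(dict)
    zone_pairs, statics = {}, []  # (src zone, dst zone) -> policy name ; (proto, inside ip, port)
    kind = section = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if line.startswith("ip access-list "):
            kind, section = ("acl" if w[2] == "extended" else "other"), w[3]
        elif line.startswith("class-map "):
            kind, section = "classmap", w[-1]
        elif line.startswith("policy-map "):
            kind, section, cls = "policymap", w[-1], None
        elif line.startswith("zone-pair security "):
            kind, section = "zonepair", (w[w.index("source") + 1], w[w.index("destination") + 1])
        elif line.startswith("ip nat inside source static ") and w[5] in ("tcp", "udp"):
            statics.append((w[5], w[6], int(w[7])))
        elif kind == "acl" and w[0] == "permit":
            acls[section].append(parse_permit(w))
        elif kind == "classmap" and line.startswith("match access-group name "):
            classmaps[section].append(w[3])  # `match protocol ...` lines are not modelled
        elif kind == "policymap" and w[0] == "class":
            cls = w[-1]  # "class type inspect X" or "class class-default"
        elif kind == "policymap" and w[0] in ("inspect", "pass", "drop"):
            policies[section][cls] = w[0]  # "no drop" is skipped, so a later "pass" wins
        elif kind == "zonepair" and line.startswith("service-policy type inspect "):
            zone_pairs[section] = w[3]
    return acls, classmaps, policies, zone_pairs, statics

def acl_permits(entries, proto, port):
    """True if some entry covers this protocol and destination port (proto `ip` covers everything)."""
    return any(e["proto"] in (proto, "ip") and (e["dst_ports"] is None or port in e["dst_ports"])
               for e in entries)

def audit(text, inside_zone="Inside"):
    """Return human-readable findings; an empty list means both checks passed."""
    acls, classmaps, policies, zone_pairs, statics = parse_config(text)
    findings = []
    inbound = [p for (_, dst), p in zone_pairs.items() if dst == inside_zone]
    for proto, ip, port in statics:  # check 1: every port-forward needs a non-drop inbound class
        covered = any(action != "drop" and any(acl_permits(acls[a], proto, port) for a in classmaps[cls])
                      for p in inbound for cls, action in policies[p].items())
        if not covered:
            findings.append(f"NAT forward {proto}/{port} -> {ip}: no inbound pass/inspect class permits it")
    for p, classes in policies.items():  # check 2: stateless pass of all traffic
        for cls, action in classes.items():
            for a in (classmaps[cls] if action == "pass" else []):
                if any(e["proto"] == "ip" and e["src"] == e["dst"] == "any" for e in acls[a]):
                    findings.append(f"{p}: class {cls} passes ACL {a} (permit ip any any) uninspected")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run as-is it prints two findings for the sample (the tcp/5090 forward with no inbound rule, and the uninspected `permit ip any any` pass). To audit a real router, paste the `show run` output into SAMPLE_CONFIG or read it from a file. A clean result only means the NAT and ZBF rules agree with each other; it says nothing about whether the provider's media path or the PBX port settings are right.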
!