Configuring Zone Based Firewall for VoIP

Austin Rivet
Level 1

Hello,

I am trying to configure zone based firewall (on a 2911 with the k9 security license) to pass VoIP traffic from my VoIP provider to an internal IP PBX (3CX) and vice versa. The way I have it set up currently is to permit all outgoing traffic from the internal network to the outside. For traffic coming from the WAN (G0/1 “Outside-Frontier” zone) I have allowed all traffic with destination port(s) TCP/UDP 5060 (SIP) and UDP 9001-9049 (RTP). However, even after explicitly allowing this traffic (via class-maps with ACLs) I cannot seem to get voice traffic to pass through (I get a “no response” when attempting to make a call).

I know that my base configuration is correct because if I disable ZBF then I can make calls just fine and the firewall checker in 3CX passes all of the RTP/SIP ports. As soon as I apply the ZBF config I cannot even connect to my SIP provider/make a call.

I have tried all sorts of combinations of ACLs and class-maps/policy-maps but nothing seems to work other than allowing all IP traffic to pass the inside and outside zones (which defeats the purpose of ZBF).

My LAN diagram, running-config, version info, and PBX port settings are pasted below. I have omitted IP addresses and other unnecessary lines (like VPN configuration). I would really appreciate any and all advice on this.

Thanks!

router#show ver

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 19-Mar-14 19:23 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

router#show run
Building configuration...

Current configuration : 13497 bytes
!
! Last configuration change at 17:29:45 UTC Sat Jan 24 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
ip cef
!
ip domain name invalid.lan
ip name-server x.x.x.x
ip name-server x.x.x.x
no ipv6 cef
ip ssh version 2
!
class-map type inspect match-any Outgoing-Mail-Class
 match access-group name OUTGOING_MAIL
class-map type inspect match-any Outgoing-FW-Exceptions-Class
 match access-group name OUTGOING_FW_EXCEPTIONS
class-map type inspect match-any Incoming-FW-Exceptions-Class
 match access-group name INCOMING_FW_EXCEPTIONS
class-map type inspect match-any Inside->Outside-Comcast-Class
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match class-map Outgoing-Mail-Class
!
policy-map type inspect Outside-Frontier->Inside-Policy
 class type inspect Incoming-FW-Exceptions-Class
  pass
 class class-default
  drop
policy-map type inspect Inside->Outside-Comcast-Policy
 class type inspect Inside->Outside-Comcast-Class
  inspect
 class class-default
  drop
policy-map type inspect Inside->Outside-Frontier-Policy
 class type inspect Outgoing-FW-Exceptions-Class
  pass
 class class-default
  drop
!
zone security Inside
zone security Outside-Comcast
zone security Outside-Frontier
zone-pair security Inside->Outside-Frontier source Inside destination Outside-Frontier
 service-policy type inspect Inside->Outside-Frontier-Policy
zone-pair security Inside->Outside-Comcast source Inside destination Outside-Comcast
 service-policy type inspect Inside->Outside-Comcast-Policy
zone-pair security Outside-Frontier->Inside source Outside-Frontier destination Inside
 service-policy type inspect Outside-Frontier->Inside-Policy
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN interface (Comcast cable) for data
 ip address x.x.x.x x.x.x.x
 zone-member security Outside-Comcast
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN interface (Frontier DSL) for voice interface
 ip address x.x.x.x x.x.x.x
 ip nat outside
 ip virtual-reassembly in
 zone-member security Outside-Frontier
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description Link to 3560 switch
 ip address 10.10.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 zone-member security Inside
 duplex auto
 speed auto
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat pool dsl-nat x.x.x.x x.x.x.x netmask x.x.x.x
ip nat inside source list DSL_NAT_ACL pool dsl-nat overload
ip nat inside source static tcp 10.10.10.25 5060 x.x.x.x 5060 extendable
ip nat inside source static udp 10.10.10.25 5060 x.x.x.x 5060 extendable
ip nat inside source static tcp 10.10.10.25 5090 x.x.x.x 5090 extendable
ip nat inside source static udp 10.10.10.25 5090 x.x.x.x 5090 extendable
ip nat inside source static tcp 10.10.10.25 5901 x.x.x.x 5901 extendable
ip nat inside source static udp 10.10.10.25 9000 x.x.x.x 9000 extendable
ip nat inside source static udp 10.10.10.25 9001 x.x.x.x 9001 extendable
ip nat inside source static udp 10.10.10.25 9002 x.x.x.x 9002 extendable
ip nat inside source static udp 10.10.10.25 9003 x.x.x.x 9003 extendable
ip nat inside source static udp 10.10.10.25 9004 x.x.x.x 9004 extendable
ip nat inside source static udp 10.10.10.25 9005 x.x.x.x 9005 extendable
ip nat inside source static udp 10.10.10.25 9006 x.x.x.x 9006 extendable
ip nat inside source static udp 10.10.10.25 9007 x.x.x.x 9007 extendable
ip nat inside source static udp 10.10.10.25 9008 x.x.x.x 9008 extendable
ip nat inside source static udp 10.10.10.25 9009 x.x.x.x 9009 extendable
ip nat inside source static udp 10.10.10.25 9010 x.x.x.x 9010 extendable
ip nat inside source static udp 10.10.10.25 9011 x.x.x.x 9011 extendable
ip nat inside source static udp 10.10.10.25 9012 x.x.x.x 9012 extendable
ip nat inside source static udp 10.10.10.25 9013 x.x.x.x 9013 extendable
ip nat inside source static udp 10.10.10.25 9014 x.x.x.x 9014 extendable
ip nat inside source static udp 10.10.10.25 9015 x.x.x.x 9015 extendable
ip nat inside source static udp 10.10.10.25 9016 x.x.x.x 9016 extendable
ip nat inside source static udp 10.10.10.25 9017 x.x.x.x 9017 extendable
ip nat inside source static udp 10.10.10.25 9018 x.x.x.x 9018 extendable
ip nat inside source static udp 10.10.10.25 9019 x.x.x.x 9019 extendable
ip nat inside source static udp 10.10.10.25 9020 x.x.x.x 9020 extendable
ip nat inside source static udp 10.10.10.25 9021 x.x.x.x 9021 extendable
ip nat inside source static udp 10.10.10.25 9022 x.x.x.x 9022 extendable
ip nat inside source static udp 10.10.10.25 9023 x.x.x.x 9023 extendable
ip nat inside source static udp 10.10.10.25 9024 x.x.x.x 9024 extendable
ip nat inside source static udp 10.10.10.25 9025 x.x.x.x 9025 extendable
ip nat inside source static udp 10.10.10.25 9026 x.x.x.x 9026 extendable
ip nat inside source static udp 10.10.10.25 9027 x.x.x.x 9027 extendable
ip nat inside source static udp 10.10.10.25 9028 x.x.x.x 9028 extendable
ip nat inside source static udp 10.10.10.25 9029 x.x.x.x 9029 extendable
ip nat inside source static udp 10.10.10.25 9030 x.x.x.x 9030 extendable
ip nat inside source static udp 10.10.10.25 9031 x.x.x.x 9031 extendable
ip nat inside source static udp 10.10.10.25 9032 x.x.x.x 9032 extendable
ip nat inside source static udp 10.10.10.25 9033 x.x.x.x 9033 extendable
ip nat inside source static udp 10.10.10.25 9034 x.x.x.x 9034 extendable
ip nat inside source static udp 10.10.10.25 9035 x.x.x.x 9035 extendable
ip nat inside source static udp 10.10.10.25 9036 x.x.x.x 9036 extendable
ip nat inside source static udp 10.10.10.25 9037 x.x.x.x 9037 extendable
ip nat inside source static udp 10.10.10.25 9038 x.x.x.x 9038 extendable
ip nat inside source static udp 10.10.10.25 9039 x.x.x.x 9039 extendable
ip nat inside source static udp 10.10.10.25 9040 x.x.x.x 9040 extendable
ip nat inside source static udp 10.10.10.25 9041 x.x.x.x 9041 extendable
ip nat inside source static udp 10.10.10.25 9042 x.x.x.x 9042 extendable
ip nat inside source static udp 10.10.10.25 9043 x.x.x.x 9043 extendable
ip nat inside source static udp 10.10.10.25 9044 x.x.x.x 9044 extendable
ip nat inside source static udp 10.10.10.25 9045 x.x.x.x 9045 extendable
ip nat inside source static udp 10.10.10.25 9046 x.x.x.x 9046 extendable
ip nat inside source static udp 10.10.10.25 9047 x.x.x.x 9047 extendable
ip nat inside source static udp 10.10.10.25 9048 x.x.x.x 9048 extendable
ip nat inside source static udp 10.10.10.25 9049 x.x.x.x 9049 extendable
ip route 10.10.0.0 255.255.0.0 10.10.1.2
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list standard DSL_NAT_ACL
 remark Perform PAT from inside to the DSL interface
 permit 10.10.0.0 0.0.255.255
!
ip access-list extended INCOMING_FW_EXCEPTIONS
 remark Allow SIP and RTP from any source to any destination
 permit tcp any any eq 5060
 permit udp any any eq 5060
 permit udp any any eq 9000
 permit udp any any eq 9001
 permit udp any any eq 9002
 permit udp any any eq 9003
 permit udp any any eq 9004
 permit udp any any eq 9005
 permit udp any any eq 9006
 permit udp any any eq 9007
 permit udp any any eq 9008
 permit udp any any eq 9009
 permit udp any any eq 9010
 permit udp any any eq 9011
 permit udp any any eq 9012
 permit udp any any eq 9013
 permit udp any any eq 9014
 permit udp any any eq 9015
 permit udp any any eq 9016
 permit udp any any eq 9017
 permit udp any any eq 9018
 permit udp any any eq 9019
 permit udp any any eq 9020
 permit udp any any eq 9021
 permit udp any any eq 9022
 permit udp any any eq 9023
 permit udp any any eq 9024
 permit udp any any eq 9025
 permit udp any any eq 9026
 permit udp any any eq 9027
 permit udp any any eq 9028
 permit udp any any eq 9029
 permit udp any any eq 9030
 permit udp any any eq 9031
 permit udp any any eq 9032
 permit udp any any eq 9033
 permit udp any any eq 9034
 permit udp any any eq 9035
 permit udp any any eq 9036
 permit udp any any eq 9037
 permit udp any any eq 9038
 permit udp any any eq 9039
 permit udp any any eq 9040
 permit udp any any eq 9041
 permit udp any any eq 9042
 permit udp any any eq 9043
 permit udp any any eq 9044
 permit udp any any eq 9045
 permit udp any any eq 9046
 permit udp any any eq 9047
 permit udp any any eq 9048
 permit udp any any eq 9049
ip access-list extended OUTGOING_FW_EXCEPTIONS
 remark Allow all outgoing IP traffic
 permit ip any any
ip access-list extended OUTGOING_MAIL
 remark Allow any internal host to send outgoing mail over TCP 8889
 permit tcp any eq 8889 any
!
control-plane
!
end

[Image: 3CX IP PBX port settings]

[Image: 3CX firewall checker]

3 Replies

Andre Neethling
Level 4

Hi. Try to add the following to your "Outgoing-FW-Exceptions-Class" class map

match protocol skinny

match protocol sip (or sip-tls)


paddi1972
Level 1

Hi,

I know this is an old thread, but I'm just wondering how you resolved this, Austin; having the same issues here.

Paddi

Hi,

I did end up figuring this out, though we no longer use this phone system... hopefully I can help you out anyway.

There were a few issues specific to my deployment / environment:

1. ZBF was blocking outgoing UDP traffic from my PBX

2. ZBF was blocking incoming RTP traffic from my VoIP provider

Starting with issue one, my PBX seemed to be sending traffic on random UDP ports, so ZBF was blocking the outgoing traffic from my PBX. I created a rule allowing any UDP traffic from my PBX to any external address. Once I did this calls started coming through. However, I was having one-way audio issues. This brings me to issue number two.

Some VoIP providers have media proxies (used for RTP traffic) that you can whitelist the IP. Other VoIP providers do not, so there is no way to whitelist RTP traffic from specific IPs. In my case, the VoIP provider was not using media proxies, so there was no way to permit RTP from only specific IPs. Once I allowed RTP traffic from any external IP to my PBX I started getting audio both ways, and the firewall checker passed.

So in summary, what worked for me:

-Allow all outbound UDP traffic from my PBX to any external address

-Allow inbound RTP from any external to my PBX.

My recommendation to you is to do the following:

  1. Lock down SIP - if at all possible, only allow SIP from the IP address(es) of your VoIP provider. Leaving SIP open to anyone on the Internet is a sure way for your system to be compromised.
  2. Adjust your RTP rules per your VoIP provider's documentation - if they have media gateways/proxies, then only allow RTP from the IP of those proxies/gateways. If they do not have media gateways/proxies or you have external VoIP extensions, then you will need to open up RTP to your PBX from any external IP.
  3. Allow UDP from your PBX to any external - I don't necessarily recommend this, but if you are having trouble even after adjusting your SIP and RTP rules then you might need to look at the traffic coming from your PBX to see if it is sending UDP traffic on random or unusual ports that is being blocked by ZBF. Wireshark might be useful here.

Below is a sample config that might be a good starting place for you.

# ZBF Config

zone security Inside
zone security Outside-Frontier
!
ip access-list extended INCOMING_FW_EXCEPTIONS
remark Pass (without inspection) any traffic defined in this ACL from the outside to the inside
permit tcp host xx.xx.xx.xx host 10.10.10.25 eq 5060 
permit udp host xx.xx.xx.xx host 10.10.10.25 eq 5060
permit udp any host 10.10.10.25 range 9000 9049
exit
!
ip access-list extended OUTGOING_FW_EXCEPTIONS
remark Pass (without inspection) any traffic defined in this ACL from the inside to the outside
permit tcp any host xx.xx.xx.xx
permit udp any host xx.xx.xx.xx
permit udp host 10.10.10.25 any
exit
!
class-map type inspect match-any Inside->Outside-Frontier-Class
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ssh
match protocol pop3
match protocol pop3s
exit
class-map type inspect match-any Outgoing-FW-Exceptions-Class
match access-group name OUTGOING_FW_EXCEPTIONS
exit
class-map type inspect match-any Incoming-FW-Exceptions-Class
match access-group name INCOMING_FW_EXCEPTIONS
exit
!
policy-map type inspect Inside->Outside-Frontier-Policy
class type inspect Inside->Outside-Frontier-Class
inspect
exit
class type inspect Outgoing-FW-Exceptions-Class
pass
exit
exit
policy-map type inspect Outside-Frontier->Inside-Policy
class type inspect Incoming-FW-Exceptions-Class
no drop
pass
exit
!
zone-pair security Inside->Outside-Frontier source Inside destination Outside-Frontier
service-policy type inspect Inside->Outside-Frontier-Policy
exit
zone-pair security Outside-Frontier->Inside source Outside-Frontier destination Inside
service-policy type inspect Outside-Frontier->Inside-Policy
exit
!
interface g0/1
zone-member security Outside-Frontier
interface g0/2
zone-member security Inside
exit
!
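As an added example (not code from this thread, Cisco or 3CX): a small Python auditor that parses the extended ACLs the pass classes above reference, evaluates sample flows against them the way IOS does (first match wins, implicit deny at the end), and lists any entry that admits SIP from any source, which is the exposure step 1 of the recommendation warns about. The addresses are constructed placeholders (203.0.113.10 stands in for the provider's xx.xx.xx.xx), the parser handles only permit/deny entries with any/host/wildcard addresses and numeric eq/range ports, and it models ACL matching only, not the pass/inspect action the class-map applies afterwards.

```python
"""Audit the extended ACLs that ZBF pass/inspect classes reference (added example,
not code from this thread, Cisco or 3CX). Parses `ip access-list extended` blocks
from IOS config text, evaluates flows first-match with IOS's implicit deny, and
lists entries that admit SIP from any source. Addresses are placeholders."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SIP_PORT = 5060

# Constructed sample: the inbound list from the first post (SIP open to any source),
# RTP as a range as in the final reply, plus an outbound list for SIP and PBX UDP.
OPEN_CONFIG = """\
ip access-list extended INCOMING_FW_EXCEPTIONS
 remark Pass SIP and RTP from any external host to the PBX
 permit tcp any any eq 5060
 permit udp any any eq 5060
 permit udp any host 10.10.10.25 range 9000 9049
ip access-list extended OUTGOING_FW_EXCEPTIONS
 permit tcp 10.10.0.0 0.0.255.255 host 203.0.113.10 eq 5060
 permit udp 10.10.0.0 0.0.255.255 host 203.0.113.10 eq 5060
 permit udp host 10.10.10.25 any
"""
# Constructed hardened variant: SIP only from the provider's signalling address.
LOCKED_CONFIG = """\
ip access-list extended INCOMING_FW_EXCEPTIONS
 permit tcp host 203.0.113.10 host 10.10.10.25 eq 5060
 permit udp host 203.0.113.10 host 10.10.10.25 eq 5060
 permit udp any host 10.10.10.25 range 9000 9049
"""

@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_ports: Optional[Tuple[int, int]]  # None means any port
    dst: ipaddress.IPv4Network
    dst_ports: Optional[Tuple[int, int]]
    text: str

def _parse_addr(tok, i):
    """Consume an address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    if wildcard & (wildcard + 1):  # only contiguous wildcard masks are handled
        raise ValueError("non-contiguous wildcard: " + tok[i + 1])
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2

def _parse_ports(tok, i):
    """Consume an optional numeric eq/range port operator at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_acls(config: str) -> dict:
    """Return {acl_name: [Entry, ...]} for every extended ACL in the config."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"ip access-list extended (\S+)$", line)
        if head:
            current = acls.setdefault(head.group(1), [])
            continue
        if not line.startswith(("permit", "deny", "remark")):
            current = None  # any other line ends the ACL block
            continue
        if current is None or line.startswith("remark"):
            continue
        tok = line.split()
        src, i = _parse_addr(tok, 2)
        src_ports, i = _parse_ports(tok, i)
        dst, i = _parse_addr(tok, i)
        dst_ports, _ = _parse_ports(tok, i)
        current.append(Entry(tok[0], tok[1], src, src_ports, dst, dst_ports, line))
    return acls

def _port_ok(spec, port):
    return spec is None or spec[0] <= port <= spec[1]

def evaluate(entries, proto, src_ip, src_port, dst_ip, dst_port) -> str:
    """First-match evaluation of one flow; 'deny' if no entry matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if (e.proto in (proto, "ip") and s in e.src and d in e.dst
                and _port_ok(e.src_ports, src_port) and _port_ok(e.dst_ports, dst_port)):
            return e.action
    return "deny"

def sip_open_to_any(entries) -> list:
    """Permit entries that let SIP (TCP/UDP 5060) in from any source address."""
    return [e.text for e in entries
            if e.action == "permit" and e.src.prefixlen == 0
            and e.proto in ("tcp", "udp", "ip") and _port_ok(e.dst_ports, SIP_PORT)]
```

Feed `parse_acls` the text of a captured `show run` and hand the inbound list to `sip_open_to_any`; a non-empty result means the PBX's SIP port is reachable from the whole Internet. The same `evaluate` call confirms, after the list is tightened, that the provider's address and the RTP range still get through while an arbitrary external host no longer does.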
