03-26-2019 07:57 AM
Hello All,
Please excuse my ignorance as I try to wrap my head around this question lingering in my mind.
This is more of a query on how the Cisco firewall handles return traffic when an 'any any' policy is in place. The traffic is originating from a higher security known port 5060, 443, 22, 80 to a lower security destination. Based on my understanding, the return traffic should be allowed due to the permit ip any any rule in place.
Thanks
Will
03-26-2019 08:33 AM
Hi,
Where and how to apply this ANY ANY policy? What is your configuration?
Here is the Cisco ASA packet flow:
I hope it will help you to understand.
Regards,
Deepak Kumar
03-26-2019 09:41 AM
03-26-2019 11:59 AM
Hello, thanks for your detailed reply. Another question I have regards SIP inspection. By default, I can see that SIP is being inspected by the firewall. See the global policy-map below.
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect esmtp
inspect sip
inspect sqlnet
inspect tftp
inspect xdmcp
inspect http
Should SIP port 5060 already be opened by the firewall based on its statefulness? Or do I still have to open port 5060 to allow SIP traffic from the CUCM to the endpoint?
I appreciate any light that you can shed on this.
03-26-2019 02:59 PM
On your SIP question: NO.
That is not what SIP inspection does, so you would need to explicitly allow SIP based on port 5060. Once SIP is permitted, SIP inspection will look inside the packet, and more specifically in the SDP packet contained within SIP. Based on this, it will dynamically allow ports for RTP. This way you don't need to open thousands of ports for the purpose of allowing video and voice across your FW.
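To make the point above concrete, here is an added example (my own, not Cisco's inspection engine and not code from this thread) that does the minimum an SDP-aware inspector does: it parses a constructed SIP INVITE, checks that the payload is SDP and that Content-Length matches the body, and derives the RTP/RTCP address-port pairs that an inspection engine would pinhole. Note that the SIP signalling itself (UDP 5060) still has to be permitted by the ACL before any of this runs; the pinholes only cover the media ports. The sample INVITE, addresses and port numbers are constructed for the example.

```python
"""Derive RTP/RTCP pinholes from the SDP carried in a SIP INVITE.

Added example for this thread; it is not Cisco's SIP inspection code.
Assumption: the SDP follows RFC 4566 conventions (session-level c= line,
optional media-level c= override, RTCP on the RTP port + 1).
"""

# Constructed sample: SDP body first so Content-Length can be computed honestly.
_SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"          # session-level connection address
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"  # audio stream on 16384 (RTCP on 16385)
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 16386 RTP/AVP 97\r\n"   # video stream, media-level c= below overrides
    "c=IN IP4 10.0.0.7\r\n"
    "a=rtpmap:97 H264/90000\r\n"
)

SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP_BODY.encode())}\r\n"
    "\r\n"
    + _SDP_BODY
)


def split_sip(message):
    """Return (request line, header dict with lowercase names, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_media(body):
    """Parse m= sections, resolving the connection address for each stream."""
    session_addr = None
    sections = []
    current = None
    for line in body.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        typ, val = line[0], line[2:]
        if typ == "c":
            addr = val.split()[2]  # "IN IP4 <addr>"
            if current is None:
                session_addr = addr          # session-level c=
            else:
                current["addr"] = addr       # media-level c= overrides
        elif typ == "m":
            media, port, proto = val.split()[:3]
            current = {"media": media, "port": int(port), "proto": proto, "addr": None}
            sections.append(current)
    for s in sections:
        if s["addr"] is None:
            s["addr"] = session_addr
    return sections


def rtp_pinholes(message):
    """Return [(addr, port, 'rtp'|'rtcp'), ...] the inspector would open.

    An empty list means the message carries no usable SDP (wrong type or
    a Content-Length that disagrees with the body), so nothing is opened.
    """
    _, headers, body = split_sip(message)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    declared = headers.get("content-length")
    if declared is None or int(declared) != len(body.encode()):
        return []
    holes = []
    for s in sdp_media(body):
        if s["port"] == 0 or not s["proto"].startswith("RTP/"):
            continue  # port 0 = stream disabled; non-RTP media gets no pinhole
        holes.append((s["addr"], s["port"], "rtp"))
        holes.append((s["addr"], s["port"] + 1, "rtcp"))
    return holes


if __name__ == "__main__":
    for addr, port, kind in rtp_pinholes(SAMPLE_INVITE):
        print(f"pinhole udp {addr}:{port} ({kind})")
```

The Content-Length and Content-Type checks are there because an inspector that trusts a malformed header would open pinholes on garbage; a real engine does considerably more validation, but the shape of the decision (parse signalling, then open only the media ports the call negotiated) is what the reply above describes.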
03-26-2019 07:40 PM
03-29-2019 05:23 AM
03-29-2019 12:15 PM
Those are the configurations in relation to SIP and what to do with the SIP traffic once permitted. The ASA inherently blocks traffic, unless no ACL is applied and you are going from a higher security zone to a lower security zone.
If SIP is not explicitly permitted in the ACL then this traffic would not be permitted through the Firewall.
You would need, for example:
access-list INSIDE permit udp any any eq sip
If the INSIDE ACL was applied to your internal segment on the ASA, this would allow SIP traffic from your internal segment through the ASA. The other options you see in your output are on how to handle this traffic, such as idle timeout or confirming that it is in fact SIP traffic before permitting the traffic, etc.
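The original question (why return traffic needs no ACL entry) and the answer above (the ASA blocks by default except for higher-to-lower flows with no ACL applied, and an explicit ACL entry opens SIP) describe the same decision order. The following is an added toy model written for this thread, not Cisco's implementation: the ACL on the ingress interface, or the security-level rule when no ACL is applied, is consulted only for the first packet of a flow; once a connection entry exists, the reply is matched against that entry and never touches the ACL. Interface names, security levels and addresses are constructed.

```python
"""Toy model of ASA-style stateful forwarding (added example, not Cisco code).

Decision order modelled:
  1. Packet matches an existing connection (reverse 5-tuple)  -> allow.
  2. Otherwise, if the ingress interface has an ACL, the ACL decides
     (first match wins, implicit deny at the end).
  3. If no ACL is applied, allow only higher -> lower security level.
  4. A permitted first packet creates the connection entry.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str   # interface the packet arrives on


@dataclass
class Interface:
    name: str
    security_level: int
    # ACL entries: (proto, dest port or None for any, "permit"|"deny")
    acl: Optional[list] = None


def acl_permits(acl, pkt):
    """None = no ACL applied; True/False = explicit verdict or implicit deny."""
    if acl is None:
        return None
    for proto, dport, action in acl:
        if proto in ("ip", pkt.proto) and dport in (None, pkt.dport):
            return action == "permit"
    return False


@dataclass
class Firewall:
    ifaces: dict
    conns: set = field(default_factory=set)

    def forward(self, pkt, out_iface):
        """Return 'allowed: <reason>' or 'dropped: <reason>'."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.conns or key in self.conns:
            return "allowed: matches existing connection, ACL not consulted"
        ingress, egress = self.ifaces[pkt.in_iface], self.ifaces[out_iface]
        verdict = acl_permits(ingress.acl, pkt)
        if verdict is None:  # no ACL: fall back to security levels
            if ingress.security_level > egress.security_level:
                verdict = True
                reason = "higher to lower security level, no ACL applied"
            else:
                return "dropped: lower to higher security level, no ACL permits it"
        else:
            reason = "ingress ACL permits"
        if not verdict:
            return "dropped: ingress ACL denies (explicit or implicit deny)"
        self.conns.add(key)
        return f"allowed: {reason}, connection created"


def demo_no_acl():
    """Inside (100) -> outside (0) with no ACL, then the reply, then an unsolicited inbound."""
    fw = Firewall({"inside": Interface("inside", 100),
                   "outside": Interface("outside", 0)})
    out = fw.forward(Packet("udp", "10.0.0.5", 5060, "203.0.113.9", 5060, "inside"), "outside")
    back = fw.forward(Packet("udp", "203.0.113.9", 5060, "10.0.0.5", 5060, "outside"), "inside")
    cold = fw.forward(Packet("udp", "203.0.113.9", 5060, "10.0.0.6", 5060, "outside"), "inside")
    return out, back, cold


def demo_with_acl():
    """The thread's 'access-list INSIDE permit udp any any eq sip' applied on inside."""
    fw = Firewall({"inside": Interface("inside", 100, acl=[("udp", 5060, "permit")]),
                   "outside": Interface("outside", 0)})
    sip = fw.forward(Packet("udp", "10.0.0.5", 5060, "203.0.113.9", 5060, "inside"), "outside")
    https = fw.forward(Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 443, "inside"), "outside")
    return sip, https


if __name__ == "__main__":
    for verdict in demo_no_acl() + demo_with_acl():
        print(verdict)
```

Two things the model makes visible: the reply to a permitted outbound SIP packet is accepted because of the connection entry, not because of any "permit ip any any" on the outside interface; and the moment an ACL is applied to the inside interface, the higher-to-lower default disappears and the implicit deny at the end of that ACL drops everything the ACL does not name (here, the HTTPS flow).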
03-29-2019 12:51 PM
Hi,
Check this document: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-voicevideo.html
Regards,
Deepak Kumar