02-26-2013 01:02 PM - edited 03-11-2019 06:06 PM
Hello,
I'm implementing a project where we will have a DMVPN in a hub-spoke topology with ZBF on the spoke ISR G2 routers. The CUCM will be in the Data Center behind the Hub Router.
I tried to configure ZBF on the spoke routers allowing just the signaling protocols to CUCM (sccp, mgcp, sip and h323), expecting that pinholes would be opened for the RTP ports, but it doesn't work. The source LAN RTP packet on the spoke router was dropped, and I needed to open the RTP UDP port range to have VoIP communication between the two spoke sites.
Does anyone have experience with this kind of scenario, or any idea whether this ZBF config should work in this implementation?
!
crypto keyring DMVPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco@123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set 3DES-SHA
!
class-map type inspect match-any VPN-PROT
 match protocol ftp
 match protocol tftp
 match protocol skinny
 match protocol sip
 match protocol h323
 match protocol mgcp
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all IN-VPN
 match access-group name IN-VPN
class-map type inspect match-all IN-VPN-POLICY
 match class-map VPN-PROT
 match class-map IN-VPN
class-map type inspect match-all VPN-IN
 match access-group name VPN-IN
class-map type inspect match-all VPN-IN-POLICY
 match class-map VPN-PROT
 match class-map VPN-IN
class-map type inspect match-any VOICE-PROT
 match protocol skinny
 match protocol sip
 match protocol h323
 match protocol mgcp
 match protocol icmp
 match protocol user-rtp
class-map type inspect match-all IN-VOICE
 match access-group name IN-VOICE
class-map type inspect match-all IN-VOICE-POLICY
 match class-map VOICE-PROT
 match class-map IN-VOICE
class-map type inspect match-all VOICE-IN
 match access-group name VOICE-IN
class-map type inspect match-all VOICE-IN-POLICY
 match class-map VOICE-PROT
 match class-map VOICE-IN
!
policy-map type inspect IN-VPN-POLICY
 class type inspect IN-VOICE-POLICY
  inspect
 class type inspect IN-VPN-POLICY
  inspect
 class class-default
  drop log
policy-map type inspect VPN-IN-POLICY
 class type inspect VOICE-IN-POLICY
  inspect
 class type inspect VPN-IN-POLICY
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security MPLS
zone-pair security IN-VPN source INSIDE destination MPLS
 service-policy type inspect IN-VPN-POLICY
zone-pair security VPN-IN source MPLS destination INSIDE
 service-policy type inspect VPN-IN-POLICY
!
interface Tunnel10
 ip address 10.255.255.2 255.255.255.0
 no ip redirects
 ip mtu 1408
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map multicast 192.168.100.2
 ip nhrp map 10.255.255.1 192.168.100.2
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.255.1
 ip nhrp registration no-unique
 zone-member security MPLS
 ip tcp adjust-mss 1368
 no ip split-horizon eigrp 1
 tunnel source 192.168.101.2
 tunnel mode gre multipoint
 tunnel key 1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.101.2 255.255.255.252
 zone-member security MPLS
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
 duplex auto
 speed auto
!
router eigrp 1
 network 10.255.255.0 0.0.0.255
 network 192.168.10.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.101.1
!
no ip http server
no ip http secure-server
!
ip access-list extended IN-VOICE
 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended IN-VPN
 permit ip 192.168.10.0 0.0.0.255 10.123.45.0 0.0.0.255
ip access-list extended VOICE-IN
 permit ip 192.168.0.0 0.0.255.255 192.168.10.0 0.0.0.255
ip access-list extended VPN-IN
 permit ip 10.123.45.0 0.0.0.255 192.168.10.0 0.0.0.255
!
02-26-2013 01:31 PM
Can you specify the signaling protocol and the IOS code version on the router?
Also, can you provide the logs you get from the ASA?
Make sure "ip inspect log drop-pkt" is applied before getting them.
02-27-2013 05:05 AM
The signaling protocol is skinny and the IOS version is 15.2(4)M2 with data, sec and uc license.
There is no ASA in the topology; I have only done the tests with the IOS zone-based firewall on two spoke routers with IP phones in each LAN. The log message that appears on the router is a drop log of RTP packets on the inside interface.
The signaling is OK, the phone rings on the other phone through the VPN, but when the call completes there is no voice. Since the router is inspecting skinny, my thought was that the IOS ZBF would dynamically open the RTP ports.
phone1----IOS ZBF R1----VPN----HUB-ROUTER----CUCM----HUB-ROUTER----VPN----IOS ZBF R2----phone2----signaling ok
phone1----IOS ZBF R1----VPN----IOS ZBF R2----phone2---- RTP nok
02-27-2013 07:28 AM
Hi
Can you add this to the class-map?
"match protocol rtp audio"
A while ago I had the same problem as you and I couldn't match RTP Audio on that router, so I thought it wasn't possible. But later, on another router, I could do it...
02-27-2013 08:44 AM
Hi,
Since it's a class-map type inspect, I have no option to include rtp audio in the class-map. I configured a port-map including the RTP range, but I think in this situation all these ports will be open on the IOS ZBF. The idea was that the IOS ZBF would recognize the signaling protocol and open the RTP ports dynamically.
02-27-2013 10:26 AM
Yeah, sorry about the ASA thing, I'm used to working with them.
Can you provide the logs you get from the router?
02-28-2013 05:34 AM
I haven't saved this log, but it seems like this...
%FW-6-DROP_PKT: Dropping Other session 192.168.10.5:21388 192.168.20.5:19544 on zone-pair IN-VPN class class-default due to DROP action found in policy-map with ip ident 486
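Added example, not from the thread: a small Python parser for %FW-6-DROP_PKT lines like the one above that flags drops whose source and destination ports both fall inside the default Cisco phone RTP range (UDP 16384-32767), so media drops can be told apart from signaling or other drops when checking whether inspection opened the pinholes. The sample log lines are constructed; the first mirrors the message reported above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the IOS ZBF %FW-6-DROP_PKT format (not real
# captures from the thread's routers). Line 1 is the reported RTP drop,
# line 2 is a SCCP (TCP 2000) drop, line 3 an unrelated telnet drop.
SAMPLE_LOGS = """\
%FW-6-DROP_PKT: Dropping Other session 192.168.10.5:21388 192.168.20.5:19544 on zone-pair IN-VPN class class-default due to DROP action found in policy-map with ip ident 486
%FW-6-DROP_PKT: Dropping tcp session 192.168.10.5:2000 192.168.20.5:40000 on zone-pair IN-VPN class class-default due to DROP action found in policy-map with ip ident 487
%FW-6-DROP_PKT: Dropping tcp session 192.168.10.7:51234 10.123.45.10:23 on zone-pair IN-VPN class class-default due to DROP action found in policy-map with ip ident 488
"""

# Default media port range used by Cisco IP phones / CUCM.
RTP_LOW, RTP_HIGH = 16384, 32767

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)


@dataclass
class Drop:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str
    class_name: str

    def looks_like_rtp(self) -> bool:
        # Both endpoints inside the phone media range is the signature of a
        # media stream that no signaling inspection pinholed.
        return RTP_LOW <= self.sport <= RTP_HIGH and RTP_LOW <= self.dport <= RTP_HIGH


def parse_drop(line: str) -> Optional[Drop]:
    """Parse one drop-log line; return None for lines in another format."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return Drop(m["proto"], m["src"], int(m["sport"]), m["dst"],
                int(m["dport"]), m["zp"], m["cls"])


def rtp_drops(log_text: str) -> List[Drop]:
    """Return only the drops whose ports fall inside the RTP range."""
    drops = [d for d in map(parse_drop, log_text.splitlines()) if d]
    return [d for d in drops if d.looks_like_rtp()]
```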
03-01-2013 03:15 PM
Try this:
class-map type inspect match-any VPN-PROT
 match protocol rtsp
03-04-2013 09:18 AM
Thank you, but it does not work. The problem is the same: RTSP (Real Time Streaming Protocol) does not work for the RTP UDP range 16384 - 32767 used for voice communication, which is being blocked by the zone-based firewall.
03-04-2013 11:58 AM
Ok, this is weird.
Let's try this:
class-map type inspect match-any VPN-PROT
 match protocol ssp
Also, do you see any logs or information referring to this problem on the CUCM?
What are the phones and CUCM versions?
03-04-2013 12:36 PM
Nothing yet. CUCM is running version 8.6.2.
The signaling through CUCM is OK, both phones register and ring when making the test calls; just the voice packets are dropped by ZBF.
When configuring a port-map with RTP in the class-map, it works normally.
!
ip port-map user-rtp port udp from 16384 to 32768
!
class-map type inspect match-any VOICE-PROT
 match protocol user-rtp
!
03-04-2013 02:01 PM
Can you share the output of "show policy-map type inspect IN-VPN-POLICY zone-pair sessions" while testing?
03-06-2013 09:31 AM
Sorry, the devices that I used for the lab are not available anymore.
Thanks for your help, I'll post again when I do the implementation at the customer.