09-14-2015 07:05 AM - edited 03-11-2019 11:35 PM
Hi all,
I replaced an old 2811 gateway with IPsec, IP-INSPECT, PBR, and H.323 ISDN gateway with a new 4431-VSEC with a 4-port ISDN NIM-4BRI-NT/TE.
So I decided to go with IOS XE 3.16, since the NIM is supported since 3.14 according to http://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/datasheet-c78-733646.html.
While doing the 1:1 config, the ISR4431 declined the "ip inspect ..." under interface configuration. So I tried implementing ZBF and failed.
I put all private interfaces into one zone, and the intra-zone communication works flawlessly (also over the tunnel interfaces).
If I generate an inbound ISDN call, the phones ring, and I hear the partner clearly on the Cisco phone, but he does not hear me, so here is my problem. I have a unidirectional voice stream generated by the router (self zone) to inside, which should be a default pass-all if no zone pair is configured (according to http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book.html).
To verify this I configured a policy map to pass all traffic and applied it to the zone pairs:

```
!
policy-map type inspect PASS-ALL
 class class-default
  pass
!
zone-pair security inside->self source Inside destination self
 service-policy type inspect PASS-ALL
zone-pair security self->inside source self destination Inside
 service-policy type inspect PASS-ALL
!
```
I then re-established a voice call, with the same result as above, but now the policy-map counters do count up:

```
Zone-pair: inside->self
 Service-policy inspect : PASS-ALL
  Class-map: class-default (match-any)
   Match: any
   Pass
    6488 packets, 738225 bytes
Zone-pair: self->inside
 Service-policy inspect : PASS-ALL
  Class-map: class-default (match-any)
   Match: any
   Pass
    8290 packets, 898943 bytes
```
I then decided to use L7 inspection and configured an H.323 inspect class with inspect in the same policy map:

```
Zone-pair: inside->self
 Service-policy inspect : PASS-ALL
  Class-map: H323 (match-all)
   Match: protocol h323
   Inspect
    Established Sessions
     Session ID 0x00000176 (10.10.16.6:57388)=>(10.120.18.1:17664) h245 SIS_OPEN
      Created 00:00:39, Last heard 00:00:25
      Bytes sent (initiator:responder) [139:168]
     Session ID 0x00000175 (10.10.16.6:57387)=>(10.120.18.1:1720) h225 SIS_OPEN
      Created 00:00:39, Last heard 00:00:05
      Bytes sent (initiator:responder) [232:605]
    Pre-Generating Sessions
     Session ID 0x0000017B (10.120.18.22:21266)=>(10.120.18.1:8036) h323-RTP-data SIS_PREGEN
      Created 00:00:27, Last heard 00:00:27
      Bytes sent (initiator:responder) [0:0]
     Session ID 0x0000017A (10.120.18.22:21267)=>(10.120.18.1:8037) h323-RTCP-data SIS_PREGEN
      Created 00:00:27, Last heard 00:00:27
      Bytes sent (initiator:responder) [0:0]
     Session ID 0x00000179 (10.10.16.6:0)=>(10.120.18.1:8036) h323-RTP-data SIS_PREGEN
      Created 00:00:28, Last heard 00:00:28
      Bytes sent (initiator:responder) [0:0]
     Session ID 0x00000178 (10.10.16.6:4001)=>(10.120.18.1:8037) h323-RTCP-data SIS_PREGEN
      Created 00:00:28, Last heard 00:00:28
      Bytes sent (initiator:responder) [0:0]
     Session ID 0x00000177 (10.10.16.6:4000)=>(10.120.18.1:8036) h323-RTP-data SIS_PREGEN
      Created 00:00:28, Last heard 00:00:28
      Bytes sent (initiator:responder) [0:0]
     Session ID 0x00000188 (10.10.16.6:0)=>(10.120.18.1:17664) h245 SIS_PREGEN
      Created 00:00:05, Last heard 00:00:05
      Bytes sent (initiator:responder) [0:0]
  Class-map: class-default (match-any)
   Match: any
   Pass
    8218 packets, 929550 bytes
Zone-pair: self->inside
 Service-policy inspect : PASS-ALL
  Class-map: H323 (match-all)
   Match: protocol h323
   Inspect
  Class-map: class-default (match-any)
   Match: any
   Pass
    10650 packets, 1117545 bytes
```
and again only unidirectional voice.
So, two questions: I did not find any place in the release notes saying that classic CBAC has been dropped. Can somebody verify this?
Why do I only get pre-generated sessions? This seems like a bug to me, but I could not identify a bug via Bug Search.
Any Ideas ?
BR
felix
09-14-2015 07:17 AM
Oh, I forgot to mention: if I disable ZBF, voice works OK, but then my local internet breakout with PBR and NAT does not work.
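For reference, here is a complete minimal ZBF layout for the inside/self zone pairs described in the post above. This is an added example, not the original poster's configuration; the interface names, the zone name INSIDE and the class/policy names are assumptions, and the OUTSIDE zone is included only so that the LAN interfaces are not the only zone members. It keeps the same split the post uses (an H.323 inspect class, everything else passed) and lists the show commands used to check session state.

```cisco
! --- Added example, not the poster's config. Interface and zone names are assumed. ---
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0/0
 description LAN (assumed interface)
 zone-member security INSIDE
!
interface GigabitEthernet0/0/1
 description Internet uplink (assumed interface)
 zone-member security OUTSIDE
!
! L7 class for H.323 signalling (H.225 on TCP/1720 plus the negotiated H.245 channel)
class-map type inspect match-all CM-H323
 match protocol h323
!
! H.323 is inspected; the default class passes everything else, like PASS-ALL in the post.
policy-map type inspect PM-ROUTER-VOICE
 class type inspect CM-H323
  inspect
 class class-default
  pass
!
! "pass" is stateless and applies only to the zone pair it is attached to,
! so traffic between the router (self zone) and the LAN needs a policy in each direction.
zone-pair security INSIDE-TO-SELF source INSIDE destination self
 service-policy type inspect PM-ROUTER-VOICE
zone-pair security SELF-TO-INSIDE source self destination INSIDE
 service-policy type inspect PM-ROUTER-VOICE
!
! Verification: zone-pair bindings, then per-class counters and inspect sessions
! (the same output format as the "Established Sessions" / "Pre-Generating Sessions" listing above).
show zone-pair security
show policy-map type inspect zone-pair INSIDE-TO-SELF sessions
show policy-map type inspect zone-pair SELF-TO-INSIDE sessions
```

When comparing against the poster's output, the items to look for are whether the RTP/RTCP entries ever move from SIS_PREGEN to an established state and whether the class-default pass counters grow in both zone pairs; if only one direction counts up, the missing direction is the one to check first.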