Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
468
Views
0
Helpful
3
Replies

Trying to understand weird Firewall rule. What rule causes this action?

Mike Bowers
Level 1
Level 1

‎03-26-2015 01:02 PM - edited ‎03-11-2019 10:42 PM

I have a CUCM sitting in my test lab behind a 2851 on the Main site. I have an ASA on this network on the side, handing out DHCP to the Phones. Both 2851's are pointed at each other with default routes connected directly together with serial cables. The only thing using the ASA as a default gateway is the IP phones receiving DHCP on the main site.

My ASA Firewall is handing out DHCP 192.168.5.x.  I have a PSTN Simulator sitting between the two 2851 routers. The Branch H323 gateway 2851 is handing out DHCP in the range of 10.0.30.x on the branch site.   

 

Note: Both routers are looking at each other as the default route 0.0.0.0 and I even specifically added 1.1.1.1 so all 1.1.1.1 traffic is passed between the two. The H323 source IP it is using is a loopback of 1.1.1.1. 

 

 

Here's the part that's interesting/confusing. The calls connect and the Branch audio reaches the Main Site, but the Main Site audio never reaches the Branch site UNLESS I add into my ASA firewall "route inside 1.1.1.1 255.255.255.255 192.168.5.245"  (.245 is the 2851 Router on the Main site).

 

So I have an idea that the IP Phones receiving DHCP are using the ASA as a default gateway and the ASA is only seeing half of the traffic packets since they are returning across the routers only and dropping the packets. So I tried to set up TCP Bypass to allow all TCP traffic, but it still doesn't work unless I add the specific route in. Is this an Asymmetric Routing issue or something else? Why can't I see the packets? 

=====================================

access-list capin extended permit tcp host 192.168.5.11 any4
access-list capin extended permit udp host 192.168.5.11 any4
access-list capin extended permit ip any4 host 192.168.5.11 
access-list capin extended permit tcp any4 host 192.168.5.11 
access-list capin extended permit udp any4 host 192.168.5.11 
access-list capin extended permit ip host 192.168.5.11 any4 

capture capin access-list capin

! Placed phone calls between the phones.

show capture capin

0 packet captured

0 packet shown

=====================================

 

The capture results show zero packets. The 192.168.5.11 is the phone that is using the ASA as a default gateway.  Why can I not see any traffic coming from this phone or to this phone when it is using the ASA as a default gateway? If this was an Asymmetric routing issue, why did TCP Bypass not get the audio to work goin both ways? ONLY the route command does (or changing the default gateway of the IP phone).

 

Is there another capture method that will pick up these ghost packets that the capture command is not? I know the phone is using the ASA as a default gateway, so when its trying to go to 1.1.1.1, I should see SOMETHING in the packet capture. Right? Or is this some other Firewall rule?

Labels:
0 Helpful
3 Replies 3

Marius Gunnerud
VIP
VIP

‎03-28-2015 02:23 PM

are these two on the same subnet? 192.168.5.11 and 192.168.5.254?

Ther are a few reasons that could be causing you not to see the captures.  One reason is that you are filtering on the wrong IP, another is that the traffic is being encrypted, yet another is that you have a routing issue.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Mike Bowers
Level 1
Level 1
In response to Marius Gunnerud

‎03-29-2015 01:15 PM

Hello Marius and thanks for the response!

Oh by the way I tried the below capture too and nothing showed up:

access-list capin extended permit tcp host 1.1.1.1 any4
access-list capin extended permit udp host 1.1.1.1 any4
access-list capin extended permit ip any4 host 1.1.1.1 
access-list capin extended permit tcp any4 host 1.1.1.1 
access-list capin extended permit udp any4 host 1.1.1.1 
access-list capin extended permit ip host 1.1.1.1  any4 

 

I also tried a capture for dropped packets by using capture asp-drop type asp-drop and nothing showed up.

 

Yes, that is the same subnet.  What I'm curious about, is the H323 Gateway's source is a loopback of 1.1.1.1.  Adding the static route of 1.1.1.1 lets the call audio complete on both sides. If I was capturing the wrong IP, why would specifically adding 1.1.1.1 in the routing table allow it to work when it won't work without it? So it seems it's routing to 1.1.1.1 since the route is required, but no traffic to or from 1.1.1.1 can be captured like there isn't any. Very confusing.

 

The setup is basic so there isn't any encryption added.

If there was a routing issue, it should still be seeing some traffic to or from 1.1.1.1 I would think. Just weird.

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Mike Bowers

‎03-29-2015 01:22 PM

If I was capturing the wrong IP, why would specifically adding 1.1.1.1 in the routing table allow it to work when it won't work without it?

This is a question that might be better answered by the people on the IP Telefony forum.  I suggest posting the question there, as there might be something that Voice savey techs can point out.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card