01-26-2014 07:04 AM - edited 03-11-2019 08:35 PM
I am using a Cisco 2821 with IOS 12.4(22)YB8. I have a pretty simple ZBF setup. All TCP, UDP, and ICMP from the internal LAN is inspected to the Internet. My problem is with my IP phone, which connects to an Asterisk server on the Internet. I can call out, but the call will drop every time after about 10 minutes. Also, incoming calls do not work. If I disable the ZBF, everything works fine. Calls do not drop, and incoming calls work fine. Anyone have any ideas? Here is a scrubbed config of the relevant parts.
class-map type inspect match-any CLASS_IN_OUT
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect POLICY_IN_OUT
 class type inspect CLASS_IN_OUT
  inspect
 class class-default
  drop
!
policy-map type inspect POLICY_OUT_IN
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security ZONE_PAIR_IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_IN_OUT
zone-pair security ZONE_PAIR_OUT_IN source OUTSIDE destination INSIDE
 service-policy type inspect POLICY_OUT_IN
!
interface GigabitEthernet0/0
 description WAN Interface
 bandwidth 20000
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN Interface
 ip address 192.168.1.1 255.255.255.128
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE
 duplex auto
 speed auto
!
ip nat inside source list NATHOST interface GigabitEthernet0/0 overload
!
ip access-list standard NATHOST
 permit 192.168.1.0 0.0.0.127
02-06-2014 12:19 AM
I'm not a voice expert, but I do inspect the traffic going from the outside zone to the inside when using ZBF. ZBF is application-aware. This probably doesn't answer why it times out after 10 minutes. But when you say incoming calls don't work on an IP phone but do when you disable the ZBF, this could be a reason. Let me know if you try this and if it works for you.
Thank you.
Joe
02-07-2014 06:12 AM
I seem to have fixed the problem. My phone registers to the phone server on port 5060. So I did this.
ip access-list extended VOIP
 permit udp host X.X.X.X any eq 5060
!
class-map type inspect match-any VOIP
 match access-group name VOIP
!
policy-map type inspect POLICY_OUT_IN
 class type inspect VOIP
  pass
 class class-default
  drop
So after passing UDP 5060 from the phone server to the inside, I was able to receive incoming calls and I have not had any further drops. From what I understand of how this phone works, you typically don't have to open up anything from the outside. It works from the inside out, opening a connection with the phone server when it boots. All I can figure is the ZBF has some kind of security timeout on those connections after a period of ten minutes or so. So the phone was opening a connection with the server, but the firewall was closing the connection after ten minutes.
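An added example, not from the thread or either poster, showing a tighter alternative to the stateless `pass` of inbound UDP/5060 and the show commands to confirm what the firewall is doing with the phone's session. It assumes X.X.X.X is the Asterisk server, reuses the zone, zone-pair and policy names from the posted config, and assumes the phone registers to the server over UDP/5060. The parameter-map name PMAP_SIP, the ACL name ACL_SIP_SERVER and the class name CLASS_SIP are placeholders chosen for this example.

```cisco
! Added example (not the original poster's config). Assumes X.X.X.X is the
! Asterisk server and that the phone signals over UDP/5060.
!
! Inspect SIP from the inside to the server with its own idle timer, so the
! registration session is tracked statefully and the return path (including
! inbound INVITEs arriving on the same 5-tuple) stays open between refreshes.
parameter-map type inspect PMAP_SIP
 udp idle-time 3600
!
ip access-list extended ACL_SIP_SERVER
 permit udp any host X.X.X.X eq 5060
!
! match-all: both the ACL and the SIP protocol match must be true.
class-map type inspect match-all CLASS_SIP
 match access-group name ACL_SIP_SERVER
 match protocol sip
!
! Classes are evaluated top-down, first match wins, so CLASS_SIP must sit
! above the generic CLASS_IN_OUT or the SIP traffic lands in plain udp inspect.
policy-map type inspect POLICY_IN_OUT
 class type inspect CLASS_SIP
  inspect PMAP_SIP
 class type inspect CLASS_IN_OUT
  inspect
 class class-default
  drop
!
! Checks (run from exec mode, shown here as comments):
! show policy-map type inspect zone-pair ZONE_PAIR_IN_OUT sessions
!   - the phone -> X.X.X.X:5060 session should be listed with the 3600 s
!     idle timer from PMAP_SIP rather than the generic UDP default
! show policy-map type inspect zone-pair ZONE_PAIR_OUT_IN
!   - the class-default drop counter should stop climbing when a call comes in
! show parameter-map type inspect PMAP_SIP
!   - confirms the udp idle-time actually applied
```

With this in place the OUT_IN policy can stay at drop-everything: the inbound leg of the call is admitted because it belongs to an inspected session, not because a hole was punched. The posted `pass` fix still works and is narrowly scoped to one server, but `pass` is stateless and one-directional, so it admits any UDP from X.X.X.X:5060 regardless of whether a phone session exists; the `inspect` variant ties the opening to the phone having registered.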