
ZBF SIP inspection

TONY SMITH

Hi,

The context here is an IOS Internet router with ZBF, ITSP on the outside and CUBE gateway on the inside. SIP signalling and voice media therefore have to pass through the ZBF and obviously we want to create as few holes in the firewall as possible, while still permitting things to work.

After ploughing through samples and configuration guides I am still not clear whether SIP inspection in Zone Based Firewall will do what I want, which is to selectively permit in RTP but only between the IP and UDP ports specified in the SDP parameters.

For normal calls the basic UDP inspection suffices, because the CUBE gateway always starts media transmission which in turn permits the matching return traffic from the ITSP. No static permit is needed for RTP.

In some special cases this does not work, one example being a forwarded call where the CUBE doesn't initiate but only relays RTP between the two call legs. There is therefore no initial outbound RTP to be inspected and open the inbound path. To fix this needs a static inbound ACL line, effectively permitting anything from the ITSP end point.

Does ZBF SIP inspection provide this function?

Thanks, Tony S
