09-03-2018 09:30 AM - edited 02-21-2020 08:11 AM
Hello,
I have set up a zone-based firewall on an ISR4331.
With that zone-based firewall and "debug ccsip message" activated, I observe a lot of "SIP/2.0 488 Not Acceptable Media" or "SIP/2.0 403 Forbidden" messages.
If I add the following configuration:
object-group network IP_SIP_TRUNK_PROVIDER
 A.B.W.0 255.255.255.0
 A.B.X.0 255.255.255.0
 A.B.Y.0 255.255.255.0
 A.B.Z.0 255.255.255.0
ip access-list extended ACL_TEST
 permit udp object-group IP_SIP_TRUNK_PROVIDER any eq 5060
 permit udp object-group IP_SIP_TRUNK_PROVIDER any eq 8060
 permit udp object-group IP_SIP_TRUNK_PROVIDER any range 35000 64999
 deny udp any any eq 5060 log
 permit tcp any any
 permit udp any any
 exit
interface Dialer0
 ip access-group ACL_TEST in
 exit
I get rid of all the attempts.
In the logs I can see log lines like:
Sep 3 18:26:34.404 CET: [...] : list ACL_TEST denied udp 188.165.193.179(50750) -> L.N.M.O(5060), 1 packet
Obviously the zone-based firewall I configured is ill-configured.
How can I fix this?
Best regards.
09-04-2018 08:33 AM
Is there a reason why you only allow udp/5060 and not tcp/5060?
09-04-2018 09:05 AM - edited 09-04-2018 09:13 AM
Hello.
Only UDP, because that's all the SIP trunk provider was asking for.
This guy has some arguments:
"In short, VoIP traffic is best left as UDP traffic for both server load and call quality reasons."
Source: https://www.onsip.com/blog/sip-via-udp-vs-tcp
But how do this relate to my issue?
It's "more blocking" and "less allowing" that I need in the zone-based firewall...
BR.
09-04-2018 09:16 AM
Yes, RTP is UDP, so I see no need for TCP on that front. Looking at the log entry, your ACL denies UDP to port 5060. Are you allowing that 188. IP address in your object group? Is this expected traffic?
Cheers
09-04-2018 09:30 AM
Hello,
> looking at the log entry, your acl denies UDP to port 5060.
> are you allowing that 188. IP address in your object group?
No, I am not allowing that "188." IP address in my object group.
In my object group are only my SIP provider IP address ranges.
> is this expected traffic?
No, this is not expected traffic.
To me, this ACL is doing a good job.
But my zone-based firewall doesn't do this job.
What I don't know is how to "inject" this ACL in my zone-based firewall.
I would like to get rid of this ACL and fix my zone-based firewall.
BR.
09-06-2018 06:25 AM
Actually, you were right to ask the question; I also received undesired TCP SIP messages.
So I added the rule "deny tcp any any eq 5060 log" after the rule "deny udp any any eq 5060 log" in the "ACL_TEST" access list.
Still, I don't know how to "inject" the ACL rules into the zone-based firewall so that I can get rid of the ACL "ACL_TEST"...
Best regards.
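The following is an added example, not configuration from the thread, showing how the intent of ACL_TEST (provider-sourced SIP and RTP allowed, SIP from anywhere else dropped and logged) can be expressed inside the zone-based firewall so that the interface ACL becomes unnecessary. An inbound `ip access-group` is evaluated before the zone-based firewall sees the packet, which is why ACL_TEST masks whatever the ZBFW policy does. Assumptions: Dialer0 belongs to a zone named OUTSIDE, the SIP trunk terminates on the router itself (so the relevant zone-pair is OUTSIDE to the self zone), and the object-group IP_SIP_TRUNK_PROVIDER is defined as in the first post. All zone, class-map, policy-map and ACL names below are illustrative.

```cisco
! Added example (not part of the original thread).
! Assumes: Dialer0 in zone OUTSIDE, SIP terminating on the router (self zone),
! object-group IP_SIP_TRUNK_PROVIDER already defined.

! 1. Exactly what the provider needs: SIP on UDP/5060 and UDP/8060 plus the RTP
!    range, sourced only from the provider networks (the permit lines of ACL_TEST).
ip access-list extended ACL_SIP_PROVIDER
 permit udp object-group IP_SIP_TRUNK_PROVIDER any eq 5060
 permit udp object-group IP_SIP_TRUNK_PROVIDER any eq 8060
 permit udp object-group IP_SIP_TRUNK_PROVIDER any range 35000 64999

! 2. SIP signalling from anyone else, UDP and TCP (the two deny lines of ACL_TEST).
!    In an ACL used by a class-map, "permit" means "this traffic matches the class".
ip access-list extended ACL_SIP_OTHER
 permit udp any any eq 5060
 permit tcp any any eq 5060

class-map type inspect match-all CM_SIP_PROVIDER
 match access-group name ACL_SIP_PROVIDER
class-map type inspect match-all CM_SIP_OTHER
 match access-group name ACL_SIP_OTHER

! 3. Classes are evaluated top-down: the provider class must come before the
!    catch-all SIP class, otherwise provider SIP is dropped as well.
policy-map type inspect PM_OUTSIDE_TO_SELF
 class type inspect CM_SIP_PROVIDER
  inspect
 class type inspect CM_SIP_OTHER
  drop log
 class class-default
  drop log

zone security OUTSIDE
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PM_OUTSIDE_TO_SELF

! 4. Put the WAN interface in the zone and retire the interface ACL.
interface Dialer0
 zone-member security OUTSIDE
 no ip access-group ACL_TEST in
```

Two caveats. First, ACL_TEST ends with `permit tcp any any` and `permit udp any any`, so it only filtered SIP; the `class-default` `drop log` above is stricter and blocks everything else addressed to the router from OUTSIDE. Anything the router itself needs to receive from that side (replies to its own DNS or NTP queries, for instance) must then be covered by an `inspect` on a self-to-OUTSIDE zone-pair, or `class-default` changed to `pass` to keep the original ACL's behaviour. Second, `show policy-map type inspect zone-pair ZP_OUTSIDE_TO_SELF` shows per-class packet and drop counters, which is the quickest way to confirm that provider SIP lands in CM_SIP_PROVIDER and the scanners from addresses such as 188.165.193.179 land in CM_SIP_OTHER.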