01-24-2015 12:50 PM - edited 03-11-2019 10:23 PM
Hello,
I am trying to configure zone based firewall (on a 2911 with the k9 security license) to pass VoIP traffic from my VoIP provider to an internal IP PBX (3CX) and vice versa. The way I have it set up currently is to permit all outgoing traffic from the internal network to the outside. For traffic coming from the WAN (G0/1 “Outside-Frontier” zone) I have allowed all traffic with destination port(s) TCP/UDP 5060 (SIP) and UDP 9001-9049 (RTP). However, even after explicitly allowing this traffic (via class-maps with ACLs) I cannot seem to get voice traffic to pass through (I get a “no response” when attempting to make a call).
I know that my base configuration is correct because if I disable ZBF then I can make calls just fine and the firewall checker in 3CX passes all of the RTP/SIP ports. As soon as I apply the ZBF config I cannot even connect to my SIP provider/make a call.
I have tried all sorts of combinations of ACLs and class-maps/policy-maps but nothing seems to work other than allowing all IP traffic to pass the inside and outside zones (which defeats the purpose of ZBF).
My LAN diagram, running-config, version info, and PBX port settings are pasted below. I have omitted IP addresses and other unnecessary lines (like VPN configuration). I would really appreciate any and all advice on this.
Thanks!
router#show ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 19-Mar-14 19:23 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
router#show run
Building configuration...
Current configuration : 13497 bytes
!
! Last configuration change at 17:29:45 UTC Sat Jan 24 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
ip cef
!
ip domain name invalid.lan
ip name-server x.x.x.x
ip name-server x.x.x.x
no ipv6 cef
ip ssh version 2
!
class-map type inspect match-any Outgoing-Mail-Class
match access-group name OUTGOING_MAIL
class-map type inspect match-any Outgoing-FW-Exceptions-Class
match access-group name OUTGOING_FW_EXCEPTIONS
class-map type inspect match-any Incoming-FW-Exceptions-Class
match access-group name INCOMING_FW_EXCEPTIONS
class-map type inspect match-any Inside->Outside-Comcast-Class
match protocol http
match protocol https
match protocol dns
match protocol icmp
match class-map Outgoing-Mail-Class
!
policy-map type inspect Outside-Frontier->Inside-Policy
class type inspect Incoming-FW-Exceptions-Class
pass
class class-default
drop
policy-map type inspect Inside->Outside-Comcast-Policy
class type inspect Inside->Outside-Comcast-Class
inspect
class class-default
drop
policy-map type inspect Inside->Outside-Frontier-Policy
class type inspect Outgoing-FW-Exceptions-Class
pass
class class-default
drop
!
zone security Inside
zone security Outside-Comcast
zone security Outside-Frontier
zone-pair security Inside->Outside-Frontier source Inside destination Outside-Frontier
service-policy type inspect Inside->Outside-Frontier-Policy
zone-pair security Inside->Outside-Comcast source Inside destination Outside-Comcast
service-policy type inspect Inside->Outside-Comcast-Policy
zone-pair security Outside-Frontier->Inside source Outside-Frontier destination Inside
service-policy type inspect Outside-Frontier->Inside-Policy
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN interface (Comcast cable) for data
ip address x.x.x.x x.x.x.x
zone-member security Outside-Comcast
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN interface (Frontier DSL) for voice interface
ip address x.x.x.x x.x.x.x
ip nat outside
ip virtual-reassembly in
zone-member security Outside-Frontier
duplex auto
speed auto
!
interface GigabitEthernet0/2
description Link to 3560 switch
ip address 10.10.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
zone-member security Inside
duplex auto
speed auto
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat pool dsl-nat x.x.x.x x.x.x.x netmask x.x.x.x
ip nat inside source list DSL_NAT_ACL pool dsl-nat overload
ip nat inside source static tcp 10.10.10.25 5060 x.x.x.x 5060 extendable
ip nat inside source static udp 10.10.10.25 5060 x.x.x.x 5060 extendable
ip nat inside source static tcp 10.10.10.25 5090 x.x.x.x 5090 extendable
ip nat inside source static udp 10.10.10.25 5090 x.x.x.x 5090 extendable
ip nat inside source static tcp 10.10.10.25 5901 x.x.x.x 5901 extendable
ip nat inside source static udp 10.10.10.25 9000 x.x.x.x 9000 extendable
ip nat inside source static udp 10.10.10.25 9001 x.x.x.x 9001 extendable
ip nat inside source static udp 10.10.10.25 9002 x.x.x.x 9002 extendable
ip nat inside source static udp 10.10.10.25 9003 x.x.x.x 9003 extendable
ip nat inside source static udp 10.10.10.25 9004 x.x.x.x 9004 extendable
ip nat inside source static udp 10.10.10.25 9005 x.x.x.x 9005 extendable
ip nat inside source static udp 10.10.10.25 9006 x.x.x.x 9006 extendable
ip nat inside source static udp 10.10.10.25 9007 x.x.x.x 9007 extendable
ip nat inside source static udp 10.10.10.25 9008 x.x.x.x 9008 extendable
ip nat inside source static udp 10.10.10.25 9009 x.x.x.x 9009 extendable
ip nat inside source static udp 10.10.10.25 9010 x.x.x.x 9010 extendable
ip nat inside source static udp 10.10.10.25 9011 x.x.x.x 9011 extendable
ip nat inside source static udp 10.10.10.25 9012 x.x.x.x 9012 extendable
ip nat inside source static udp 10.10.10.25 9013 x.x.x.x 9013 extendable
ip nat inside source static udp 10.10.10.25 9014 x.x.x.x 9014 extendable
ip nat inside source static udp 10.10.10.25 9015 x.x.x.x 9015 extendable
ip nat inside source static udp 10.10.10.25 9016 x.x.x.x 9016 extendable
ip nat inside source static udp 10.10.10.25 9017 x.x.x.x 9017 extendable
ip nat inside source static udp 10.10.10.25 9018 x.x.x.x 9018 extendable
ip nat inside source static udp 10.10.10.25 9019 x.x.x.x 9019 extendable
ip nat inside source static udp 10.10.10.25 9020 x.x.x.x 9020 extendable
ip nat inside source static udp 10.10.10.25 9021 x.x.x.x 9021 extendable
ip nat inside source static udp 10.10.10.25 9022 x.x.x.x 9022 extendable
ip nat inside source static udp 10.10.10.25 9023 x.x.x.x 9023 extendable
ip nat inside source static udp 10.10.10.25 9024 x.x.x.x 9024 extendable
ip nat inside source static udp 10.10.10.25 9025 x.x.x.x 9025 extendable
ip nat inside source static udp 10.10.10.25 9026 x.x.x.x 9026 extendable
ip nat inside source static udp 10.10.10.25 9027 x.x.x.x 9027 extendable
ip nat inside source static udp 10.10.10.25 9028 x.x.x.x 9028 extendable
ip nat inside source static udp 10.10.10.25 9029 x.x.x.x 9029 extendable
ip nat inside source static udp 10.10.10.25 9030 x.x.x.x 9030 extendable
ip nat inside source static udp 10.10.10.25 9031 x.x.x.x 9031 extendable
ip nat inside source static udp 10.10.10.25 9032 x.x.x.x 9032 extendable
ip nat inside source static udp 10.10.10.25 9033 x.x.x.x 9033 extendable
ip nat inside source static udp 10.10.10.25 9034 x.x.x.x 9034 extendable
ip nat inside source static udp 10.10.10.25 9035 x.x.x.x 9035 extendable
ip nat inside source static udp 10.10.10.25 9036 x.x.x.x 9036 extendable
ip nat inside source static udp 10.10.10.25 9037 x.x.x.x 9037 extendable
ip nat inside source static udp 10.10.10.25 9038 x.x.x.x 9038 extendable
ip nat inside source static udp 10.10.10.25 9039 x.x.x.x 9039 extendable
ip nat inside source static udp 10.10.10.25 9040 x.x.x.x 9040 extendable
ip nat inside source static udp 10.10.10.25 9041 x.x.x.x 9041 extendable
ip nat inside source static udp 10.10.10.25 9042 x.x.x.x 9042 extendable
ip nat inside source static udp 10.10.10.25 9043 x.x.x.x 9043 extendable
ip nat inside source static udp 10.10.10.25 9044 x.x.x.x 9044 extendable
ip nat inside source static udp 10.10.10.25 9045 x.x.x.x 9045 extendable
ip nat inside source static udp 10.10.10.25 9046 x.x.x.x 9046 extendable
ip nat inside source static udp 10.10.10.25 9047 x.x.x.x 9047 extendable
ip nat inside source static udp 10.10.10.25 9048 x.x.x.x 9048 extendable
ip nat inside source static udp 10.10.10.25 9049 x.x.x.x 9049 extendable
ip route 10.10.0.0 255.255.0.0 10.10.1.2
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list standard DSL_NAT_ACL
remark Perform PAT from inside to the DSL interface
permit 10.10.0.0 0.0.255.255
!
ip access-list extended INCOMING_FW_EXCEPTIONS
remark Allow SIP and RTP from any source to any destination
permit tcp any any eq 5060
permit udp any any eq 5060
permit udp any any eq 9000
permit udp any any eq 9001
permit udp any any eq 9002
permit udp any any eq 9003
permit udp any any eq 9004
permit udp any any eq 9005
permit udp any any eq 9006
permit udp any any eq 9007
permit udp any any eq 9008
permit udp any any eq 9009
permit udp any any eq 9010
permit udp any any eq 9011
permit udp any any eq 9012
permit udp any any eq 9013
permit udp any any eq 9014
permit udp any any eq 9015
permit udp any any eq 9016
permit udp any any eq 9017
permit udp any any eq 9018
permit udp any any eq 9019
permit udp any any eq 9020
permit udp any any eq 9021
permit udp any any eq 9022
permit udp any any eq 9023
permit udp any any eq 9024
permit udp any any eq 9025
permit udp any any eq 9026
permit udp any any eq 9027
permit udp any any eq 9028
permit udp any any eq 9029
permit udp any any eq 9030
permit udp any any eq 9031
permit udp any any eq 9032
permit udp any any eq 9033
permit udp any any eq 9034
permit udp any any eq 9035
permit udp any any eq 9036
permit udp any any eq 9037
permit udp any any eq 9038
permit udp any any eq 9039
permit udp any any eq 9040
permit udp any any eq 9041
permit udp any any eq 9042
permit udp any any eq 9043
permit udp any any eq 9044
permit udp any any eq 9045
permit udp any any eq 9046
permit udp any any eq 9047
permit udp any any eq 9048
permit udp any any eq 9049
ip access-list extended OUTGOING_FW_EXCEPTIONS
remark Allow all outgoing IP traffic
permit ip any any
ip access-list extended OUTGOING_MAIL
remark Allow any internal host to send outgoing mail over TCP 8889
permit tcp any eq 8889 any
!
control-plane
!
end
[Attachment: 3CX IP PBX port settings]
[Attachment: 3CX firewall checker]
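One audit worth running against a config like the one above is to cross-check the static NAT port forwards against the ACL behind the inbound ZBF class: any port NAT forwards to the PBX but the ACL does not permit falls through to `class-default` and is dropped, while any port the ACL passes without a NAT target is an unnecessary inbound opening. The script below is an added example, not part of the original post; it works on a constructed excerpt of the posted config (public address masked as x.x.x.x, as in the post) and the line formats it parses are the ones shown there.

```python
import re

# Constructed excerpt of the running-config posted above; the full NAT and
# ACL blocks follow the same line pattern, so the check applies to them too.
CONFIG = """\
ip nat inside source static tcp 10.10.10.25 5060 x.x.x.x 5060 extendable
ip nat inside source static udp 10.10.10.25 5060 x.x.x.x 5060 extendable
ip nat inside source static tcp 10.10.10.25 5090 x.x.x.x 5090 extendable
ip nat inside source static udp 10.10.10.25 5090 x.x.x.x 5090 extendable
ip nat inside source static tcp 10.10.10.25 5901 x.x.x.x 5901 extendable
ip nat inside source static udp 10.10.10.25 9000 x.x.x.x 9000 extendable
ip access-list extended INCOMING_FW_EXCEPTIONS
 remark Allow SIP and RTP from any source to any destination
 permit tcp any any eq 5060
 permit udp any any eq 5060
 permit udp any any eq 9000
ip access-list extended OUTGOING_FW_EXCEPTIONS
 permit ip any any
"""

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) \S+ \d+ \S+ (\d+)")
ACL_HDR_RE = re.compile(r"^ip access-list extended (\S+)")
ACL_PERMIT_RE = re.compile(r"^\s*permit (tcp|udp) any any eq (\d+)")

def static_forwards(cfg):
    """Return {(proto, outside_port)} for every static port forward."""
    hits = (NAT_RE.match(line) for line in cfg.splitlines())
    return {(m.group(1), int(m.group(2))) for m in hits if m}

def acl_ports(cfg, name):
    """Return {(proto, dst_port)} that the named extended ACL permits."""
    ports, inside = set(), False
    for line in cfg.splitlines():
        hdr = ACL_HDR_RE.match(line)
        if hdr:                      # entering a (possibly different) ACL
            inside = hdr.group(1) == name
            continue
        m = ACL_PERMIT_RE.match(line) if inside else None
        if m:
            ports.add((m.group(1), int(m.group(2))))
    return ports

def audit(cfg, acl_name="INCOMING_FW_EXCEPTIONS"):
    """Cross-check NAT port forwards against the inbound ZBF class ACL."""
    fwd, allowed = static_forwards(cfg), acl_ports(cfg, acl_name)
    return {
        "forwarded_but_not_permitted": fwd - allowed,  # hit class-default drop
        "permitted_but_not_forwarded": allowed - fwd,  # passed with no NAT target
    }
```

On the excerpt, `audit(CONFIG)` reports TCP/UDP 5090 and TCP 5901 as forwarded by NAT but absent from INCOMING_FW_EXCEPTIONS, which matches the posted config; note also that the `pass` action creates no session state, so the reverse zone-pair must allow the return traffic on its own (here it does, via `permit ip any any`).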