01-31-2023 07:58 AM - last edited on 02-06-2023 10:09 PM by Translator
Hello.
Please view the config below (associated with NAT?), and also the logs below, from a 4431 router, and also the downstream workstation softphone vendor log...
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
===
Jan 31 15:20:27.593: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00004203007066538084 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/1.2 172.16.0.5:57810 => 2.2.2.2:5081(target:class)-(IN-TO-OUT:class-default) due to Policy drop:classify result with ip ident 11105 tcp flag 0x2, seq 773446243, ack 0
===
2.2.2.2:5081:
REGISTER sip:CallCenterVendor1.com:5081;transport=TLS SIP/2.0
!! The vendor tells me that the above is evidence that Vendor1 successfully received my workstation softphone contact. !!
===
Tracing route to CallCenterVendor1.com [2.2.2.2]
1 <1 ms <1 ms <1 ms 172.16.0.1
2 1 ms <1 ms <1 ms MY-ISP-Gateway.com [3.3.3.3]
Questions:
1. What communication would this device NOT block?
2. Why would such a configured policy be in place?
3. How is it possible that "The vendor tells me that the above is evidence that Vendor1 successfully received my workstation softphone contact." ?
Thank you.
01-31-2023 09:58 AM - last edited on 02-06-2023 10:11 PM by Translator
permit tcp 172.16.9.0 0.0.0.255 any eq 5081
<<- this line needs to be added to the ACL; port 5081 is not found in the ACL, which is why the ZF drops the traffic
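The mechanism behind that answer: a `class-map type inspect` with `match access-group` only classifies traffic, so a flow that a permit ACE covers lands in INSIDE-TO-OUTSIDE-CLASS and gets inspected, while every other flow (implicit deny included) falls into class-default, whose action here is `drop log`. That is exactly what the `(IN-TO-OUT:class-default)` tag in the %FW-6-DROP_PKT line records. The script below is an added example, not code from this thread or from Cisco; it reproduces just enough IOS extended-ACL matching (any/host/wildcard addresses, `eq` destination port, first-match order) to re-check the posted drop line against the posted ACL, first as-is and then with the proposed 5081 entry appended. It also surfaces a detail worth checking before declaring the fix done: the logged source is 172.16.0.5, which is outside the 172.16.9.0 0.0.0.255 range every ACE uses, so an ACE scoped to that range would not cover this particular flow unless the real workstation address sits in 172.16.9.0/24 (the thread does not say whether the log was sanitized).

```python
# Re-check of a Cisco IOS-XE zone-based-firewall drop against the ACL that the
# class-map references.  Added example, not code from the thread or from Cisco;
# it models just enough IOS extended-ACL matching (any/host/wildcard addresses,
# 'eq' destination port, first-match order) to explain a %FW-6-DROP_PKT line.
import ipaddress
import re

PORT_NAMES = {"www": 80, "pop3": 110, "domain": 53, "smtp": 25}  # IOS keywords used in the ACL

# Constructed copies of the ACL and the drop line posted in the thread.
ACL_ORIGINAL = """\
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 172.16.9.0 0.0.0.255 any eq www
 permit tcp 172.16.9.0 0.0.0.255 any eq pop3
 permit tcp 172.16.9.0 0.0.0.255 any eq domain
 permit tcp 172.16.9.0 0.0.0.255 any eq smtp
 permit tcp 172.16.9.0 0.0.0.255 any eq 443
 permit tcp 172.16.9.0 0.0.0.255 any eq 22
 permit icmp 172.16.9.0 0.0.0.255 any
"""
ACE_PROPOSED = " permit tcp 172.16.9.0 0.0.0.255 any eq 5081\n"   # the line from the accepted answer
DROP_LOG = ("Jan 31 15:20:27.593: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 "
            "TS:00004203007066538084 %FW-6-DROP_PKT: Dropping tcp pkt from "
            "GigabitEthernet0/0/1.2 172.16.0.5:57810 => 2.2.2.2:5081(target:class)-"
            "(IN-TO-OUT:class-default) due to Policy drop:classify result with "
            "ip ident 11105 tcp flag 0x2, seq 773446243, ack 0")

# tcp/udp form of the drop message (icmp drops carry no ports and are not handled here)
DROP_RE = re.compile(r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt from \S+ "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)"
                     r"\([^)]*\)-\((?P<zpair>[^:)]+):(?P<cls>[^)]+)\)")
ADDR = r"any|host\s+[\d.]+|[\d.]+\s+[\d.]+"
ACE_RE = re.compile(rf"^\s*(?P<action>permit|deny)\s+(?P<proto>\w+)\s+(?P<src>{ADDR})\s+"
                    rf"(?P<dst>{ADDR})(?:\s+eq\s+(?P<port>\S+))?\s*$")


def parse_drop_log(line):
    """Return the dropped flow plus the zone-pair (zpair) and class (cls) that dropped it."""
    m = DROP_RE.search(line)
    if m is None:
        raise ValueError("not a tcp/udp %FW-6-DROP_PKT line")
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f


def _addr_matcher(spec):
    """Predicate for an ACL address field: any | host A | A WILDCARD (1-bits = don't care)."""
    parts = spec.split()
    if parts == ["any"]:
        return lambda ip: True
    base = int(ipaddress.IPv4Address(parts[1] if parts[0] == "host" else parts[0]))
    care = 0xFFFFFFFF if parts[0] == "host" else 0xFFFFFFFF ^ int(ipaddress.IPv4Address(parts[1]))
    return lambda ip: (int(ipaddress.IPv4Address(ip)) ^ base) & care == 0


def parse_acl(text):
    """Parse 'ip access-list extended' lines into ACEs, keeping ACL (first-match) order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m is None:          # header, blank or remark lines
            continue
        port = m.group("port")
        aces.append({"text": line.strip(), "action": m.group("action"), "proto": m.group("proto"),
                     "src": _addr_matcher(m.group("src")), "dst": _addr_matcher(m.group("dst")),
                     "port": None if port is None else PORT_NAMES.get(port) or int(port)})
    return aces


def classify(aces, flow):
    """Mirror the policy-map: a flow that hits a permit ACE is in INSIDE-TO-OUTSIDE-CLASS
    (inspected); anything else, including deny hits and the implicit deny, falls to
    class-default, whose action in the posted policy is 'drop log'."""
    for ace in aces:
        if ace["proto"] not in ("ip", flow["proto"]):
            continue
        if not (ace["src"](flow["src"]) and ace["dst"](flow["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != flow["dport"]:
            continue
        return "INSIDE-TO-OUTSIDE-CLASS" if ace["action"] == "permit" else "class-default"
    return "class-default"


if __name__ == "__main__":
    flow = parse_drop_log(DROP_LOG)
    before, after = parse_acl(ACL_ORIGINAL), parse_acl(ACL_ORIGINAL + ACE_PROPOSED)
    print(f"{flow['src']}:{flow['sport']} -> {flow['dst']}:{flow['dport']} "
          f"dropped in {flow['zpair']} by {flow['cls']}")
    print("original ACL             :", classify(before, flow))   # class-default
    print("with 5081 ACE            :", classify(after, flow))    # still class-default: src not in 172.16.9.0/24
    print("with 5081 ACE, 172.16.9.5:", classify(after, dict(flow, src="172.16.9.5")))  # INSIDE-TO-OUTSIDE-CLASS
```

Run it against your own `show access-list` output and the drop lines from `show logging` to confirm, before touching the ACL, that the flow you intend to permit actually falls into the inspected class. The matcher ignores the source port, which matches how every ACE in this ACL is written; an ACL using `range`, `gt` or source-port qualifiers would need the regex extended.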
01-31-2023 08:43 AM - last edited on 02-06-2023 10:13 PM by Translator
You are using Zone-Based Firewall.
First, what is the zone pair?
What is the config of class INSIDE-TO-OUTSIDE-CLASS?
01-31-2023 09:50 AM - last edited on 02-06-2023 10:10 PM by Translator
ROUTER_4431#sh run all | inc INSIDE-TO-OUTSIDE-CLASS
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
class type inspect INSIDE-TO-OUTSIDE-CLASS
ROUTER_4431#sh run all | beg INSIDE-TO-OUTSIDE-CLASS
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
!
!
=====
ip access-list extended INSIDE-TO-OUTSIDE
permit tcp 172.16.9.0 0.0.0.255 any eq www
permit tcp 172.16.9.0 0.0.0.255 any eq pop3
permit tcp 172.16.9.0 0.0.0.255 any eq domain
permit tcp 172.16.9.0 0.0.0.255 any eq smtp
permit tcp 172.16.9.0 0.0.0.255 any eq 443
permit tcp 172.16.9.0 0.0.0.255 any eq 22
permit icmp 172.16.9.0 0.0.0.255 any
=====