4431 router config: What communication would this device NOT block?

Hello.

Please view the config below (associated with NAT (?)), and also the logs below, from the 4431 router, and also the downstream workstation softphone vendor log...

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log

===

Jan 31 15:20:27.593: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00004203007066538084 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/1.2 172.16.0.5:57810 => 2.2.2.2:5081(target:class)-(IN-TO-OUT:class-default) due to Policy drop:classify result with ip ident 11105 tcp flag 0x2, seq 773446243, ack 0

===

2.2.2.2:5081:
REGISTER sip:CallCenterVendor1.com:5081;transport=TLS SIP/2.0

!! The vendor tells me that the above is evidence that Vendor1 successfully received my workstation softphone contact. !!
===

Tracing route to CallCenterVendor1.com [2.2.2.2]
1 <1 ms <1 ms <1 ms 172.16.0.1
2 1 ms <1 ms <1 ms MY-ISP-Gateway.com [3.3.3.3]

Questions:

1. What communication would this device NOT block?

2. Why would such a configured policy be in place?

3. How is it possible that "The vendor tells me that the above is evidence that Vendor1 successfully received my workstation softphone contact." ?

Thank you.


3 Replies

You are using a Zone Firewall.
First, what is the zone pair?
What is the config of class INSIDE-TO-OUTSIDE-CLASS?

ROUTER_4431#sh run all | inc INSIDE-TO-OUTSIDE-CLASS
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 class type inspect INSIDE-TO-OUTSIDE-CLASS

ROUTER_4431#sh run all | beg INSIDE-TO-OUTSIDE-CLASS
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
!
!
=====

ip access-list extended INSIDE-TO-OUTSIDE
permit tcp 172.16.9.0 0.0.0.255 any eq www
permit tcp 172.16.9.0 0.0.0.255 any eq pop3
permit tcp 172.16.9.0 0.0.0.255 any eq domain
permit tcp 172.16.9.0 0.0.0.255 any eq smtp
permit tcp 172.16.9.0 0.0.0.255 any eq 443
permit tcp 172.16.9.0 0.0.0.255 any eq 22
permit icmp 172.16.9.0 0.0.0.255 any
=====

permit tcp 172.16.9.0 0.0.0.255 any eq 5081

<<- This line needs to be added to the ACL. Port 5081 is not found in the ACL, which is why the ZF drops the traffic.
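To answer the first question concretely ("what would this device NOT block?"), here is an added Python example, written for this page and not taken from the thread or from Cisco, that parses the %FW-6-DROP_PKT line quoted in the question, models the posted INSIDE-TO-OUTSIDE ACL with IOS first-match and implicit-deny semantics, and reports the IN-TO-OUT verdict of the posted policy-map (ACL match -> inspect, otherwise class-default -> drop) both before and after the `permit ... eq 5081` line from the accepted answer. The ACL, the log line, the suggested line and the class/policy names are copied from the thread; the port-keyword table (standard well-known ports) and the 172.16.9.20 test host are assumptions made for the example.

```python
import ipaddress
import re

# Constructed from this thread: the posted INSIDE-TO-OUTSIDE ACL, the line the
# accepted answer suggests adding, and the %FW-6-DROP_PKT log line from the 4431.
ACL_INSIDE_TO_OUTSIDE = """
permit tcp 172.16.9.0 0.0.0.255 any eq www
permit tcp 172.16.9.0 0.0.0.255 any eq pop3
permit tcp 172.16.9.0 0.0.0.255 any eq domain
permit tcp 172.16.9.0 0.0.0.255 any eq smtp
permit tcp 172.16.9.0 0.0.0.255 any eq 443
permit tcp 172.16.9.0 0.0.0.255 any eq 22
permit icmp 172.16.9.0 0.0.0.255 any
"""
SUGGESTED_LINE = "permit tcp 172.16.9.0 0.0.0.255 any eq 5081"
LOG_LINE = ("Jan 31 15:20:27.593: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 "
            "TS:00004203007066538084 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/1.2 "
            "172.16.0.5:57810 => 2.2.2.2:5081(target:class)-(IN-TO-OUT:class-default) "
            "due to Policy drop:classify result with ip ident 11105 tcp flag 0x2, seq 773446243, ack 0")

# IOS port keywords that appear in the ACL (assumed: the standard well-known ports).
PORT_NAMES = {"www": 80, "pop3": 110, "domain": 53, "smtp": 25}

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt from (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<target>[^)]*)\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\)")


def parse_drop(line):
    """Extract the 5-tuple, zone pair and class from a %FW-6-DROP_PKT line, or None."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"], "iface": m["iface"], "src": m["src"],
            "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"]),
            "zone_pair": m["zone_pair"], "class": m["cls"]}


def _addr_matcher(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (predicate, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        host = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip, h=host: int(ip) == h), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    # In a wildcard mask a 1 bit means "don't care", so invert it to get the netmask.
    mask = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda ip, n=net, m=mask: (int(ip) & m) == (n & m)), i + 2


def parse_ace(line):
    """Parse one extended-ACL entry of the form: permit|deny PROTO SRC DST [eq PORT]."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _addr_matcher(t, 2)
    dst, i = _addr_matcher(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1])
        if dport is None:
            dport = int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport, "text": line}


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def acl_lookup(acl, proto, src, dst, dport=None):
    """IOS semantics: the first matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace["proto"] not in (proto, "ip"):
            continue
        if not (ace["src"](s) and ace["dst"](d)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


def zbf_verdict(acl, pkt):
    """Mirror the posted policy-map: a packet permitted by the class-map's ACL is inspected,
    anything else falls to class-default, whose action is 'drop log'."""
    action, ace = acl_lookup(acl, pkt["proto"], pkt["src"], pkt["dst"], pkt.get("dport"))
    if action == "permit":
        return "inspect", "INSIDE-TO-OUTSIDE-CLASS", ace
    return "drop", "class-default", ace


if __name__ == "__main__":
    original = parse_acl(ACL_INSIDE_TO_OUTSIDE)
    amended = parse_acl(ACL_INSIDE_TO_OUTSIDE + SUGGESTED_LINE)
    logged = parse_drop(LOG_LINE)
    # Assumed host inside the 172.16.9.0/24 range that the ACL covers.
    lan_host = {"proto": "tcp", "src": "172.16.9.20", "dst": "2.2.2.2", "dport": 5081}
    for label, pkt in (("logged packet", logged), ("172.16.9.20 -> 2.2.2.2:5081", lan_host)):
        for name, acl in (("original ACL", original), ("with 5081 line", amended)):
            print(f"{label:28} {name:15} -> {zbf_verdict(acl, pkt)}")
```

Running it shows the two inputs the policy-map needs in order to let a flow through: the protocol/port must appear in the ACL, and the source must fall inside 172.16.9.0/24. The logged packet fails the second test (its source is 172.16.0.5), so the evaluator still reports class-default/drop for it even with the 5081 line added, while a 172.16.9.x host reaches the inspect class once that line is present; to confirm the live behaviour, clear the counters and watch `show policy-map type inspect zone-pair` after the change.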
