ISA550 DMZ for VOIP

Hi!

I have an ISA550 and I want to make a DMZ LAN with VoIP SIP phones. This DMZ subnet should not be PATed and should be accessible from the Internet only from a certain subnet.

The DMZ network is statically routed to the ISA550 WAN interface from outside.

Here is my config:

ACL Rule

From WAN to DMZ, Services: any, Source: Management, Destination Address: DMZ-Network, enabled

Dynamic PAT

Disabled for DMZ

Advanced NAT:

From DMZ to WAN1: Original Source DMZ-Network, Original Destination any any; Translated Source DMZ-Network any any

The config above does not work! What is wrong?

Also, I want to use QoS with strict priority queuing for this network -> how should I do this -> protocols RTP and SIP.

Thanks!

Kind regards

kristoferus

13 Replies

Kristoferus,

If you don't mind, let's try to address one challenge at a time, starting with the VoIP SIP Phones, and then we can circle back around to the QoS.

I would like to start by trying to understand your desired end result.  So if I'm understanding correctly, you have SIP Phones that need to connect to a VoIP provider over the internet.  You want the phones to be in their own VLAN/DMZ, and you only want the phones to have the ability to access the VoIP provider and nothing else.  Is all of that correct?  Is there anything that I'm missing?

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Hi Shawn!

Yes, that's right: only the VoIP provider should have access to the SIP phones and the phones should only access the VoIP provider network -> any services!

Kind regards

kristoferus


Kristoferus,

To accomplish what you are wanting shouldn't require any special ACL Rules or NAT configuration.  The reason for this is because all communications are initiated from the SIP Phones to the VoIP provider.  Once the SIP Phone connects to the VoIP provider's network, all traffic is managed over that established connection.  So the VoIP provider's network will never actually initiate a connection into your network and thus you don't need any special NAT configuration to allow them access.

Since the VoIP provider is in a lower security level Zone (WAN), the VoIP DMZ will have, by default, unlimited access to the WAN, and by default the WAN will explicitly allow back through any traffic initiated from a higher security level Zone (VoIP DMZ).  So this is what I would suggest doing.

  1. Assumptions
    • You mentioned source Management in your ACL Rule.  I'm assuming Management is the Address Group that contains the VoIP provider's subnet.

Steps to complete

  1. Delete the ACL Rule you created and referenced above
  2. Delete the Advanced NAT statement you created and mentioned above
  3. Under Dynamic PAT, enable for the VoIP DMZ as well
  4. Under Application Level Gateway, ensure SIP Support is unchecked
  5. Under Networking -> Ports -> Physical Interface, ensure the DMZ VoIP VLAN is applied to the appropriate interface
    • If the only thing attached to this port is an external switch that only phones plug into, then ensure the mode is set to Access and that the only VLAN on this port is the VoIP DMZ.
    • If a switch is connected to this port and that switch is shared by both phones and devices in other VLANs...
      • Ensure the external switch supports VLANs
      • Set the Mode to Trunk and add the appropriate VLANs to the port
      • Configure the external switch ports to include the correct VLANs on the associated ports to ensure that phones are being placed in the VoIP DMZ VLAN and not the default.
  6. Once you have all of this setup, test the phones and they should be working.  If they are proceed to the next step to lock down security.  If not, do not proceed to the next step as it will only add complexity to troubleshooting.
  7. Limit SIP Phones to only have access to VoIP provider
    • Create an ACL Rule...
      • From Zone:  VoIP DMZ
      • To Zone:  WAN
      • Services:  ANY
      • Source Address:  VoIP DMZ Network
      • Destination Address: Management (Based on my assumption above)
      • Log:  On
      • Match Action:  Permit
    • Create an ACL Rule...
      • From Zone:  VoIP DMZ
      • To Zone:  WAN
      • Services:  ANY
      • Source Address:  ANY
      • Destination Address: ANY
      • Log:  On
      • Match Action:  Deny
  8. Once both ACL Rules are created, ensure the first ACL Rule is before the second ACL Rule.
    • The combination of these rules in the correct order will allow traffic from the SIP Phones to the VoIP provider and then block the SIP Phones from accessing anything else.

You should be done and working at this point.  If so, let me know and we can move on to QoS.

Shawn Eftink CCNA/CCDA
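The two rules in step 7 only do what step 8 describes because the ISA550 evaluates ACL rules top-down and stops at the first match. The Python below is an added example (not ISA550 code and not Shawn's) that models that first-match behaviour over a few constructed flows; the subnets (RFC 5737 documentation ranges), the "Management" address group and the zone security levels are all assumptions made for the example, not values from this thread.

```python
"""Added example: first-match evaluation of the VoIP DMZ -> WAN lockdown rules.

Illustrative Python, not ISA550 code. Addresses, zone levels and flows are
constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed placeholders: the VoIP DMZ subnet and the provider's
# "Management" address group (assumed, not from the thread).
VOIP_DMZ = ip_network("192.0.2.0/28")
MANAGEMENT = ip_network("198.51.100.0/24")

# Assumed zone security levels: higher -> lower is permitted by default,
# lower -> higher is denied by default (the behaviour the post relies on).
ZONE_SECURITY = {"WAN": 0, "VoIP DMZ": 50, "LAN": 100}


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    src: object          # ip_network or "any"
    dst: object          # ip_network or "any"
    action: str          # "permit" or "deny"
    log: bool = True


def _matches(net, addr) -> bool:
    return net == "any" or addr in net


def evaluate(rules: List[Rule], from_zone: str, to_zone: str,
             src: str, dst: str, service: str) -> Tuple[str, str]:
    """Return (action, log_line) for one new connection.

    Rules are tried top-down and the first match wins, so the permit for the
    provider must precede the catch-all deny. With no match, fall back to the
    zone default. Return traffic of established sessions is handled by the
    firewall's state table and is not modelled here.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for n, r in enumerate(rules, 1):
        if (r.from_zone, r.to_zone) == (from_zone, to_zone) \
                and _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            log = f"rule {n}: {r.action} {service} {src} -> {dst}" if r.log else ""
            return r.action, log
    default = "permit" if ZONE_SECURITY[from_zone] > ZONE_SECURITY[to_zone] else "deny"
    return default, f"default: {default} {service} {src} -> {dst}"


# Step 7 of the post, in the order step 8 requires.
LOCKDOWN = [
    Rule("VoIP DMZ", "WAN", VOIP_DMZ, MANAGEMENT, "permit"),
    Rule("VoIP DMZ", "WAN", "any", "any", "deny"),
]

# Constructed sample flows: (from_zone, to_zone, src, dst, service)
FLOWS = [
    ("VoIP DMZ", "WAN", "192.0.2.5", "198.51.100.10", "udp/5060 SIP"),
    ("VoIP DMZ", "WAN", "192.0.2.5", "198.51.100.20", "udp/10000 RTP"),
    ("VoIP DMZ", "WAN", "192.0.2.5", "203.0.113.53", "udp/53 DNS"),
    ("WAN", "VoIP DMZ", "198.51.100.10", "192.0.2.5", "tcp/80 HTTP"),
]


def audit(rules: List[Rule]):
    """Evaluate every sample flow; returns {(src, dst, service): action}."""
    return {(f[2], f[3], f[4]): evaluate(rules, *f)[0] for f in FLOWS}


if __name__ == "__main__":
    for order, rules in (("correct", LOCKDOWN), ("reversed", LOCKDOWN[::-1])):
        print(order, audit(rules))
```

Running it with the rules reversed is the check worth doing before trusting the GUI ordering: the catch-all deny then matches first and the SIP and RTP flows to the provider are blocked along with everything else.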

Hi Shawn!

Thank you, but I don't want to PAT this SIP network, because the SIP provider and also our management network on the Internet want to have access to this subnet for firmware updates and for managing the SIP phones' IP addresses etc. and other boxes in this DMZ network! Any services -> full access!

Is it possible to configure this, and how?

Kind regards

kristoferus


It may be possible using Static NAT.

1) How many SIP Phones do you have?
2) How many static public IPs do you have from your provider?

Shawn Eftink CCNA/CCDA

Hi Shawn!

1.) 8 IP address block, max 16 IP network

2.) It's the same

The /29 or /28 network is routed to the WAN outside IP address of the ISA550 -> from the provider side

The network should not be PATed!

Is there a limit with this box?

I know this config with an ASA -> static NAT (perimeter/outside) entry ...

Kind regards

kristoferus


Kristoferus,

Looking at this, there are some factors to take into consideration.

Your ability to do this will be dependent on the following:

  1. If you have a /29 or a /28 from your ISP.
    • With a /29, you'll have a total of 6 usable public IPs.  At least one will be assigned to your ISA WAN Interface leaving you with 5.  Depending on your ISP, one of those may be assigned to their CPE leaving you with 4 Public IPs that can be static NAT'd to a max of 4 SIP Phones.
    • With a /28, you'll have a total of 14 usable public IPs.  At least one will be assigned to your ISA WAN Interface leaving you with 13.  Depending on your ISP, one of those may be assigned to their CPE leaving you with 12 Public IPs that can be static NAT'd to a max of 12 SIP Phones.
    • The only way to potentially utilize the IP assigned to your ISA WAN Interface is to use PAT.  Keep in mind that you can use both PAT and static NAT at the same time on the VoIP DMZ, so either way I would suggest enabling PAT on the VoIP DMZ.  It will also depend on what port(s) are used by the VoIP Provider to access the SIP Phones for Management/Firmware Updates as some ports are claimed by the ISA itself on the WAN Interface depending on what services you are utilizing (i.e. 8080 (Remote Access), 443 (SSL VPN), etc.).

Based on all of that, here is what you need to do.

  1. Delete the Advanced NAT entry you created.
  2. Create a Static NAT entry for each SIP Phone to one of the available Public IPs not used by the ISA WAN Interface or the ISP CPE.  Each SIP Phone will need its own Static NAT entry.

The ACL Rule you created above should work fine then.  You will need to instruct the VoIP Provider to use the public IPs you NAT'd for the SIP Phones to gain access to them.

Shawn Eftink CCNA/CCDA
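The counting in the post (6 usable in a /29, 14 in a /28, minus the WAN interface and possibly the ISP CPE, one static NAT entry per phone) is easy to get wrong by hand, and a phone that does not get a public IP has to fall back to PAT. The Python below is an added example, not ISA550 code and not from Shawn, that builds that 1:1 plan for a constructed block of eight phones and rejects an exclusion that is not inside the block; the public block, the WAN and CPE addresses and the phone addresses are assumptions. Where the block is routed to the WAN IP rather than on-link (as Kristoferus later clarifies), nothing needs to be excluded and all host addresses are usable.

```python
"""Added example: plan 1:1 static NAT for SIP phones from a /29 or /28.

Illustrative Python, not ISA550 code. All addresses are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


def usable_public_ips(block: str, excluded: List[str]) -> List[str]:
    """Host addresses of `block` minus the ones the firewall must not hand
    out (ISA WAN interface IP, ISP CPE IP). An exclusion outside the block
    means the caller passed the wrong subnet, so refuse rather than guess."""
    net = ip_network(block)
    reserved = set()
    for x in excluded:
        ip = ip_address(x)
        if ip not in net:
            raise ValueError(f"{x} is not inside {block}")
        reserved.add(ip)
    # hosts() already drops the network and broadcast addresses.
    return [str(h) for h in net.hosts() if h not in reserved]


def plan_static_nat(block: str, excluded: List[str],
                    phones: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Map each phone (private IP) to one public IP, one static NAT entry
    per phone. Phones that do not fit are returned separately so they can
    fall back to dynamic PAT on the VoIP DMZ."""
    free = usable_public_ips(block, excluded)
    mapping = dict(zip(phones, free))
    return mapping, phones[len(mapping):]


def provider_list(mapping: Dict[str, str]) -> List[str]:
    """The public addresses to hand the VoIP provider for reaching the phones."""
    return sorted(mapping.values(), key=ip_address)


# Constructed example: eight phones; the ISA WAN interface (.1) and the ISP
# CPE (.2) are assumed to sit inside the public block.
PHONES = [f"10.10.20.{n}" for n in range(11, 19)]
EXCLUDED = ["203.0.113.1", "203.0.113.2"]

if __name__ == "__main__":
    for block in ("203.0.113.0/29", "203.0.113.0/28"):
        mapping, overflow = plan_static_nat(block, EXCLUDED, PHONES)
        print(block, "static NAT:", mapping, "left for PAT:", overflow)
```

With the /29 only four of the eight phones get a public address and the other four must use PAT, which is exactly the case where the provider cannot reach them inbound; with the /28 all eight fit with four addresses to spare.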

Hi Shawn!

The WAN interface has another fixed IP address from the provider and a default gateway in this network!

The ISP routes the /28 or /29 to this fixed IP address on the WAN interface of the ISA550!

The DMZ interface has one IP address as the GW for the VoIP network!

Do I need a secondary IP address from the VoIP subnet on the WAN interface?

I think I need something like this on an ASA FW:

Static NAT of entire IP subnet

static (inside,outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0

Description:

Any hosts within 192.168.45.0/24 will appear as themselves when there is outbound traffic initiated from 192.168.45.0/24 (within the Inside network) using any IP protocol (including ESP, TCP, and UDP) to any Outside network IP address. Similarly, any IP address within the Outside network will access 192.168.45.0/24 using any IP protocol directly.

Is this also possible with the ISA?

Kind regards

kristoferus


Kristoferus,

I think I understand how you have this setup now.  So the ISP has assigned an IP to their CPE and given you one for your WAN interface that are in one subnet.  They are also routing a /28 or /29 down to you and you've assigned that subnet of IPs to your VoIP DMZ VLAN.

Assuming all of that is correct, let's try something.

  1. Select Networking -> Routing -> Routing Mode and turn that On
  2. Delete your Advanced NAT rule and test

If everything is working as desired, great!!  If not, try the following.

  1. Turn Routing Mode back to Off
  2. Create Static NAT rules, instead of Advanced NAT rules, setting the Public IP and Private IP drop downs to the same IP from the /28 or /29 subnet
    • Create a rule for each IP in the /28 or /29 subnet

One of those should address the challenge.  Please let me know the results.

Shawn Eftink CCNA/CCDA

Hi Shawn!

:-) No problem! Thank you!

OK, I can test this tomorrow!

I have tested with Routing Mode but with the Advanced NAT rules :-)

What is the purpose of the Advanced NAT rule?

Thanks

kristoferus


Kristoferus,

What you are trying to accomplish should be able to be accomplished with either the Advanced NAT or Static NAT.  Basically the Advanced NAT just gives you more control over Source and Destination information including IPs and Services whereas Static NAT just creates a One-to-One NAT rule for all services.  Think of Advanced NAT being more similar to what you would see in an ASA when creating NAT rules.  However also keep in mind that with more complex options comes a higher likelihood of not getting something just perfect.  In theory, what you initially started with should work.  However, without actually connecting into your ISA to look over everything it's hard for me to determine if the issue is potentially Advanced NAT or something else.  That's why I'm suggesting taking this back to a simpler configuration and going from there.

To be candid, once you remove the Advanced NAT rule and turn on Routing Mode, I think you're going to be good to go.  Take a look at this thread where we worked through stopping the firewall from NAT'ing the traffic so his border router could do the NAT since he had a private IP assigned to his WAN interface.

https://supportforums.cisco.com/thread/2219912

In the end, turning on Routing Mode disabled Dynamic PAT and NAT Statements however it wasn't until he actually deleted the NAT/PAT Statements and then turned on Routing Mode that it actually stopped NAT'ing his IPs.  My concern in your situation, is that we don't want to NAT/PAT the IPs in the VoIP DMZ but we do want to continue PAT'ing everything else.  I'm concerned that Routing Mode will turn off ALL Dynamic PAT and your phones will work as desired but nothing else will.  It's based on the possibility of that being the end result that I provided the second set of steps, which we both know will work in an ASA but not sure if it will work in the ISA as I haven't had a need to do that yet.

As I was doing some searching, I also came across this article.

https://supportforums.cisco.com/thread/2192489

This seems like a fairly similar setup to what you're trying to accomplish.  If neither of the two options I gave you works, then you would have to assign private IPs to the SIP Phones and actually NAT private to public IPs, as was mentioned here.  But I would try what I suggested first as it's not uncommon to find an answer that wasn't previously realized. 

Shawn Eftink CCNA/CCDA
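The concern in this post is a policy question that is easy to reason about by tracing what happens to one outbound packet from each zone under each option: Routing Mode (no translation at all), a per-host static entry that maps each routed address to itself with dynamic PAT still on for the LAN, and, for contrast, PAT enabled on the VoIP DMZ. The Python below is an added model for that comparison, not ISA550 code and not Shawn's; the WAN address, the routed VoIP block, the LAN subnet and the ephemeral port choice are assumptions made for the example.

```python
"""Added example: what each translation option does to an outbound packet.

Illustrative model, not ISA550 code; addresses are constructed. It shows why
Routing Mode makes the phones work but sends LAN traffic out untranslated,
and how per-host static (identity) entries keep dynamic PAT for the LAN.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple

WAN_IP = "203.0.113.2"                      # assumed ISA WAN interface address
VOIP_DMZ = ip_network("198.51.100.0/29")    # assumed routed block, used unchanged on the phones
LAN = ip_network("10.0.0.0/24")             # assumed internal LAN
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class NatPolicy:
    routing_mode: bool = False                              # ISA Routing Mode: no translation at all
    pat_zones: Set[str] = field(default_factory=set)        # zones with dynamic PAT enabled
    static: Dict[str, str] = field(default_factory=dict)    # private -> public, one entry per host


def zone_of(ip: str) -> str:
    a = ip_address(ip)
    if a in VOIP_DMZ:
        return "VoIP DMZ"
    if a in LAN:
        return "LAN"
    return "WAN"


def identity_entries(net) -> Dict[str, str]:
    """One static entry per host that maps the address to itself (the
    'Public IP and Private IP set to the same IP' option from the thread)."""
    return {str(h): str(h) for h in net.hosts()}


def translate_outbound(policy: NatPolicy, src: str, sport: int) -> Tuple[str, int]:
    """Return (source address, source port) as the Internet would see them.
    Static entries take precedence over dynamic PAT; Routing Mode disables both."""
    if policy.routing_mode:
        return src, sport
    if src in policy.static:
        return policy.static[src], sport
    if zone_of(src) in policy.pat_zones:
        return WAN_IP, 40000 + sport % 10000     # constructed ephemeral port choice
    return src, sport


def leaks_private_address(policy: NatPolicy, src: str, sport: int) -> bool:
    """True if an RFC 1918 source would leave towards the Internet untranslated,
    which is the failure mode of Routing Mode for the LAN."""
    seen, _ = translate_outbound(policy, src, sport)
    a = ip_address(seen)
    return any(a in n for n in RFC1918)


ROUTING_MODE = NatPolicy(routing_mode=True, pat_zones={"LAN"})
STATIC_PER_HOST = NatPolicy(pat_zones={"LAN"}, static=identity_entries(VOIP_DMZ))
PAT_ON_DMZ = NatPolicy(pat_zones={"LAN", "VoIP DMZ"})

if __name__ == "__main__":
    for name, pol in (("routing mode", ROUTING_MODE), ("static per host", STATIC_PER_HOST), ("PAT on DMZ", PAT_ON_DMZ)):
        print(name, "phone:", translate_outbound(pol, "198.51.100.3", 5060),
              "LAN:", translate_outbound(pol, "10.0.0.5", 51000),
              "LAN leaks:", leaks_private_address(pol, "10.0.0.5", 51000))
```

The model reproduces the outcome Kristoferus reports: Routing Mode leaves the phone address untouched but also leaves 10.0.0.5 untranslated, while the per-host identity entries give the same result for the phone and still PAT the LAN behind the WAN address.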

Hi Shawn!

Yes, with Routing Mode it works, but PAT for the other internal network is then disabled -> not good :-(

With static NAT entries, internal SIP phone to internal SIP phone (to WAN) -> it's not possible :-(

With static NAT entries internal to external IP it should work, but this is not really comfortable :-(

I know that an ASA firewall can do this ...

That is really too bad!

Kind regards

kristoferus


Kristoferus,
I was concerned those two options wouldn't work. I also agree with you that if it was deciding between an ISA with Private to Public NAT only or an ASA that can do it all, I'd go the ASA route. Sorry it didn't work out. Thanks for letting me know the results.

Shawn Eftink CCNA/CCDA