IOS FW

Unanswered Question
Jun 15th, 2008

Hi,

I have a local digital voice server, which is a Siemens HiPath 3000,

and from this local site I have configured an IPSec site-to-site VPN to a remote site: an ASA on my local side and a Cisco 2811 with IOS firewall.

Now, the remote IP phones are connected and registered with this voice server (Siemens), but they can't make calls to my local LAN through the site-to-site VPN, although I can make calls normally from my local site to the remote site.

I disabled the firewall settings at the remote site for testing, and everything went fine.

It seems to be an inspection error in the firewall settings at the remote site. I asked them for the required protocols for the RTP traffic, and they informed me that this system uses H.323 and SIP, and I configured them as mentioned below. Any comments?

==================

!
ip inspect name firewall cuseeme
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall icmp
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall esmtp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
ip inspect name firewall skinny
ip inspect name firewall dns
ip inspect name firewall h323callsigalt
ip inspect name firewall sip
ip inspect name firewall sip-tls
!

And I applied the firewall on the Ethernet interface (LAN gateway) at that remote site (ip inspect firewall in).

Any suggestions to solve this issue?

Thanks in advance

Abd Alqader

mherald Sun, 06/15/2008 - 22:56

Do you have an extended access list back in? That is how the traffic gets back. Additionally, to make calls the other way, you may have to allow calls in the aforementioned access-list ...

Mike

a.hajhamad Mon, 06/16/2008 - 03:22

Yes, I have an extended ACL in.

I tried to remove the ext. ACL from the outside interface, but the problem still exists.

At that time, I removed every H.323 & SIP inspection command and applied the ext. ACL again, and the problem was solved!

From that, it seems to be an inspection error for H.323 & SIP, i.e. it seems that the IOS FW (inspect H.323 & SIP) is changing the RTP packets!

What do you think?

Thanks

Abd Alqader
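Putting the two findings in this thread together (the inbound extended ACL mherald asks about, and the poster's observation that dropping the h323/sip inspection entries lets RTP through), here is an added example of how the remote 2811 could be laid out so that the SIP/H.323 application-layer inspection can be tested one entry at a time instead of all at once. This is not configuration from the original thread or from the poster's router; the interface names, addresses, subnets, crypto map name, signalling ports and RTP port range are all assumptions and need to be replaced with the site's real values.

```cisco
! Added example, not the poster's configuration. Assumed layout:
!   FastEthernet0/0 = outside (IPsec to the local site), 203.0.113.2
!   FastEthernet0/1 = remote-site LAN with the IP phones, 10.2.0.0/24
!   203.0.113.1     = the ASA peer at the local site
!   10.1.0.0/24     = local LAN holding the HiPath voice server
!
! Inspection rule: start with generic tcp/udp inspection only. The
! "sip" and "h323" entries are the ones the poster found to break RTP,
! so they are left out here and re-added one at a time while checking
! "show ip inspect sessions" during a test call in each direction.
ip inspect name VOICE-FW tcp
ip inspect name VOICE-FW udp
ip inspect name VOICE-FW icmp
ip inspect name VOICE-FW tftp
ip inspect name VOICE-FW dns
!
! The "extended access list back in" from the first reply: anything
! that is not listed here and not opened dynamically by inspection is
! dropped on the outside interface.
ip access-list extended OUTSIDE-IN
 remark IPsec control and data channels from the ASA peer
 permit udp host 203.0.113.1 host 203.0.113.2 eq isakmp
 permit udp host 203.0.113.1 host 203.0.113.2 eq non500-isakmp
 permit esp host 203.0.113.1 host 203.0.113.2
 remark Decrypted voice traffic from the local LAN towards the phones,
 remark so that calls set up from the local site work without relying
 remark on an ALG. Whether decrypted packets are re-checked against this
 remark ACL depends on the IOS release; the lines are harmless if not.
 remark Ports and the RTP range are assumptions (Cisco defaults), not
 remark values taken from the HiPath.
 permit udp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 eq 5060
 permit udp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 eq 1719
 permit tcp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 eq 1720
 permit udp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 range 16384 32767
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside / IPsec to the local site (assumed name)
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-TO-HQ
!
interface FastEthernet0/1
 description Remote-site LAN with IP phones (assumed name)
 ip address 10.2.0.1 255.255.255.0
 ip inspect VOICE-FW in
```

With only generic udp inspection, RTP that the remote phones send first gets its return opening from the udp session entry, and RTP that the local side sends first is covered by the static range permit; that is the baseline in which both call directions should work. Then add `ip inspect name VOICE-FW sip` (and later `h323`) and repeat the two test calls while watching `show ip inspect sessions` and the hit counters in `show ip access-lists OUTSIDE-IN`; `debug ip inspect sip` shows what the ALG does with the SDP of a failing call. The caveat with H.323 is that H.245 negotiates its TCP port dynamically, which is precisely what the h323 inspection entry is meant to open, so leaving it out means either a wider static permit or calls that complete signalling but carry no media.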
