Allowing VOIP traffic on FWSM

Unanswered Question
Sep 13th, 2010

yogesh.kelkar Mon, 09/13/2010 - 22:13

Hi, we have an FWSM between an Avaya VoIP phone and the call manager server. We are using NAT and access lists to allow the traffic. Our calls ring both ways, but we are not able to hear the voice. Our observation is as below:

When the IP telephony handset on the abc network calls an extension attached to an IP telephony handset on the xyz network, the call establishes, but the audio is either unidirectional or does not establish in either direction. Analysis of this traffic shows that the handset on the SPE network is sending the RTP stream to a UDP port below 2048. According to the Avaya documentation, 2048 is the minimum value.

This indicates that there is an issue with the NAT configuration on the FWSM.

From the low UDP destination port it looks to me as if the dynamic NAT is currently set to translate to a single IP address (i.e. a PAT, NAT overload, or Hide NAT depending on which firewall vendor you ask). This explains why the inspection policy is translating the UDP destination port to 1024 and above. However, even if UDP traffic at this level were permitted through the SPE firewall, the PAT translation isn't going to work. Avaya IP telephony doesn't support PAT, only NAT.

Can anyone suggest a typical config that is required for allowing voice traffic on the FWSM when we are hiding the actual IPs on both interfaces?

Thanks and Regards

Yogesh Kelkar

Marcin Latosiewicz Tue, 09/14/2010 - 07:07

Yogesh,

FWSM should perform DPI on SIP/skinny packets (provided those inspection engines are enabled and no non-default ports are being used).

With inspection enabled on the FWSM, the payload of SIP/skinny packets should be rewritten, and connections/xlates and ACL entries dynamically created.

So have a look here:

http://isamology.blogspot.com/2010/06/troubleshooting-voip-issues-over.html

If you're already running a fairly recent FWSM version and have inspection engines enabled, try manually opening access-lists for all traffic from phones or call manager (depending on call flow).

If that does not work - open a TAC case.

Marcin
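
The PAT diagnosis in the question can be checked against the firewall's translation table. The script below is an added example, not code from the thread or from Cisco or Avaya: it assumes PIX/FWSM-style `show xlate` lines pasted in as text, and the sample output, addresses, subnet and the function name `audit_xlates` are constructed for illustration.

```python
import ipaddress
import re

AVAYA_MIN_RTP_PORT = 2048  # minimum RTP port quoted from the Avaya docs in the thread

# Assumed line shapes (PIX/FWSM-style "show xlate" text):
#   PAT Global 198.51.100.1(1031) Local 10.10.1.21(2052)   <- port-translated
#   Global 198.51.100.22 Local 10.10.1.22                  <- one-to-one NAT
XLATE_RE = re.compile(
    r"^(?P<pat>PAT\s+)?Global\s+(?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?"
)

# Constructed sample; addresses are documentation/private ranges.
SAMPLE = """\
4 in use, 9 most used
PAT Global 198.51.100.1(1031) Local 10.10.1.21(2052)
PAT Global 198.51.100.1(1032) Local 10.10.1.21(2053)
PAT Global 198.51.100.1(4100) Local 10.20.5.9(51000)
Global 198.51.100.22 Local 10.10.1.22
"""

def audit_xlates(text, voice_subnets):
    """Map each voice host that is being PATed to its translation details."""
    nets = [ipaddress.ip_network(n) for n in voice_subnets]
    findings = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m or not m["pat"]:
            continue  # header line, or one-to-one NAT (ports preserved)
        local = ipaddress.ip_address(m["lip"])
        if not any(local in n for n in nets):
            continue  # not a phone or call server
        f = findings.setdefault(
            str(local), {"global": m["gip"], "pat_entries": 0, "low_ports": []})
        f["pat_entries"] += 1
        # Only UDP/TCP entries carry a port on both sides.
        if m["gport"] and m["lport"] and int(m["gport"]) < AVAYA_MIN_RTP_PORT:
            f["low_ports"].append(int(m["gport"]))
    return findings

if __name__ == "__main__":
    for host, f in audit_xlates(SAMPLE, ["10.10.1.0/24"]).items():
        print(f"{host}: PAT behind {f['global']}, {f['pat_entries']} entries, "
              f"translated ports below {AVAYA_MIN_RTP_PORT}: {f['low_ports']}")
```

Any voice host that appears in the result is being port-translated; hosts with one-to-one NAT entries are absent from it.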
