cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2072
Views
0
Helpful
5
Replies

Help with firewall/VOIP issue

jasongring
Level 1
Level 1

                   We have a Mitell Border Gateway in our DMZ configured to accept teleworker connections.  I have it all configured, but I get one way com errors on the Mitel border gateway when i try to place a call to a teleworker(phone set up outside the firewall).  The teleworker phone cannot hear audio from the internal phone. I was told by vendor all ports need to be open to the border gateway for it to function.  It seems that for some reason tcp traffic headed from the dmz to the outside are beng blocked and I dont know why. Should tha traffice be allowed by default?  What rule do I need to allow any traffic coming from my MGB IP to use any port to talk to any device on the outside network.  I already have a rule allowing all IP traffic in through the nat'd address fo the MBG.

5 Replies 5

mvsheik123
Level 7
Level 7

Hi Jason,

I already have a rule allowing all IP traffic in through the nat'd address fo the MBG : This rule only allows Internet users to be able to reach MBG.

In order for the MBG to go to internet, you may need to create additional access list and apply to DMZ interface.

For this, first you need to block the communication from MBG to internal network (for security purposes).

Ex: your inside network 192.168.10.0 255.255.255.0

!

access-list DMZ2IN deny ip host 192.1168.10.0 255.255.255.255

access-list DMZ2IN permit ip host any

!

access-group DMZ2IN in interface

!

If you do not have static NAT for MBG with public IP, you need to add nat(dmz) 1 0 0 as well.

Try this and post the results.

hth

MS

The Mitel set up is as this:  Teleworker user in remote office with phone plugged into their local internet connection.  That phone is programmed to find a Mitel device at a certain routable IP. That IP is the outside nat'd IP of the Mitel Border gateway that sits in our DMZ.  That MBG also has to speak to the PBX ( in this case a Mitel 3300) that resides on out internal LAN. Mitel says that we need to the MBG is a firewall and it needs complete access both inside and outside.  So adding more security to its ability to get inside to talk to the PBX won't be helpful. If I set up a test "teleworker" in the DMZ it works fine so I know the one way communication is caused by outbound TCP traffice getting blocked from going outside which doesnt make sense to me since any traffice headed to a lesser security network should be allowed by default, correct?

Hi Jason,

Vendors can say whatever they want but this is the more recomended way to set this up. We looked into similar setup (from Avaya) few minths bacl and  worked with no issues in test environment.

Yes.. I agree MBG definitely need to communicated with your PBX. You need to open only required ports to PBX IPs.

access-list DMZ2IN  permit tcp/udp host   eq

access-list DMZ2IN deny ip host 192.1168.10.0 255.255.255.255

access-list DMZ2IN permit ip host any

!

It is up to you on how you want to proceed but I prefer ASA to handle the security than a PC with some software.

hth

MS

MS,

This is pretty much how it is set up...  Yet Im still gettting one way com error on the ip phone and when i do test calls i cant seem to trap why they packets are not going outbound from the MBG to the outside. The tcp/udp traceroute on the mbg do come back as a success which makes it a bit more strange.

access-list DMZ_access_in line 1 extended permit ip host 172.16.1.2 any (hitcnt=3) 0x822c652c

access-list DMZ_access_in line 2 extended permit object-group DM_INLINE_PROTOCOL_1 host 172.16.1.2 host 172.16.1.100 eq domain log debugging interval 300 0xddcbe2a8

  access-list DMZ_access_in line 2 extended permit udp host 172.16.1.2 host 172.16.1.100 eq domain log debugging interval 300 (hitcnt=1280) 0x0b8733f2

access-list DMZ_access_in line 4 extended permit ip host 172.16.1.2 VOIP 255.255.255.0 log debugging interval 300 (hitcnt=13418) 0x9078b3a9

access-list DMZ_access_in line 5 extended permit ip any any log debugging interval 300 (hitcnt=682664) 0xc651a8ad

Hello Jason,

Hope you are doing great

We can see hitcounts from the MBG to the PBX.

Now the teleworker is the one that is going to contact the MBG so the ASA is going to build on all of its table a connection for that communication, the ASA should be able to let the reply packets to go out.

I would like to see the running configuration ( Please remove the private info such as Ips, passwords,etc)

I would like to see the access-list on the outside, the nat statements and the inspections you have on your firewall.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: