We have a Mitel Border Gateway in our DMZ configured to accept teleworker connections. I have it all configured, but I get one-way com errors on the Mitel Border Gateway when I try to place a call to a teleworker (phone set up outside the firewall). The teleworker phone cannot hear audio from the internal phone. I was told by the vendor that all ports need to be open to the Border Gateway for it to function. It seems that for some reason TCP traffic headed from the DMZ to the outside is being blocked and I don't know why. Should that traffic be allowed by default? What rule do I need to allow any traffic coming from my MBG IP to use any port to talk to any device on the outside network? I already have a rule allowing all IP traffic in through the NAT'd address of the MBG.
The Mitel setup is as follows: the teleworker user is in a remote office with a phone plugged into their local internet connection. That phone is programmed to find a Mitel device at a certain routable IP. That IP is the outside NAT'd IP of the Mitel Border Gateway that sits in our DMZ. That MBG also has to speak to the PBX (in this case a Mitel 3300) that resides on our internal LAN. Mitel says that the MBG is a firewall and it needs complete access both inside and outside, so adding more security to its ability to get inside to talk to the PBX won't be helpful. If I set up a test "teleworker" in the DMZ it works fine, so I know the one-way communication is caused by outbound TCP traffic getting blocked from going outside, which doesn't make sense to me since any traffic headed to a lower-security network should be allowed by default, correct?
This is pretty much how it is set up... Yet I'm still getting a one-way com error on the IP phone, and when I do test calls I can't seem to trap why the packets are not going outbound from the MBG to the outside. The TCP/UDP traceroutes on the MBG do come back as a success, which makes it a bit more strange.
access-list DMZ_access_in line 1 extended permit ip host 172.16.1.2 any (hitcnt=3) 0x822c652c
Now the teleworker is the one that is going to contact the MBG, so the ASA is going to build a connection in its connection table for that communication, and the ASA should be able to let the reply packets go out.
I would like to see the running configuration (please remove the private info such as IPs, passwords, etc.).
I would like to see the access-list on the outside, the NAT statements and the inspections you have on your firewall.
Looking for some Networking Assistance?
Contact me directly at firstname.lastname@example.org
I will fix your problem ASAP.
Julio Carvajal Segura
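As an added illustration (not configuration from this thread or from Mitel or Cisco), here is the minimal ASA 8.3+ configuration that the two posts above describe, together with the commands used to verify each direction. It assumes the interfaces are named DMZ, inside and outside, keeps the poster's MBG address 172.16.1.2 from the access-list output above, and uses documentation placeholders for everything else (203.0.113.10 as the MBG's public IP, 198.51.100.20 as a teleworker, 10.0.0.5 as the 3300 PBX, and 5060/20000 as example ports, not Mitel's actual port list):

```cisco
! --- NAT for the MBG (ASA 8.3+ network object NAT) ---
! 203.0.113.10 is a placeholder for the MBG's public address.
object network MBG_DMZ
 host 172.16.1.2
 nat (DMZ,outside) static 203.0.113.10

! --- DMZ inbound ACL: the MBG may initiate to any destination ---
! One "permit ip host ... any" covers both the PBX on the inside
! (10.0.0.5, placeholder) and teleworkers on the outside, so no
! separate outbound rule is needed for DMZ-to-outside traffic.
access-list DMZ_access_in extended permit ip host 172.16.1.2 any
access-group DMZ_access_in in interface DMZ

! --- Outside inbound ACL: teleworkers reach the MBG ---
! In 8.3+ the ACL matches the REAL (untranslated) address, so the
! destination is 172.16.1.2, not the public IP.
access-list outside_access_in extended permit ip any host 172.16.1.2
access-group outside_access_in in interface outside

! --- Verification (run from enable mode) ---
! Simulate an MBG-initiated TCP flow to a teleworker; the output
! shows the ACL, NAT and route phases and a final ALLOW/DROP verdict.
packet-tracer input DMZ tcp 172.16.1.2 5060 198.51.100.20 5060

! Simulate a teleworker reaching the MBG's public address.
packet-tracer input outside udp 198.51.100.20 20000 203.0.113.10 20000

! Confirm the connection table holds the live call flows; a reply
! packet with no matching entry here is what gets dropped.
show conn address 172.16.1.2

! Check hit counts, translations and drop reasons.
show access-list DMZ_access_in
show nat detail
show asp drop

! The reply asks about inspections: see whether "inspect sip" is in
! the global policy, since the ASA rewriting addresses inside voice
! signaling while the MBG already handles NAT traversal is a common
! source of one-way audio.
show running-config policy-map
```

If `packet-tracer` reports ALLOW in both directions but `show conn` never shows the media flows from the MBG, the drop is usually in an inspection engine or on a device beyond the ASA rather than in the DMZ ACL, and `show asp drop` counters taken before and after a test call will point at the phase that discarded them.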