Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
434
Views
0
Helpful
5
Replies

Why i`m able to make phone-calls through the Firewall??

hubemark
Level 1
Level 1

‎08-07-2008 01:43 AM - edited ‎03-11-2019 06:27 AM

I have the following szenario:

Outside Network: 10.2.0.0/16

Inside Network: 192.168.50.0/24

One ASA5505 separates the two networks, standard security levels, no default inspections, no access lists (implicid rules are working).

Cisco Call manager with IP: 10.2.200.203 and one ip-phone (10.2.0.13) are outside connected. Inside connected is another IP-Phone with IP: 192.168.50.13

My question is:

Why can i do a phone call from outside to inside ? Normaly the implicit deny ip any any should work?

If i have a look in my connection table, i can see the following:

UDP outside 10.2.0.13:28038 inside 192.168.50.13:21352, idle 0:00:00, bytes 4879984, flags -

TCP outside 10.2.200.203:2000 inside 192.168.50.13:50289, idle 0:00:26, bytes 16208, flags UIO

Question:

Why do i see no flags in the UDP connection?

Why is this connection possible?

Why is it just one UDP connection?

If i have a look in my firewall log (see attachment), i can see two denied UDP connections an after that an

build with the same parameters????

Maybe its easy, but i`m a bit confused....

Thanks for your help.

Here is the "attachment":

6 Aug 06 2008 18:05:35 302015 10.2.0.13 192.168.50.10 Built outbound UDP connection 377 for outside:10.2.0.13/23366 (10.2.0.13/23366) to inside:192.168.50.13/16816 (192.168.50.13/16816)

2 Aug 06 2008 18:05:35 106006 10.2.0.13 192.168.50.10 Deny inbound UDP from 10.2.0.13/23366 to 192.168.50.13/16816 on interface outside

2 Aug 06 2008 18:05:35 106006 10.2.0.13 192.168.50.10 Deny inbound UDP from 10.2.0.13/23366 to 192.168.50.13/16816 on interface outside

Labels:
0 Helpful
5 Replies 5

Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-07-2008 04:27 AM

UDP is a connectionless protocol, thats why it does not have any flag(s). However from your syslog it is clear that the UDP connection was initiated from the inside, "Built *outbound* UDP connection". The TCP connection was also initiated from the Inside (To the call manager) as it has flags UIO. Had it been from the outside, it would be UIOB.

Perhaps its working due to the inspections on the ASA? Did you try to 'talk' tough. As in two-way voice?

Regards

Farrukh

0 Helpful

hubemark
Level 1
Level 1
In response to Farrukh Haroon

‎08-07-2008 05:31 AM

Yes i can establish a normal two way voice call and can also talk through.

Which inspections do you mean?

I have turned off all inspections.

Are there any invisible inspections in the background?

Normally i should see two UDP connections for one voice call, right?

Thanks.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to hubemark

‎08-07-2008 05:36 AM

Try 'show run all policy-map'. Also have a look at the following link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml#diag2

Regards

Farrukh

0 Helpful

hubemark
Level 1
Level 1
In response to Farrukh Haroon

‎08-07-2008 11:16 PM

sh run all policy-map shows no policy maps.

Thats what i want to have, no policy maps, no inspections.

The question is, why do i have this behaviour with no inspections turned on?

Are there any "side effects" with disabling all inspections?

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to hubemark

‎08-08-2008 02:53 AM

Of course, MANY side effects. FTP won't work, TFTP might not either. X-Window won't work. SMTP 'security'/sanity checks will not be performed.

And the list goes on and on.

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card