I am using a Cisco 2821 with IOS 12.4(22)YB8. I have a pretty simple ZBF setup. All TCP, UDP, and ICMP from the internal LAN is inspected to the Internet. My problem is with my IP phone, which connects to an Asterisk Server on the Internet. I can call out, but the call will drop every time after about 10 minutes. Also, incoming calls do not work. If I disable the ZBF, everything works fine. Calls do not drop, and incoming calls work fine. Anyone have any ideas? Here is a scrubbed config of the relevant parts.
class-map type inspect match-any CLASS_IN_OUT
 match protocol icmp
 match protocol tcp
 match protocol udp
I'm not a voice expert, but I do inspect the traffic going from the outside zone to the inside when using ZBF. ZBF is application aware. This probably doesn't answer the reason it times out after 10 minutes. But when you say incoming calls don't work on an IP phone, but do when you disable the ZBF, this could be a reason. Let me know if you try this and if it works for you.
I seem to have fixed the problem. My phone registers to the phone server on port 5060. So I did this.
ip access-list extended VOIP
 permit udp host X.X.X.X any eq 5060
class-map type inspect match-any VOIP
 match access-group name VOIP
policy-map type inspect POLICY_OUT_IN
 class type inspect VOIP
So after passing UDP 5060 from the phone server to the inside, I was able to receive incoming calls and I have not had any further drops. From the way I understand this phone works, you typically don't have to open up anything from the outside. It works from the inside out, opening a connection with the phone server when it boots. All I can figure is the ZBF has some kind of security timeout on those connections after a period of ten minutes or so. So the phone was opening a connection with the server, but the firewall was closing the connection after ten minutes.
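The same fix written out as a full zone-based firewall policy, as an added example and not the original poster's config: SIP from the inside is inspected with a parameter-map whose UDP idle timer is longer than the phone's registration refresh, and the outside-to-inside opening is limited to SIP from the one known server. Zone names, interface names, the 900-second timer and the PHONE_SERVER_IP placeholder are assumptions.

```text
! Added example, not the poster's configuration. Assumptions: inside zone
! INSIDE on Gi0/0, outside zone OUTSIDE on Gi0/1, PHONE_SERVER_IP stands
! for the Asterisk server's address, 900 s is an assumed refresh interval.
!
! Keep the phone's UDP session alive between REGISTER messages instead of
! letting the default UDP idle timer tear it down.
parameter-map type inspect PMAP_VOIP
 udp idle-time 900
!
! Inside -> outside: SIP gets the longer timer, everything else as before.
class-map type inspect match-any CLASS_SIP
 match protocol sip
class-map type inspect match-any CLASS_IN_OUT
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect POLICY_IN_OUT
 class type inspect CLASS_SIP
  inspect PMAP_VOIP
 class type inspect CLASS_IN_OUT
  inspect
 class class-default
  drop
!
! Outside -> inside: only SIP signalling from the known server, nothing else.
ip access-list extended VOIP
 permit udp host PHONE_SERVER_IP any eq 5060
class-map type inspect match-all OUT_IN_SIP
 match access-group name VOIP
 match protocol sip
policy-map type inspect POLICY_OUT_IN
 class type inspect OUT_IN_SIP
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_IN_OUT
zone-pair security OUT_IN source OUTSIDE destination INSIDE
 service-policy type inspect POLICY_OUT_IN
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

`show policy-map type inspect zone-pair sessions` shows the phone's session and its remaining idle time, which is the quickest way to confirm the timer is what is dropping the call.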