08-22-2012 04:29 PM - edited 03-04-2019 05:20 PM
Hi. We have two 881 routers; I need to set up an IPsec VPN between two sites for H.323 voice traffic. The VPN is up but I can't register IP phones. That's why I want to find out: is the firewall turned off by default?
Also I made an ACL "permit ip xxxx yyyy wwww qqqq"; do I need to change it to "permit tcp/udp ... eq 1719/1720" (for H.323)?
As I know, "permit ip" means permit all protocols, but... reality might be different?
08-23-2012 04:04 AM
Hi Bekzod,
a) The firewall is off by default... by the way, check your IOS documentation.
b) Yes, you need to specify what layer 3 AND layer 4 (TCP/UDP and ports) you want to allow.
c) permit ip does not mean all the protocols, but only the ones encapsulated in IP; remember the implicit deny any any at the end of every access list.
It could be an idea to enable logging and debugging for a better understanding.
conf t
logg buff 16000 debug
end
wr
!
Alessio
08-23-2012 04:27 AM
b) Yes, you need to specify what layer 3 AND layer 4 (TCP/UDP and ports) you want to allow.
c) permit ip does not mean all the protocols, but only the ones encapsulated in IP; remember the implicit deny any any at the end of every access list.
That's not the way ACLs work. "permit ip ..." allows all protocols that work on top of IP, and that's also TCP, UDP, ICMP and so on... The router just doesn't care about the upper protocols.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-23-2012 04:42 AM
Karsten,
That's not the way ACLs work. "permit ip ..." allows all protocols that work on top of IP, and that's also TCP, UDP, ICMP and so on... The router just doesn't care about the upper protocols.
I was referring to the non-IP protocols in the first point you spotted, and to a well-written ACL rather than a generic one in the second point. This is the way it works.
About your last sentence, I'd be more careful about it. You are too generic.
Alessio
08-23-2012 07:12 AM
I found out that the firewall is off; I added these lines:
10 permit tcp 192.168.20.0 0.0.0.15 eq 1720 172.16.2.0 0.0.0.255 eq 1720
20 permit udp 192.168.20.0 0.0.0.15 eq 1719 172.16.2.0 0.0.0.255 eq 1719
30 permit ip host 192.168.10.1 host 192.168.10.2
40 deny ip any any
and these on the opposite side:
10 permit tcp 172.16.2.0 0.0.0.255 eq 1720 192.168.20.0 0.0.0.15 eq 1720
20 permit udp 172.16.2.0 0.0.0.255 eq 1719 192.168.20.0 0.0.0.15 eq 1719
30 permit ip host 192.168.10.2 host 192.168.10.1
40 deny ip any any
The VPN is up, the IP phone (H.323) is able to connect to the TFTP server 172.16.2.220 (on the IP Office 500) and load some text file, but can't register on it (172.16.2.220, IP Office 500).
What else can I do to register the IP phone, guys? Please help me.
08-23-2012 08:04 AM
Bekzod,
I would rewrite your ACL in this way:
10 permit tcp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1720
20 permit udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1719
30 permit ip host 192.168.10.1 host 192.168.10.2
40 deny ip any any
10 permit tcp 172.16.2.0 0.0.0.255 192.168.20.0 0.0.0.15 eq 1720
20 permit udp 172.16.2.0 0.0.0.255 192.168.20.0 0.0.0.15 eq 1719
30 permit ip host 192.168.10.2 host 192.168.10.1
40 deny ip any any
Then, where did you apply this ACL? The 3rd statement is quite restrictive...
Let me know
Alessio
08-23-2012 08:28 AM
I've tried that way too (ACL)...
The ACL is applied on crypto map voice:
sho run
Building configuration...
Current configuration : 6731 bytes
!
! Last configuration change at 15:18:52 UTC Thu Aug 23 2012 by admin
! NVRAM config last updated at 14:14:14 UTC Thu Aug 23 2012 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Remote_R
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3874039267
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3874039267
revocation-check none
rsakeypair TP-self-signed-3874039267
!
!
crypto pki certificate chain TP-self-signed-3874039267
ip source-route
!
ip dhcp pool data30
network 192.168.30.0 255.255.255.240
default-router 192.168.30.1
option 176 ascii "MCIPADD=172.16.2.220,TFTPSRVR=172.16.2.220,MCPORT=1719,L2Q=1,L2QVLAN=20,VLANTEST=0"
lease 8
!
ip dhcp pool voice20
network 192.168.20.0 255.255.255.240
default-router 192.168.20.1
option 176 ascii "MCIPADD=172.16.2.220,TFTPSRVR=172.16.2.220,MCPORT=1719,L2Q=1,L2QVLAN=20,VLANTEST=0"
lease 8
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX162683CE
!
!
username admin privilege 15 secret 5 $1$o1/A$faF./HhQ.p9wyrlFlPVI90
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key 1voice1 address 192.168.10.2
!
!
crypto ipsec transform-set voice_set esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map voice 10 ipsec-isakmp
set peer 192.168.10.2
set transform-set voice_set
set pfs group1
match address voice
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0
switchport trunk native vlan 30
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
switchport access vlan 30
switchport voice vlan 20
!
interface FastEthernet4
description WAN
ip address 192.168.10.1 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map voice
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan20
ip address 192.168.20.1 255.255.255.240
ip helper-address 192.168.20.1
ip virtual-reassembly
!
interface Vlan30
ip address 192.168.30.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.2 permanent
ip route 192.168.15.0 255.255.255.0 192.168.10.2
!
ip access-list extended voice
permit tcp 192.168.20.0 0.0.0.15 eq 1720 172.16.2.0 0.0.0.255 eq 1720
permit udp 192.168.20.0 0.0.0.15 eq 1719 172.16.2.0 0.0.0.255 eq 1719
permit ip host 192.168.10.1 host 192.168.10.2
deny ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 110 deny ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.15 any
no cdp run
!
!
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
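The ACL rewrite proposed earlier in the thread (dropping `eq` on the source port) and the NAT-exemption route-map in this config are both easier to reason about with a small evaluator. What follows is an added example, not code from the thread or from Cisco: a Python model of the subset of IOS extended-ACL syntax used here (wildcard masks, `any`/`host`, optional `eq <port>`, `permit ip`, implicit deny), run against the original and corrected `voice` ACLs and against ACL 110 behind `route-map nonat`. The phone address 192.168.20.5, the internet host 203.0.113.10 and the source port numbers are assumptions. Two things it makes concrete: a TCP/UDP source port is ephemeral, so `eq 1719`/`eq 1720` on the source side never matches the phone's own packets; and a crypto-map ACL only selects what to encrypt, so a non-match is not a drop but a packet routed in the clear (and NATted if ACL 110 permits it).

```python
"""Cisco-style extended ACL evaluator: added example, not code from the thread.

Covers the syntax the thread uses: wildcard masks, 'any' / 'host', an optional
'eq <port>' after the source and/or destination, 'permit ip' matching every IP
protocol, and the implicit deny at the end. Host addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" or a specific protocol
    src: Tuple[int, int]        # (address, wildcard) as integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]


def _parse_addr(tok, i):
    """Address spec at tok[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.ip_address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tok[i])), int(ipaddress.ip_address(tok[i + 1]))), i + 2


def _parse_port(tok, i):
    """Optional 'eq <port>' at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line):
    tok = line.split()
    if tok[0].isdigit():        # leading sequence number, as in 'show ip access-lists'
        tok = tok[1:]
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return Ace(tok[0], tok[1], src, sport, dst, dport)


def _addr_match(spec, addr):
    """Wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, wildcard = spec
    return (int(ipaddress.ip_address(addr)) | wildcard) == (base | wildcard)


def _ace_match(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False            # 'ip' matches tcp, udp, icmp, esp, ... alike
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if _ace_match(ace, pkt):
            return ace.action
    return "deny"


# Crypto-map ACL as first posted: 'eq' on the source port too.
VOICE_ORIGINAL = [
    "permit tcp 192.168.20.0 0.0.0.15 eq 1720 172.16.2.0 0.0.0.255 eq 1720",
    "permit udp 192.168.20.0 0.0.0.15 eq 1719 172.16.2.0 0.0.0.255 eq 1719",
    "permit ip host 192.168.10.1 host 192.168.10.2",
    "deny ip any any",
]
# Rewrite proposed in the thread: match only the well-known destination port.
VOICE_CORRECTED = [
    "permit tcp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1720",
    "permit udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1719",
    "permit ip host 192.168.10.1 host 192.168.10.2",
    "deny ip any any",
]
# ACL 110 behind 'route-map nonat': a deny here exempts the flow from NAT.
NAT_110 = [
    "deny ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255",
    "permit ip 192.168.20.0 0.0.0.15 any",
]


def classify(pkt):
    """Fate of a packet leaving FastEthernet4 under each policy.

    A crypto-map ACL selects traffic to encrypt; a non-match is routed in the
    clear, not dropped, and is NATted only if ACL 110 permits it.
    """
    return {
        "original": "encrypt" if evaluate(VOICE_ORIGINAL, pkt) == "permit" else "clear",
        "corrected": "encrypt" if evaluate(VOICE_CORRECTED, pkt) == "permit" else "clear",
        "nat": evaluate(NAT_110, pkt) == "permit",
    }


# Constructed packets (phone and internet addresses assumed):
RAS = Packet("udp", "192.168.20.5", "172.16.2.220", sport=49170, dport=1719)  # H.323 RAS
TFTP = Packet("udp", "192.168.20.5", "172.16.2.220", sport=49171, dport=69)   # TFTP
PEER_PING = Packet("icmp", "192.168.10.1", "192.168.10.2")                    # router to router
WEB = Packet("tcp", "192.168.20.5", "203.0.113.10", sport=50000, dport=80)    # phone to internet

if __name__ == "__main__":
    for name, pkt in [("RAS", RAS), ("TFTP", TFTP), ("PEER_PING", PEER_PING), ("WEB", WEB)]:
        print(f"{name:10s} {classify(pkt)}")
```

Running it shows the RAS request encrypted only under the corrected ACL, TFTP to the same server routed in the clear under both (it matches neither 1719 nor 1720 and is NAT-exempt), and the phone's web traffic NATted out FastEthernet4.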
08-23-2012 08:40 AM
Bekzod,
You did not change the config for logging. To troubleshoot this you need debug level:
conf t
logging buffered 51200 debug
logging console
end
wr
!
After that, try to open a voice record and check what
show logg
is telling you.
Let me know
Alessio
PS: route-map nonat permit 10, empty?
08-23-2012 06:48 PM
Hi, thank you for your replies. I have called Avaya tech support; they told me to make "fixup h323" on the router, but the router doesn't support fixup protocols, it works only on Cisco PIX or ASA. As I understand, fixup protocol is like ip inspect on the router? Do I need to create it? I am not sure; I think if the firewall is off, traffic must go transparently...
What do you think about that?
08-23-2012 06:58 PM
https://supportforums.cisco.com/thread/2034919
Check the PIX config and replace it with the ip inspect command...
By the way, I am not really convinced about the Avaya suggestion.
Just try it... and rate my post if that answered your questions.
Alessio
08-27-2012 09:43 AM
I configured that on both sides but have the same issue: the IP phone can see TFTP on the IP Office 500 and load the txt file but can't register... Because of that I rolled back to my old configuration without firewall...
Current configuration : 7616 bytes
!
! Last configuration change at 16:13:26 UTC Mon Aug 27 2012 by admin
! NVRAM config last updated at 16:23:55 UTC Mon Aug 27 2012 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Remote_R
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3874039267
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3874039267
revocation-check none
rsakeypair TP-self-signed-3874039267
ip source-route
!
!
!
ip dhcp pool data30
network 192.168.30.0 255.255.255.240
default-router 192.168.30.1
option 242 ascii "MCIPADD=172.16.2.220, HTTPSRVR=172.16.2.220, MCPORT=1719, L2Q=1, L2QVLAN=20, VLANTEST=60"
option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"
lease 8
!
ip dhcp pool voice20
network 192.168.20.0 255.255.255.240
default-router 192.168.20.1
option 242 ascii "MCIPADD=172.16.2.220, HTTPSRVR=172.16.2.220, MCPORT=1719, L2Q=1, L2QVLAN=20, VLANTEST=60"
option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"
lease 8
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX162683CE
!
!
username admin privilege 15 secret 5 $1$o1/A$faF./HhQ.p9wyrlFlPVI90
!
!
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key 1voice1 address 192.168.10.2
!
!
crypto ipsec transform-set voice_set esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map voice 10 ipsec-isakmp
set peer 192.168.10.2
set transform-set voice_set
set pfs group1
match address voice
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0
switchport trunk native vlan 30
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
switchport access vlan 30
switchport voice vlan 20
!
interface FastEthernet4
description WAN$ETH-WAN$
ip address 192.168.10.1 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map voice
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan20
ip address 192.168.20.1 255.255.255.240
ip virtual-reassembly
!
interface Vlan30
ip address 192.168.30.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.2 permanent
ip route 192.168.15.0 255.255.255.0 192.168.10.2
!
ip access-list extended voice
remark CCP_ACL Category=20
permit tcp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1720
permit udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1719
permit udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1718
deny ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 remark CCP_ACL Category=16
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 110 deny udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1718
access-list 110 deny udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1719
access-list 110 deny tcp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1720
access-list 110 deny ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.15 any
no cdp run
!
!
!
!
route-map nonat permit 10
match ip address 110
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
08-27-2012 09:45 AM
Guys, can you look at this config? The VPN is up but I can't register the Avaya IP phone.
08-27-2012 10:11 AM
Also I have tried to replace all lines in ACL voice with permit ip any any on both sides; still not registered... So ACL voice is not under suspicion... What can block H.323 traffic?
08-28-2012 05:12 PM
Hi Bekzod,
I am not sure if your issue has been resolved or not. When you said you removed the firewall, did the phone register normally?
Anyway, I just wanted to suggest that when I am having such problems where I am not sure what rule to add to make the application work, I try to log the ACL deny rule so I can look into what traffic is being dropped and the port number details. That way I put a permit rule just before the deny so that the application can pass through.
I did not see that logging of the ACL in your case, so you could probably try that out and check for the dropped packets in the log.
HTH.
Regards,
Mohit
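Mohit's suggestion in practice, as an added example that is not part of the thread: a Python script that reads the `%SEC-6-IPACCESSLOG*` messages IOS emits for a `deny ... log` entry (the three formats below are the ones IOS uses for tcp/udp, icmp and other protocols; the sample lines are constructed, with an assumed phone address 192.168.20.5), totals denied packets per destination port, and drafts the permit entries to insert ahead of the deny. One caveat a practitioner should keep in mind: the `log` keyword only produces these messages on an ACL applied as an interface filter with `ip access-group`; a crypto-map `match address` ACL classifies traffic for encryption and does not log anything.

```python
"""Summarise ACL-deny syslog from 'show logging': added example, not from the thread.

IOS reports each denied flow as %SEC-6-IPACCESSLOGP (tcp/udp, with ports),
%SEC-6-IPACCESSLOGDP (icmp, with type/code) or %SEC-6-IPACCESSLOGNP (other
protocols), throttled into "N packets" summaries. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

# tcp/udp: ports in parentheses
_RE_P = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")
# icmp: type/code instead of ports
_RE_DP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?")
# anything else (e.g. protocol number 47 for GRE): no ports at all
_RE_NP = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packets?")


def parse_line(line):
    """Return a dict for an ACL-deny line, or None for any other log line."""
    for rx in (_RE_P, _RE_DP, _RE_NP):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            rec["dport"] = int(rec["dport"]) if "dport" in rec else None
            return rec
    return None


def summarise(lines):
    """Denied packets per (acl, proto, dst, dport); the ephemeral source port is ignored."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[(rec["acl"], rec["proto"], rec["dst"], rec["dport"])] += rec["count"]
    return totals


def suggest_permits(totals, src_spec, dst_spec):
    """Draft one permit per denied (proto, dport), busiest first, to go before the deny.

    src_spec / dst_spec are the ACL's own address specs, e.g.
    '192.168.20.0 0.0.0.15' and '172.16.2.0 0.0.0.255'. Review before applying.
    """
    drafts = []
    for (_acl, proto, _dst, dport), _count in sorted(totals.items(), key=lambda kv: -kv[1]):
        port = f" eq {dport}" if dport is not None else ""
        drafts.append(f"permit {proto} {src_spec} {dst_spec}{port}")
    return list(dict.fromkeys(drafts))      # de-duplicate, keep order


# Constructed sample of 'show logging' output (phone address assumed).
SAMPLE_LOG = """\
Aug 23 15:18:52.101: %SEC-6-IPACCESSLOGP: list voice denied udp 192.168.20.5(49170) -> 172.16.2.220(1719), 1 packet
Aug 23 15:18:53.204: %SEC-6-IPACCESSLOGP: list voice denied udp 192.168.20.5(49171) -> 172.16.2.220(1718), 1 packet
Aug 23 15:19:01.330: %SEC-6-IPACCESSLOGP: list voice denied tcp 192.168.20.5(50012) -> 172.16.2.220(1720), 3 packets
Aug 23 15:19:05.007: %SEC-6-IPACCESSLOGDP: list voice denied icmp 192.168.20.5 -> 172.16.2.220 (8/0), 2 packets
Aug 23 15:19:07.512: %SEC-6-IPACCESSLOGP: list voice denied udp 192.168.20.5(49170) -> 172.16.2.220(1719), 5 packets
Aug 23 15:19:09.000: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
""".splitlines()

if __name__ == "__main__":
    totals = summarise(SAMPLE_LOG)
    for key, count in totals.most_common():
        print(count, key)
    for ace in suggest_permits(totals, "192.168.20.0 0.0.0.15", "172.16.2.0 0.0.0.255"):
        print(ace)
```

The unrelated `%CRYPTO-6-ISAKMP_ON_OFF` line is skipped, the two RAS summaries for UDP 1719 are added together, and the drafted entries come out busiest first so the port that actually carries the registration traffic is the first one you look at.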
08-28-2012 06:25 PM
Nope, after I removed the firewall nothing changed... I knew that by default the firewall is off, but Avaya tech support advised me to try fixup and no fixup and see what happens. Nothing happened...
I have no idea. The ACL with UDP and TCP ports 1718-1720 is open, no firewall rules, routing is up, the VPN is up, the IP phone is able to download the txt file from the TFTP server located on the IP Office 500 but can't register... no idea... I tried to replace it with a new 1606 IP phone but it's more b...t, it can't even get an IP from the DHCP configured on the local router
(the old 5610 IP phone was able to get an IP and the proper VLAN but can't register on the IPO)...