firewall on router

Hi. We have two 881 routers. I need to set up an IPsec VPN between two sites for H.323 voice traffic. The VPN is up but I can't register the IP phones. That's why I want to find out: is the firewall turned off by default?

Also, I made an ACL permit ip xxxx yyyy wwww qqqq. Do I need to change it to permit tcp/udp eq 1719/1720 (for H.323)?

As I know, permit ip means permit all protocols, but... reality might be different??


Hi Bekzod,

a) The firewall is off by default... by the way, check your IOS documentation.

b) Yes, you need to specify what layer 3 AND layer 4 (TCP/UDP and ports) you want to allow.

c) permit ip does not mean all the protocols, but only the one encapsulated in IP; remember the implicit deny any any at the end of every access list.

It could be an idea to enable logging and debugging for a better understanding:

conf t

logg buff 16000 debug

end

wr

!

Alessio

b) Yes, you need to specify what layer 3 AND layer 4 (TCP/UDP and ports) you want to allow

c) permit ip does not mean all the protocols, but only the one encapsulated ip, remember an implicit deny any any at the end of every access list

That's not the way the ACLs work. "permit ip ..." allows all protocols that work on top of IP, and that's also TCP, UDP, ICMP and so on... The router just doesn't care about the upper protocols.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Karsten,

that's not the way the ACLs work. "permit ip ..." allows all protocols that work on top of IP. And that's also TCP, UDP, ICMP and so on ... The router just doesn't care about the upper protocols.

I was referring to non-IP protocols in the first point you spotted, and to a well-written ACL rather than a generic one in the second point. This is the way it works.

About your last sentence, I'd be more careful about it. You are too generic.

Alessio

I found out that the firewall is off. I added these lines:

    10 permit tcp 192.168.20.0 0.0.0.15 eq 1720 172.16.2.0 0.0.0.255 eq 1720

    20 permit udp 192.168.20.0 0.0.0.15 eq 1719 172.16.2.0 0.0.0.255 eq 1719

    30 permit ip host 192.168.10.1 host 192.168.10.2

    40 deny ip any any

and these on the opposite site:

    10 permit tcp 172.16.2.0 0.0.0.255 eq 1720 192.168.20.0 0.0.0.15 eq 1720

    20 permit udp 172.16.2.0 0.0.0.255 eq 1719 192.168.20.0 0.0.0.15 eq 1719

    30 permit ip host 192.168.10.2 host 192.168.10.1

    40 deny ip any any

The VPN is up, the IP phone (H.323) is able to connect to the TFTP server 172.16.2.220 (on the IP Office 500) and load some text file, but can't register on it (172.16.2.220, IP Office 500).

What else can I do to register the IP phone, guys? Please help me.

Bekzod,

I would rewrite your ACL in this way:

    10 permit tcp 192.168.20.0 0.0.0.15   172.16.2.0 0.0.0.255 eq 1720

    20 permit udp 192.168.20.0 0.0.0.15   172.16.2.0 0.0.0.255 eq 1719

    30 permit ip host 192.168.10.1 host 192.168.10.2

    40 deny ip any any

    10 permit tcp 172.16.2.0 0.0.0.255   192.168.20.0 0.0.0.15 eq 1720

    20 permit udp 172.16.2.0 0.0.0.255   192.168.20.0 0.0.0.15 eq 1719

    30 permit ip host 192.168.10.2 host 192.168.10.1

    40 deny ip any any

Then, where did you apply this ACL? The 3rd statement is quite restrictive.....

Let me know

Alessio
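An added example, not code from the thread: a small Python evaluator for IOS-style extended ACL entries, run against the two ACL variants above. It shows the two points argued in the replies: permit ip matches every IP protocol (ICMP between the peers hits the third entry), and the source-port eq qualifiers in the original entries only match packets whose source port is also 1720/1719, so a phone connecting from an ephemeral source port falls through to deny ip any any. The phone address 192.168.20.5 and the ephemeral ports are constructed; only eq port operators and contiguous wildcard masks are handled.

```python
import ipaddress

# Constructed for this example: the two ACL variants discussed above, the
# original with source-port qualifiers and the rewrite without them.
ORIGINAL_ACL = """permit tcp 192.168.20.0 0.0.0.15 eq 1720 172.16.2.0 0.0.0.255 eq 1720
permit udp 192.168.20.0 0.0.0.15 eq 1719 172.16.2.0 0.0.0.255 eq 1719
permit ip host 192.168.10.1 host 192.168.10.2
deny ip any any"""
REWRITTEN_ACL = """permit tcp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1720
permit udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1719
permit ip host 192.168.10.1 host 192.168.10.2
deny ip any any"""

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard masks only)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    wild = int(ipaddress.ip_address(tok[1]))
    assert wild & (wild + 1) == 0, f"non-contiguous wildcard {tok[1]} not supported here"
    return ipaddress.ip_network(f"{tok[0]}/{32 - wild.bit_length()}", strict=False), tok[2:]

def _port(tok):
    """Consume an optional 'eq N'; gt/lt/range operators are not handled."""
    if tok and tok[0] == "eq":
        return int(tok[1]), tok[2:]
    return None, tok

def parse_ace(line):
    """Split one extended ACE into (action, proto, src_net, sport, dst_net, dport)."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, rest = _addr(tok[2:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, _ = _port(rest)
    return action, proto, src, sport, dst, dport

def evaluate(acl_text, proto, src, sport, dst, dport):
    """First-match lookup; 'ip' matches every IP protocol; implicit deny if nothing matches."""
    for line in acl_text.strip().splitlines():
        action, p, snet, sp, dnet, dp = parse_ace(line)
        proto_ok = p in ("ip", proto)
        addr_ok = ipaddress.ip_address(src) in snet and ipaddress.ip_address(dst) in dnet
        port_ok = sp in (None, sport) and dp in (None, dport)  # None = no port qualifier
        if proto_ok and addr_ok and port_ok:
            return action, line.strip()
    return "deny", "(implicit deny)"
```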

I've tried that way too (ACL)...

The ACL is applied on crypto map voice:

sho run             

Building configuration...

Current configuration : 6731 bytes

!

! Last configuration change at 15:18:52 UTC Thu Aug 23 2012 by admin

! NVRAM config last updated at 14:14:14 UTC Thu Aug 23 2012 by admin

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Remote_R

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

aaa new-model

!

!

aaa authentication login default local

!        

!aaa session-id common

memory-size iomem 10

!

crypto pki trustpoint TP-self-signed-3874039267

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3874039267

revocation-check none

rsakeypair TP-self-signed-3874039267

!

!

crypto pki certificate chain TP-self-signed-3874039267

ip source-route

!ip dhcp pool data30

   network 192.168.30.0 255.255.255.240

   default-router 192.168.30.1

   option 176 ascii "MCIPADD=172.16.2.220,TFTPSRVR=172.16.2.220,MCPORT=1719,L2Q=1,L2QVLAN=20,VLANTEST=0"

   lease 8

!

ip dhcp pool voice20

   network 192.168.20.0 255.255.255.240

   default-router 192.168.20.1

   option 176 ascii "MCIPADD=172.16.2.220,TFTPSRVR=172.16.2.220,MCPORT=1719,L2Q=1,L2QVLAN=20,VLANTEST=0"

   lease 8

!

!

ip cef

no ip domain lookup

ip domain name yourdomain.com

no ipv6 cef

!

!

license udi pid CISCO881-K9 sn FTX162683CE

!

!

username admin privilege 15 secret 5 $1$o1/A$faF./HhQ.p9wyrlFlPVI90

!        

crypto isakmp policy 5

hash md5

authentication pre-share

crypto isakmp key 1voice1 address 192.168.10.2

!

!

crypto ipsec transform-set voice_set esp-des esp-md5-hmac

crypto ipsec df-bit clear

!

crypto map voice 10 ipsec-isakmp

set peer 192.168.10.2

set transform-set voice_set

set pfs group1

match address voice

!

interface Loopback0

ip address 1.1.1.1 255.255.255.255

!

interface FastEthernet0

switchport trunk native vlan 30

switchport mode trunk

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 20

!

interface FastEthernet3

switchport access vlan 30

switchport voice vlan 20

!

interface FastEthernet4

description WAN

ip address 192.168.10.1 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex full

speed 100

crypto map voice

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.10.10.1 255.255.255.248

ip tcp adjust-mss 1452

!

interface Vlan20

ip address 192.168.20.1 255.255.255.240

ip helper-address 192.168.20.1

ip virtual-reassembly

!

interface Vlan30

ip address 192.168.30.1 255.255.255.240

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map nonat interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 192.168.10.2 permanent

ip route 192.168.15.0 255.255.255.0 192.168.10.2

!

ip access-list extended voice

permit tcp 192.168.20.0 0.0.0.15 eq 1720 172.16.2.0 0.0.0.255 eq 1720

permit udp 192.168.20.0 0.0.0.15 eq 1719 172.16.2.0 0.0.0.255 eq 1719

permit ip host 192.168.10.1 host 192.168.10.2

deny   ip any any

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 110 deny   ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255

access-list 110 permit ip 192.168.20.0 0.0.0.15 any

no cdp run

!

!

!

!

route-map nonat permit 10

match ip address 110

!

!

control-plane

!

line con 0

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

transport input telnet ssh

!

scheduler max-task-time 5000

end

Bekzod,

you did not change the config for logging. To troubleshoot this you need the debug level:

conf t

logging buffered 51200 debug

logging console

end

wr

!

After that, try to open a voice record and check what the

show logg

is telling you.

Let me know

Alessio


PS: route-map nonat permit 10, empty?

Hi, thank you for your replies. I have called Avaya tech support; they told me to make fixup h323 on the router, but the router doesn't support fixup protocols, it works only on Cisco PIX or ASA... As I understand, fixup protocols are like ip inspect on the router? Do I need to create it? I am not sure; I think if the firewall is off, traffic must go transparently...

What do you think about that?

https://supportforums.cisco.com/thread/2034919

Check the PIX config and replace it with the ip inspect command...

By the way, I am not really convinced about the Avaya suggestion.

Just try it... And rate my post if that answered your questions.

Alessio

I configured that on both sides but have the same issue: the IP phone can see TFTP on the IP Office 500 and load the txt file but can't register... Because of that I rolled back to my old configuration without firewall...

Current configuration : 7616 bytes

!

! Last configuration change at 16:13:26 UTC Mon Aug 27 2012 by admin

! NVRAM config last updated at 16:23:55 UTC Mon Aug 27 2012 by admin

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Remote_R

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

!

crypto pki trustpoint TP-self-signed-3874039267

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3874039267

revocation-check none

rsakeypair TP-self-signed-3874039267

ip source-route

!

!

!

ip dhcp pool data30

   network 192.168.30.0 255.255.255.240

   default-router 192.168.30.1

   option 242 ascii "MCIPADD=172.16.2.220, HTTPSRVR=172.16.2.220, MCPORT=1719, L2Q=1, L2QVLAN=20, VLANTEST=60"

   option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"

   lease 8

!

ip dhcp pool voice20

   network 192.168.20.0 255.255.255.240

   default-router 192.168.20.1

   option 242 ascii "MCIPADD=172.16.2.220, HTTPSRVR=172.16.2.220, MCPORT=1719, L2Q=1, L2QVLAN=20, VLANTEST=60"

   option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"

   lease 8

!

!

ip cef

no ip domain lookup

ip domain name yourdomain.com

no ipv6 cef

!

!

license udi pid CISCO881-K9 sn FTX162683CE

!

!

username admin privilege 15 secret 5 $1$o1/A$faF./HhQ.p9wyrlFlPVI90

!

!

!

!

crypto isakmp policy 5

hash md5

authentication pre-share

crypto isakmp key 1voice1 address 192.168.10.2

!

!

crypto ipsec transform-set voice_set esp-des esp-md5-hmac

crypto ipsec df-bit clear

!

crypto map voice 10 ipsec-isakmp

set peer 192.168.10.2

set transform-set voice_set

set pfs group1

match address voice

!

interface Loopback0

ip address 1.1.1.1 255.255.255.255

!

interface FastEthernet0

switchport trunk native vlan 30

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 20

!

interface FastEthernet3

switchport access vlan 30

switchport voice vlan 20

!

interface FastEthernet4

description WAN$ETH-WAN$

ip address 192.168.10.1 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex full

speed 100

crypto map voice

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.10.10.1 255.255.255.248

ip tcp adjust-mss 1452

!

interface Vlan20

ip address 192.168.20.1 255.255.255.240

ip virtual-reassembly

!

interface Vlan30

ip address 192.168.30.1 255.255.255.240

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map nonat interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 192.168.10.2 permanent

ip route 192.168.15.0 255.255.255.0 192.168.10.2

!

ip access-list extended voice

remark CCP_ACL Category=20

permit tcp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1720

permit udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1719

permit udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1718

deny   ip any any

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 101 remark CCP_ACL Category=16

access-list 101 permit esp any any

access-list 101 permit udp any any eq isakmp

access-list 110 deny   udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1718

access-list 110 deny   udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1719

access-list 110 deny   tcp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1720

access-list 110 deny   ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255

access-list 110 permit ip 192.168.20.0 0.0.0.15 any

no cdp run

!

!

!

!

route-map nonat permit 10

match ip address 110

^C

!

line con 0

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

transport input telnet ssh

!

scheduler max-task-time 5000

Guys, can you look at this config? The VPN is up but I can't register the Avaya IP phone.

Also, I have tried to replace all lines in ACL voice with permit ip any any on both sides, still not registered... so ACL voice is not under suspicion. What can block H.323 traffic?

Hi Bekzod,

I am not sure if your issue has been resolved or not. When you said you removed the firewall, did the phone register normally?

Anyway, I just wanted to suggest that whenever I am having such problems, where I am not sure what rule to add to make the application work, I try to log the ACL deny rule so I can look into what traffic is being dropped and the port number details. That way I can put a permit rule just before the deny so that the application can pass through.

I did not see that logging of the ACL in your case, so you could probably try that out and check for the dropped packets in the log.

HTH.

Regards,

Mohit
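As an added example (not from the thread), a Python parser for the %SEC-6-IPACCESSLOGP messages IOS writes to the buffer once a deny entry carries the log keyword, aggregating denied packets per protocol and destination port so the missing permit is obvious. The log lines are constructed for illustration; the addresses follow the thread's subnets, and the src_spec default is the phone subnet from the thread, passed in as an assumption.

```python
import re
from collections import Counter

# Constructed sample of 'show logging' output after a deny entry got the 'log'
# keyword; addresses follow the thread's subnets, everything else is made up.
SAMPLE_LOG = """
*Aug 27 16:20:01.123: %SEC-6-IPACCESSLOGP: list voice denied udp 192.168.20.5(49170) -> 172.16.2.220(1719), 1 packet
*Aug 27 16:25:01.456: %SEC-6-IPACCESSLOGP: list voice denied udp 192.168.20.5(49170) -> 172.16.2.220(1719), 4 packets
*Aug 27 16:21:02.789: %SEC-6-IPACCESSLOGP: list voice denied tcp 192.168.20.5(49171) -> 172.16.2.220(1720), 1 packet
*Aug 27 16:21:10.000: %SEC-6-IPACCESSLOGP: list voice denied udp 192.168.20.6(49180) -> 172.16.2.220(1718), 1 packet
*Aug 27 16:21:12.000: %SEC-6-IPACCESSLOGDP: list voice denied icmp 192.168.20.5 -> 172.16.2.220 (8/0), 1 packet
"""

# IPACCESSLOGP is the TCP/UDP form: the port follows each address in parentheses.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def parse_denies(log_text):
    """Yield (acl, proto, src, dst, dport, count) per TCP/UDP deny line; other forms
    (IPACCESSLOGDP for ICMP, IPACCESSLOGNP for other protocols) are skipped."""
    for line in log_text.splitlines():
        m = LOGP.search(line)
        if m:
            yield (m["acl"], m["proto"], m["src"], m["dst"], int(m["dport"]), int(m["count"]))

def summarize(log_text):
    """Total denied packets per (acl, proto, dst, dport): each key is one missing permit."""
    totals = Counter()
    for acl, proto, _src, dst, dport, count in parse_denies(log_text):
        totals[(acl, proto, dst, dport)] += count
    return dict(totals)

def suggest_permits(log_text, src_spec="192.168.20.0 0.0.0.15"):
    """Render one permit line per denied flow class in IOS extended-ACL syntax.
    src_spec (assumed: the phone subnet wildcard from the thread) is the source spec."""
    return [f"permit {proto} {src_spec} host {dst} eq {dport}"
            for (_acl, proto, dst, dport) in sorted(summarize(log_text))]
```

Each suggested line goes in front of the logged deny; a flow that keeps appearing after that is being dropped somewhere other than this ACL.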

Nope, after I removed the firewall nothing changed... I knew that by default the firewall is off, but Avaya tech support advised me to try making fixup and no fixup and see what would happen. Nothing happened...

I have no idea. The ACL with UDP and TCP ports 1718-1720 is open, no firewall rules, routing is up, the VPN is up, the IP phone is able to download the txt file from the TFTP server located on the IP Office 500 but can't register... no idea. I tried to replace it with a new 1606 IP phone but it's more b...t, it can't even get an IP from the DHCP configured on the local router

(the old 5610 IP phone was able to get an IP and the proper VLAN but can't register on the IPO)...
