Cisco Support Community

firewall on router

Hi. We have two 881 routers. I need to set up an IPsec VPN between two sites for H.323 voice traffic. The VPN is up but I can't register the IP phones. That's why I want to find out: is the firewall turned off by default?

Also, I made an ACL with "permit ip xxxx yyyy wwww qqqq". Do I need to change it to permit tcp/udp eq 1719/1720 (for H.323)?

As far as I know, "permit ip" means permit all protocols, but reality might be different?

20 REPLIES

Re: firewall on router

Hi Bekzod,

a) The firewall is off by default. By the way, check your IOS documentation.

b) Yes, you need to specify which layer 3 AND layer 4 (TCP/UDP and ports) traffic you want to allow.

c) "permit ip" does not mean all the protocols, but only the ones encapsulated in IP. Remember the implicit deny any any at the end of every access list.

It could be an idea to enable logging and debugging for a better understanding.

conf t

logg buff 16000 debug

end

wr

!

Alessio


firewall on router

b) Yes, you need to specify which layer 3 AND layer 4 (TCP/UDP and ports) traffic you want to allow.

c) "permit ip" does not mean all the protocols, but only the ones encapsulated in IP. Remember the implicit deny any any at the end of every access list.

That's not the way ACLs work. "permit ip ..." allows all protocols that work on top of IP, and that's also TCP, UDP, ICMP and so on. The router just doesn't care about the upper protocols.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni



firewall on router

Karsten,

That's not the way ACLs work. "permit ip ..." allows all protocols that work on top of IP, and that's also TCP, UDP, ICMP and so on. The router just doesn't care about the upper protocols.

I was referring to non-IP protocols in the first point you spotted, and to a well-written ACL rather than a generic one in the second point. This is the way it works.

About your last sentence, I'd be more careful about it. You are too generic.

Alessio

firewall on router

I found out that the firewall is off. I added these lines:

    10 permit tcp 192.168.20.0 0.0.0.15 eq 1720 172.16.2.0 0.0.0.255 eq 1720

    20 permit udp 192.168.20.0 0.0.0.15 eq 1719 172.16.2.0 0.0.0.255 eq 1719

    30 permit ip host 192.168.10.1 host 192.168.10.2

    40 deny ip any any

and these on the opposite site:

    10 permit tcp 172.16.2.0 0.0.0.255 eq 1720 192.168.20.0 0.0.0.15 eq 1720

    20 permit udp 172.16.2.0 0.0.0.255 eq 1719 192.168.20.0 0.0.0.15 eq 1719

    30 permit ip host 192.168.10.2 host 192.168.10.1

    40 deny ip any any

The VPN is up. The IP phone (H.323) is able to connect to the TFTP server 172.16.2.220 (on the IP Office 500) and loads some text file, but it can't register on it (172.16.2.220, IP Office 500).

What else can I do to register the IP phone, guys? Please help me.

firewall on router

Bekzod,

i would rewrite your ACL  in this way:

    10 permit tcp 192.168.20.0 0.0.0.15   172.16.2.0 0.0.0.255 eq 1720

    20 permit udp 192.168.20.0 0.0.0.15   172.16.2.0 0.0.0.255 eq 1719

    30 permit ip host 192.168.10.1 host 192.168.10.2

    40 deny ip any any

    10 permit tcp 172.16.2.0 0.0.0.255   192.168.20.0 0.0.0.15 eq 1720

    20 permit udp 172.16.2.0 0.0.0.255   192.168.20.0 0.0.0.15 eq 1719

    30 permit ip host 192.168.10.2 host 192.168.10.1

    40 deny ip any any

Then, where did you apply this ACL? The 3rd statement is quite restrictive...

Let me know

Alessio

firewall on router

I've tried that way too (ACL)...

The ACL is applied on crypto map voice:

sho run             

Building configuration...

Current configuration : 6731 bytes

!

! Last configuration change at 15:18:52 UTC Thu Aug 23 2012 by admin

! NVRAM config last updated at 14:14:14 UTC Thu Aug 23 2012 by admin

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Remote_R

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

aaa new-model

!

!

aaa authentication login default local

!        

!aaa session-id common

memory-size iomem 10

!

crypto pki trustpoint TP-self-signed-3874039267

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3874039267

revocation-check none

rsakeypair TP-self-signed-3874039267

!

!

crypto pki certificate chain TP-self-signed-3874039267

ip source-route

!ip dhcp pool data30

   network 192.168.30.0 255.255.255.240

   default-router 192.168.30.1

   option 176 ascii "MCIPADD=172.16.2.220,TFTPSRVR=172.16.2.220,MCPORT=1719,L2Q=1,L2QVLAN=20,VLANTEST=0"

   lease 8

!

ip dhcp pool voice20

   network 192.168.20.0 255.255.255.240

   default-router 192.168.20.1

   option 176 ascii "MCIPADD=172.16.2.220,TFTPSRVR=172.16.2.220,MCPORT=1719,L2Q=1,L2QVLAN=20,VLANTEST=0"

   lease 8

!

!

ip cef

no ip domain lookup

ip domain name yourdomain.com

no ipv6 cef

!

!

license udi pid CISCO881-K9 sn FTX162683CE

!

!

username admin privilege 15 secret 5 $1$o1/A$faF./HhQ.p9wyrlFlPVI90

!        

crypto isakmp policy 5

hash md5

authentication pre-share

crypto isakmp key 1voice1 address 192.168.10.2

!

!

crypto ipsec transform-set voice_set esp-des esp-md5-hmac

crypto ipsec df-bit clear

!

crypto map voice 10 ipsec-isakmp

set peer 192.168.10.2

set transform-set voice_set

set pfs group1

match address voice

!

interface Loopback0

ip address 1.1.1.1 255.255.255.255

!

interface FastEthernet0

switchport trunk native vlan 30

switchport mode trunk

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 20

!

interface FastEthernet3

switchport access vlan 30

switchport voice vlan 20

!

interface FastEthernet4

description WAN

ip address 192.168.10.1 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex full

speed 100

crypto map voice

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.10.10.1 255.255.255.248

ip tcp adjust-mss 1452

!

interface Vlan20

ip address 192.168.20.1 255.255.255.240

ip helper-address 192.168.20.1

ip virtual-reassembly

!

interface Vlan30

ip address 192.168.30.1 255.255.255.240

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map nonat interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 192.168.10.2 permanent

ip route 192.168.15.0 255.255.255.0 192.168.10.2

!

ip access-list extended voice

permit tcp 192.168.20.0 0.0.0.15 eq 1720 172.16.2.0 0.0.0.255 eq 1720

permit udp 192.168.20.0 0.0.0.15 eq 1719 172.16.2.0 0.0.0.255 eq 1719

permit ip host 192.168.10.1 host 192.168.10.2

deny   ip any any

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 110 deny   ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255

access-list 110 permit ip 192.168.20.0 0.0.0.15 any

no cdp run

!

!

!

!

route-map nonat permit 10

match ip address 110

!

!

control-plane

!

line con 0

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

transport input telnet ssh

!

scheduler max-task-time 5000

end
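The ACL questions argued above (whether "permit ip" covers TCP, UDP and ICMP, and why Alessio's rewrite drops the source-port "eq" from Bekzod's lines) can be checked mechanically. The Python below is an added example, not code from the thread or from Cisco IOS: it models IOS extended-ACL matching and replays the three ACLs as posted (the first "voice" list, the rewrite, and access-list 110 behind route-map nonat) against constructed packets; the phone address 192.168.20.5, the ephemeral source ports, the Internet host 203.0.113.10 and the use of 192.168.10.1 as the NAT overload address are assumptions. It shows two things the posts only hint at: an H.323 phone sends RAS (UDP 1719) and H.225 (TCP 1720) from an ephemeral source port, so an ACE that also requires source port eq 1719 or 1720 never matches; and an ACL referenced by a crypto map is a traffic selector, not a filter, so a deny there does not drop the packet but sends it unencrypted, which is why "permit ip any any" later in the thread changed nothing about registration.

```python
"""Model of Cisco IOS extended-ACL matching, used to replay the ACLs posted in
this thread against the packets an H.323 phone sends.  Added example, not
code from the page or from Cisco IOS; the semantics modelled (first match
wins, 'ip' matches every IP protocol, wildcard masks, an implicit
'deny ip any any' at the end) are IOS behaviour."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Pop 'any', 'host A' or 'A WILDCARD'; return (network, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def _take_port(tokens):
    """Pop an optional 'eq N'; return N, or None when the ACE names no port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):
    """Parse one ACE; sequence numbers are skipped, 'remark' lines give None."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens.pop(0)
    if tokens[0] == "remark":
        return None
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _take_addr(rest)
    sport = _take_port(rest)
    dst = _take_addr(rest)
    dport = _take_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": "log" in rest}

def _addr_hits(spec, addr):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF  # a 1 bit in the wildcard means "don't care"
    return (_ip(addr) & care) == (net & care)

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (_addr_hits(ace["src"], pkt.src) and _addr_hits(ace["dst"], pkt.dst)):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport

def evaluate(acl, pkt):
    """First matching ACE decides; no match is the implicit deny at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace and ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "<implicit deny ip any any>"

def disposition(pkt, crypto_acl, nonat_acl, wan_ip="192.168.10.1"):
    """Inside-to-outside packet on the posted router: IOS applies NAT before it
    consults the crypto map, so a packet the NAT ACL permits is translated to
    the WAN address first; a deny in the crypto ACL drops nothing, it only
    leaves the packet unencrypted."""
    natted = evaluate(nonat_acl, pkt)[0] == "permit"
    if natted:
        pkt = Packet(pkt.proto, wan_ip, pkt.dst, pkt.sport, pkt.dport)
    if evaluate(crypto_acl, pkt)[0] == "permit":
        return "encrypted"
    return "natted-cleartext" if natted else "routed-cleartext"

# ACLs exactly as posted: Bekzod's first 'voice' list, Alessio's rewrite and
# the NAT-exemption list 110 referenced by route-map nonat.
ORIGINAL_VOICE = [
    "10 permit tcp 192.168.20.0 0.0.0.15 eq 1720 172.16.2.0 0.0.0.255 eq 1720",
    "20 permit udp 192.168.20.0 0.0.0.15 eq 1719 172.16.2.0 0.0.0.255 eq 1719",
    "30 permit ip host 192.168.10.1 host 192.168.10.2",
    "40 deny ip any any",
]
REWRITTEN_VOICE = [
    "10 permit tcp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1720",
    "20 permit udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1719",
    "30 permit ip host 192.168.10.1 host 192.168.10.2",
    "40 deny ip any any",
]
NONAT_110 = [
    "deny ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255",
    "permit ip 192.168.20.0 0.0.0.15 any",
]

# Constructed packets (assumptions): a phone at 192.168.20.5 sends RAS (UDP
# 1719) and H.225 (TCP 1720) from ephemeral ports, pings the call server and
# browses an Internet host.
RAS = Packet("udp", "192.168.20.5", "172.16.2.220", sport=49152, dport=1719)
H225 = Packet("tcp", "192.168.20.5", "172.16.2.220", sport=51000, dport=1720)
PING = Packet("icmp", "192.168.20.5", "172.16.2.220")
WEB = Packet("tcp", "192.168.20.5", "203.0.113.10", sport=52000, dport=80)
```

Replaying the samples: RAS under the original list ends on "40 deny ip any any" (source port 49152 is not 1719) and is "routed-cleartext", while under the rewrite it is "encrypted"; ICMP from the voice VLAN to 172.16.2.0/24 is denied by both the crypto ACL and ACL 110 and in this model leaves FastEthernet4 untranslated and in the clear. Keep the crypto ACL and the NAT-exemption ACL mirrored on both peers, and note that in the posted configuration only Vlan30 carries "ip nat inside", so for voice-VLAN traffic the 192.168.20.0/28 entries in access-list 110 are never consulted at all.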

Re: firewall on router

Bekzod,

You did not change the config for logging. To troubleshoot this you need debug level:

conf t

logging buffered 51200 debug

logging console

end

wr

!

After that, try to open a voice record and check what

show logg

is telling you.

Let me know

Alessio

      

PS: route-map nonat permit 10, empty?

Re: firewall on router

Hi, thank you for your replies. I called Avaya tech support and they told me to configure fixup h323 on the router, but the router doesn't support fixup protocols; that works only on Cisco PIX or ASA. As I understand it, fixup protocol is like ip inspect on a router? Do I need to create it? I am not sure; I think that if the firewall is off, traffic must go through transparently...

What do you think about that?

Re: firewall on router

https://supportforums.cisco.com/thread/2034919

Check the PIX config and replace it with the ip inspect command...

By the way, I am not really convinced about the Avaya suggestion.

Just try it, and rate my post if it answered your questions.

Alessio

Re: firewall on router

I configured that on both sides but have the same issue: the IP phone can see the TFTP on the IP Office 500 and loads the txt file but can't register... Because of that I rolled back to my old configuration without the firewall.

Current configuration : 7616 bytes

!

! Last configuration change at 16:13:26 UTC Mon Aug 27 2012 by admin

! NVRAM config last updated at 16:23:55 UTC Mon Aug 27 2012 by admin

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Remote_R

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

!

crypto pki trustpoint TP-self-signed-3874039267

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3874039267

revocation-check none

rsakeypair TP-self-signed-3874039267

ip source-route

!

!

!

ip dhcp pool data30

   network 192.168.30.0 255.255.255.240

   default-router 192.168.30.1

   option 242 ascii "MCIPADD=172.16.2.220, HTTPSRVR=172.16.2.220, MCPORT=1719, L2Q=1, L2QVLAN=20, VLANTEST=60"

   option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"

   lease 8

!

ip dhcp pool voice20

   network 192.168.20.0 255.255.255.240

   default-router 192.168.20.1

   option 242 ascii "MCIPADD=172.16.2.220, HTTPSRVR=172.16.2.220, MCPORT=1719, L2Q=1, L2QVLAN=20, VLANTEST=60"

   option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"

   lease 8

!

!

ip cef

no ip domain lookup

ip domain name yourdomain.com

no ipv6 cef

!

!

license udi pid CISCO881-K9 sn FTX162683CE

!

!

username admin privilege 15 secret 5 $1$o1/A$faF./HhQ.p9wyrlFlPVI90

!

!

!

!

crypto isakmp policy 5

hash md5

authentication pre-share

crypto isakmp key 1voice1 address 192.168.10.2

!

!

crypto ipsec transform-set voice_set esp-des esp-md5-hmac

crypto ipsec df-bit clear

!

crypto map voice 10 ipsec-isakmp

set peer 192.168.10.2

set transform-set voice_set

set pfs group1

match address voice

!

interface Loopback0

ip address 1.1.1.1 255.255.255.255

!

interface FastEthernet0

switchport trunk native vlan 30

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 20

!

interface FastEthernet3

switchport access vlan 30

switchport voice vlan 20

!

interface FastEthernet4

description WAN$ETH-WAN$

ip address 192.168.10.1 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex full

speed 100

crypto map voice

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.10.10.1 255.255.255.248

ip tcp adjust-mss 1452

!

interface Vlan20

ip address 192.168.20.1 255.255.255.240

ip virtual-reassembly

!

interface Vlan30

ip address 192.168.30.1 255.255.255.240

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map nonat interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 192.168.10.2 permanent

ip route 192.168.15.0 255.255.255.0 192.168.10.2

!

ip access-list extended voice

remark CCP_ACL Category=20

permit tcp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1720

permit udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1719

permit udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1718

deny   ip any any

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 101 remark CCP_ACL Category=16

access-list 101 permit esp any any

access-list 101 permit udp any any eq isakmp

access-list 110 deny   udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1718

access-list 110 deny   udp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1719

access-list 110 deny   tcp 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255 eq 1720

access-list 110 deny   ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255

access-list 110 permit ip 192.168.20.0 0.0.0.15 any

no cdp run

!

!

!

!

route-map nonat permit 10

match ip address 110

^C

!

line con 0

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

transport input telnet ssh

!

scheduler max-task-time 5000
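Separately from the registration problem, the configuration posted twice in this thread carries settings a reviewer would flag before trusting the tunnel with voice traffic: esp-des with esp-md5-hmac, hash md5 in the IKE policy, set pfs group1, an IKE policy that names no encryption or group (IOS then defaults to DES and DH group 1), the pre-shared key visible in show run together with no service password-encryption, telnet on the VTY lines, ip http server and ip source-route. The Python below is an added example, not code from the thread or from Cisco; it pattern-matches show run text for those settings and runs against an excerpt assembled from the page's own configuration lines, so the same checks can be repeated on any IOS config dump. The rule list and the default-value checks are this example's own, and whether "sha256" or "esp-aes" is available depends on the image.

```python
"""Static review of the IOS configuration posted above.  Added example, not
code from the page or from Cisco; it pattern-matches show-run text for the
settings a reviewer would flag before trusting this tunnel with voice traffic.
The IKE defaults it assumes (DES and DH group 1 when an isakmp policy omits
'encryption' and 'group') are IOS behaviour."""
import re

# (finding id, regex tested against each config line, note)
LINE_RULES = [
    ("ipsec-des", r"^crypto ipsec transform-set \S+ .*\besp-des\b",
     "ESP uses single DES; use esp-aes with esp-sha-hmac"),
    ("ike-md5", r"^\s*hash md5\b",
     "IKE integrity is MD5; use sha (sha256 where the image supports it)"),
    ("pfs-group1", r"^\s*set pfs group1\b",
     "PFS uses 768-bit DH group 1; use group 14 or stronger"),
    ("psk-in-config", r"^crypto isakmp key \S+ address \S+",
     "pre-shared key readable in the config (type 7 would only obfuscate it)"),
    ("no-password-encryption", r"^no service password-encryption\b",
     "type 7 obfuscation disabled; keys and passwords appear verbatim"),
    ("telnet-enabled", r"^\s*transport input .*\btelnet\b",
     "Telnet accepted on VTY lines; use 'transport input ssh'"),
    ("http-server", r"^ip http server\b",
     "plaintext HTTP management enabled alongside HTTPS"),
    ("source-route", r"^ip source-route\b",
     "IP source routing honoured; 'no ip source-route' is the usual baseline"),
]
POLICY_SUBCOMMANDS = {"encryption", "hash", "authentication", "group", "lifetime"}

def _policy_blocks(lines):
    """Yield (line number, list of sub-command word lists) per isakmp policy.
    Works whether sub-commands are indented (real show run) or not (as pasted
    in the thread); blank lines are ignored."""
    start, body = None, []
    for n, line in enumerate(lines, 1):
        words = line.split()
        if not words:
            continue
        if line.startswith("crypto isakmp policy "):
            if start is not None:
                yield start, body
            start, body = n, []
        elif start is not None and (line[0].isspace() or words[0] in POLICY_SUBCOMMANDS):
            body.append(words)
        elif start is not None:
            yield start, body
            start, body = None, []
    if start is not None:
        yield start, body

def audit(config_text):
    """Return findings as dicts: id, line, text, note."""
    lines = config_text.splitlines()
    findings = []
    for n, line in enumerate(lines, 1):
        for fid, pattern, note in LINE_RULES:
            if re.search(pattern, line):
                findings.append({"id": fid, "line": n, "text": line.strip(), "note": note})
    for n, body in _policy_blocks(lines):
        keywords = {words[0] for words in body}
        for key, fid, note in (
            ("encryption", "ike-default-des", "no 'encryption': IKE falls back to DES"),
            ("group", "ike-default-group1", "no 'group': IKE falls back to DH group 1"),
        ):
            if key not in keywords:
                findings.append({"id": fid, "line": n, "text": lines[n - 1].strip(), "note": note})
    return findings

def finding_ids(config_text):
    return sorted({f["id"] for f in audit(config_text)})

# Excerpt of the Remote_R configuration posted in this thread (not the whole
# config); the pre-shared key is the one shown on the page.
POSTED_CONFIG = """\
no service password-encryption
hostname Remote_R
ip source-route
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key 1voice1 address 192.168.10.2
!
crypto ipsec transform-set voice_set esp-des esp-md5-hmac
crypto map voice 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set voice_set
 set pfs group1
 match address voice
!
ip http server
ip http secure-server
line vty 0 4
 access-class 23 in
 transport input telnet ssh
"""

if __name__ == "__main__":
    for f in audit(POSTED_CONFIG):
        print(f"line {f['line']:>3}  {f['id']:<24} {f['text']}\n      {f['note']}")
```

Against the excerpt the script reports ten findings. A policy written as "encryption aes 256 / hash sha256 / group 14" with "transport input ssh" on the VTY lines produces none, which is the shape to aim for once the phones register.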

Re: firewall on router

Guys, can you look at this config? The VPN is up but I can't register the Avaya IP phone.

Re: firewall on router

Also, I have tried replacing all the lines in ACL voice with "permit ip any any" on both sides; still not registered... So ACL voice is not under suspicion. What can block H.323 traffic?


Re: firewall on router

Hi Bekzod,

I am not sure if your issue has been resolved or not. When you said you removed the firewall, did the phone register normally?

Anyway, I just wanted to suggest that when I have such problems, where I am not sure what rule to add to make the application work, I log the ACL deny rule so I can look into what traffic is being dropped and the port number details. That way I can put a permit rule just before the deny so the application can pass through.

I did not see logging of the ACL in your case, so you could probably try that out and check for the dropped packets in the log.

HTH.

Regards,

Mohit

Re: firewall on router

Nope, after I removed the firewall nothing changed... I knew that by default the firewall is off, but Avaya tech support advised trying fixup and no fixup to see what would happen. Nothing happened.

I have no idea. ACLs with UDP and TCP ports 1718-1720 are open, no firewall rules, routing is up, VPN is up, the IP phone is able to download the txt file from the TFTP server located on the IP Office 500 but can't register... No idea. I tried replacing it with a new 1606 IP phone but that is even worse; it can't even get an IP from the DHCP configured on the local router

(the old 5610 IP phone was able to get an IP and the proper VLAN but can't register on the IPO)...


Re: firewall on router

I am not a voice person, but I am assuming that the IP Office 500 is your call manager. If yes, just to confirm: is the IP of the TFTP server on the IP Office 500 the same one you should be using for registering your phone, and is that the one you are using?

Do the same model phones which are local to the server register smoothly?

Re: firewall on router

Hi, yes, the IP Office 500 is the call manager and the IP of the TFTP is the same as the IP of the call manager (IP Office 500).

Re: firewall on router

Yes, I have successfully registered an IP phone locally on this router before; then I put in the second router and set up the IPsec VPN between them...

Re: firewall on router

and through the IPsec VPN it doesn't come up...


Re: firewall on router

Hi,

I see that you don't have the firewall running, but there are still ACLs, and they may block some genuine traffic; we need to watch out for that.

Could you try this:

First of all, clear the counters on your ACLs

and then make sure you log all deny statements in all ACLs (e.g., in all ACLs have this as the last line: "deny ip any any")

Finally, try registering a phone again... and when it has died...

on the router at the phone end...

run the following commands:

"sho access-lists" and also "show log"

Can you paste that output to me?

Re: firewall on router

Thank you for the replies. I finally did it. The problem was that none of us, and not even Avaya support, knew that one needs to register a remote IP phone on the external IP address of the IP Office, the WAN interface. So if you have local phones you need to register them on the LAN interface, otherwise on the WAN IP. I just changed the call server IP on the IP phone to the WAN IP and finita la commedia.

1065 Views, 0 Helpful, 20 Replies