Unconfigured Ad Widget

Collapse

Cisco firewall guys, another question...

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • WiKDMoNKY
    CGN/CGSSA Contributor
    • Jan 2011
    • 506

    Cisco firewall guys, another question...

    I have a client that currently has a RV082 and I am moving them over to a RV325, but I am trying to work out some settings issues on the RV082 first.

    They have a Fonality SIP/VOIP phone system that has been attacked a few times lately which totally brings down the phone server. I spoke to Fonality support and they told me I need to whitelist the VOIP/SIP ports to only allow traffic from the ISP (http://help.fonality.com/Troubleshoo...urity_Settings). I created a couple of access rules as they told me/the faq explained and the phones stopped working. The phone system works fine when I forward ports 5060 and 10000-20000 to the internal phone server IP address, but as soon as I enable 2 access rules, the system stops working. I noticed in the logs, I am getting internal connections refused when the access rules are enabled, so I decided to add access rules for the LAN to WAN, still no go. What am I missing? Do I have them out of order? Do I need to remove one of the default deny rules?



    Thank you for any guidance!
    NRA, SAF, GOA GET INVOLVED NOW OR DON'T COMPLAIN LATER!

    "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." Benjamin Franklin 1818

    "A free people ought not only to be armed and disciplined, but they should have sufficient arms and ammunition to maintain a status of independence from any who might attempt to abuse them, which would include their own government." George Washington 1790
  • #2
    jmlivingston
    Moderator Emeritus
    CGN Contributor - Lifetime
    • Oct 2005
    • 5095

    The VoIP that you're trying to allow through the firewall, is that from an internet-based VoIP provider or is it for remote phones?

    How do you have the various services defined? The screenshot you showed doesn't really show that very well.

    Was the phone system setup to handle the NAT? You can't just NAT sip traffic as it carries port information in the packet data. Either the firewall has to be able to inspect the packet and rewrite it or the server has to be able to handle it correctly.

    Comment

    • #3
      WiKDMoNKY
      CGN/CGSSA Contributor
      • Jan 2011
      • 506

      We have the Fonality phone server local at our office and we will have 1 remote phone in the near future. I have brought a phone home with me and was able to work with the server remotely when the ports are forwarded, but when I enable the access rules (and disable forwarding), it all stops working. No NAT'ing that I know of.


      Here is a screenshot of the forwards/services




      Originally posted by jmlivingston
      The VoIP that you're trying to allow through the firewall, is that from an internet-based VoIP provider or is it for remote phones?

      How do you have the various services defined? The screenshot you showed doesn't really show that very well.

      Was the phone system setup to handle the NAT? You can't just NAT sip traffic as it carries port information in the packet data. Either the firewall has to be able to inspect the packet and rewrite it or the server has to be able to handle it correctly.
      Last edited by WiKDMoNKY; 08-26-2014, 7:02 AM.
      NRA, SAF, GOA GET INVOLVED NOW OR DON'T COMPLAIN LATER!

      "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." Benjamin Franklin 1818

      "A free people ought not only to be armed and disciplined, but they should have sufficient arms and ammunition to maintain a status of independence from any who might attempt to abuse them, which would include their own government." George Washington 1790

      Comment

      • #4
        ocabj
        Calguns Addict
        • Oct 2005
        • 7924

        When you see the dropped packets in the logs, what IP are they coming from? Does that IP match the allow rule for source?

        Distinguished Rifleman #1924
        NRA Certified Instructor (Rifle and Metallic Cartridge Reloading) and RSO
        NRL22 Match Director at WEGC

        https://www.ocabj.net

        Comment

        • #5
          ocabj
          Calguns Addict
          • Oct 2005
          • 7924

          Note that in your screen cap, rules 3 and 4 are kind of redundant since you have that 5th rule which allows all internal LAN traffic regardless of port.

          Distinguished Rifleman #1924
          NRA Certified Instructor (Rifle and Metallic Cartridge Reloading) and RSO
          NRL22 Match Director at WEGC

          https://www.ocabj.net

          Comment

          • #6
            WiKDMoNKY
            CGN/CGSSA Contributor
            • Jan 2011
            • 506

            They are internal IP's that show connection refused. That is what I don't understand. When I disable the access rules, I don't see any connections refused errors in the logs.

            RV082 System log

            Aug 26 0411 2014 Connection Refused - Policy violation TCP 192.168.16.152:64271->192.168.16.10:5222 on ixp0
            Aug 26 0411 2014 Authentication Success HTTP Basic authentication succeeded for user: admin
            Aug 26 0439 2014 Connection Refused - Policy violation UDP 192.168.16.20:1127->239.255.255.250:1900 on ixp0
            Aug 26 0441 2014 Authentication Success HTTP Basic authentication succeeded for user: admin
            Aug 26 0454 2014 Connection Accepted UDP 198.101.xx.xx:5060->192.168.16.10:5060 on ixp1
            Aug 26 0454 2014 Connection Accepted UDP 198.101.xx.xx:5060->192.168.16.10:5060 on ixp1
            Aug 26 0458 2014 Connection Accepted UDP 198.101.xx.xx:21847->192.168.16.10:17089 on ixp1
            Aug 26 0411 2014 Authentication Success HTTP Basic authentication succeeded for user: admin
            Aug 26 0531 2014 Connection Refused - Policy violation TCP 192.168.16.10:5222->192.168.16.186:54167 on ixp0
            Aug 26 0538 2014 Authentication Success HTTP Basic authentication succeeded for user: admin
            Aug 26 0538 2014 Authentication Success HTTP Basic authentication succeeded for user: admin
            Aug 26 0554 2014 Connection Refused - Policy violation UDP 192.168.16.137:65299->224.0.0.252:5355 on ixp0
            Aug 26 0501 2014 Authentication Success HTTP Basic authentication succeeded for user: admin
            Aug 26 0501 2014 Authentication Success HTTP Basic authentication succeeded for user: admin
            Aug 26 0506 2014 Connection Refused - Policy violation UDP 192.168.16.137:137->192.168.16.255:137 on ixp0
            Aug 26 0512 2014 Authentication Success HTTP Basic authentication succeeded for user: admin

            RV082 Incoming Log

            Aug 26 0439 2014 Connection Refused - Policy violation UDP 192.168.16.20:1127->239.255.255.250:1900 on ixp0
            Aug 26 0454 2014 Connection Accepted UDP 198.101.xx.xx:5060->192.168.16.10:5060 on ixp1
            Aug 26 0454 2014 Connection Accepted UDP 198.101.xx.xx:5060->192.168.16.10:5060 on ixp1
            Aug 26 0458 2014 Connection Accepted UDP 198.101.xx.xx:21847->192.168.16.10:17089 on ixp1
            Aug 26 0458 2014 Connection Accepted UDP 198.101.xx.xx:21847->192.168.16.10:17089 on ixp1
            Aug 26 0531 2014 Connection Refused - Policy violation TCP 192.168.16.10:5222->192.168.16.186:54167 on ixp0
            Aug 26 0531 2014 Connection Refused - Policy violation TCP 192.168.16.10:5222->192.168.16.186:54167 on ixp0
            Aug 26 0531 2014 Connection Refused - Policy violation TCP 192.168.16.10:5222->192.168.16.186:54167 on ixp0
            Aug 26 0554 2014 Connection Refused - Policy violation UDP 192.168.16.137:65299->224.0.0.252:5355 on ixp0
            Aug 26 0554 2014 Connection Refused - Policy violation UDP 192.168.16.137:65299->224.0.0.252:5355 on ixp0
            Aug 26 0554 2014 Connection Refused - Policy violation UDP 192.168.16.137:65299->224.0.0.252:5355 on ixp0
            Aug 26 0506 2014 Connection Refused - Policy violation UDP 192.168.16.137:137->192.168.16.255:137 on ixp0
            Aug 26 0506 2014 Connection Refused - Policy violation UDP 192.168.16.137:137->192.168.16.255:137 on ixp0
            Aug 26 05:15:50 2014 Connection Refused - Policy violation UDP 192.168.16.148:53107->224.0.0.252:5355 on ixp0
            Aug 26 05:15:50 2014 Connection Refused - Policy violation UDP 192.168.16.148:53107->224.0.0.252:5355 on ixp0
            Aug 26 05:15:50 2014 Connection Refused - Policy violation UDP 192.168.16.148:53107->224.0.0.252:5355 on ixp0
            Aug 26 05:15:59 2014 Connection Refused - Policy violation UDP 192.168.16.20:1127->239.255.255.250:1900 on ixp0
            Aug 26 05:15:59 2014 Connection Refused - Policy violation UDP 192.168.16.20:1127->239.255.255.250:1900 on ixp0
            Aug 26 05:16:21 2014 Connection Refused - Policy violation UDP 192.168.16.137:61740->224.0.0.252:5355 on ixp0
            Aug 26 05:16:21 2014 Connection Refused - Policy violation UDP 192.168.16.137:61740->224.0.0.252:5355 on ixp0



            Originally posted by ocabj
            When you see the dropped packets in the logs, what IP are they coming from? Does that IP match the allow rule for source?
            Last edited by WiKDMoNKY; 08-26-2014, 7:45 AM.
            NRA, SAF, GOA GET INVOLVED NOW OR DON'T COMPLAIN LATER!

            "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." Benjamin Franklin 1818

            "A free people ought not only to be armed and disciplined, but they should have sufficient arms and ammunition to maintain a status of independence from any who might attempt to abuse them, which would include their own government." George Washington 1790

            Comment

            • #7
              WiKDMoNKY
              CGN/CGSSA Contributor
              • Jan 2011
              • 506

              I was trying anything to get it to work and I knew it was redundant, but I was reading somewhere to try adding them.

              Originally posted by ocabj
              Note that in your screen cap, rules 3 and 4 are kind of redundant since you have that 5th rule which allows all internal LAN traffic regardless of port.
              Last edited by WiKDMoNKY; 08-26-2014, 7:45 AM.
              NRA, SAF, GOA GET INVOLVED NOW OR DON'T COMPLAIN LATER!

              "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." Benjamin Franklin 1818

              "A free people ought not only to be armed and disciplined, but they should have sufficient arms and ammunition to maintain a status of independence from any who might attempt to abuse them, which would include their own government." George Washington 1790

              Comment

              • #8
                Mute
                Calguns Addict
                • Oct 2005
                • 8566

                Without looking more in depth at the admin interface, based on the log it looks like it uses a range of ports for the service, not just the 5060 port. Also, does the setup allow you to choose the port types (TCP, UDP...etc), or does it only let you choose the port number/range? I suggest looking at your log and setting the forwarding to cover the entire range that are shown for policy violations for the specific IPs and ports listed.
                NRA Benefactor Life Member
                NRA Certified Pistol, Rifle, Personal Protection In The Home, Personal Protection Outside The Home Instructor, CA DOJ Certified CCW Instructor, RSO


                American Marksman Training Group
                Visit our American Marksman Facebook Page

                Comment

                • #9
                  ocabj
                  Calguns Addict
                  • Oct 2005
                  • 7924

                  Based on the drop errors, it looks like the 192.168. is getting blocked.

                  I assumed 192.168 was your 'LAN' subnet, which would be covered by rule 5.

                  You can try creating an explicit allow any from the 192.168.0.0/16 to the 192.168.0.0/16 (or whatever mask is appropriate that defines your internal network) to see if that solves the issue.

                  Distinguished Rifleman #1924
                  NRA Certified Instructor (Rifle and Metallic Cartridge Reloading) and RSO
                  NRL22 Match Director at WEGC

                  https://www.ocabj.net

                  Comment

                  • #10
                    jmlivingston
                    Moderator Emeritus
                    CGN Contributor - Lifetime
                    • Oct 2005
                    • 5095

                    I'd be shocked if you aren't using NAT, especially since you have 192.168.x.x IP addresses and you're connecting from home. Presumably that connection you're making is coming over the internet, where 192.168.0.0 addresses are not allowed.

                    Looking at those logs it seems to me like you have an outbound problem. The ixp0 interface referenced in the drops for 192.168.16.10 (the Trixbox server, right?) is the LAN side of the router I believe. Any sort of outbound filters in place?

                    Comment

                    • #11
                      WiKDMoNKY
                      CGN/CGSSA Contributor
                      • Jan 2011
                      • 506

                      Yes, the Fonality server runs on asterick/tribox.

                      I am installing the router this weekend with just the port forwarding like the old router for now. After I get their new domain and 3 servers installed this weekend I will focus on working on the access lists/whitelists next week.

                      Is anyone available to be hired to help me with the whitelist setup?

                      Originally posted by jmlivingston
                      I'd be shocked if you aren't using NAT, especially since you have 192.168.x.x IP addresses and you're connecting from home. Presumably that connection you're making is coming over the internet, where 192.168.0.0 addresses are not allowed.

                      Looking at those logs it seems to me like you have an outbound problem. The ixp0 interface referenced in the drops for 192.168.16.10 (the Trixbox server, right?) is the LAN side of the router I believe. Any sort of outbound filters in place?
                      NRA, SAF, GOA GET INVOLVED NOW OR DON'T COMPLAIN LATER!

                      "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." Benjamin Franklin 1818

                      "A free people ought not only to be armed and disciplined, but they should have sufficient arms and ammunition to maintain a status of independence from any who might attempt to abuse them, which would include their own government." George Washington 1790

                      Comment

                      • #12
                        jmlivingston
                        Moderator Emeritus
                        CGN Contributor - Lifetime
                        • Oct 2005
                        • 5095

                        Send me a PM and let mn know when/where, I am probably available. You're in OC right?

                        Comment

                        Working...
                        UA-8071174-1