Forwarding Range of UDP Ports, Cisco 870

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Forwarding Range of UDP Ports, Cisco 870

    I feel like this has probably been asked a thousand times over, but it doesn't seem to work for me. TCP works fine. I can't find any definitive answers; I'm still a novice with the IOS.

    The purpose behind opening the ranges of UDP ports to the interface and forwarding is because the people in question want to run a VOIP phone from their home, but they have a home grade Internet connection, so therefore no static IP. Also, they're not going to pay for a router to create a S2S VPN.


    Also, from one of the remote sites for which there is a VPN (the 192.168.6.X/24 site), the audio is only one way. The phone guy says "I need to open ports both ways through the VPN", but I feel like that's already been done?

    For my other site (192.168.15.0/24) I have an IPSEC over GRE tunnel going; I don't know about the status of the voice phone there, or if it's even made it there.




    I don't think the route-map option will work for me because the VOIP system has multiple private ip addresses/NIC's that it listens on.



    IOS version is: Version 12.4(15)T7


    Here's my config. I'm redacting things like public IPs, VPN keys, and the like.



    #show run
    Building configuration...

    Current configuration : 6525 bytes
    !
    ! Last configuration change at 14:51:00 EST Wed Jan 2 2013 by ctouch
    ! NVRAM config last updated at 14:57:46 EST Wed Jan 2 2013 by ctouch
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname XXXXX
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    no logging console
    !
    no aaa new-model
    clock timezone EST -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    !
    crypto pki trustpoint TP-self-signed-2607594268
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2607594268
    revocation-check none
    rsakeypair TP-self-signed-2607594268
    !
    !
    crypto pki certificate chain TP-self-signed-2607594268
    certificate self-signed 02
    quit
    dot11 syslog
    ip cef
    !
    !
    ip dhcp excluded-address 192.168.2.101 192.168.2.254
    ip dhcp excluded-address 192.168.2.1 192.168.2.49
    !
    !
    ip domain name
    !
    multilink bundle-name authenticated
    !
    !

    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 2
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 3
    authentication pre-share
    crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXx
    crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set CTLVPNSET esp-3des esp-sha-hmac
    crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    !
    crypto ipsec profile VTI
    set transform-set TSET
    !
    !
    crypto map CTMAP 1 ipsec-isakmp
    set peer XXXXXXXXXXXXXX
    set transform-set CTLVPNSET
    match address VPNACL
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    interface Tunnel0
    ip address 10.254.0.9 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1360
    tunnel source XXXXXXXXXXXXXXXXXX
    tunnel destination XXXXXXXXXXXXXXXXXX
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    description $ES_WAN$
    ip address XXXXXXXXXXXXXXXXXXXX
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map CTMAP
    !
    interface Vlan1
    description internal LAN
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 XXXXXXXXXXXXXXXXXXXX
    ip route 192.168.15.0 255.255.255.0 Tunnel0
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat pool SERVER 192.168.0.2 192.168.0.2 netmask 255.255.255.0 type rotary
    ip nat pool PHONE1 192.168.0.201 192.168.0.201 netmask 255.255.255.0 type rotary
    ip nat pool PHONE2 192.168.0.202 192.168.0.202 netmask 255.255.255.0 type rotary
    ip nat pool PHONE3 192.168.0.203 192.168.0.203 netmask 255.255.255.0 type rotary
    ip nat inside source list 100 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
    ip nat inside destination list PHONE1 pool PHONE1
    ip nat inside destination list PHONE2 pool PHONE2
    ip nat inside destination list PHONE3 pool PHONE3
    ip nat inside destination list SERVER pool SERVER
    !
    ip access-list extended NAT
    deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
    permit ip 192.168.0.0 0.0.0.255 any
    ip access-list extended NAT2
    deny ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
    permit ip 192.168.0.0 0.0.0.255 any
    ip access-list extended PHONE1
    permit tcp any any range 6000 6001
    permit udp any any range 6000 6001
    permit tcp any any eq 9000
    permit tcp any any eq 5090
    permit udp any any eq 5090
    permit tcp any any eq 5003
    permit udp any any eq 5003
    permit udp any any eq 9000
    ip access-list extended PHONE2
    permit udp any any range 30000 30031
    permit udp any any range 40000 40159
    ip access-list extended PHONE3
    permit tcp any any eq telnet
    ip access-list extended SERVER
    permit tcp any any eq 443
    permit tcp any any eq 987
    permit tcp XXXXXXXXXXXXXX 0.0.0.31 host XXXXXXXXXXXXXXXX eq smtp

  • #2
    Re: Forwarding Range of UDP Ports, Cisco 870

    One way audio is usually a filtering issue. Make sure your crypto ACL matches the voip traffic in both directions as only traffic matched is encrypted and sent over the tunnel.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Forwarding Range of UDP Ports, Cisco 870

      thanks for the reply!

      would

      ip access-list extended VPNACL
      permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255


      not cover it?

      Does permit ip command not include UDP?

      I'll check the other side of the tunnel today. Any word on forwarding UDP?



      • #4
        Re: Forwarding Range of UDP Ports, Cisco 870

        Yeah, that ACL covers anything 192.168.0.0/24 going to 192.168.6.0/24. Permit ip includes everything: ip/tcp/udp etc.


        Also, when dealing with GRE tunnels your traffic would be encapsulated with the GRE header after encryption, so you would match on GRE traffic in your ACLs (protocol 47). There really isn't a reason to run GRE tunnels anymore, as you incur more overhead. If you need a routable interface you could just use an ip in ip tunnel and save the 8 bytes per packet.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Forwarding Range of UDP Ports, Cisco 870

          Thanks for the advice.

          The site in question (192.168.6.0/24), where the issue with the one-way call exists, is not where the IPSEC over GRE tunnel exists.

          I will check the other side, but I'm fairly certain the ACL is correct there as well. I'm able to ping both ways through the VPN; fair assumption?

          Now, what I will say is that the tech who set up the router at the other site (about an hour away) had to double NAT the router. Could that be the cause?



          • #6
            Re: Forwarding Range of UDP Ports, Cisco 870

            Double NAT could be an issue. Best to avoid that if possible. What are you using for the call management system? Cisco UCM? Some other software? RTP has a very wide range of dynamic UDP ports (16384-32767); I usually open that whole range up, as it's dynamic.


            Here is a good link for troubleshooting one-way audio with Cisco VoIP:

            http://www.cisco.com/en/US/tech/tk65...8009484b.shtml
            Last edited by auglan; 7th January 2013, 20:11.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
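            As an added check (not code from the thread or from Cisco), a small Python script that reads the rotary-pool and destination-list lines of the posted config and reports which ports in a range, such as the RTP range given above, would not be forwarded to any inside host. The config excerpt is constructed from the thread's own NAT lines; everything else from the router is omitted.

```python
import re

# Constructed excerpt of the NAT lines from the config posted in this thread
# (pool names, inside IPs and ports are the thread's own; the rest is omitted).
CONFIG = """
ip nat pool PHONE1 192.168.0.201 192.168.0.201 netmask 255.255.255.0 type rotary
ip nat pool PHONE2 192.168.0.202 192.168.0.202 netmask 255.255.255.0 type rotary
ip nat inside destination list PHONE1 pool PHONE1
ip nat inside destination list PHONE2 pool PHONE2
ip access-list extended PHONE1
 permit tcp any any range 6000 6001
 permit udp any any range 6000 6001
 permit udp any any eq 5090
ip access-list extended PHONE2
 permit udp any any range 30000 30031
 permit udp any any range 40000 40159
"""

POOL = re.compile(r"ip nat pool (\S+) (\S+) \S+ netmask \S+ type rotary")
DEST = re.compile(r"ip nat inside destination list (\S+) pool (\S+)")
ACL = re.compile(r"ip access-list extended (\S+)")
RULE = re.compile(r"permit (tcp|udp) any any (?:eq (\d+)|range (\d+) (\d+))")

def parse_forwards(config):
    """Map each rotary pool to (inside IP, {(proto, low, high)}) via its destination list."""
    pools, lists, acls, current = {}, {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := POOL.match(line):
            pools[m[1]] = m[2]
        elif m := DEST.match(line):
            lists[m[2]] = m[1]          # pool name -> ACL that selects traffic for it
        elif m := ACL.match(line):
            current = m[1]
            acls[current] = set()
        elif (m := RULE.match(line)) and current:
            proto, eq, lo, hi = m.groups()
            lo, hi = (int(eq), int(eq)) if eq else (int(lo), int(hi))
            acls[current].add((proto, lo, hi))
    return {p: (ip, acls.get(lists.get(p), set())) for p, ip in pools.items()}

def uncovered(forwards, proto, lo, hi):
    """Ports in [lo, hi] for proto that no rotary pool forwards to an inside host."""
    covered = set()
    for _, rules in forwards.values():
        for p, a, b in rules:
            if p == proto:
                covered.update(range(max(a, lo), min(b, hi) + 1))
    return sorted(set(range(lo, hi + 1)) - covered)
```

Run against this excerpt, `uncovered(parse_forwards(CONFIG), "udp", 16384, 32767)` shows that only 30000-30031 of the RTP range reaches an inside host, which is the kind of gap that produces one-way audio.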



            • #7
              Re: Forwarding Range of UDP Ports, Cisco 870

              Again, thanks for all of the information.

              how about the forwarding of UDP ports?

              This phone system, for some bizarre reason, uses multiple private IP addresses that need various UDP ports forwarded to the individual private IPs.



              • #8
                Re: Forwarding Range of UDP Ports, Cisco 870

                Forwarding UDP should not be an issue, I wouldn't think. What protocol is being used for the voice and call control and setup? If it's RTP, I gave you the range of ports it uses. You need to check logs and run some debugs to see where the issue is (on both ends).
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: Forwarding Range of UDP Ports, Cisco 870

                  I ask about forwarding UDP because they have a VoIP phone they want to run from home, and there will be no S2S VPN between their home and the main office. It's a Samsung OS7200, so I'm researching. The phone guy doesn't know much about IP telephony, so he's not much help; I'm just trying to forward the ports he suggested.



                  • #10
                    Re: Forwarding Range of UDP Ports, Cisco 870

                    UDP forwarding should be fine with or without a VPN. The problem is that if this is done over a standard Internet connection you may run into call quality issues, as you have no SLA with your ISP. Make sure you prioritize your voice traffic. Will there be some form of authentication in place for the endpoints? I wouldn't run any voice over the Internet if there isn't some form of authentication/security in place.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)



                    • #11
                      Re: Forwarding Range of UDP Ports, Cisco 870

                      Is the config correct for forwarding of UDP ports?



                      • #12
                        Re: Forwarding Range of UDP Ports, Cisco 870

                        As long as you have the required ports used by the application, then yes, it looks fine.
                        CCNA, CCNA-Security, CCNP
                        CCIE Security (In Progress)
