Firewall issues passing traffic between VoIP switches.

SGregg · March 28, 2012, 7:26pm

Hello All,

I have replaced a failed router with an RB-750G. It’s sole task is to route network traffic between two network segments.
I configured IP’s to the interfaces and NAT. It has been working fine for all traffic so far. Today I installed a new ShoreTel VoIP switch on the “other” segment and it is failing to communicate with the primary switch on this segment. I can Ping one switch from the other & back. It appears that we are routing & passing ICMP back & forth but the switches wont talk. The manufacturer had me try a “lsp_ping” which failed. Thier conclusion was that I have a network issue. The only device between the two switches is the RB750 so I assumed that it was blocking traffic. I looked at the firewall settings and found what appear to be default rules in place. One by one I removed them all but it made no difference. I can still pass a variety of traffic between the two segments but apparently not “LSP”. The vendor did give me a list of UDP ports that must be open (5004, 5440-5445). If I have no firewall rules in place I am not sure what else to do to insure that this traffic will pass.

Any suggestions would be appreciated.

Stephen

SGregg · March 28, 2012, 9:59pm

Well I reset the router to default, added IP’s for the two interfaces, set a gateway and enabled masquerading. Still doesn’t work.

I also tried moving the VoIP switch from the 10.7.0.0 network to the 10.7.3.0 network, changed the IP & gateway and tested. It worked fine.

I moved it back to the 10.7.0.0 ntework & changed IP back. Same failure.

Any suggestions? Maybe the masquerading has something to do with it???

SGregg · March 29, 2012, 2:22pm

Anyone??

biomesh · March 29, 2012, 2:54pm

Have you tried the config without masquerading?

Have you tried torch or the packet sniffer to look at traffic between subnets? Lan traces can help identify issues you normally see.

JJCinAZ · March 29, 2012, 2:57pm

If you’re just routing traffic between network segments, then you shouldn’t be using any NAT. It sounds like issues with NAT and misunderstanding of the VoIP protocols involved. Assuming you’re using SIP, you cannot just “open ports” to get things to work. SIP is just call control. There are also the protocols used to carry the voice, video, or data being described in the SDP package of the SIP messages, e.g. RTP, RTCP, UDPTL, etc.

SGregg · March 29, 2012, 3:46pm

I have and I see TCP traffic but no UDP at all.

SGregg · March 29, 2012, 3:50pm

Primary protocol is MGCP. Need to pass UDP 5004 (media stream) and 5440-5445 (call control). If not NAT can you suggest the correct configuration?

Thanks

SGregg · March 29, 2012, 4:27pm

I am pouring over documentation and loosing IQ points by the minute. At this rate I had better cancel my appearance on “Are you smarter than a 5th grader?”…

I am looking at disabling NAT (which has been meeting our need until now) and implimenting static routes. Should be rather simple but I have managed to confuse myself to the point that I am not getting there.

10.7.3.0/24----[10.7.3.1(ether2)-Mikrotik-(ether1)-10.7.0.4]-----10.7.0.0/24-----[10.7.0.1-Cisco ASA-201.201.201.1]----Internet

Cisco ASA contains static route 10.7.3.0/24 - 10.7.0.4GW

biomesh · March 29, 2012, 5:04pm

If the 750G is the router between subnets, you don’t need any nat or firewall for routing. If you assign each interface an address, you will get a “dynamic” static route added.

i.e.

/ip address add address=10.7.0.2/24 disabled=no interface=ether2 network=10.7.0.0
/ip address add address=10.7.3.2/24 disabled=no interface=ether3 network=10.7.3.0

and this will result in(disregard the ether1):

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 ether1 1
1 ADC 10.7.0.0/24 10.7.0.2 ether2 0
2 ADC 10.7.3.0/24 10.7.3.2 ether3 0

If your devices are set to the router addresses as the default gw (10.7.X.2) then you should have no issues routing between subnets. If you have connectivity elsewhere, then add an address to another interface and you can set that as the default gw (0.0.0.0/0) so that any you can connect to any non directly connected network.

biomesh · March 29, 2012, 5:11pm

Try:

/ip address add address=10.7.0.4/24 disabled=no interface=ether1 network=10.7.0.0
/ip address add address=10.7.3.1/24 disabled=no interface=ether2 network=10.7.3.0

/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.7.0.1 scope=30 target-scope=10

Make sure your VOIP switches point to the 750G addresses and not the cisco as the default GW - otherwise it won’t work without a route added to the cisco device(one that tells cisco that 10.7.0.4 can route the 10.7.3.0 network). ** I see this route was already added

SGregg · March 29, 2012, 5:28pm

biomesh:

If the 750G is the router between subnets, you don’t need any nat or firewall for routing. If you assign each interface an address, you will get a “dynamic” static route added.

i.e.

/ip address add address=10.7.0.2/24 disabled=no interface=ether2 network=10.7.0.0
/ip address add address=10.7.3.2/24 disabled=no interface=ether3 network=10.7.3.0

and this will result in(disregard the ether1):

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 ether1 1
1 ADC 10.7.0.0/24 10.7.0.2 ether2 0
2 ADC 10.7.3.0/24 10.7.3.2 ether3 0

If your devices are set to the router addresses as the default gw (10.7.X.2) then you should have no issues routing between subnets. If you have connectivity elsewhere, then add an address to another interface and you can set that as the default gw (0.0.0.0/0) so that any you can connect to any non directly connected network.

Thank you for your reply.

I am not sure I understand what your are explaining. My network is as follows:

Network A: 10.7.3.0/24
Gateway: 10.7.3.1

Network B: 10.7.0.0/24
Gateway: 10.7.0.1

Internet via Network B router

10.7.3.0/24----[10.7.3.1(ether2)-Mikrotik-(ether1)-10.7.0.4]-----10.7.0.0/24-----[10.7.0.1-Cisco ASA-201.201.201.1]----Internet

Current Routing table:

[admin@MikroTest] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADC 10.7.0.0/24 10.7.0.4 ether1 0
1 ADC 10.7.3.0/24 10.7.3.1 ether2 0
[admin@MikroTest] >

I expect I should have:

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADC 0.0.0.0/24 0.0.0.0 10.7.0.1 0

SGregg · March 29, 2012, 5:34pm

I am a little slow. I was typing my response to your first post when you posted the second. I now have:

[admin@MikroTest] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 S 0.0.0.0/0 10.7.0.1 1
1 ADC 10.7.0.0/24 10.7.0.4 ether1 0
2 ADC 10.7.3.0/24 10.7.3.1 ether2 0
[admin@MikroTest] >

Is this correct?

biomesh · March 29, 2012, 5:42pm

That looks okay to me. Make sure no NAT or firewall rules are enabled. If you want them added later - test connectivity without them first then add rules slowly and test often. If this is an internal network - no nat or firewall rules will be needed.

SGregg · March 29, 2012, 5:51pm

OK.

I have just the two IP addresses applied and allowed dynamic routs to be applied then added default route. Tried changing gateway on voice switch(B) from 10.7.0.4 to 10.7.0.1 (do have route in Cisco 10.7.3.0/24—>10.7.0.4).

I am passing traffic from A to B and A to Internet via B. All good except voice switch B cannot ping anything on network A or see voice switch A.

Also, no NAT and no firewall rules.

biomesh · March 29, 2012, 6:04pm

Are the voip devices connected directly to the 750G or are they connected to a switch?

Can any other device on the 10.7.0 network connect to 10.7.3.x network via 10.7.0.1 as a default gw?

SGregg · March 29, 2012, 8:47pm

Had to check on that…

No I can’t. Looks like the trouble may in the Access Control rules in the Cisco. The route is there and I can ping 10.7.3.x hosts from the Cisco but not from other hosts on the 10.7.0.x network. I tried the Packet Tracer function in ASDM and it fails on the second pass through the ACL when trying to route traffic to 10.7.0.4.

SGregg · March 30, 2012, 1:51pm

Biomesh,

Thanks for your help on this. I really appreciate you taking the time to give a hand. Looks like the root problem is with my Cisco gear.

How are you on Cisco ASA

Take care

Stephen

biomesh · March 30, 2012, 2:21pm

Not a cisco person, but if the voip devices just need to communicate with each other, you should just be able to change the default gw of each device to the RB750. The RB750 will route traffic between voip devices. If all devices on the network need to connect to the voip devices on both subnets, you will either have to fix the ASA or change the default GW for the 10.7.0.0 network for all devices to point to 10.7.0.4. I’m not sure how much traffic you have and if the 750 will be able to handle it, but it is an option.

SGregg · April 3, 2012, 12:14am

I need for VoIP devices on several routed segments to communicate with each other so I should get the Cisco issue resolved.

For initial testing I set the switch on teh 10.7.0.0 network with 10.7.0.4 as gateway and it could ping the switch on the 10.7.3.0 network but could not pass UDP traffic. With all of my tinkering I managed to break that as well. When I left on Friday I could not get the switches to see each other in any way. This morning I come in and they are working fine… There was a power failure at the 10.7.3.0 facility that lasted longer than my UPS’s.

I hate mystery fixes…

Still need to fix the ACL issue. Any ASA wizards out there?