Check Point 1100 SIP Configuration and Troubleshooting Dropped the packets due to "Violated Unidirectional Connection" - NETSEC

Saturday, December 9, 2017

Check Point 1100 SIP Configuration and Troubleshooting Dropped the packets due to "Violated Unidirectional Connection"

A request came up for a simple Internet SIP connection to the SIP provider Goldline. The VoIP devices involved in this task are a Cisco AS5350 router and an IP PBX, with a Check Point 1100 firewall protecting the connection.

Topology





Configuration

Cisco Universal Gateway AS5350 
The Cisco AS5300 Series Universal Gateways are the only universal port-ready, one rack-unit (RU) dual T1/E1 gateways that provide carrier-class reliability in a modular design. Service provider data and voice applications are also supported, including:

  • Voice over broadband termination
  • Long distance
  • Prepaid calling card
  • Local access
  • Hosted IP telephony
  • Call center solutions
  • ASP hosting and termination
  • Unified communications
  • Access VPN
  • Dial access
  • TDM switching

r_voip#sh ver
Cisco Internetwork Operating System Software 
IOS (tm) 5350 Software (C5350-IS-M), Version 12.3(10e), RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 18-Aug-05 17:00 by ssearch
Image text-base: 0x60008AFC, data-base: 0x61700000

ROM: System Bootstrap, Version 12.2(1r)1, RELEASE SOFTWARE (fc1)
BOOTLDR: 5350 Software (C5350-BOOT-M), Version 12.2(2)XB2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

r_voip uptime is 20 hours, 11 minutes
System returned to ROM by power-on
System restarted at 14:34:21 EDT Wed Dec 6 2017
System image file is "flash:c5350-is-mz.123-10e.bin"

cisco AS5350 (R7K) processor (revision T) with 262144K/131072K bytes of memory.
Processor board ID JAE0940MBBX
R7000 CPU at 250MHz, Implementation 39, Rev 2.1, 256KB L2, 2048KB L3 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
Primary Rate ISDN software, Version 1.1.
Manufacture Cookie Info:
 EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x32,
 Board Hardware Version 3.35, Item Number 800-5171-02,
 Board Revision D0, Serial Number JAE0940MBBX,
 PLD/ISP Version 2.2,  Manufacture Date 29-Sep-2005.
Processor 0x14, MAC Address 0x0141C3F6F2A
Backplane HW Revision 1.0, Flash Type 5V
2 FastEthernet/IEEE 802.3 interface(s)
54 Serial network interface(s)
60 terminal line(s)
2 Channelized T1/PRI port(s)
512K bytes of non-volatile configuration memory.
65536K bytes of processor board System flash (Read/Write)
16384K bytes of processor board Boot flash (Read/Write)

Configuration register is 0x2102




r_voip#sh run
Building configuration...

Current configuration : 7758 bytes
!
! Last configuration change at 10:42:03 EDT Thu Dec 7 2017 by gi-de
! NVRAM config last updated at 10:44:22 EDT Thu Dec 7 2017 by gi-de
!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec
service password-encryption
!
hostname r_voip
!
boot-start-marker
no boot startup-test
boot-end-marker
!
logging queue-limit 100
logging buffered 4096 debugging
logging console notifications
enable secret 5 $1$AqCc$Yws4cMk4IVz2yPhXrH2Y0
enable password 7 1531031E55393F7526600C72346
!
username yssso password 7 1531031E55393F7526600C72346
username gssss_gl password 7 052C572B7273692526347431B33252E262D2677
username gssss password 7 1069585421445F3D5C55A6A
username tadmin password 7 003001053B7C07393911D5E48
!
!
resource-pool disable
clock timezone EDT -5
spe default-firmware spe-firmware-1
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip name-server 8.8.8.8
!
isdn switch-type primary-dms100
isdn logging
!
voice call send-alert
voice call convert-discpi-to-prog
voice call carrier capacity active
voice rtp send-recv
!
voice service pots 
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
!
voice service voip 
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
 sip
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g711alaw
 codec preference 3 g729r8
!
!
!         
!
!
!
!
!
!
!
fax interface-type fax-mail
!
!
trunk group  ALLT1
 description ALL T1 on the system
!
!
!
controller T1 3/0
 framing esf
 linecode b8zs
 cablelength short 133
 pri-group timeslots 1-24
!
controller T1 3/1
 framing esf
 linecode b8zs
 cablelength short 133
 pri-group timeslots 1-24
!
class-map match-all voip
  match  dscp cs6 
  match not  dscp cs1 
!
!
policy-map QoS_VoIP
  class voip
   set dscp cs1
!
!
!
interface FastEthernet0/0
 description calls to and from Goldline
 ip address 100.100.100.26 255.255.255.0
 service-policy input QoS_VoIP
 service-policy output QoS_VoIP
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 172.16.9.222 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
 clockrate 2000000
!
interface Serial0/1
 no ip address
 shutdown
 clockrate 2000000
!
interface Serial3/0:23
 no ip address
 trunk-group ALLT1
 isdn switch-type primary-dms100
 isdn protocol-emulate network
 isdn incoming-voice modem
 isdn guard-timer 10000
 isdn T306 10000
 isdn T310 40000
 isdn send-alerting
 isdn sending-complete
 isdn channel-id invert extend-bit
 no keepalive
 no fair-queue
 no cdp enable
!
interface Serial3/1:23
 no ip address
 trunk-group ALLT1
 isdn switch-type primary-dms100
 isdn protocol-emulate network
 isdn incoming-voice modem
 isdn guard-timer 10000
 isdn T306 10000
 isdn T310 40000
 isdn send-alerting
 isdn sending-complete
 isdn channel-id invert extend-bit
 no keepalive
 no fair-queue
 no cdp enable
!
interface Async1/00
 no ip address
!
interface Async1/01
 no ip address
!
interface Async1/02
 no ip address
!
interface Async1/03
 no ip address
!
interface Async1/04
 no ip address
!
interface Async1/05
 no ip address
!
interface Async1/06
 no ip address
!
interface Async1/07
 no ip address
!
interface Async1/08
 no ip address
!
interface Async1/09
 no ip address
!
interface Async1/10
 no ip address
!
interface Async1/11
 no ip address
!
interface Async1/12
 no ip address
!
interface Async1/13
 no ip address
!
interface Async1/14
 no ip address
!
interface Async1/15
 no ip address
!
interface Async1/16
 no ip address
!
interface Async1/17
 no ip address
!
interface Async1/18
 no ip address
!
interface Async1/19
 no ip address
!
interface Async1/20
 no ip address
!
interface Async1/21
 no ip address
!
interface Async1/22
 no ip address
!
interface Async1/23
 no ip address
!
interface Async1/24
 no ip address
!
interface Async1/25
 no ip address
!
interface Async1/26
 no ip address
!
interface Async1/27
 no ip address
!
interface Async1/28
 no ip address
!
interface Async1/29
 no ip address
!
interface Async1/30
 no ip address
!
interface Async1/31
 no ip address
!
interface Async1/32
 no ip address
!
interface Async1/33
 no ip address
!
interface Async1/34
 no ip address
!
interface Async1/35
 no ip address
!
interface Async1/36
 no ip address
!
interface Async1/37
 no ip address
!
interface Async1/38
 no ip address
!
interface Async1/39
 no ip address
!
interface Async1/40
 no ip address
!
interface Async1/41
 no ip address
!
interface Async1/42
 no ip address
!
interface Async1/43
 no ip address
!
interface Async1/44
 no ip address
!
interface Async1/45
 no ip address
!
interface Async1/46
 no ip address
!
interface Async1/47
 no ip address
!
interface Async1/48
 no ip address
!
interface Async1/49
 no ip address
!
interface Async1/50
 no ip address
!
interface Async1/51
 no ip address
!
interface Async1/52
 no ip address
!
interface Async1/53
 no ip address
!
interface Async1/54
 no ip address
!
interface Async1/55
 no ip address
!
interface Async1/56
 no ip address
!
interface Async1/57
 no ip address
!
interface Async1/58
 no ip address
!
interface Async1/59
 no ip address
!
interface Group-Async0
 no ip address
 no group-range
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 100.100.100.1
ip route 100.100.100.0 255.255.255.0 FastEthernet0/0
ip route 172.16.9.0 255.255.255.0 FastEthernet0/1
no ip http server
!
!
access-list 1 permit 204.101.238.5
access-list 1 permit 162.248.168.71
access-list 1 permit 162.248.168.74
access-list 1 permit 162.248.168.73
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 1 deny   any
!
!
!
voice-port 3/0:D
!
voice-port 3/1:D
!
!
!
dial-peer voice 1 pots
 trunkgroup ALLT1
 description Incoming calls from Test PRI accept
 incoming called-number .
 direct-inward-dial
!
dial-peer voice 100 voip
 tone ringback alert-no-PI
 description Outgoing calls to Goldline
 huntstop
 preference 1
 destination-pattern ..........T
 progress_ind setup enable 3
 voice-class sip rel1xx disable
 session protocol sipv2
 session target ipv4:162.248.168.71
 dtmf-relay rtp-nte
 fax rate 9600
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
 ip qos dscp cs1 media
 ip qos dscp cs1 signaling
 no vad
!
dial-peer voice 101 voip
 description Incoming calls from Goldline
 incoming called-number ....
 voice-class codec 1
 voice-class sip rel1xx disable
 session protocol sipv2
 session target ipv4:162.248.168.71
 dtmf-relay rtp-nte
 fax rate 9600
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
 ip qos dscp cs1 media
 ip qos dscp cs1 signaling
 no vad
!
dial-peer voice 11 pots
 trunkgroup ALLT1
 description Incoming call from Goldline to T1
 preference 1
 destination-pattern ....
 progress_ind setup enable 3
 progress_ind alert enable 8
 progress_ind progress enable 8
 progress_ind connect enable 8
 forward-digits all
!
!
num-exp ....# ....
num-exp .....# .....
num-exp ......# ......
num-exp .......# .......
num-exp ........# ........
num-exp .........# .........
num-exp ..........# ..........
num-exp ...........# ...........
num-exp ............# ............
num-exp .............# .............
num-exp ..............# ..............
num-exp ...............# ...............
gateway 
!
sip-ua 
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 logging synchronous level 5
 history size 256
line 1/00 1/59
 modem InOut
!
scheduler allocate 10000 400
ntp clock-period 17180072
ntp update-calendar
ntp server 206.108.0.133
ntp server 158.69.125.231
ntp server 162.213.212.10
end




Check Point 1100

Basic configuration is recorded in the post "Check Point 1100 Appliance Configuration Step by Step". For this SIP connection to Goldline, the following firewall configuration has to be done manually rather than auto-generated:
  • Manual NAT (port forwarding): the Check Point 1100 WAN interface IP 19.24.14.12 has port forwarding enabled to 100.100.100.26.
  • Allow inbound connections from 162.248.168.71 to 19.24.14.12, UDP port 5060.
  • Allow inbound connections from 162.248.168.73 and 162.248.168.74 to 19.24.14.12, UDP port range 5070-35000.
  • Allow outbound connections from 100.100.100.26 to the Internet, NAT-ed on the Check Point WAN interface IP 19.24.14.12 (the port-forwarding rule has already enabled outbound traffic hiding behind the gateway's external IP address).
  • QoS rule: traffic to the Goldline VoIP gateway IP addresses (162.248.168.71, .73, .74) gets DSCP set to 8. It is strongly recommended to verify the TOS/QoS settings on both the Cisco and the Check Point for both RTP and SIP signalling. By default, the setting may be either DSCP EF (decimal 46) or TOS IP precedence 7. While these settings are fine on a LAN, on the Internet the intervening routers do extra processing to remove the tags before forwarding, and when routers are too busy they simply discard the packets. This results in intermittent voice quality issues. The recommendation is either to set DSCP to CS1 (decimal 8) or TOS IP precedence 1 on the edge routers, or to use Check Point traffic shaping to set DSCP to CS1 (decimal 8) on the packets of the Internet connection to Goldline.
  • If a SIP ALG feature is activated on the firewall/router, turn it off. If logging is enabled for UDP packets, call quality may degrade when the router is saturated.
  • Server configurations
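To make the DSCP/TOS numbers in the QoS bullet concrete, here is an added Python example (not from the original post or from Check Point/Cisco): it converts between DSCP, IP precedence and the raw TOS byte, parses the DSCP out of an IPv4 header, and flags packets to the Goldline gateway addresses that still carry EF or precedence 7 instead of CS1. The packet bytes are constructed for the test; `mark_socket_cs1` shows how a host would request CS1 marking through the standard `IP_TOS` socket option.

```python
import socket
import struct

# Goldline SIP/RTP gateway addresses as listed in the post
GOLDLINE_GATEWAYS = {"162.248.168.71", "162.248.168.73", "162.248.168.74"}

# DSCP code points discussed in the post (6-bit values)
DSCP_CS1 = 8     # recommended for Internet-bound SIP/RTP
DSCP_EF = 46     # common default for voice on a LAN
DSCP_CS7 = 56    # equivalent of IP precedence 7

def dscp_to_tos(dscp: int) -> int:
    """TOS byte = DSCP in the upper 6 bits, ECN bits cleared."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    return dscp << 2

def precedence_to_dscp(prec: int) -> int:
    """IP precedence (3 bits) maps to the class-selector DSCP prec*8."""
    if not 0 <= prec <= 7:
        raise ValueError("precedence must fit in 3 bits")
    return prec << 3

def ipv4_dscp_and_dst(packet: bytes):
    """Return (dscp, dst_ip) from a raw IPv4 header (no link layer)."""
    ihl = (packet[0] & 0x0F) * 4
    if (packet[0] >> 4) != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    tos = packet[1]
    dst = socket.inet_ntoa(packet[16:20])
    return tos >> 2, dst

def check_marking(packet: bytes) -> str:
    """Classify a packet against the post's CS1 recommendation."""
    dscp, dst = ipv4_dscp_and_dst(packet)
    if dst not in GOLDLINE_GATEWAYS:
        return "not Goldline traffic"
    if dscp == DSCP_CS1:
        return "ok: CS1"
    return f"remark to CS1 (found DSCP {dscp})"

def build_ipv4_header(dscp: int, src: str, dst: str, payload_len: int = 0) -> bytes:
    """Constructed minimal IPv4 header carrying UDP (checksum left zero) for tests."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, dscp_to_tos(dscp), 20 + payload_len, 0, 0,
                       64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))

def mark_socket_cs1(sock: socket.socket) -> None:
    """Ask the OS to mark outgoing datagrams on this UDP socket with CS1."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, dscp_to_tos(DSCP_CS1))
```

Run `check_marking` over headers captured on the WAN side to confirm the Check Point traffic-shaping rule actually rewrote EF (0xB8) or precedence 7 (0xE0) to CS1 (0x20) before the packets leave for Goldline.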









Notes:
Server access rules and NAT rules can also be configured in the auto-generated way. But there was an issue I found: I could statically NAT to a different public IP address than the gateway interface IP, but outbound traffic was still using the gateway interface IP, which caused a problem with the SIP connection to Goldline. After many tries, I gave up on static NAT for the server and configured the server manually with an access policy and no NAT configuration.



Troubleshooting

There was an error in the logs showing that some packets from the SIP provider Goldline were being dropped.

The reason given was a violated unidirectional connection.

There are quite a few knowledge base articles on the Check Point website discussing this error, especially "UDP Traffic on 600 / 700 appliances is dropped due to 'Violated Unidirectional Connection'".

After I followed the solution and rebooted the Cisco AS5350, the issue seemed to be gone.
