Support
Community

Public IP

Ok, thanks for the info.  Is there a debug command I can use to determine if RTP traffic is getting blocked?  I normally use:

debug sip stack messages

debug isdn l2-formatted

You probably want the firewall turned on as it is used under-the-hood for quite a bit of the functionality of the box.

Create an access-list as follows:

ip access-list standard sip-allow-list

  permit host X.X.X.X

  permit host Y.Y.Y.Y

  permit host Z.Z.Z.Z

Then apply that to your SIP connections:

ip sip access-class sip-allow-list in

You don't need to worry about RTP, it can come from any media gateway of the SIP providers.  It is generally a good thing that RTP go directly to the media gateway.  This tends to minimize latency of routing it through the SIP provider's network.

When you enable the firewall for the first time, you'll want to do so from the console or be careful not to lock yourself out if enabling it remotely. 

Thanks for the input.  So the "permit host" addresses would be the signaling addresses provided by the SIP provider, and not including any RTP addresses?  Would we not need a rule to handle the RTP servers or is this handled on-the-fly by way of the SIP header as mentioned by @unified, above?

That's handled automatically.  You want to restrict SIP to known hosts and reject all others to avoid the possibility of someone exploiting your system to place expensive international calls.  RTP is set up within the SIP header as mentioned by @unified.

Ok, thanks.  Our experience so far has been that even with the firewall off, the only signaling addresses from which it will accept traffic are those specified in the SIP trunk settings either under "sip-server primary" or "sip-server secondary".  However, this is good information for when we enable the firewall.

jonathanblack wrote: Ok, thanks.  Our experience so far has been that even with the firewall off, the only signaling addresses from which it will accept traffic are those specified in the SIP trunk settings either under "sip-server primary" or "sip-server secondary".  However, this is good information for when we enable the firewall.

You may be very unpleasantly surprised when you get a phone bill if you don't lock down SIP to known and authorized servers.  I haven't tested simply adding the SIP ACL with firewall not enabled, it may work.  Please lock it down.  Despite their name, the scanners out there aren't very friendly.

The main reason we haven't already is that when we turned on the firewall on a 908e Gen1 unit, after several hours it seemed to stop accepting traffic at all.  Restarting the unit restored service, but then it happened again a few hours later.  We finally turned the firewall back off and the problem went away.

We might try again with a secondary unit and see if we can make it work reliably.

Are you referring to the "ip access-list" and "ip sip access-class" commands that @jayh mentioned above?  Will those two commands work without the firewall enabled?  If so, this may be a good option for us in light of the prior problems we've had with the firewall.

Sounds promising, but just to confirm: None of that will impact RTP traffic?  The reason I ask is because in the original problem that generated this post, the SIP provider is telling us that RTP traffic is being blocked.  When they proxied the RTP traffic through their IP (which I have entered as a "sip-server secondary"), the traffic comes through.

RTP traffic to a remote media server on a random IP different from the defined SIP server won't be affected.  It will just work.  By limiting the SIP servers with an access list you will protect against fraud. 

I've just confirmed with the SIP provider that it isn't blocking RTP traffic from "non-registered" IP addresses.  And we're unable to reliably replicate the problem, so I'm going to assume the problem is on the provider's side and close this out.  Thanks to both of you, and , for your input and assistance!