VoIP scenario through a ZBF firewall
Date: April 29, 2015    Class: CCNA Security
Scenario
This scenario is a zone-based firewall (ZBF) implementation corresponding to module 5 of CCNA Security version 1.1, where two zones were configured: secure (192.168.1.0/24), which is our LAN, and insecure (172.16.0.0/24), which is a LAN not administered by us but whose servers we need to reach. The requirement to implement VoIP was then added to that situation: we must permit H.323 signalling between both VoIP PBXs, implemented with routers running Call Manager Express (CME).
This scenario was built in Packet Tracer and verified on real equipment: a Cisco 2801 for the ZBF and 1760s for CME.
The file is available as "Prueba ZBF con VoIP.pkt" on ftp.vilarrasa.com.ar (user and password: ccna).
1.- Initial check of IP telephony operation
Checked in the local segment, between the phone and the router running Call Manager, without going through the firewall.
The protocol the phones use locally is SCCP (Skinny).
VoIP_1#sh ephone
ephone-1
Mac:0040.0B47.E119 TCP socket:[1] activeLine:0 REGISTERED in SCCP ver 12 and Server in ver 8
mediaActive:0
offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
IP:192.168.1.3 1025 7960 keepalive 43
max_line 2
button 1: dn 1 number 100 CH1 IDLE
VoIP_1#
VoIP_2#sh ephone
ephone-1
Mac:0001.C966.A163 TCP socket:[1] activeLine:0 REGISTERED in SCCP ver 12 and Server in ver 8
mediaActive:0
offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
IP:172.16.0.3 1025 7960 keepalive 43
max_line 2
button 1: dn 1 number 200 CH1 IDLE
VoIP_2#
2.- Add the class-map that classifies the signalling traffic between the CMEs:
Firewall#config t
Firewall(config)#class-map type inspect match-any VoIP_Signal
Firewall(config-cmap)#match protocol h323
Firewall(config-cmap)#exit
Firewall(config)#
3.- Add the class-map that classifies the voice (audio) traffic between the CMEs:
Firewall#config t
Firewall(config)#class-map type inspect match-any VoIP_Voice
Firewall(config-cmap)#match protocol udp
Firewall(config-cmap)#exit
Firewall(config)#
4.- Attach the class-maps to the policy for outbound traffic toward the 172.16.0.0/24 network:
Firewall(config)#policy-map type inspect policy1
Firewall(config-pmap)#class type inspect VoIP_Signal
Firewall(config-pmap-c)#inspect
Firewall(config-pmap-c)#class type inspect VoIP_Voice
Firewall(config-pmap-c)#inspect
Firewall(config-pmap-c)#exit
Firewall(config-pmap)#exit
Firewall(config)#
5.- Attach the class-maps to the policy for inbound traffic from the 172.16.0.0/24 network:
Firewall(config)#policy-map type inspect policy2
Firewall(config-pmap)#class type inspect VoIP_Signal
Firewall(config-pmap-c)#inspect
Firewall(config-pmap-c)#class type inspect VoIP_Voice
Firewall(config-pmap-c)#inspect
Firewall(config-pmap-c)#exit
Firewall(config-pmap)#exit
Firewall(config)#
6.- Call from extension 100 (left, secure zone) to 200 (right, insecure zone):
This communication uses the zone-pair segura-insegura bound to policy1, which generates H.323 traffic.
When the call is picked up and answered, the RTP channel carrying the voice itself starts being used.
7.- Verification on the firewall:
Firewall#show policy-map type inspect zone-pair sessions
Zone-pair: segura-insegura
Service-policy inspect : policy1 (for calls from extension 100 to 200)
 Class-map: saliente (match-any)
  Match: protocol dns
   0 packets, 0 bytes
   30 second rate 0 bps
  Match: protocol ftp
   0 packets, 0 bytes
   30 second rate 0 bps
  Match: protocol http
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: ICMP (match-any)
  Match: protocol icmp
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Signal (match-any)
  Match: protocol h323 (this is the signalling channel (conversation) between the VoIP gateways)
   8 packets, 327 bytes
   30 second rate 0 bps
  Inspect
   Established Sessions
    Session 139927312 (192.168.1.2:1025)=>(172.16.0.2:1720) tcp SIS_OPEN/TCP_ESTAB
     Created 00:03:09, Last heard 00:02:32
     Bytes sent (initiator:responder) [534:0]
 Class-map: VoIP_Voice (match-any)
  Match: protocol udp (this is the RTP channel carrying the voice itself)
   11 packets, 330 bytes
   30 second rate 0 bps
  Pass
   Established Sessions
    Session 140124328 (192.168.1.2:1026)=>(172.16.0.2:1026) udp SIS_OPEN
     Created 00:02:32, Last heard 00:00:02
     Bytes sent (initiator:responder) [660:0]
 Class-map: class-default (match-any)
  Match: any
  Drop (default action)
   0 packets, 0 bytes
Zone-pair: insegura-segura
Service-policy inspect : policy2 (for incoming calls)
 Class-map: entrante (match-any) (to reach the LAN server)
  Match: protocol http
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Signal (match-any) (no sessions, because in this call the traffic originates at extension 100, so in this direction it is only return traffic)
  Match: protocol h323
   8 packets, 327 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Voice (match-any)
  Match: protocol udp
   11 packets, 330 bytes
   30 second rate 0 bps
  Pass
 Class-map: ICMP (match-any)
  Match: protocol icmp
   0 packets, 0 bytes
   30 second rate 0 bps
  Drop
   0 packets, 0 bytes
 Class-map: class-default (match-any)
  Match: any
  Drop (default action)
   0 packets, 0 bytes
Firewall#
8.- Call from extension 200 (right, insecure zone) to 100 (left, secure zone):
This communication uses the zone-pair insegura-segura bound to policy2.
9.- Verifying policy2:
Firewall#show policy-map type inspect zone-pair sessions
Zone-pair: segura-insegura
Service-policy inspect : policy1
 Class-map: saliente (match-any)
  Match: protocol dns
   0 packets, 0 bytes
   30 second rate 0 bps
  Match: protocol ftp
   0 packets, 0 bytes
   30 second rate 0 bps
  Match: protocol http
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: ICMP (match-any)
  Match: protocol icmp
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Signal (match-any)
  Match: protocol h323
   14 packets, 573 bytes
   30 second rate 0 bps
  Inspect
   Established Sessions
    Session 139927312 (192.168.1.2:1025)=>(172.16.0.2:1720) tcp SIS_OPEN/TCP_ESTAB
     Created 00:04:36, Last heard 00:01:02
     Bytes sent (initiator:responder) [615:0]
 Class-map: VoIP_Voice (match-any)
  Match: protocol udp
   14 packets, 420 bytes
   30 second rate 0 bps
  Pass
 Class-map: class-default (match-any)
  Match: any
  Drop (default action)
   0 packets, 0 bytes
Zone-pair: insegura-segura
Service-policy inspect : policy2
 Class-map: entrante (match-any)
  Match: protocol http
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Signal (match-any)
  Match: protocol h323 (this is the signalling channel (conversation) between the VoIP gateways)
   14 packets, 573 bytes
   30 second rate 0 bps
  Inspect
   Established Sessions
    Session 141127656 (172.16.0.2:1025)=>(192.168.1.2:1720) tcp SIS_OPEN/TCP_ESTAB
     Created 00:00:57, Last heard 00:00:26
     Bytes sent (initiator:responder) [205:126]
 Class-map: VoIP_Voice (match-any)
  Match: protocol udp (this is the RTP channel carrying the voice itself)
   14 packets, 420 bytes
   30 second rate 0 bps
  Pass
   Established Sessions
    Session 140124328 (172.16.0.2:1027)=>(192.168.1.2:1027) udp SIS_OPEN
     Created 00:00:26, Last heard 00:00:11
     Bytes sent (initiator:responder) [60:60]
 Class-map: ICMP (match-any)
  Match: protocol icmp
   0 packets, 0 bytes
   30 second rate 0 bps
  Drop
   0 packets, 0 bytes
 Class-map: class-default (match-any)
  Match: any
  Drop (default action)
   0 packets, 0 bytes
Firewall#
10.- Verification tests on real equipment:
To save time during testing, Cisco IP Communicator softphones on two notebooks were used in place of the IP phones, and traffic was captured with Wireshark through a port mirror on the switch.
The H.323 dialogue between the VoIP gateways can be observed: TCP port 1720 corresponds to H.323, and H.225 is part of the H.323 suite.
11.- Verifying the ZBF:
Firewall#sh policy-map type inspect zone-pair sessions
Zone-pair: segura-insegura
Service-policy inspect : policy1
 Class-map: VoIP_Voice (match-any)
  Match: protocol udp
   0 packets, 0 bytes (this class-map was not used)
   30 second rate 0 bps
  Inspect
 Class-map: ICMP (match-any)
  Match: protocol icmp
   3 packets, 108 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Signal (match-any)
  Match: protocol h323
   7 packets, 168 bytes
   30 second rate 0 bps
  Inspect
   Established Sessions
    Session 64332304 (192.168.1.2:16824)=>(172.16.0.2:17984) h323-RTP-audio SIS_OPEN
     Created 00:00:05, Last heard 00:00:00
     Bytes sent (initiator:responder) [9536:9216]
    Session 64331824 (192.168.1.2:16825)=>(172.16.0.2:17985) h323-RTCP-audio SIS_OPEN
     Created 00:00:03, Last heard 00:00:00
     Bytes sent (initiator:responder) [264:224]
    Session 643325BC (192.168.1.2:24669)=>(172.16.0.2:1720) h323 SIS_OPEN
     Created 00:01:48, Last heard 00:00:05
     Bytes sent (initiator:responder) [656:742]
   Pre-generated Sessions (UDP sessions derived from H.323 itself were generated)
    Pre-gen session 6433156C 192.168.1.2[1024:65535]=>172.16.0.2[17985:17985] h323-RTCP-audio
    Pre-gen session 64331ADC 172.16.0.2[1024:65535]=>192.168.1.2[16825:16825] h323-RTCP-audio
    Pre-gen session 64331D94 172.16.0.2[1024:65535]=>192.168.1.2[16824:16824] h323-RTP-audio
    Pre-gen session 6433204C 172.16.0.2[1024:65535]=>192.168.1.2[16825:16825] h323-RTCP-audio
 Class-map: saliente (match-any)
  Match: protocol ftp
   0 packets, 0 bytes
   30 second rate 0 bps
  Match: protocol http
   0 packets, 0 bytes
   30 second rate 0 bps
  Match: protocol dns
   0 packets, 0 bytes
   30 second rate 0 bps
  Pass
   0 packets, 0 bytes
 Class-map: class-default (match-any)
  Match: any
  Drop (default action)
   0 packets, 0 bytes
Zone-pair: insegura-segura
Service-policy inspect : policy2
 Class-map: entrante (match-any)
  Match: protocol http
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Signal (match-any)
  Match: protocol h323
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Voice (match-any)
  Match: protocol udp
   0 packets, 0 bytes
   30 second rate 0 bps
  Pass
   0 packets, 0 bytes
 Class-map: ICMP (match-any)
  Match: protocol icmp
   0 packets, 0 bytes
   30 second rate 0 bps
  Drop
   0 packets, 0 bytes
 Class-map: class-default (match-any)
  Match: any
  Drop (default action)
   0 packets, 0 bytes
Firewall#
12.- Counter-test: the voice (audio) class-map was removed from policy1 and policy2:
Firewall(config)#policy-map type inspect policy1
Firewall(config-pmap)#no class type inspect VoIP_Voice
Firewall(config-pmap)#exit
Firewall(config)#policy-map type inspect policy2
Firewall(config-pmap)#no class type inspect VoIP_Voice
Firewall(config-pmap)#^Z
Firewall#
13.- Verification:
The call between both softphones was established with no audio problems.
Firewall#sh policy-map type inspect zone-pair sessions
Zone-pair: segura-insegura
Service-policy inspect : policy1 (the VoIP_Voice class-map no longer exists)
 Class-map: ICMP (match-any)
  Match: protocol icmp
   3 packets, 108 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Signal (match-any)
  Match: protocol h323
   7 packets, 168 bytes
   30 second rate 0 bps
  Inspect
   Established Sessions
    Session 6433156C (172.16.0.2:17131)=>(192.168.1.2:17359) h323-RTCP-audio SIS_OPEN
     Created 00:00:10, Last heard 00:00:00
     Bytes sent (initiator:responder) [336:528]
    Session 64331824 (192.168.1.2:17358)=>(172.16.0.2:17130) h323-RTP-audio SIS_OPEN
     Created 00:00:10, Last heard 00:00:00
     Bytes sent (initiator:responder) [16704:16352]
    Session 643325BC (192.168.1.2:24669)=>(172.16.0.2:1720) h323 SIS_OPEN
     Created 00:11:08, Last heard 00:00:10
     Bytes sent (initiator:responder) [1009:1138]
   Pre-generated Sessions
    Pre-gen session 64332304 192.168.1.2[1024:65535]=>172.16.0.2[17131:17131] h323-RTCP-audio
    Pre-gen session 6433204C 172.16.0.2[1024:65535]=>192.168.1.2[17359:17359] h323-RTCP-audio
    Pre-gen session 64331D94 172.16.0.2[1024:65535]=>192.168.1.2[17358:17358] h323-RTP-audio
    Pre-gen session 64331ADC 192.168.1.2[1024:65535]=>172.16.0.2[17131:17131] h323-RTCP-audio
 Class-map: saliente (match-any)
  Match: protocol ftp
   0 packets, 0 bytes
   30 second rate 0 bps
  Match: protocol http
   0 packets, 0 bytes
   30 second rate 0 bps
  Match: protocol dns
   0 packets, 0 bytes
   30 second rate 0 bps
  Pass
   0 packets, 0 bytes
 Class-map: class-default (match-any)
  Match: any
  Drop (default action)
   0 packets, 0 bytes
Zone-pair: insegura-segura
Service-policy inspect : policy2
 Class-map: entrante (match-any)
  Match: protocol http
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Signal (match-any)
  Match: protocol h323
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: ICMP (match-any)
  Match: protocol icmp
   1 packets, 36 bytes
   30 second rate 0 bps
  Drop
   1 packets, 36 bytes
 Class-map: class-default (match-any)
  Match: any
  Drop (default action)
   0 packets, 0 bytes
Firewall#
14.- Call in the reverse direction (extension 200 to 100):
Firewall#sh policy-map type inspect zone-pair sessions
Zone-pair: segura-insegura
Service-policy inspect : policy1
 Class-map: ICMP (match-any)
  Match: protocol icmp
   4 packets, 144 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Signal (match-any)
  Match: protocol h323
   7 packets, 168 bytes
   30 second rate 0 bps
  Inspect
   Established Sessions
    Session 643325BC (192.168.1.2:24669)=>(172.16.0.2:1720) h323 SIS_OPEN
     Created 00:14:33, Last heard 00:00:15
     Bytes sent (initiator:responder) [1059:1188]
 Class-map: saliente (match-any)
  Match: protocol ftp
   0 packets, 0 bytes
   30 second rate 0 bps
  Match: protocol http
   0 packets, 0 bytes
   30 second rate 0 bps
  Match: protocol dns
   0 packets, 0 bytes
   30 second rate 0 bps
  Pass
   0 packets, 0 bytes
 Class-map: class-default (match-any)
  Match: any
  Drop (default action)
   0 packets, 0 bytes
Zone-pair: insegura-segura
Service-policy inspect : policy2
 Class-map: entrante (match-any)
  Match: protocol http
   0 packets, 0 bytes
   30 second rate 0 bps
  Inspect
 Class-map: VoIP_Signal (match-any)
  Match: protocol h323
   3 packets, 72 bytes
   30 second rate 0 bps
  Inspect
   Established Sessions
    Session 64331ADC (172.16.0.2:61553)=>(192.168.1.2:1720) h323 SIS_OPEN
     Created 00:00:11, Last heard 00:00:08
     Bytes sent (initiator:responder) [303:420]
    Session 64331D94 (172.16.0.2:18416)=>(192.168.1.2:17086) h323-RTP-audio SIS_OPEN
     Created 00:00:08, Last heard 00:00:00
     Bytes sent (initiator:responder) [13312:13312]
    Session 64330FFC (172.16.0.2:18417)=>(192.168.1.2:17087) h323-RTCP-audio SIS_OPEN
     Created 00:00:07, Last heard 00:00:03
     Bytes sent (initiator:responder) [224:264]
   Pre-generated Sessions
    Pre-gen session 6433204C 172.16.0.2[1024:65535]=>192.168.1.2[17087:17087] h323-RTCP-audio
    Pre-gen session 64332304 192.168.1.2[1024:65535]=>172.16.0.2[18417:18417] h323-RTCP-audio
    Pre-gen session 643312B4 192.168.1.2[1024:65535]=>172.16.0.2[18416:18416] h323-RTP-audio
    Pre-gen session 64330D44 192.168.1.2[1024:65535]=>172.16.0.2[18417:18417] h323-RTCP-audio
 Class-map: ICMP (match-any)
  Match: protocol icmp
   1 packets, 36 bytes
   30 second rate 0 bps
  Drop
   1 packets, 36 bytes
 Class-map: class-default (match-any)
  Match: any
  Drop (default action)
   0 packets, 0 bytes
Firewall#
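Reading the session tables of steps 7 through 14 by eye works for one lab, but a defender who keeps this firewall will want to check them programmatically. The script below is an added example, not part of the lab: it parses the output of show policy-map type inspect zone-pair sessions in the format shown above, collects established and pre-generated sessions per zone-pair, and reports which pinholes an established media session has already fallen into. The sample input is built from lines of the step 11 output; the handling of a wrapped "protocol state" tail assumes line breaks fall as they do in this document.

```python
"""Parse 'show policy-map type inspect zone-pair sessions' output (IOS 12.4 ZBF, format as
shown in this lab) into established sessions and the pinholes H.323 inspection pre-generated."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RE_ZONE_PAIR = re.compile(r"^\s*Zone-pair:\s+(\S+)")
RE_POLICY = re.compile(r"^\s*Service-policy inspect\s*:\s*(\S+)")
RE_CLASS = re.compile(r"^\s*Class-map:\s+(\S+)")
RE_SESSION = re.compile(r"^\s*Session\s+([0-9A-Fa-f]+)\s+\(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\)\s*(.*)$")
RE_PREGEN = re.compile(r"^\s*Pre-gen session\s+([0-9A-Fa-f]+)\s+([\d.]+)\[(\d+):(\d+)\]=>"
                       r"([\d.]+)\[(\d+):(\d+)\]\s*(\S*)")
# First tokens of structural lines; any other short line directly after a Session or
# Pre-gen entry is treated as that entry's wrapped 'protocol state' tail.
STRUCTURAL = {"Zone-pair:", "Service-policy", "Class-map:", "Match:", "Session", "Pre-gen",
              "Created", "Bytes", "Established", "Pre-generated", "Inspect", "Pass", "Drop"}

@dataclass
class Flow:
    sid: str
    src: str
    sport: Tuple[int, int]  # (lo, hi); lo == hi for an established session
    dst: str
    dport: Tuple[int, int]
    proto: str
    class_map: str          # class-map the firewall listed the entry under
    pinhole: bool = False   # True for 'Pre-gen session' entries
    state: str = ""

@dataclass
class ZonePair:
    name: str
    policy: str = ""
    flows: List[Flow] = field(default_factory=list)

def _wrapped_tail(lines: List[str], i: int) -> Optional[List[str]]:
    toks = lines[i].split() if i < len(lines) else []
    if not toks or toks[0] in STRUCTURAL or toks[0][0].isdigit() or len(toks) > 2:
        return None
    return toks

def parse_zbf_sessions(text: str) -> Dict[str, ZonePair]:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    pairs: Dict[str, ZonePair] = {}
    zp: Optional[ZonePair] = None
    cls, i = "", 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if m := RE_ZONE_PAIR.match(line):
            zp = pairs.setdefault(m.group(1), ZonePair(m.group(1)))
        elif zp is None:
            continue
        elif m := RE_POLICY.match(line):
            zp.policy = m.group(1)
        elif m := RE_CLASS.match(line):
            cls = m.group(1)
        elif m := RE_SESSION.match(line):
            tail = m.group(6).split()           # 'proto state', possibly on the next line(s)
            while len(tail) < 2 and (more := _wrapped_tail(lines, i)):
                tail, i = tail + more, i + 1
            tail += [""] * (2 - len(tail))
            sp, dp = int(m.group(3)), int(m.group(5))
            zp.flows.append(Flow(m.group(1), m.group(2), (sp, sp), m.group(4), (dp, dp),
                                 tail[0], cls, state=tail[1]))
        elif m := RE_PREGEN.match(line):
            proto = m.group(8)
            if not proto and (more := _wrapped_tail(lines, i)):
                proto, i = more[0], i + 1
            zp.flows.append(Flow(m.group(1), m.group(2), (int(m.group(3)), int(m.group(4))),
                                 m.group(5), (int(m.group(6)), int(m.group(7))),
                                 proto, cls, pinhole=True))
    return pairs

def pinhole_status(zp: ZonePair) -> Dict[str, bool]:
    """pinhole id -> True when an established session of the same zone-pair
    falls inside the pinhole's source/destination address and port ranges."""
    sessions = [f for f in zp.flows if not f.pinhole]
    return {p.sid: any(s.src == p.src and s.dst == p.dst
                       and p.sport[0] <= s.sport[0] <= p.sport[1]
                       and p.dport[0] <= s.dport[0] <= p.dport[1] for s in sessions)
            for p in zp.flows if p.pinhole}

# Constructed sample: lines taken from the step 11 output above; the third session line
# is wrapped the way the document shows it, to exercise the tail handling.
SAMPLE = """\
Zone-pair: segura-insegura
Service-policy inspect : policy1
 Class-map: VoIP_Signal (match-any)
    Session 64332304 (192.168.1.2:16824)=>(172.16.0.2:17984) h323-RTP-audio SIS_OPEN
     Bytes sent (initiator:responder) [9536:9216]
    Session 64331824 (192.168.1.2:16825)=>(172.16.0.2:17985) h323-RTCP-audio SIS_OPEN
    Session 643325BC (192.168.1.2:24669)=>(172.16.0.2:1720) h323
    SIS_OPEN
     Bytes sent (initiator:responder) [656:742]
    Pre-gen session 6433156C 192.168.1.2[1024:65535]=>172.16.0.2[17985:17985] h323-RTCP-audio
    Pre-gen session 64331ADC 172.16.0.2[1024:65535]=>192.168.1.2[16825:16825] h323-RTCP-audio
Zone-pair: insegura-segura
Service-policy inspect : policy2
"""
```

Run on the sample, the segura-insegura pair lists three sessions under VoIP_Signal (two media sessions plus the TCP 1720 signalling session) and two pinholes, of which only the one toward 172.16.0.2:17985 has been consumed; the reverse-direction pinhole stays open until the far end sends first, which is why both directions appear pre-generated in the real-hardware output.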
From the capture results and the firewall monitoring, the traffic flow is determined to be as follows:
15.- Device configuration (in Packet Tracer):
Firewall#sh runn (only the most relevant parts)
!
version 12.4
!
hostname Firewall
!
class-map type inspect match-any saliente
 match protocol dns
 match protocol ftp
 match protocol http
class-map type inspect match-any ICMP
 match protocol icmp
class-map type inspect match-any entrante
 match protocol http
class-map type inspect match-any VoIP_Signal
 match protocol h323
class-map type inspect match-any VoIP_Voice
 match protocol udp
!
policy-map type inspect policy2
 class type inspect entrante
  inspect
 class type inspect VoIP_Signal
  inspect
 class type inspect VoIP_Voice
  pass
 class type inspect ICMP
  drop
!
policy-map type inspect policy1
 class type inspect saliente
  inspect
 class type inspect ICMP
  inspect
 class type inspect VoIP_Signal
  inspect
 class type inspect VoIP_Voice
  pass
!
zone security segura
zone security insegura
zone-pair security segura-insegura source segura destination insegura
 service-policy type inspect policy1
zone-pair security insegura-segura source insegura destination segura
 service-policy type inspect policy2
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 zone-member security segura
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.0
 zone-member security insegura
!
end
Firewall#
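The counter-test in steps 12 and 13 shows that on real hardware H.323 inspection alone opens the RTP/RTCP pinholes, so the VoIP_Voice class-map (match protocol udp with the pass action) admits far more than the calls need. The script below is an added example, not part of the lab: it parses the inspect class-maps and policy-maps from a running-config in the form shown in step 15 and flags two things, a class whose match is transport-wide (udp, tcp or ip) being passed or inspected, and any class using pass, which in ZBF forwards without tracking state and in one direction only. The sample configurations are the Firewall configuration above, before and after the counter-test; the parser assumes the standard one-space IOS indentation of sub-commands.

```python
"""Audit the inspect class-maps and policy-maps of an IOS zone-based firewall
running-config for over-broad classes, such as the VoIP_Voice class in this lab."""
import re
from typing import Dict, List, Tuple

# A match on one of these admits every flow of that transport rather than an application.
BROAD_PROTOCOLS = {"udp", "tcp", "ip"}

def parse_inspect_config(cfg: str) -> Tuple[Dict[str, List[str]], Dict[str, List[Tuple[str, str]]]]:
    """Return ({class_map: [match ...]}, {policy_map: [(class_map, action), ...]}).
    A non-indented line closes whatever block is open, as in IOS."""
    classes: Dict[str, List[str]] = {}
    policies: Dict[str, List[Tuple[str, str]]] = {}
    cur_class = cur_policy = pending = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            cur_class = cur_policy = pending = None
            if m := re.match(r"class-map type inspect match-(?:any|all) (\S+)$", line):
                cur_class = m.group(1)
                classes.setdefault(cur_class, [])
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                cur_policy = m.group(1)
                policies.setdefault(cur_policy, [])
        elif cur_class and (m := re.match(r"match (.+)$", line)):
            classes[cur_class].append(m.group(1))
        elif cur_policy and (m := re.match(r"class type inspect (\S+)$", line)):
            pending = m.group(1)                       # action comes on the next sub-line
        elif cur_policy and pending and line in ("inspect", "pass", "drop"):
            policies[cur_policy].append((pending, line))
            pending = None
    return classes, policies

def audit(classes: Dict[str, List[str]], policies: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """One finding per weak class/action combination; empty when the policy is clean."""
    findings = []
    for pol, entries in policies.items():
        for cls, action in entries:
            broad = [m for m in classes.get(cls, [])
                     if m.startswith("protocol ") and m.split()[-1] in BROAD_PROTOCOLS]
            if broad and action != "drop":
                findings.append(f"{pol}/{cls}: action '{action}' on transport-wide match "
                                f"'{broad[0]}'; inspect the signalling protocol instead so the "
                                "firewall opens media pinholes per call")
            if action == "pass":
                findings.append(f"{pol}/{cls}: 'pass' is stateless and one-way; return traffic "
                                "needs its own rule on the reverse zone-pair")
    return findings

# Constructed samples: the class-map/policy-map part of the Firewall running-config
# from step 15, before and after the counter-test of step 12.
CONFIG_BEFORE = """\
class-map type inspect match-any saliente
 match protocol dns
 match protocol ftp
 match protocol http
class-map type inspect match-any ICMP
 match protocol icmp
class-map type inspect match-any entrante
 match protocol http
class-map type inspect match-any VoIP_Signal
 match protocol h323
class-map type inspect match-any VoIP_Voice
 match protocol udp
!
policy-map type inspect policy2
 class type inspect entrante
  inspect
 class type inspect VoIP_Signal
  inspect
 class type inspect VoIP_Voice
  pass
 class type inspect ICMP
  drop
!
policy-map type inspect policy1
 class type inspect saliente
  inspect
 class type inspect ICMP
  inspect
 class type inspect VoIP_Signal
  inspect
 class type inspect VoIP_Voice
  pass
!
zone security segura
"""
CONFIG_AFTER = CONFIG_BEFORE.replace(" class type inspect VoIP_Voice\n  pass\n", "")
```

On the "before" configuration the audit reports four findings, all on VoIP_Voice (a transport-wide match and a pass action in each of the two policies); on the "after" configuration, where only VoIP_Signal with inspect remains for the calls, it reports none, even though the unused VoIP_Voice class-map is still defined.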
VoIP_1# sh runn (only the most relevant parts)
!
version 12.4
!
hostname VoIP_1
!
ip dhcp pool VoIP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 option 150 ip 192.168.1.2
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
dial-peer voice 1 voip
 destination-pattern 20.
 session target ipv4:172.16.0.2
!
telephony-service
 max-ephones 10
 max-dn 10
 ip source-address 192.168.1.2 port 2000
 auto assign 1 to 4
!
ephone-dn 1
 number 100
!
ephone 1
 device-security-mode none
 mac-address 0040.0B47.E119
 type 7960
 button 1:1
!
end
VoIP_1#
VoIP_2# sh runn (only the most relevant parts)
!
version 12.4
!
hostname VoIP_2
!
ip dhcp pool VoIP
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.1
 option 150 ip 172.16.0.2
!
interface FastEthernet0/0
 ip address 172.16.0.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!
dial-peer voice 1 voip
 destination-pattern 10.
 session target ipv4:192.168.1.2
!
telephony-service
 max-ephones 10
 max-dn 10
 ip source-address 172.16.0.2 port 2000
 auto assign 1 to 4
!
ephone-dn 1
 number 200
!
ephone 1
 device-security-mode none
 mac-address 0001.C966.A163
 type 7960
 button 1:1
!
end
VoIP_2#
(2015)
Smoking chala with uncle Ernst
Rosario, Argentina