ASA5500 blocking SPA504G SIP traffic?

(Apologies if this is a reposting)
I've a client using an ASA5500 firewall - which I don't manage or have admin access to - at a new remote office. They'd like to use the same Cisco SPA504G handsets used in their other office to connect to a Hosted PBX (on public IP).
It appears as if the ASA5500 is still - despite inspection being turned off - dropping or somehow redirecting SIP traffic from the SPA504G handsets. Annoyingly, a PC on the same (internal) VLAN running X-Lite (softphone, using the same SIP settings as the handsets) is working fine. But the Cisco handsets just aren't connecting. The same configs on handsets in the other office (Netgear firewall) have worked fine for 6+ months.
We've tried changing handset source and PBX server ports (e.g. 5063, 5099) using both UDP and TCP - works fine from remote office, no connections from the ASA5500-powered office. We've also turned syslogging on for the handsets and verified they are sending the correct REGISTER etc SIP messages. But they aren't arriving at the PBX, or seemingly external to the firewall at all.
It appears as if the firewall is detecting the Cisco-originating SIP traffic specifically, and dropping it somewhere. And ignoring SIP traffic from the PC softphone. Is this possible?
If anyone can suggest any posts, diagnostic tools, documentation or other hints that I can point the remote sites' system administrators at, I'd be very grateful.
Thanks in advance,
Mark

Hello,
Are you sure the traffic is not being initiated on the other side and the SIP inspection is kicking in?
Double check that via a show policy-map.
Remember to rate all of my posts
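To make that check concrete, here is an added Python example (not code from this thread or from Cisco) that parses the class-map, policy-map and service-policy text an ASA prints for "show run policy-map" and "show run service-policy", and reports every place where "inspect sip" is still attached globally or to an interface. SAMPLE_CONFIG and the class/policy names in it are constructed for the example.

```python
"""Report where 'inspect sip' is still active in an ASA policy tree.

Added example, not code from the thread or from Cisco. Input is the text that
"show run class-map", "show run policy-map" and "show run service-policy"
print on an ASA; SAMPLE_CONFIG below is constructed for this example.
"""
import re

# Constructed sample: SIP inspected globally via the default class (SIP on port
# 5060 only), again on the inside interface for a custom port range, and once
# in a policy-map that is never applied anywhere.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map SIP-ALT-PORTS
 match port udp range 5060 5099
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect sip
!
policy-map inside_policy
 class SIP-ALT-PORTS
  inspect sip
!
policy-map unused_policy
 class SIP-ALT-PORTS
  inspect sip
!
service-policy global_policy global
service-policy inside_policy interface inside
"""


def parse_policy_tree(config):
    """One pass over the config: returns (classes, policies, scopes)."""
    classes, policies, scopes = {}, {}, {}   # name -> matches / {class -> inspects} / scope
    kind = block = cls = None
    for raw in config.splitlines():
        indent = len(raw) - len(raw.lstrip())
        text = raw.strip()
        if indent == 0:  # a top-level line ends any open class-map/policy-map
            kind = block = cls = None
            m = re.match(r"(class-map|policy-map) (\S+)$", text)  # skips '... type inspect'
            s = re.match(r"service-policy (\S+) (global|interface \S+)$", text)
            if m:
                kind, block = m.groups()
                if kind == "class-map":
                    classes[block] = []
                else:
                    policies[block] = {}
            elif s:
                scopes[s.group(1)] = s.group(2)
        elif kind == "class-map" and text.startswith("match "):
            classes[block].append(text[len("match "):])
        elif kind == "policy-map" and indent == 1 and text.startswith("class "):
            cls = text.split()[1]
            policies[block][cls] = []
        elif kind == "policy-map" and cls and indent == 2 and text.startswith("inspect "):
            policies[block][cls].append(text.split()[1])
    return classes, policies, scopes


def sip_inspection_points(config):
    """Return (scope, policy, class, match criteria) for each active 'inspect sip'.

    A policy-map with no service-policy line is inactive and not reported.
    'match default-inspection-traffic' covers SIP only on its default port, so
    a handset moved to another port is untouched by that class.
    """
    classes, policies, scopes = parse_policy_tree(config)
    hits = []
    for policy, table in policies.items():
        if policy not in scopes:
            continue
        for cls, inspects in table.items():
            if "sip" in inspects:
                hits.append((scopes[policy], policy, cls, classes.get(cls, [])))
    return hits
```

Run sip_inspection_points on the pasted output; an empty list means no active policy inspects SIP and the drop has to be looked for elsewhere (ACLs, NAT, or the logs).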

Similar Messages

  • SIP Traffic in CRS-3 Carrier Grade NAT (CGN) with PAT

    Hello
    Does the SIP traffic through the module CGN works? We use PAT in the module.
    Thank you for your comments
    Rodolfo

    Hi Rodolfo,
    yes, SIP can be used with no issue through CGN system without the need of any particular ALG if SBC performs media-latching.
    Take a look at this preso:
    http://www.cisco.com/web/CA/events/pdfs/CNSF2011-IPv6-Transition-for-SPs-Chris-Metz.pdf
    Kind regards,
    N.

  • Blocking all IGMP traffic

    Hello,
    I'm hoping someone may have the answer to this. I am trying to block ALL types of IGMP traffic on a particular interface on a 3560-24-TS-S.
    We have a Summit 5i switch acting as a core switch for 400 users which all (VLAN 3) participate in a multicast group sourced from one of the servers on the same VLAN 3. All the equipment is managed via VLAN 3. From this Summit 5i core switch we have an untagged hand off to a Cisco 3560-24-TS-S which also has 400 DIFFERENT users participating in a multicast group sourced from a server physically connected to this Cisco switch but on VLAN 6. All equipment on this switch is also managed via VLAN 3. The problem, I believe, is that this handoff between the Summit 5i and the Cisco 3560 is having IGMP querying conflicts and it's causing multicast troubles on both VLAN 3 and VLAN 6. I did set up the port as protected, blocked "unknown" unicast and multicast traffic and issued a no ip igmp snooping vlan 3. But still having troubles.
    I am using IGMP v2 and source filtering is not available until v3 so I am not sure how to block ALL IGMP traffic to try and help isolate this as 2 separate networks but still being managed on the same.
    Any help is greatly appreciated...
    Regards,
    Robert

    You can try this and control the IGMP queries on a given interface.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swmcast.htm#wp1177268
    To disable groups on an interface, use the no ip igmp access-group interface configuration command.
    This example shows how to configure hosts attached to a port as able to join only group 255.2.2.2:
    Switch(config)# access-list 1 permit 255.2.2.2 0.0.0.0
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# ip igmp access-group 1
    HTH-Cheers,
    Swaroop

  • Help troubleshoot sip traffic

    Hello,
    I have a problem with a small IP telephony system (SIP) and I'm using a Cisco 881 router as router/firewall.
    The problem is that sometimes you can not call in. It happens only occasionally and when it does our IP phone provider says that there is no response from our IP phone/switch back to them on the internet.
    We have an IP phone/switch device on our local network. When we receive calls they are first routed to our IP phone provider which then sends it to us.
    It can work 20 times and then it is a call that can not get to us.
    How should I start debugging? Is there any logging for SIP traffic so I can send logs to a syslog server?
    Thanks for any suggestions.

    So if I was troubleshooting this, the first question I would ask would be: is this a new setup or something that was working fine and is now having problems?
    If it's a new setup, post the configs and strip out passwords.
    If it was working and you now have problems, start running debugs to see if you can isolate the issue.
    SIP Debug Commands that Support Output Filtering
    debug ccsip all
    debug ccsip calls
    debug ccsip events
    debug ccsip messages
    debug ccsip preauth
    debug ccsip states

  • Block / Deny ICMP Traffic cisco asa 5512-x

    Hi expert,
    I have a Cisco ASA 5512-X configured as firewall and SSL VPN.
    My customer wants to block/deny ICMP traffic from the outside interface without blocking anything.
    I've configured from the CLI:
    icmp deny any outside
    but from outside they can't open the SSL VPN URL and ASDM.

    Hi,
    Access for the Anyconnect/ASDM does not depend on the ICMP permit/deny commands on the ASA device.
    If you want to block the Pings to the ASA interface use the command:-
    icmp deny any outside etc.
    What do you mean by "i can ping from outside."? Please explain.
    Thanks and Regards,
    Vibhor Amrodia

  • RV110W Blocks all inbound traffic

    I have a RV110W that's been in service since Dec 2012. Everything is working fine except every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (pwr off/on) everything works correctly for the next month or so and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly. Anybody seen this before?

    Hi David,
    Please call the Small Business Support Center and speak with an engineer. The phone numbers for the support center is located here: https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport
    twitter: CiscoSBsupport

  • Block all incoming traffic and Active FTP

    Will setting the firewall to Block all incoming traffic break Active FTP Connections?
    The firewall will normally dynamically create exceptions for the Connection using the Application Layer Gateway, but will the profile override these?

    Hi TribleTrouble,
    Do you have any issue about FTP active mode?
    If the clients are part of your domain, push the FTP firewall rules via GPO to your clients allowing FTP inbound sockets
    netsh advfirewall firewall add rule name="File Transfer Program" protocol=TCP profile=domain Program=C:\Windows\System32\ftp.exe dir=in action=allow
    netsh advfirewall firewall add rule name="File Transfer Program" protocol=UDP profile=domain Program=C:\Windows\System32\ftp.exe dir=in action=allow
    For Windows 7, the entire networking stack was rewritten and several security measures were taken to further secure Windows.
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Blocking all ipv6 traffic

    Good morning -  I have an issue that has happened twice - and I need some advice.  I have a 4506 running version 12.2(46)SG. We recently encountered an issue where I BELIEVE the issue to be IPV6 sending out a broadcast storm, and completely flooded the core switch  - bad enough that I couldn't even console into the device.  After removing all connections that were plugged in when the switch went down.  After everything was back up, we found that it was a laptop with ipv6 enabled - exactly the same scenario as last time.  What we found after the first incident was that a faulty NIC driver caused the ipv6 broadcast storm.
    At any rate, as we do not use IPv6 for anything at all, I want to block all IPv6 traffic.  I know there are different ways to do it, but I'm reaching out to see what ideas you may have also...
    Thx in advance for any input!

    Joel,
    If VACLs with IPv6 ACLs are supported on your platform then I would probably use VACLs, as they allow a filter to be applied flatly to the entire VLAN. Your other option would be to configure per-port ACLs, which is cumbersome and bloats the configuration unnecessarily.
    With IPv6 ACLs, be sure to block ICMPv6 explicitly. As far as I remember, some ICMPv6 messages are allowed even if they are not explicitly permitted in the ACL (usually the RD and ND messaging).
    If your platform allowed filtering all incoming packets by MAC ACLs, yet another way would be to use VACLs with MAC ACLs, blocking all traffic with the EtherType of 0x86DD. However, newer platforms apply MAC ACLs only to non-IP traffic so they would have no effect on frames carrying IPv6 packets. You need to consult the documentation to your device.
    In any way, VACLs would be my personal preferred choice at this point.
    Best regards,
    Peter

  • CoreSync.exe blocks all network traffic while (slowly) syncing my Creative Cloud files

    Hello folks,
    Since the latest Creative Cloud update (I'm using version 1.9.0.465 as of this writing), I've been unable to successfully sync my Creative Cloud Files folder.
    First things first, as other forum users have posted elsewhere, when the update installed itself, my Creative Cloud Files folder was moved from my chosen location to its default location (C:\Users\MyUserName) and I've been unable to put it back where I wanted it.
    However, more pressingly, I noticed that every time I booted my computer, neither my wife nor I were able to access the Internet.  After a couple days' trial and error I realized that Creative Cloud was trying (unsuccessfully) to sync about seven files (totaling about 750MB) to the cloud, and anytime the sync was actively working, my network access was completely blocked.  Even the Creative Cloud desktop app itself couldn't access the Internet to authenticate my apps or Typekit fonts.
    I have managed to get much smaller files (1MB, 5MB, up to 15MB) to sync successfully, however this takes a really long time, and no one on my network can manage to load a web page on their device until the sync is complete.
    Right now I've got syncing paused, and everything on my network is working fine.
    For some additional info, I've attached a screen grab of my Networking tab from Task Manager:
    The big spikes in that graph are me and my wife loading up tons of web content-- YouTube videos, a million tabs of who-knows-what, all acting normally.  Then I hit Resume on CC's sync operation, my activity line clamps way down, and no one can load any Internet content anywhere.  After that, I released my computer's IP address from the command prompt, at which point Creative Cloud Desktop returned a connection failure, and I quit the app.  When I renewed my IP address, I noticed our network access was still blocked, even though Creative Cloud was not running.  I traced the problem back to CoreSync.exe, which had continued running even after I'd quit Creative Cloud.  The moment I ended the CoreSync.exe process, everything was back to normal... until I restarted the Creative Cloud app, which in turn restarted CoreSync.exe.  It was only after pausing CC's sync operation that we were able to use the Internet again.
    So!  To sum up, here are my two issues:
    Syncing is entirely broken, and prevents everyone on my network from using the Internet while CC spins its wheels.
    For some reason, following the same update, I'm unable to change the location of my Creative Cloud Files folder.
    Some things I've tried:
    Uninstalling & reinstalling the Creative Cloud Desktop app-- no change
    Clearing my archived files on creative.adobe.com in case there was some weird argument happening between my live/syncing files and my archived files-- no change
    Manually adding CoreSync.exe to my Windows Firewall whitelist-- no change
    Finally, I can recreate this issue on my second computer, running the same version of Creative Cloud but running off wireless instead of Ethernet.  Same symptoms-- feed it a file to sync, and everyone's Internet access is gone until the sync operation [eventually] finishes.
    I'm completely stumped and very frustrated.  I rely heavily on CC's file syncing feature, and as it's the only cloud storage product I'm actually paying for, I'm not willing to abandon it for another service like DropBox.  I'm willing to try just about anything-- and in the meantime I'm just wishing Creative Cloud Desktop app updates weren't compulsory; the last build I'd installed here was working perfectly fine.
    My basic system specs in case it's helpful:
    Windows 7 Professional x64 SP1
    2x Intel Xeon E5-2670 @ 2.6GHz
    64GB DDR3 RAM
    nVidia Quadro 4000
    Any insights would be incredibly appreciated!  Thanks in advance.

    Heyo Dave,
    Thanks so much for your reply and suggestions.  Here's what I've discovered after some more noodling.
    I'm no networking guy, but I can't seem to find anything about my modem or router that would explain why my upstream traffic is being throttled using CC-- especially since it's all the same hardware I was using last week before I updated CC.
    In addition, I've tried test uploading a couple of files using DropBox, Google Drive, and WeTransfer.com, and neither process interrupts Internet use on my network.
    With all that said, I did go in and pull back my Transfer Speed settings in CC from Maximum to Low, and that made a big difference!  Syncing continued to work, and our other network requests were working just fine.  I managed to get my upload speed set as high as Medium; High and Maximum both kill my network within seconds of being set.
    So I'm not sure what was done to the CC application in this release to supposedly enable us to "Sync Files and Fonts faster" (from the release notes), but whatever it is, it's got my uploads capping at 100Kbps (compared to a minimum 350Kbps using Google Drive) unless no one in my home wants to check their email for the next hour.  That's a significant bummer for me, as my After Effects projects regularly swell to ~50MB toward the end of a project.
    I'd like to submit a big report here, since really the only variable at play in this situation was the Creative Cloud update.  However, unfortunately it looks like the bug report form is down...  I'll have to try again later.
    In the meantime, if there are any other suggestions for experiments I can run on this beast, I'm happy to oblige and report back in case other folks with similar issues can get some relief!
    Thanks again,
    Jared

  • Block guest mDNS traffic on business LAN

    For my company, I am running a Cisco 5508 WLC with a 4400 WLC as a guest anchor in our DMZ.  There is a guest SSID and several business SSID's for internal equipment.  Guest traffic should be tunneled out to the 4400 controller where [the client] gets its IP address and is sent out to the internet.  No internal corporate access is possible.  However, when I do a packet capture from my wired PC, I'm seeing traffic generated by different iPhones.  It appears to be mostly IPv6 mDNS or ICMPv6 traffic.  How would this traffic make it onto the corporate wired network, when it should be staying on the guest network?  None of the iPhones have been setup on the business SSIDs, so I know it isn't legit traffic.  Is there a setting in the WLC that will block this?  Will an ACL work?
    These are examples of some of the traffic that wireshark is capturing:
    349  7.794875  fe80::e77:1aff:fe3c:f81  ff02::fb  MDNS  253  Standard query response PTR, cache flush Tonyas-iPhone-2.local PTR, cache flush Tonyas-iPhone-2.local
    356  7.802667  fe80::e77:1aff:fe3c:f81  ff02::fb  MDNS  151  Standard query ANY Tonyas-iPhone-2.local, "QU" question ANY Tonyas-iPhone-2.local, "QU" question
    361  7.806964  fe80::e77:1aff:fe3c:f81  ff02::fb  MDNS  151  Standard query ANY Tonyas-iPhone-2.local, "QM" question ANY Tonyas-iPhone-2.local, "QM" question
    Both controllers are running software version 6.0.196.0.  I also have a WCS server running version 7.0.220.
    Thanks!
    Joe P.

    Well, you are asking a valid question but unfortunately I don't know the answer. I tried to find in the config guide and multicast design guide whether disabling multicast affects only L3 multicast or both L3 and L2 multicast, but I unfortunately could not find an answer.
    Just one hint came to my mind: do you have IPv6 bridging enabled under your WLAN (under the advanced tab)?
    I think it is enabled so you may try disabling it. That would possibly stop the IPv6 traffic.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html#wp1345783
    HTH
    Amjad

  • Trying to capture SIP traffic via a Network Protocol Analyzer

    Hello
    I am trying to use WireShark to capture n/w traffic.
    I'm running my OCMS instance on 127.0.0.1:5060, and am able to see the SIP msgs in the traffic.log and system.log files.
    However, the same doesn't show up in the protocol analyzer as a registered interface.
    Hence, is it possible to capture this traffic on the loopback IP?
    Furthermore, I changed my OCMS instance to my ethernet IP, since WireShark listens to it.
    However, I see that only SIP msgs sent from another box are recorded. Hence, if 2 clients talk on the same machine, the SIP msgs are not registered. Why should that be the case?
    Message was edited by:
    A.J.

    Hi A.J,
    There is no way to capture any packets on a loopback. This is a limitation of the Windows OS.
    And you can't capture network traffic within the same machine (or network interface)
    Regards,
    Juan

  • How do you block or filter traffic to udp port 192?

    We are a company trying to stay an "apple office". We use an airport express for our networking and have recently been trying to become PCI "Payment Card Industry" Compliant for our credit card terminal that uses our wireless network. A company hired by the credit card processing company is running scans on our system and we keep failing because of UDP port 192. The specific message they are sending us is:
    "Synopsis : The remote host is a wireless access point. Description : The remote host is an Airport, Airport Extreme or Airport Express wireless access point. It is possible to gather information about the remote base station (such as its connection type or connection time) by sending packets to UDP port 192. An attacker connected to this network may also use this protocol to force the base station to disconnect from the network if it is using PPPoE, thus causing a denial of service for the other users. Solution: Filter incoming traffic to this port and make sure only authorized hosts can connect to the wireless network this base station listens on."
    I have tried changing all the settings using the Airport Utility including creating a closed network; un-checking allow setup over WAN, un-checking allow SNMP; using 128 bit encryption. I looked all over apple discussions and the internet and can't find a solution. The testing company told me that I need to find out how to filter traffic to udp port 192 or block the port altogether. Any help or guidance is greatly appreciated as we keep failing these scans.

    Hi All. I am having the exact same problem with my PCI payment card industry compliance - where I will now be charged a monthly fee because I cannot alleviate this port 192 problem with my airport extreme base station. They very much consider it a security risk and won't budge. They want me to filter/block incoming traffic on this 192 port, I don't know what to do to satisfy their requirements. I have searched and read all the main discussions but, none actually offer a solution - just folks like us looking for help. I also closed network by un-allowing all options in airport utility. I also de-selected automatic date and time stamp. I would very much appreciate any possible suggestions as prefer to remain a long time loyal mac user but cannot afford the monthly fee to be imposed. There's gotta be a solution. I thought mac was ahead of the game in this (and all) areas. Thanks.

  • RV180 ALG blocks inbound sip messages

    Hi,
    I have a SIP gateway connected to the LAN side of an RV180 router which has ALG enabled.  I have no problem making and receiving calls but sometimes I see the router does not forward the 'Bye' message from the VOIP service provider to the SIP gateway.
    Attached a wireshark capture on both WAN and LAN of RV180.
         sip gateway ip: 192.168.30.100
         RV180 WAN ip: 206.108.192.53
         VOIP provider ip: 66.237.65.67 and 65.175.129.133
    In the capture, frame 4292, a 'Bye' message reaches the WAN of the RV180 but it never forwards the 'Bye' to the SIP gateway with the internal IP.
    All settings in RV180 are default with only ALG enabled.
    I tried to setup Access Rule or Port Forward but none seems to work.  Not sure if they are over-ruled by ALG?
    With ALG enabled, is it possible to have individual Access Rules?  If there are conflicts between ALG and an Access Rule, which has higher priority?

    Topic bump, as the behaviour has begun occurring again.
    My ISA550w has once again begun silently filtering inbound SIP UDP OPTIONS messages, which are used by my trunk provider to verify that my VOIP switch is alive and responding.
    As stated above, ACL rules explicitly permit the forwarding of this traffic to my VOIP switch, which resides behind the firewall.
    From time to time, and apparently for no reason at all, the firewall begins silently dropping this traffic.  No hits are recorded in the firewall logs despite the fact that logging of this traffic is turned on.
    Previously, disabling all security services appeared to deal with this.  In addition, all "attack protection" options have been turned off.
    I can see that the UDP traffic from my SIP provider is hitting the firewall and getting dropped, as it pops up in packet captures run on the WAN1 interface.  When the ISA550w is displaying this behaviour, the traffic is not forwarded to the VOIP switch.
    The only "fix," such as it is, for this product is to reset the configuration to factory defaults and then restore the set config from XML backup.
    In addition, occasionally the SSL VPN for our remote phones dies, producing timeouts on connect.  The box again needs to be reset -- albeit without uploading the config -- to fix this.
    Whatever it is, it's a bug, the type of which does not present itself on "real" IOS devices.  Once those are configured properly, they stay configured properly.
    If anyone can recommend a "real" IOS box with the same feature set as this piece of junk, I would appreciate it.  I'd also happily buy a firewall product from any competitor so long as it presents a compatible SSL VPN server capable of being accessed by the SPA525G2 phone.
    Ugh.
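The OPTIONS keepalive described above is a plain request/response exchange, so it can be checked end to end without the vendor box: this added Python example (not code from the thread or from Cisco) parses a SIP OPTIONS request and builds the 200 OK the switch behind the firewall is expected to send back. SAMPLE_OPTIONS is a constructed request using RFC 5737 documentation addresses; the user and host names in it are assumptions.

```python
"""Answer a SIP OPTIONS keepalive, as a trunk provider expects the PBX to.

Added example, not code from the thread or from Cisco. SAMPLE_OPTIONS is a
constructed request; addresses come from the RFC 5737 documentation ranges.
The reply built here is what a WAN-side capture should show leaving the site:
if the request is seen on WAN but no such reply follows, the request never
reached the switch, or its reply was not forwarded back out.
"""
import secrets

SAMPLE_OPTIONS = (
    "OPTIONS sip:pbx@203.0.113.10:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:keepalive@198.51.100.7>;tag=1928301774\r\n"
    "To: <sip:pbx@203.0.113.10>\r\n"
    "Call-ID: a84b4c76e66710@198.51.100.7\r\n"
    "CSeq: 63104 OPTIONS\r\n"
    "Contact: <sip:keepalive@198.51.100.7:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a SIP request into start line, ordered headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def header(msg, name):
    """All values of a header, in order (header names are case-insensitive)."""
    return [v for n, v in msg["headers"] if n.lower() == name.lower()]


def options_reply(req, src_ip, src_port, tag=None):
    """Build the 200 OK for an OPTIONS request (RFC 3261 sections 8.2.6 and 11.2).

    The reply copies Via, From, To, Call-ID and CSeq; To gets a tag, and the
    top Via gets received= (and rport= when the sender asked for it) so the
    reply goes back to the address and port the request really arrived from,
    which is what matters once a NAT or firewall has rewritten the source.
    """
    if req["method"] != "OPTIONS":
        raise ValueError("not an OPTIONS request: " + req["method"])
    vias = header(req, "Via")
    if not vias or len(header(req, "CSeq")) != 1:
        raise ValueError("malformed request: Via or CSeq missing")
    top = vias[0]
    if ";rport" in top and "rport=" not in top:
        top = top.replace(";rport", ";rport=%d" % src_port, 1)
    if "received=" not in top:
        top += ";received=" + src_ip
    to_value = header(req, "To")[0]
    if ";tag=" not in to_value:
        to_value += ";tag=" + (tag or secrets.token_hex(4))
    lines = ["SIP/2.0 200 OK", "Via: " + top]
    lines += ["Via: " + v for v in vias[1:]]  # further Via hops are copied unchanged
    lines += ["From: " + header(req, "From")[0],
              "To: " + to_value,
              "Call-ID: " + header(req, "Call-ID")[0],
              "CSeq: " + header(req, "CSeq")[0],
              "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE",
              "Content-Length: 0", "", ""]
    return "\r\n".join(lines)
```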

  • Blocking p2p application traffic and tunneling

    I need help.
    We have two ASAs with AIP cards, configured Active/Active, but users are using P2P and tunneling software. How can we block P2P and tunneling traffic?
    Please, anyone reply to me.
    regards

    If you are using Firewall software 12.4(9)T and above, it has integrated policies to block or rate limit p2p application traffic using dynamically updateable application definitions for newer p2p applications. KaZaA, Gnutella, BitTorrent, and eDonkey are currently supported.
    You may also see this: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00801e419a.shtml

  • Redirect / Block non https traffic

    I have a quick question. Today I setup teaming 2.0 on SLES10.
    After customizing the SuSE firewall per the instructions everything is perfect. I then cut off non-secure port 80 traffic. Looked OK. I found that the email that teaming sends out is http://server; since I killed http traffic it's now broken. I tried changing the firewall rule to FW_REDIRECT="0/0,10.0.100.100,tcp,80,8443" to see if it would just redirect the port 80 traffic to 8443 on the server - but that did not work. Is there a place I can simply change the email to link to https://server?
    Any other thoughts?
    Cool product by the way!
    Thanks
    Dennis

    Dennis,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/
