
Thread: Jitter using Cisco 5505 Firewall

  1. #1

    Jitter using Cisco 5505 Firewall

    Hiya folks, hope you're all well. Has anyone experience of sitting an Epygi behind a Cisco 5505 firewall?

    I freaked my client out by showing him the constant Chinese IP registration attempts and he's insisting on a Cisco Firewall. Another party is putting the Firewall in but our first attempts resulted in serious Jitter (+50%) on every call. The Firewall is using SPI to create 'pinholes' - the traffic is succeeding but Variation Delay goes to over a second (traced via Wireshark). I've turned off the firewall and IDS, but left NAT on as I have different private networks on the Epygi LAN & WAN.

    It's odd as the Cisco has pretty recent firmware and seemed straightforward to set up. I've enclosed the build if anyone has any ideas...

    The only thing I can think of is that there are incorrect SIP timers?!?

    Cheers Andy


    ASA Version 8.2(1)
    !
    hostname ciscoasa
    enable password ********** encrypted
    passwd *********** encrypted
    names
    name 192.168.1.1 pi-wh-fw1 description pi-wh-fw1
    name ***.***.***.*** xxxxxx description Legacy SIP gateway
    name ***.***.***.*** sip.voip-unlimited.net description Current SIP gateway
    name 10.0.2.42 epygi description epygi VoIP Server
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.2.2 255.255.255.0
    !
    interface Vlan2
    description Company Name VoIP 2 Bonded ASDL
    nameif outside
    security-level 0
    ip address 94.***.***.*** 255.255.255.248
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    object-group network SIP-Gateway-Peers
    description Group of known SIP gateway peers
    network-object host nebbiu
    network-object host sip.voip-unlimited.net
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service SIP-RTP tcp-udp
    description SIP RTP ports as provided by Andy
    port-object range 6000 6099
    object-group service SIP2 tcp-udp
    description Potential SIP port in use as requested by Andy
    port-object eq 5061
    access-list outside_access_in remark SIP Gateway peers firewall ACL
    access-list outside_access_in extended permit object-group TCPUDP any interface outside eq sip log
    access-list outside_access_in extended permit object-group TCPUDP any interface outside object-group SIP-RTP log
    access-list outside_access_in extended permit object-group TCPUDP any interface outside object-group SIP2 log
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface sip epygi sip netmask 255.255.255.255
    static (inside,outside) udp interface sip epygi sip netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 94.***.***.*** 1
    route inside 10.0.2.0 255.255.255.0 10.0.2.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 10.0.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 10.0.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 10.0.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcprelay server pi-wh-fw1 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username david password ********** encrypted privilege 15
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect sip
    !
    prompt hostname context
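
The "Variation Delay" figure above is what Wireshark's RTP stream analysis calls jitter: the RFC 3550 running interarrival-jitter estimate, with the raw per-packet delta alongside it. The script below is an added example, not code from this thread, from Epygi or from Cisco; it reproduces that calculation over RTP packets so the numbers can be checked outside Wireshark. It assumes an 8 kHz RTP clock with 20 ms packetisation (G.711-style), the packets are constructed inline, and the "stall" case is a hypothetical model of a stateful device holding a media flow for a second and then flushing the backlog, not a claim about what the ASA does.

```python
"""Added example: RFC 3550 interarrival jitter for an RTP stream.

Not from the thread, Epygi or Cisco.  Packets are constructed inline; the
clock rate and packetisation below are assumptions (G.711, 20 ms ptime).
"""
import struct

RTP_CLOCK_HZ = 8000                      # assumed codec clock (G.711)
PTIME_S = 0.020                          # assumed 20 ms packetisation
TS_STEP = int(RTP_CLOCK_HZ * PTIME_S)    # 160 samples per packet


def parse_rtp_header(pkt: bytes):
    """Return (seq, timestamp, ssrc, payload_type) from the fixed 12-byte RTP header."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    return seq, ts, ssrc, b1 & 0x7F


def interarrival_jitter(packets, clock_hz=RTP_CLOCK_HZ):
    """RFC 3550 section 6.4.1 over (arrival_time_s, rtp_bytes) pairs in capture order.

    D(i,j) = (Rj - Ri) - (Sj - Si)   transit-time difference in RTP clock ticks
    J      = J + (|D| - J) / 16      running jitter estimate (what Wireshark shows)

    Returns packet count, largest arrival gap, largest |D|, peak and final J, in ms.
    """
    prev_arrival = prev_ts = None
    jitter = peak_jitter = peak_delta = peak_gap = 0.0
    count = 0
    for arrival, raw in packets:
        _seq, ts, _ssrc, _pt = parse_rtp_header(raw)
        if prev_arrival is not None:
            ts_delta = (ts - prev_ts) & 0xFFFFFFFF          # 32-bit timestamp wrap
            gap = arrival - prev_arrival
            delta = abs(gap * clock_hz - ts_delta)
            jitter += (delta - jitter) / 16.0
            peak_gap = max(peak_gap, gap)
            peak_delta = max(peak_delta, delta)
            peak_jitter = max(peak_jitter, jitter)
        prev_arrival, prev_ts = arrival, ts
        count += 1
    tick_ms = 1000.0 / clock_hz
    return {
        "count": count,
        "max_gap_ms": peak_gap * 1000.0,
        "max_delta_ms": peak_delta * tick_ms,
        "peak_jitter_ms": peak_jitter * tick_ms,
        "final_jitter_ms": jitter * tick_ms,
    }


def make_rtp(seq, ts, ssrc=0x12345678, pt=0, payload_len=160):
    """Constructed RTP v2 packet: no padding, extension or CSRCs, dummy payload."""
    header = struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc)
    return header + b"\xff" * payload_len


def constructed_stream(n=100, stall_at=None, stall_s=1.0):
    """n packets sent every 20 ms.  If stall_at is set, model a hypothetical
    device that holds the flow from packet `stall_at` for `stall_s` seconds and
    then releases the backlog in one burst; later packets arrive on schedule."""
    out = []
    for i in range(n):
        arrival = i * PTIME_S
        if stall_at is not None and i >= stall_at:
            arrival = max(arrival, stall_at * PTIME_S + stall_s)
        out.append((arrival, make_rtp(seq=i, ts=i * TS_STEP)))
    return out


if __name__ == "__main__":
    for label, stream in (("clean", constructed_stream()),
                          ("1 s stall", constructed_stream(stall_at=25))):
        r = interarrival_jitter(stream)
        print(f"{label:10s} max gap {r['max_gap_ms']:8.1f} ms  "
              f"max |D| {r['max_delta_ms']:8.1f} ms  "
              f"peak jitter {r['peak_jitter_ms']:6.1f} ms")
```

On the clean stream every term is zero; with the modelled one-second hold the arrival gap is 1020 ms, |D| peaks at 1000 ms and the RFC estimate peaks at 62.5 ms (1000/16) before decaying, which is why a single stall shows up far more clearly in Wireshark's max-delta column than in its jitter column. To run it against a real capture, feed it the frame time and UDP payload of each RTP packet from one SSRC in capture order.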

  2. #2


    Andy, tell them to stop being so aggressive on the firewall, tell them that traffic from the IP address of the ITSP and your Quadro is a-ok. Lock SIP and RTP traffic down to those IPs only; where a user needs to use remote telephone connectivity, tell them they can only do so via VPN, and leave it at that.

    just my thoughts mate


    Regards

    Kev

  3. #3


    Kev,
    I started off down this track, only allowing SIP traffic originating from my ITSP, sip.voip-unlimited.net. Problem was the call traffic didn't come from one source but had the source IPs of the users' IP PBX kit and addresses of other ITSPs.

    Andy
