Video conferencing traffic through the ASA [EVE shares experience - the established command]_Debug All ...

Video conferencing traffic through the ASA [EVE shares experience - the established command]
===========================================================================================
Problem description:

Configuration notes
The customer's headquarters has a video conferencing server, with an ASA in between. The ASA's outside interface connects to a 7206, and the 7206 connects over SDH to the other branches. The ASA runs in routed mode, version 7.0(6); inspect H323 and rtsp are on by default. Traffic between inside users and the network behind the branch 2821 uses bypass NAT, i.e. nat (inside) 0 access-list nonat, so traffic between the inside subnet and the branch subnet is not NATed and produces no xlate entries. An access-list out permit ip any any is also applied inbound on the outside interface.

Topology
Video server---------inside-ASA-outside-----7206-------------2821-------Video server
                                                  SDH      branch router
Symptoms:
The inside video server can dial the branch video server and the call connects, but the video keeps cutting in and out, and the audio is about as bad.
The branch video server cannot dial in to the video server behind inside.

sh h323 shows the addresses of both endpoints. Could the experts advise how to handle this? I have the following options and don't know whether they are workable:

1. Use the established command on tcp 1720 to permit the returning udp range 16383-16384, and turn on inspect XDMCP
2. Turn off inspect H323 and simply open tcp 1720 and udp by hand, since the SDH link on the customer's outside side does not have strict security requirements
3. Upgrade the software version
The firewall configuration is as follows:
ASA Version 7.0(7)
!
hostname ciscoasa
domain-name sinopharmholding.com
enable password <removed>
names
dns-guard
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.16.8.3 255.255.255.0
!
interface GigabitEthernet0/1
nameif SDH
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address *.*.*.120 255.255.255.240
ospf network point-to-point non-broadcast
ospf authentication null
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
ospf network point-to-point non-broadcast
ospf authentication null
management-only
!
passwd <removed>
ftp mode passive
clock timezone CST 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network nonat
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.255.0.0
network-object 10.0.0.0 255.0.0.0
network-object 138.20.1.0 255.255.255.0
network-object 172.168.72.0 255.255.255.0
network-object 1.1.1.0 255.255.255.252
network-object 197.18.0.0 255.255.0.0
network-object host 192.167.1.3
network-object host 61.129.61.51
network-object host 61.129.61.50
network-object host 61.129.61.63
network-object 192.168.103.0 255.255.255.0
object-group service 115 tcp
port-object eq www
port-object eq smtp
port-object eq ssh
port-object eq pop3
object-group service 116 tcp
port-object eq www
port-object eq ftp
port-object eq ftp-data
port-object eq 10000
object-group service 117 tcp
port-object eq www
object-group service 121 tcp
port-object eq ftp-data
port-object eq ftp
object-group service 114 tcp
port-object eq www
access-list all extended permit ip any any
access-list nonat extended permit ip 172.16.8.0 255.255.255.0 object-group nonat
access-list nonat extended permit ip 168.1.0.0 255.255.255.0 object-group nonat
access-list nonat extended permit ip 172.16.24.0 255.255.255.0 object-group nonat
access-list jituan extended permit ip 172.16.8.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list outside extended permit tcp any host *.*.*.115 object-group 115
access-list outside extended permit tcp any host *.*.*.116 object-group 116
access-list outside extended permit tcp any host *.*.*.117 object-group 117
access-list outside extended permit tcp any host *.*.*.121 object-group 121
access-list outside extended permit tcp any host *.*.*.114 object-group 114
access-list outside extended permit ip any host *.*.*.118
access-list outside extended permit ip any host *.*.*.119
access-list outside extended permit ip any host *.*.*.122
access-list outside extended permit ip any host *.*.*.124
access-list outside extended permit tcp any host *.*.*.120 eq 46661
access-list outside extended permit udp any host *.*.*.120 eq 46661
access-list outside extended permit icmp any any
access-list split extended permit ip 168.1.0.0 255.255.0.0 any
access-list split extended permit ip 172.16.0.0 255.255.0.0 any
access-list ty1 extended permit tcp any host 172.16.8.247 eq 5900
access-list ty2 extended permit tcp any host 172.16.8.52 eq 3389
access-list liuliang extended permit ip any 168.1.0.0 255.255.252.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu SDH 1500
mtu outside 1500
mtu management 1500
ip local pool admin 172.16.18.8-172.16.18.15
ip local pool ty 172.16.4.1-172.16.4.250 mask 255.255.255.0
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.8.0 255.255.255.0
nat (inside) 1 172.16.24.0 255.255.255.0 tcp 40 40
nat (inside) 1 168.1.0.0 255.255.252.0 tcp 30 30
static (inside,outside) tcp *.*.*.115 smtp 172.16.8.13 smtp netmask 255.255.255.255
static (inside,outside) tcp *.*.*.115 www 172.16.8.13 www netmask 255.255.255.255
static (inside,outside) tcp *.*.*.115 pop3 172.16.8.13 pop3 netmask 255.255.255.255
static (inside,outside) tcp *.*.*.115 ssh 172.16.8.13 ssh netmask 255.255.255.255
static (inside,outside) tcp *.*.*.116 www 168.1.0.4 www netmask 255.255.255.255
static (inside,outside) tcp *.*.*.121 ftp 172.16.8.249 ftp netmask 255.255.255.255
static (inside,outside) tcp *.*.*.121 ftp-data 172.16.8.249 ftp-data netmask 255.255.255.255
static (inside,outside) tcp *.*.*.116 10000 168.1.0.9 10000 netmask 255.255.255.255
static (inside,outside) tcp *.*.*.121 59000 172.16.8.249 5900 netmask 255.255.255.255
static (inside,outside) tcp *.*.*.14 www 172.16.8.249 www netmask 255.255.255.255
static (inside,outside) tcp *.*.*.116 ftp 168.1.0.6 ftp netmask 255.255.255.255
static (inside,outside) tcp *.*.*.122 www 172.16.8.56 www netmask 255.255.255.255
static (inside,outside) tcp *.*.*.122 8585 172.16.8.56 8585 netmask 255.255.255.255
static (inside,outside) tcp *.*.*.117 www 172.16.8.20 www netmask 255.255.255.255
static (inside,outside) tcp *.*.*.124 www 172.16.8.54 www netmask 255.255.255.255
static (inside,outside) tcp *.*.*.116 ftp-data 168.1.0.6 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 46661 172.16.8.18 46661 netmask 255.255.255.255
static (inside,outside) udp interface 46661 172.16.8.18 46661 netmask 255.255.255.255
static (inside,SDH) 172.16.8.0 172.16.8.0 netmask 255.255.255.0
static (inside,outside) *.*.*.118 172.16.8.22 netmask 255.255.255.255
static (inside,outside) *.*.*.119 168.1.0.234 netmask 255.255.255.255
access-group all in interface SDH
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.113 1
!
router ospf 100
network 0.0.0.0 0.0.0.0 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy default internal
group-policy default attributes
wins-server value 172.16.8.11
dns-server value 172.16.8.11 202.96.209.6
webvpn
group-policy split internal
group-policy split attributes
wins-server value 172.16.8.11
dns-server value 172.16.8.11 202.96.209.6
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
webvpn
username cccp password <removed> privilege 15
username cccp attributes
group-lock value admin
webvpn
username admin password <removed>
username admin attributes
group-lock value admin
webvpn
username sunying password <removed>
username sunying attributes
vpn-filter value ty2
group-lock value ty
webvpn
username tongyu password <removed>
username tongyu attributes
vpn-filter value ty1
group-lock value ty
webvpn
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.8.0 255.255.255.0 inside
http 168.1.0.31 255.255.255.255 inside
snmp-server host inside 172.16.8.18 community sinopharm
no snmp-server location
no snmp-server contact
snmp-server community sinopharm
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set client esp-des esp-md5-hmac
crypto ipsec transform-set linksys esp-3des esp-md5-hmac
crypto dynamic-map linksys 65535 set transform-set linksys client
crypto map cisco 1 match address jituan
crypto map cisco 1 set peer 203.86.85.104
crypto map cisco 1 set transform-set linksys
crypto map cisco 65530 ipsec-isakmp dynamic linksys
crypto map cisco interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 65530 authentication pre-share
isakmp policy 65530 encryption des
isakmp policy 65530 hash md5
isakmp policy 65530 group 2
isakmp policy 65530 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 60 retry 2
tunnel-group 203.86.85.104 type ipsec-l2l
tunnel-group 203.86.85.104 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 2
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
default-group-policy split
tunnel-group admin ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 2
tunnel-group ty type ipsec-ra
tunnel-group ty general-attributes
address-pool ty
default-group-policy default
tunnel-group ty ipsec-attributes
pre-shared-key *
telnet 172.16.8.0 255.255.255.0 inside
telnet 168.1.0.31 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map liuliang
match access-list liuliang
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map liuliang
class liuliang
police 2000000
!
service-policy global_policy global
Cryptochecksum:bda08bc615af7a3165d209ad23aa3951

The video traffic passes through the interface named SDH and the inside interface.

Any other ideas?
----
Bro, have you tested with the firewall taken out of the path? Can you be sure it is the firewall's problem? Based on my earlier experience with MCUs, I suggest two approaches, not sure whether they will work:
1. Configure a STATIC for the internal video server on inside
2. Configure the firewall in transparent mode.
If the ASA is only doing traffic defense, stateful inspection and packet inspection, transparent mode is fine.
----
1. Without the ASA it works fine; right now there is no ASA in the path and they are using it that way. Also, Cisco's documentation clearly states that H323 does not allow static NAT.
2. Transparent mode cannot do VPN, and there are remote-access VPN and SSL VPN on this box.
--------------
Resolution:
Brief description of the symptom
The headquarters video system can dial the branch, but the branch video conferencing system cannot dial in to headquarters; there is neither video nor audio.

Sharing the troubleshooting process here
1. First, note that the ASA 5540 runs version 7.0(7); by default the video traffic, which is H323, cannot get through the ASA.
2. sh h323 ras shows the addresses of the gatekeeper and the client; show service-policy global shows 21 drops in the H323 section, not a large number.
3. Simply turning off inspect h323 had no effect, and hanging a permit ip any any list inbound on outside had no effect either.

Solution
Since I had turned off inspect H323, the ports have to be opened dynamically by hand, so I used the following commands
1. established TCP 1720 0 permitto UDP 16384 32767 permitfrom UDP 16384 32767
2. Turn on inspect XDMCP
In the end two-way video worked. The underlying reason is a long story; I will write it up when I get a chance.

Summary: I wonder whether this is a 7.0(7) bug. I think the ASA should not need anything done for H323 to pass, since it has inspect H323. Another customer's ASA 5520 in transparent mode likewise could not pass video conferencing, and in the end that ASA has sat idle because nobody dares to use it (the customer takes this very seriously). I have also found plenty of other problems with the ASA; for example, an ASA 5520 (7.2) in transparent mode at 1000M drops packets badly (the same problem at two customers), and I do not know whether 8.0 improves this. And today that 7.0(7) ASA misbehaved again: the outside suddenly could not reach the internal servers. I am about to go crazy; all the strange things happen to me. Hope the TAC folks can help.

Follow-up: explanation of the principle behind video conferencing traffic through the ASA
The ASA/PIX series has had an inspection engine since 6.3. What the inspection engine does:
1. Dynamically allocates connection resources through negotiation, automatically creating conn, xlate and ACL entries
2. Monitors certain application-layer commands (security protection)

First let me explain the ASA/PIX processing flow
When a packet arrives at the ASA and requests a connection, the ASA checks its own ACL. If the connection is permitted, it creates a connection entry (CONNECT). The ASA process then looks up its inspection database to determine whether this connection needs special handling, the application inspection applies the necessary fixups to the packet, and the packet is then forwarded to the destination. Once the session is established, the ASA forwards subsequent packets that it recognizes as belonging to this session.

Take FTP, for example. FTP is a rather special application: it uses 21 as the destination port, but the reply uses a random port number
client--------in-ASA-out-------ftp server
1. The client connects to the server on tcp port 21. This is the first channel, used for user authentication and for listing (what files there are). The first channel also carries the PORT field, which tells the server what address to connect back to and on which port (this port number is generated randomly by the client)
2. The second channel is initiated by the server. But since the destination port of the inbound traffic is the random port the inside client told the ftp server, and the inbound list we usually configure on outside only opens well-known ports, the traffic to this random destination port cannot enter the internal network and is dropped. This is why FTP cannot pass through the ASA

Solution
Cisco uses inspect ftp in 7.X to solve this. The principle is that when the client tells the server which address and port to connect back to, the ASA watches this request through layer-7 inspection, so the ASA can see the random port generated by the inside client and permit the returning traffic


eve's solution
Because inspect H323 in 7.0(6) had some problem that kept the returning traffic from passing through the ASA, it had to be handled by hand
1. Since I turned off inspect H323, the ports have to be opened dynamically by hand, so I used the following command
established TCP 1720 0 permitto UDP 16384 32767 permitfrom UDP 16384 32767 ------ (the 0 in it means any)
Meaning of the command: when traffic goes out from any source to destination port 1720, permit the returning udp ports 16384-32767

Meaning of the command: dynamically opening ports
established A B C permitto D E permitfrom D F
With protocol A (TCP|UDP), destination port B and source port C on the outbound connection, returning traffic with protocol D (TCP|UDP), destination port E and source port F is permitted back
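To make the two mechanisms in this thread concrete (the FTP PORT case handled by inspection, and the generic established A B C permitto D E permitfrom D F rule), here is an added example that is not from the thread or from Cisco: a toy Python model of an ASA-style stateful decision for packets arriving on outside. The class names (Firewall, Flow, EstablishedRule), the demo functions and all addresses, ports and payloads are constructed for illustration; the model follows the semantics the thread describes, not the real ASA implementation.

```python
import re
from dataclasses import dataclass

# Added example (not from the thread or Cisco): a toy model of how an
# ASA-style stateful firewall decides whether an inbound packet on the
# outside interface is allowed. It models the two mechanisms discussed:
#   1. application inspection (inspect ftp reading the PORT command), and
#   2. the port-independent `established` rule used in the thread.
# Addresses, ports and payloads below are constructed for illustration.

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class EstablishedRule:
    """established A B C permitto D E permitfrom D F, as in the thread.
    A port of 0 means any; ranges are inclusive (lo, hi)."""
    proto: str
    dport: int
    sport: int
    ret_proto: str
    permitto: tuple
    permitfrom: tuple

def in_range(port: int, rng: tuple) -> bool:
    lo, hi = rng
    return lo <= port <= hi

class Firewall:
    def __init__(self, static_tcp_ports=(), rules=(), inspect_ftp=False):
        self.static_tcp_ports = set(static_tcp_ports)  # what the outside ACL permits statically
        self.rules = list(rules)
        self.inspect_ftp = inspect_ftp
        self.conns = []          # outbound connections seen (the conn table)
        self.pinholes = set()    # return flows opened by inspection

    def outbound(self, flow: Flow, payload: bytes = b"") -> None:
        """Record an inside->outside connection; inspect FTP control data if enabled."""
        self.conns.append(flow)
        if self.inspect_ftp and flow.proto == "tcp" and flow.dport == 21:
            m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
            if m:
                h = [int(x) for x in m.groups()]
                data_port = h[4] * 256 + h[5]
                # The server will connect from port 20 to the client's announced port.
                self.pinholes.add(Flow("tcp", flow.dst, 20, ".".join(map(str, h[:4])), data_port))

    def inbound(self, flow: Flow) -> str:
        """Decide on an outside->inside packet: 'permit' or 'drop'."""
        if flow.proto == "tcp" and flow.dport in self.static_tcp_ports:
            return "permit"                      # static outside ACL entry
        if flow in self.pinholes:
            return "permit"                      # pinhole opened by inspection
        for r in self.rules:
            for c in self.conns:
                if (c.proto == r.proto and c.dport == r.dport
                        and (r.sport == 0 or c.sport == r.sport)
                        and c.dst == flow.src and c.src == flow.dst
                        and flow.proto == r.ret_proto
                        and in_range(flow.dport, r.permitto)
                        and in_range(flow.sport, r.permitfrom)):
                    return "permit"              # return flow allowed by established
        return "drop"

# The rule from the thread: established TCP 1720 0 permitto UDP 16384 32767 permitfrom UDP 16384 32767
H323_RULE = EstablishedRule("tcp", 1720, 0, "udp", (16384, 32767), (16384, 32767))

def rtcp_port_for(rtp_port: int) -> int:
    """RTP uses an even port in 16384-32767; RTCP is the next (odd) port, as the thread explains."""
    if not (16384 <= rtp_port <= 32767 and rtp_port % 2 == 0):
        raise ValueError("not an RTP port in the expected range")
    return rtp_port + 1

def demo_h323(with_rule: bool) -> tuple:
    fw = Firewall(rules=[H323_RULE] if with_rule else [])
    # Constructed: inside endpoint calls the branch endpoint on H.225 (tcp/1720)
    fw.outbound(Flow("tcp", "172.16.8.100", 40000, "192.168.103.10", 1720))
    media = fw.inbound(Flow("udp", "192.168.103.10", 20000, "172.16.8.100", 16384))
    stranger = fw.inbound(Flow("udp", "192.168.103.99", 20000, "172.16.8.100", 16384))
    wrong_port = fw.inbound(Flow("udp", "192.168.103.10", 20000, "172.16.8.100", 5000))
    return media, stranger, wrong_port

def demo_ftp(with_inspect: bool) -> str:
    fw = Firewall(static_tcp_ports={80}, inspect_ftp=with_inspect)
    fw.outbound(Flow("tcp", "172.16.8.50", 50000, "192.168.103.20", 21),
                payload=b"PORT 172,16,8,50,200,10\r\n")  # announces port 200*256+10 = 51210
    return fw.inbound(Flow("tcp", "192.168.103.20", 20, "172.16.8.50", 51210))

if __name__ == "__main__":
    print("H.323 media without established:", demo_h323(False))
    print("H.323 media with established:   ", demo_h323(True))
    print("FTP data without inspect:", demo_ftp(False), "| with inspect:", demo_ftp(True))
```

The point of the comparison is the scope of each mechanism: inspect ftp opens exactly the one return flow it read from the PORT command, whereas established opens a whole UDP range back to the inside host for every peer it has an outbound tcp/1720 connection with, which is why the thread calls it a fallback for protocols the inspection engine does not understand.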


2. Turn on inspect XDMCP
The established command needs this enabled for support; it is actually on by default, I just mention it here

Why udp 16384 32767
Answer: H323 uses H225 on TCP 1720 to set up the initial TCP connection, then uses H.225 to negotiate the UDP ports the RTP stream will eventually use (the RTP port numbers are negotiated). The RTP port is an even port in 16384-32767, and that port +1, the odd one, is used by RTCP, so this range of ports must be permitted back

After adding the command above, H323 worked. In theory the ASA should let H323 through without any configuration, so it is probably a bug. But one thing: the ASA's inspection engine supports only a limited set of protocols, so if you run into a protocol at a customer that the ASA does not support, and that protocol happens to negotiate many port numbers, this command is exactly what is useful. ^_^ Cisco left itself a way out; I find it quite practical, so I am sharing it here. My hand is sore, I will stop typing; if you have questions, keep asking in the thread.


