Welcome to ISAserver.org
Unable to create Access Rule for UDP 5060
Unable to create Access Rule for UDP 5060 - 18.Oct.2005 12:01:00 PM
lmray
Posts: 7
Joined: 18.Oct.2005
Status: offline
Hi, I've been trying to create an access rule for UDP 5060 (SIP) traffic. I've defined 4 sip protocols Send/Send-Receive/Receive/Receive-Send and have captured the inbound traffic from my soft switch showing that I am getting 4 UDP send packets on port 5060. I've created an access rule to allow that traffic from the source IP to an IP on my back network. ISA is blocking the traffic but I can't determine why. Netmons on the back interface verify that the traffic is not getting through. Any thoughts?
RE: Unable to create Access Rule for UDP 5060 - 18.Oct.2005 2:24:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
It could be due to ISA's Connection Limits - the SIP phones seem to generate a flood of traffic causing ISA to drop it as a safeguard. In the Logging entry that shows the traffic getting denied, go into the View menu and select Add/Remove Columns and add the "Result Code" entry (you might move it to the top of the right hand list).
If you see something like CONNECTION_LIMIT_EXCEEDED, go into Configuration\General\Define Connection Limits and add a custom entry for this IP address.
RE: Unable to create Access Rule for UDP 5060 - 18.Oct.2005 2:43:00 PM
lmray
Posts: 7
Joined: 18.Oct.2005
Status: offline
Hi, unfortunately that does not seem to be it. The switch is only sending four packets before it gives up.
RE: Unable to create Access Rule for UDP 5060 - 18.Oct.2005 3:49:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
In the Monitoring\Logging, add an entry for Client IP Equals SwitchIP and see what ISA is doing with the traffic - either hitting the Default Rule or some other safeguard.
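The log triage suggested in the two replies above (filter on the client IP, then look at the rule and the Result Code column) can be done offline against an exported firewall log. The script below is an added example and is not from the thread or from ISA Server: the tab-separated log lines, their field set and all addresses are constructed for the example, loosely modelled on a W3C-style firewall log, so the field names are assumptions rather than ISA's exact export format.

```python
"""Triage of firewall log lines: filter by client IP and summarise which
rule acted on the traffic and which result code was recorded.

Everything below is constructed for this example (addresses, field set,
rule names); it is modelled on a W3C-style tab-separated firewall log."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Assumed field set; a real export declares its own "#Fields:" header,
# which parse_log() honours when present.
DEFAULT_FIELDS = ["date", "time", "client-ip", "destination-ip",
                  "destination-port", "protocol", "action", "rule", "result-code"]

# Constructed sample: four UDP 5060 attempts from a soft switch that hit the
# Default rule, two drops from another host with a connection-limit result
# code, and one allowed web connection for contrast.
SAMPLE_ROWS = [
    ("2005-10-18", "12:00:01", "203.0.113.10", "10.0.0.25", "5060", "UDP", "Denied", "Default rule", "-"),
    ("2005-10-18", "12:00:02", "203.0.113.10", "10.0.0.25", "5060", "UDP", "Denied", "Default rule", "-"),
    ("2005-10-18", "12:00:03", "203.0.113.10", "10.0.0.25", "5060", "UDP", "Denied", "Default rule", "-"),
    ("2005-10-18", "12:00:04", "203.0.113.10", "10.0.0.25", "5060", "UDP", "Denied", "Default rule", "-"),
    ("2005-10-18", "12:00:05", "198.51.100.7", "10.0.0.25", "5060", "UDP", "Denied", "-", "CONNECTION_LIMIT_EXCEEDED"),
    ("2005-10-18", "12:00:06", "198.51.100.7", "10.0.0.25", "5060", "UDP", "Denied", "-", "CONNECTION_LIMIT_EXCEEDED"),
    ("2005-10-18", "12:00:07", "10.0.0.40", "192.0.2.80", "80", "TCP", "Allowed", "Web access", "-"),
]
SAMPLE_LOG = ("#Fields: " + " ".join(DEFAULT_FIELDS) + "\n"
              + "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn a tab-separated log with an optional '#Fields:' header into dicts."""
    fields = list(DEFAULT_FIELDS)
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directive lines (version, date, ...)
            continue
        values = line.split("\t")
        if len(values) != len(fields):    # malformed row: skip rather than misalign
            continue
        records.append(dict(zip(fields, values)))
    return records


def summarise(records: Iterable[Dict[str, str]], client_ip: str) -> Counter:
    """Count (action, rule, result-code) triples for one client IP.

    This is the same view as filtering the ISA log viewer on
    'Client IP Equals <ip>' with the Result Code column added."""
    counts: Counter = Counter()
    for rec in records:
        if rec.get("client-ip") == client_ip:
            counts[(rec.get("action", "-"), rec.get("rule", "-"),
                    rec.get("result-code", "-"))] += 1
    return counts


def top_reason(records: Iterable[Dict[str, str]], client_ip: str) -> Tuple[str, str, str]:
    """Most frequent (action, rule, result-code) for the client, or a '-' triple."""
    counts = summarise(records, client_ip)
    if not counts:
        return ("-", "-", "-")
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip in ("203.0.113.10", "198.51.100.7"):
        for (action, rule, code), n in summarise(recs, ip).items():
            print(f"{ip}: {n} x {action} by '{rule}' (result code {code})")
```

A client whose top reason is `Denied` by `Default rule` with no result code has no rule allowing the flow at all, which is a different problem from a safeguard such as a connection limit, where the result code names the safeguard and the rule column is empty.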
RE: Unable to create Access Rule for UDP 5060 - 18.Oct.2005 6:05:00 PM
lmray
Posts: 7
Joined: 18.Oct.2005
Status: offline
It is hitting the default rule. My access rule specifies the source and destination computers and the protocol (UDP 5060 Send) but it still is being blocked by the default rule.
RE: Unable to create Access Rule for UDP 5060 - 18.Oct.2005 6:15:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Wait a sec...
> I've created an access rule to allow that traffic from the source IP to an IP on my back network
Is the switch on the External side and the host you're sending this to on the Internal network?
If so, what Network Rule do you have in place for Internal to External?
If it's NAT, then you can't use an Access Rule to allow this traffic - you need to use a Server Publishing Rule.
RE: Unable to create Access Rule for UDP 5060 - 18.Oct.2005 9:06:00 PM
lmray
Posts: 7
Joined: 18.Oct.2005
Status: offline
Correct, the switch is on the external side and there is a network rule routing external to internal without NAT.
RE: Unable to create Access Rule for UDP 5060 - 18.Oct.2005 9:08:00 PM
lmray
Posts: 7
Joined: 18.Oct.2005
Status: offline
I have not put a rule in place for internal to external yet because I have not gotten the inbound traffic to pass yet. I was planning to create an internal to external network rule just for the switch destination without NAT.
RE: Unable to create Access Rule for UDP 5060 - 18.Oct.2005 10:00:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
What is the rule for Internal to External though?
RE: Unable to create Access Rule for UDP 5060 - 18.Oct.2005 10:10:00 PM
lmray
Posts: 7
Joined: 18.Oct.2005
Status: offline
There is a NAT internal to external network rule in place to support outbound web proxy at the moment.
RE: Unable to create Access Rule for UDP 5060 - 19.Oct.2005 8:07:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
These 2 rules conflict - you can't have a Route from External to Internal and a NAT from Internal to External.
You need to delete the External to Internal = Route Network Rule, and then use a Server Publishing Rule and use the protocol you created for UDP 5060 Receive-Send. [ October 19, 2005, 08:08 AM: Message edited by: ClintD ]
RE: Unable to create Access Rule for UDP 5060 - 19.Oct.2005 10:52:00 AM
lmray
Posts: 7
Joined: 18.Oct.2005
Status: offline
It is desirable for us to retain the internal address for this SIP traffic. Can I define a more restrictive NAT rule that does not include the server in question?
RE: Unable to create Access Rule for UDP 5060 - 19.Oct.2005 11:32:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
It's possible to create a Network Rule for that server to Route to Internal (Network Rule From=Computer To=Internal Relationship=Route) - you can paint yourself into a corner pretty quick with these types of exemptions, but as long as you remember it, you'll be fine. Also, make sure it's listed before the Internal to External NAT rule.
An Access Rule should be allowed then.
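The thread turns on how ISA picks the network relationship for a flow: network rules are evaluated in order, a Route relationship covers both directions, and traffic entering a NATed network can only be allowed by a Server Publishing Rule rather than an Access Rule. The model below is an added example, not the thread's configuration or ISA's own code; the Internal range, the switch and SIP server addresses, and the rule names are constructed, and the first-match/reverse-match behaviour is a simplified reading of ISA's network-rule evaluation. It reproduces the three configurations discussed: NAT only, the Computer-to-Internal Route exemption listed before the NAT rule, and the same exemption listed after it.

```python
"""Toy model of ISA Server network-rule evaluation (first match wins).

Constructed for this example: the Internal range, both host addresses and
the rule names. Matching semantics are a simplification of ISA's behaviour:
each rule is tried in order, first forward (source->destination) and then
with its networks swapped (the reply direction)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]   # constructed Internal network
SIP_SWITCH = "203.0.113.10"   # external soft switch (constructed address)
SIP_SERVER = "10.0.0.25"      # internal host that should receive UDP 5060 (constructed)


@dataclass(frozen=True)
class NetworkRule:
    name: str
    source: str        # "Internal", "External", or one IP (a Computer element)
    destination: str
    relationship: str  # "Route" or "NAT"


def is_member(ip: str, network: str) -> bool:
    """Membership in a named network element; External is modelled as 'not Internal'."""
    addr = ipaddress.ip_address(ip)
    if network == "Internal":
        return any(addr in r for r in INTERNAL_RANGES)
    if network == "External":
        return not is_member(ip, "Internal")
    return addr == ipaddress.ip_address(network)      # Computer element


def first_match(src: str, dst: str, rules: List[NetworkRule]) -> Optional[Tuple[str, str, str]]:
    """Return (rule name, relationship, 'forward'|'reverse') for the first rule
    whose networks cover the pair, or None when no network rule applies."""
    for rule in rules:
        if is_member(src, rule.source) and is_member(dst, rule.destination):
            return rule.name, rule.relationship, "forward"
        if is_member(src, rule.destination) and is_member(dst, rule.source):
            return rule.name, rule.relationship, "reverse"
    return None


def required_rule_type(src: str, dst: str, rules: List[NetworkRule]) -> str:
    """Which firewall-policy rule can allow src->dst under these network rules."""
    match = first_match(src, dst, rules)
    if match is None:
        return "no network rule: traffic is denied by the Default rule"
    _, relationship, direction = match
    if relationship == "Route" or direction == "forward":
        return "Access Rule"                 # routed, or leaving the NATed network
    return "Server Publishing Rule"          # entering a NATed network


# The configurations discussed in the thread (names constructed)
NAT_INTERNET = NetworkRule("Internet Access", "Internal", "External", "NAT")
SWITCH_ROUTE = NetworkRule("SIP switch route", SIP_SWITCH, "Internal", "Route")

RULES_ONLY_NAT = [NAT_INTERNET]                       # what lmray has for web proxy
RULES_EXEMPTION_FIRST = [SWITCH_ROUTE, NAT_INTERNET]  # ClintD's final suggestion
RULES_EXEMPTION_LAST = [NAT_INTERNET, SWITCH_ROUTE]   # same rules, wrong order


def report(rules: List[NetworkRule]) -> Tuple[str, str]:
    """(inbound switch->server, outbound server->switch) rule types."""
    return (required_rule_type(SIP_SWITCH, SIP_SERVER, rules),
            required_rule_type(SIP_SERVER, SIP_SWITCH, rules))


if __name__ == "__main__":
    for label, rules in [("NAT only", RULES_ONLY_NAT),
                         ("Route exemption first", RULES_EXEMPTION_FIRST),
                         ("Route exemption last", RULES_EXEMPTION_LAST)]:
        inbound, outbound = report(rules)
        print(f"{label:22} inbound: {inbound}; outbound: {outbound}")
```

With the exemption listed after the NAT rule, the inbound SIP flow is claimed by the NAT rule's reverse direction before the Route rule is ever consulted, so an Access Rule still cannot pass it; that is the ordering point in the last reply. Other external hosts are unaffected by the exemption and still need publishing rules for inbound traffic.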