The Firewall Traversal concept was always my challenge to demystify it with a simple words by looking inside the packet.
Because I never get a real example.
This article I wrote below, show you how the Firewall Traversal Concept works, and how it is possible to bypass the stateful function of ASA firewall to initiate inbound calls, in other words, connection initiated from lower security level to higher security with the integration of the Cisco Expressway series, using wireshark to show how the SIP invite are proxied through the Cisco Expressway Core and Edge, and very important the correspondance between the Firewall Traversal Connection established between the Cisco Expressway-C and Cisco Expressway-E, and the connection table of the ASA Firewall (we can display it using the show conn command).
I want to show you how th magic happens in real scenario, how a call initiated from outside to inside appears for the ASA as a PSEUDO return traffic for a connection initiated from inside (which is the Firewall Traversal Connection that corresponds to the entry in the connection table’s ASA)
By default, the firewall ASA allows connection initiated from higher security level to lower security level, the return traffic is allowed based on the connection table built from the first request. But the traffic initiated from a lower security level to higher security leve is blocked because it is initiated from an untrusted network or zone. This connection table can be displayed using the show conn command. The connection table is the basis of the Stateful Firewall.
In this scenario, if a call is initiated from the outside zone, in other words a lower security level 0 to DMZ with a higher security level 50, the call is blocked at the ASA-E ‘s perspective.
The Expressway series will allow the call through the Expressway-E located in the DMZ which is reachable through Internet using a static NAT configured on ASA-E.
Once the call arrives at the Expressway-E’s perspective, there is a problematic, as mentioned previously, when a call is initiated from a lower security level (in this case DMZ 50) to higher security level (in this case INSIDE 100), the call cannot be routed out to Inside zone.
The solution of this problematic for IP telephony is the firewall traversal feature or function between Expressway-C and Expressway-E, the firewall traversal connection is permanently established and maintained using keeplive between Expressway-C and Expressway-E
Cisco Expressway-E acts as a firewall traversal server while the Cisco Expressway-C acts as a firewall traversal client.
Once a traversal zone is configured between Cisco Expressway-C and Cisco Expressway-E. The firewall traversal connection is established through TLS, the Expressway-C as a client located in the Inside zone initiates the firewall traversal connection to the Expressway-E located in the DMZ zone, since this connection is coming from a higher security level to a lower security level, the ASA-C upon receiving this connection build an entry in the connection table.
Below we can see that the status of the Firewall traversal connection is Active on Cisco Expressway-C 10.1.5.20, this connection is established with the Cisco Expressway-E 172.16.1.21 with TCP port 7001, this is the destination port of the Cisco Expressway-E.
Below the Cisco Expressway-E shown the status of the firewall traversal connection with the status Active with Cisco Expressway-C 10.1.5.20 and the destination port 25006.
To understand the concept of the firewall traversal concept, let’s verify the firewall ASA-C, in other words let’s display the connection table using the show conn command. As expected, an entry is added from Inside zone to DMZ zone, the source IP is 10.1.5.20 (Cisco Expressway-C) and the source port is 25006. The destination IP is 172.16.1.21 (Cisco Expressway-E) and the destination port is 7001, this means that if an inbound connection with source IP : port=172.16.1.21 : 7001 and destination : port = 10.1.5.20 : 25006 is received from DMZ to Inside (from lower security level to higher security level), the firewall, this connection is allowed. This is the idea behind the firewall traversal concept.
Let’s do in depth analysis using wireshark, the Cisco Jabber is already registered using the MRA feature into CUCM through the Cisco Expressway series.
The Cisco Jabber client initiates a call to the US Phone located in the corporate network, it sends a SIP invite, the SIP invite reaches the Cisco Expressway-E which is reachable with a public IP address.
The Cisco Expressway-E receives the SIP invite and generate a new SIP invite with the source IP : port=172.16.1.21 : 7001 and destination : port = 10.1.5.20 : 25006, it sends the SIP invite to ASA-C, the ASA-C checks its connection table if there is an entry that matches this connection, and of course the magic happens, this connection is already there, for the ASA-C’s perspective, this is a legitimate return traffic for a pseudo connection initiated from inside, even if the SIP invite is initiated from the Cisco Jabber, in other words from the outside, the Cisco Expressway-E modifies the L3/L4 headers to match the firewall traversal connection, in other words the entry of the connection table of the ASA.
The Cisco Expressway-C receives the SIP invite from Cisco Expressway-E and generates another SIP invite with the source IP : port=10.1.5.20 : 25002 and destination : port = 10.1.5.15 : 5060.
For CUCM’s perspective the SIP invite is originated from the Cisco Expressway-C, in other words Expressway-C is the calling, because simply, when Cisco Jabber registered into the CUCM using the Mobility and Remote Access MRA feature, the IP address of the CSF phone is 10.1.5.20, the IP address of Cisco Expressway-C as shown in the phone page of CUCM.
To confirm, expand the Session Initiation Protocol, in the Message Body, the Connection Information (C) send to establish an RTP media connection is 10.1.5.20 the Cisco Expressway-C.
The CUCM 10.1.5.15 sends a SIP Invite to the US Phone 10.1.5.101 and the US Phone sends a 180 Ringing message as shown below.