[c-nsp] iChat AV and Cisco CBAC/NAT

Jared Mauch jared at puck.nether.net
Thu Mar 15 13:58:54 EST 2007


On Thu, Mar 15, 2007 at 09:35:51AM -0700, matthew zeier wrote:
> 
> I switched off using a Linux box running iptables to a 3845.
> 
> I have ACLs permitting certain traffic into the "office" network and am 
> relying on CBAC.
> 
> Since switching, users complain that iChat AV no longer works (iChat 
> works, just AV fails).  I'm not seeing any hits in the logs.
> 
> Any clues?  My inspect rules are below as well as the interface config.

	Yes, I had some home user that was using IOS NAT (SIP aware),
and replacing it with 'dumb' NAT solved the problem.  Looking at the debugs
on the router, it appeared to be an IOS bug in parsing/processing of the SDP
message that is part of the NAT translation stuff.

	If you're bored, open a TAC case and make them fix it.  The debugs
point to this problem parsing the SDP, but evidently the
error isn't bad enough to syslog it during normal operations.  (Yet
it should be, because it was unable to process the SDP.)

	Another case of a developer choosing not to "out" a bug;
easier to require you to load some debug code to fix some obvious
processing issues.

	Cisco doesn't actually care about SIP though, from what I
can tell, as some of their devices (eg: 7970) don't handle SIP
messages properly.  I don't think they test with anything but their
own internal suites, which appear to be buggy.  I was able to crash
some older SIP phones in the past by sending them a well-formatted
and innocuous OPTIONS message.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
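The job a SIP-aware NAT does on the SDP body, and the failure mode discussed above (an SDP it does not fully understand causing the translation to fail silently), can be illustrated with a small ALG-style rewriter. This is an added example, not code from the thread or from IOS: the INVITE, the inside/outside addresses (documentation ranges) and the media-port mapping are all constructed, and the rewriter only handles the SDP lines a NAT must touch (c=, o=, m=, a=rtcp:). Lines it cannot parse are passed through and reported rather than causing the message to be dropped.

```python
from typing import Dict, List, Tuple

# Constructed sample (not from the thread): an INVITE from an inside host.
INSIDE_IP = "192.168.1.20"            # assumed private address of the phone
OUTSIDE_IP = "203.0.113.5"            # assumed public NAT address
PORT_MAP = {16386: 30000, 16387: 30001, 16388: 30002}  # assumed RTP/RTCP mappings
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"            # placeholder; recomputed by alg_rewrite()
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 16386 RTP/AVP 0 8\r\n"
    "a=rtcp:16387\r\n"
    "m=video 16388 RTP/AVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
    "m=audio notaport RTP/AVP 0\r\n"   # deliberately malformed: must not kill the call
).encode()


def split_sip(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a SIP message into start line, (name, value) headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a SIP message: no blank line between headers and body")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def rewrite_sdp(body: bytes, inside: str, outside: str,
                port_map: Dict[int, int]) -> Tuple[bytes, List[str]]:
    """Rewrite inside address/ports in SDP; unparseable lines pass through with a warning."""
    out: List[str] = []
    warnings: List[str] = []
    for line in body.decode("utf-8", "replace").split("\r\n"):
        if not line:
            out.append(line)
            continue
        key, eq, val = line.partition("=")
        if not eq or len(key) != 1:
            warnings.append(f"unparseable SDP line passed through: {line!r}")
            out.append(line)
            continue
        fields = val.split(" ")
        if key in ("c", "o"):
            # c=IN IP4 <addr>  /  o=<user> <sess-id> <sess-ver> IN IP4 <addr>
            if fields[-1] == inside:
                fields[-1] = outside
            out.append(f"{key}={' '.join(fields)}")
        elif key == "m":
            # m=<media> <port>[/<count>] <proto> <fmt> ...
            port_str, slash, count = (fields[1] if len(fields) > 2 else "").partition("/")
            if not port_str.isdigit():
                warnings.append(f"m= line with unusable port passed through: {line!r}")
                out.append(line)
                continue
            port = int(port_str)
            if port in port_map:
                fields[1] = f"{port_map[port]}{slash}{count}"
            elif port != 0:  # port 0 = stream rejected, nothing to map
                warnings.append(f"no NAT mapping for media port {port}: {line!r}")
            out.append(f"m={' '.join(fields)}")
        elif key == "a" and val.startswith("rtcp:"):
            # a=rtcp:<port> [<nettype> <addrtype> <addr>]  (RFC 3605)
            rf = val[len("rtcp:"):].split(" ")
            if rf[0].isdigit() and int(rf[0]) in port_map:
                rf[0] = str(port_map[int(rf[0])])
            if len(rf) == 4 and rf[3] == inside:
                rf[3] = outside
            out.append(f"a=rtcp:{' '.join(rf)}")
        else:
            out.append(line)
    return "\r\n".join(out).encode(), warnings


def alg_rewrite(raw: bytes, inside: str, outside: str,
                port_map: Dict[int, int]) -> Tuple[bytes, List[str]]:
    """Rewrite the SDP body and fix Content-Length so the message stays well-formed."""
    start, headers, body = split_sip(raw)
    new_body, warnings = rewrite_sdp(body, inside, outside, port_map)
    fixed = []
    for name, value in headers:
        if name.lower() in ("content-length", "l"):
            value = str(len(new_body))
        fixed.append(f"{name}: {value}")
    return "\r\n".join([start] + fixed).encode() + b"\r\n\r\n" + new_body, warnings


if __name__ == "__main__":
    msg, warns = alg_rewrite(SAMPLE_INVITE, INSIDE_IP, OUTSIDE_IP, PORT_MAP)
    print(msg.decode())
    for w in warns:
        print("WARN:", w)   # this is the syslog line the router should have emitted
```

The two design points are the ones the thread complains about: a line the ALG does not understand is forwarded unchanged and logged, never dropped, and Content-Length is recomputed after the rewrite, since changing a 192.168.x.x address to a shorter or longer public one alters the body size. Rewriting Via/Contact for the signalling port is left out here; that is the "dumb NAT" half, which the mapping table already covers.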

