
Need some advice on whether the issue is on my side or vendor side. UTM Firewall Rules.

Hello, 

So we have this software called TIM plus. It's for phone reporting.

We're trying to get it to link up to a hosted 3CX system.

Here's what I've got set up:

I’m trying to see if we can get our current phone reporting software to work with 3CX. It should be supported.

 

We’ve gone off of this one here:

https://docs.tri-line.com/pages/viewpage.action?pageId=17399838

 

The IP address in the CDR in the 3CX right now is one of our external IPs.

 

I’ve got firewall rules set to bypass it if it’s coming from the IP address of 3CX. (WDSSRV is the server that’s also running the phone reporting software)

 

 

Just with the above, the firewall drops the packets.

 

So I’ve set up a DNAT so any traffic from our 3CX hosted IP that’s trying to get to port 33555 on that external IP gets redirected to the TIM server.

 

 

That seems to work, since the server now sees traffic coming from that IP.

 

 

So in terms of traffic coming in, it looks like it’s allowing it through.

  

I haven’t got a tonne of experience with tracing packets, so I can’t say for sure, but I think the problem is now where 3CX is hosted. If you have a look at the bit above Wireshark, the reporting from TIM, it says “Connection is forcefully rejected”.

  

Here’s what’s set up with TIM:

 

Here’s what’s on 3CX

 

 

To me, it looks like the kit that’s running in front of 3CX is blocking the traffic from us, but what are your opinions?

I’m not sure if the firewall is still stopping some sort of traffic from coming through or not.



  • FormerMember
    0 FormerMember

    Hi Davroc Ltd,

    Thank you for reaching out to Sophos Community.

    The configuration seems fine.

    Checking the packet flow on port 33555 would help to narrow down the reported issue.

    ==> Login to SSH and run the below command

    utm:/root # tcpdump -nei any port 33555

    ==> Initiate the connection request from 3CX and share session output here or in PM.

  • Hi Yash,

    Please see the output of the command as requested:

    <M> utm1:/home/login # tcpdump -nei any port 33555
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    09:56:07.752065 Out 00:1a:8c:f0:bb:60 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47206 > 10.100.100.170.33555: Flags [S], seq 3076400635, win 29200, options [mss 1460,sackOK,TS val 415800217 ecr 0,nop,wscale 7], length 0
    09:56:07.752532  In 00:15:5d:65:50:5c ethertype IPv4 (0x0800), length 62: 10.100.100.170.33555 > 198.244.149.117.47206: Flags [R.], seq 0, ack 3076400636, win 0, length 0
    09:56:07.752805 Out 00:1a:8c:f0:bb:61 ethertype IPv4 (0x0800), length 56: OfficeExtIP.33555 > 198.244.149.117.47206: Flags [R.], seq 0, ack 3076400636, win 0, length 0
    09:56:17.757060  In 8c:90:d3:03:8d:42 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47212 > OfficeExtIP.33555: Flags [S], seq 2074768086, win 29200, options [mss 1460,sackOK,TS val 415802718 ecr 0,nop,wscale 7], length 0
    09:56:17.757372 Out 00:1a:8c:f0:bb:60 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47212 > 10.100.100.170.33555: Flags [S], seq 2074768086, win 29200, options [mss 1460,sackOK,TS val 415802718 ecr 0,nop,wscale 7], length 0
    09:56:17.758087  In 00:15:5d:65:50:5c ethertype IPv4 (0x0800), length 62: 10.100.100.170.33555 > 198.244.149.117.47212: Flags [R.], seq 0, ack 2074768087, win 0, length 0
    09:56:17.758384 Out 00:1a:8c:f0:bb:61 ethertype IPv4 (0x0800), length 56: OfficeExtIP.33555 > 198.244.149.117.47212: Flags [R.], seq 0, ack 2074768087, win 0, length 0
    09:56:27.761020  In 8c:90:d3:03:8d:42 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47216 > OfficeExtIP.33555: Flags [S], seq 3589019566, win 29200, options [mss 1460,sackOK,TS val 415805219 ecr 0,nop,wscale 7], length 0
    09:56:27.761319 Out 00:1a:8c:f0:bb:60 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47216 > 10.100.100.170.33555: Flags [S], seq 3589019566, win 29200, options [mss 1460,sackOK,TS val 415805219 ecr 0,nop,wscale 7], length 0
    09:56:27.761819  In 00:15:5d:65:50:5c ethertype IPv4 (0x0800), length 62: 10.100.100.170.33555 > 198.244.149.117.47216: Flags [R.], seq 0, ack 3589019567, win 0, length 0
    09:56:27.762048 Out 00:1a:8c:f0:bb:61 ethertype IPv4 (0x0800), length 56: OfficeExtIP.33555 > 198.244.149.117.47216: Flags [R.], seq 0, ack 3589019567, win 0, length 0
    09:56:37.765502  In 8c:90:d3:03:8d:42 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47220 > OfficeExtIP.33555: Flags [S], seq 3020742513, win 29200, options [mss 1460,sackOK,TS val 415807720 ecr 0,nop,wscale 7], length 0
    09:56:37.765712 Out 00:1a:8c:f0:bb:60 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47220 > 10.100.100.170.33555: Flags [S], seq 3020742513, win 29200, options [mss 1460,sackOK,TS val 415807720 ecr 0,nop,wscale 7], length 0
    09:56:37.766219  In 00:15:5d:65:50:5c ethertype IPv4 (0x0800), length 62: 10.100.100.170.33555 > 198.244.149.117.47220: Flags [R.], seq 0, ack 3020742514, win 0, length 0
    09:56:37.766338 Out 00:1a:8c:f0:bb:61 ethertype IPv4 (0x0800), length 56: OfficeExtIP.33555 > 198.244.149.117.47220: Flags [R.], seq 0, ack 3020742514, win 0, length 0
    ^C
    15 packets captured
    18 packets received by filter
    0 packets dropped by kernel
    

  • FormerMember
    +1 FormerMember in reply to Davroc Ltd

    Hi Davroc Ltd,

    As per the packet flow, the request coming from 3CX (198.244.149.117) on destination port 33555 is getting rejected by the internal server 10.100.100.170.

    ==> Incoming request from 3CX server to UTM with destination port 33555 

    09:56:17.757060 In 8c:90:d3:03:8d:42 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47212 > OfficeExtIP.33555: Flags [S], seq 2074768086, win 29200, options [mss 1460,sackOK,TS val 415802718 ecr 0,nop,wscale 7], length 0

    ==> Request sent OUT to internal server 10.100.100.170

    09:56:17.757372 Out 00:1a:8c:f0:bb:60 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47212 > 10.100.100.170.33555: Flags [S], seq 2074768086, win 29200, options [mss 1460,sackOK,TS val 415802718 ecr 0,nop,wscale 7], length 0

    ==> 10.100.100.170 rejected the request and sent Reset[R.] to UTM.

    09:56:17.758087 In 00:15:5d:65:50:5c ethertype IPv4 (0x0800), length 62: 10.100.100.170.33555 > 198.244.149.117.47212: Flags [R.], seq 0, ack 2074768087, win 0, length 0

    ==> UTM forwarded reset packet back to 3CX server.

    09:56:17.758384 Out 00:1a:8c:f0:bb:61 ethertype IPv4 (0x0800), length 56: OfficeExtIP.33555 > 198.244.149.117.47212: Flags [R.], seq 0, ack 2074768087, win 0, length 0
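
The packet-flow reading in the reply above can be automated. The following is an added example, not part of the original thread or any Sophos tooling: it parses `tcpdump -nei any` output and reports, per connection attempt, whether the reset came from the DNAT target or the SYN never left the firewall. The function name, verdict strings, and the last sample line are assumptions made for illustration.

```python
import re

# Fields of `tcpdump -nei any` output needed to follow one TCP handshake.
LINE = re.compile(
    r"\s*\S+\s+(?P<dir>In|Out) \S+ ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]")

def classify(capture, internal_ip, port):
    """Map each (client_ip, client_port) attempt to who answered it."""
    seen = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if flags == "S" and dport == port:  # client SYN, before or after DNAT
            fwd = m["dir"] == "Out" and dst == internal_ip
            seen.setdefault((src, sport), set()).add("forwarded" if fwd else "arrived")
        elif (sport == port and m["dir"] == "In" and src == internal_ip
              and flags in ("R", "R.", "S.")):  # reply from the DNAT target itself
            seen.setdefault((dst, dport), set()).add("rst" if "R" in flags else "synack")
    verdicts = {}
    for flow, ev in seen.items():
        if "rst" in ev:
            verdicts[flow] = "reset by internal server"
        elif "synack" in ev:
            verdicts[flow] = "accepted by internal server"
        elif "forwarded" in ev:
            verdicts[flow] = "forwarded, no reply seen"
        else:
            verdicts[flow] = "not forwarded by firewall"
    return verdicts

# First four lines: one attempt from the capture in this thread.
# Last line: constructed, a SYN that arrives but is never forwarded.
SAMPLE = """\
09:56:17.757060  In 8c:90:d3:03:8d:42 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47212 > OfficeExtIP.33555: Flags [S], seq 2074768086, win 29200, options [mss 1460,sackOK,TS val 415802718 ecr 0,nop,wscale 7], length 0
09:56:17.757372 Out 00:1a:8c:f0:bb:60 ethertype IPv4 (0x0800), length 76: 198.244.149.117.47212 > 10.100.100.170.33555: Flags [S], seq 2074768086, win 29200, options [mss 1460,sackOK,TS val 415802718 ecr 0,nop,wscale 7], length 0
09:56:17.758087  In 00:15:5d:65:50:5c ethertype IPv4 (0x0800), length 62: 10.100.100.170.33555 > 198.244.149.117.47212: Flags [R.], seq 0, ack 2074768087, win 0, length 0
09:56:17.758384 Out 00:1a:8c:f0:bb:61 ethertype IPv4 (0x0800), length 56: OfficeExtIP.33555 > 198.244.149.117.47212: Flags [R.], seq 0, ack 2074768087, win 0, length 0
09:57:00.000000  In 8c:90:d3:03:8d:42 ethertype IPv4 (0x0800), length 76: 198.244.149.117.50000 > OfficeExtIP.33555: Flags [S], seq 1, win 29200, options [mss 1460], length 0
"""

if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE, "10.100.100.170", 33555).items():
        print(flow, verdict)
```

A "reset by internal server" verdict points at the host behind the DNAT (no listener on the port, or a host firewall rejecting), while "not forwarded by firewall" points back at the NAT or packet filter rules.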

  • Thank you,

    I've managed to sort it out now. I wanted to make sure that it wasn't the firewall that was blocking the connection.