topic Re: SIP trough ASA in Network Security

SIP trough ASA

tandrejevic — Fri, 21 Feb 2020 14:34:01 GMT

Hello !

I have VoIP SIP servers in my internal network. Now I want to provide SIP softphones to register on servers and use internal VoIP resources. I put on ASA with public address between Internet and my intranet. Also, I NAT-ed address off my servers to public address and,with ACL allowed any address outsdie to connect to SIP servers. I turned SIP inspection off. Well, softphones are registred on servers,I can place the call and everything looks fine.But,after 60 sec,Phones lose registration...Why?Please help me, it is pretty urgent.

Re: SIP trough ASA

Flavio Miranda — Tue, 24 Oct 2017 20:38:25 GMT

Hello @tandrejevic

And why do you think ASA is the problem? Do you have some evidence of it?

Which Voip system do you have? Asterisk ?

-If I helped you somehow, please, rate it as useful.-

Re: SIP trough ASA

tandrejevic — Tue, 24 Oct 2017 20:58:27 GMT

Hello

Thanks for your interest. We have Avaya system and if I put softphone in inside ASA (in intranet exactly) everything works fine...Also,if I

Denied due to NAT reverse path failure

try trace on ASA ,I get massage ,,denied due to NAT reverse path failure"

I heve done NAT with:

object network-object SM1

host 192.168.1.15

nat (inside,outside) static 217.X.X.15

and configured ACL

access-list OUTSIDE permit tcp any host 192.168.1.15 eq 5061

I tried with

access-list OUTSIDE permit ip any host 192.168.1.15

but,with same result.

What I am missing ?

Thanks in advance!

Re: SIP trough ASA

Flavio Miranda — Tue, 24 Oct 2017 21:16:46 GMT

Everything I´ve been reading so far about SIP through ASA says that you need to perform inspect.

"To support SIP calls through the ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_voicevideo.html#wp1204403

You said above that you turned inspection off, right?

-If I helped you somehow, please, rate it as useful.-

Re: SIP trough ASA

tandrejevic — Tue, 24 Oct 2017 21:24:13 GMT

Hi,

yes,I turned sip inspection off...But before I had turned off - situation was same...I will read post in the link which you send me. Tomorrow I will try again to turn sip inspection on. Do you mind that sip timeouts in basic ASA configuration have some influence in my problem ?

kind regards

Re: SIP trough ASA

Flavio Miranda — Tue, 24 Oct 2017 21:42:49 GMT

I think so. Although you problem is related to phone registration and not voice communication itself.

Is there any debug on the Avaya side to help you why phone loses connection?

-If I helped you somehow, please, rate it as useful.-

Re: SIP trough ASA

tandrejevic — Tue, 24 Oct 2017 21:46:07 GMT

Flavio,

just one more question ... Our server actually uses port 5061 (tls). Is it
sip inspection enough? How I can add inspection port 5061 ?

Thanks for your time.

Re: SIP trough ASA

tandrejevic — Tue, 24 Oct 2017 21:50:02 GMT

Flavio

I will try to see what Avaya ,,says"...Thanks anyway.