[SOLVED] Cisco ASA 5505 Deny UDP

Al3xand3r — Tue, 12 Mar 2019 05:01:30 GMT

Hello Everyone!

I'm relatively new to Cisco ASA firewalls and I recently came across an issue which I wasn't able to google. I'm using 5505 with 8.2 firmware to act as a simple firewall for Asterisk. I'm having no problems doing the inbound calls - signaling and sip traffic works fine. However, when I'm trying to dial out - I'm having issues with both - audio and signalling events. My asterisk is behind the firewall with natted external IP. When I'm trying to analyze the log I see the following:

Nov 03 2014 06:17:19: %ASA-4-106023: Deny udp src outside:207.223.70.133/61776 dst inside200:50.244.X.Y/18864 by access-group "outside2inside" [0x0, 0x0]

Where 50.244.X.X my external IP and outside2inside is the access list which has the following lines:

access-list outside2inside extended permit udp host 64.136.174.30 any
access-list outside2inside extended permit udp 207.223.0.0 255.255.0.0 host 192.168.200.203

here's the static section:

static (inside200,outside) 50.244.X.Y 192.168.200.203 netmask 255.255.255.255

My question is why is it blocking the udp traffic with destination as 50.244.X.Y instead of 192.168.200.203?

Thanks in advance.

In 8.2 ASA code, you need to

jj27 — Tue, 04 Nov 2014 02:37:20 GMT

In 8.2 ASA code, you need to reference the public IP in your access-list. In this case, you are allowing UDP to 192.168.200.203 when you should be allowing to 50.244.x.x.

Try changing that and see if it works.

Thank you for your answer! I

Al3xand3r — Tue, 04 Nov 2014 21:09:38 GMT

Thank you for your answer! I tried that before but for whatever reason only power cycle of 5505 helped to solve it.

I still have issues with outbound calls though. It doesn't block any incoming connections because of any access-lists but it still tearing some of them down. Here's the excerpt from my log:

Nov 04 2014 04:29:33: %ASA-6-302015: Built outbound UDP connection 41 for outside:64.136.174.30/5060 (64.136.174.30/5060) to inside200:192.168.200.203/5060 (50.244.X.Y/5060)
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-302016: Teardown UDP connection 30 for outside:64.136.174.30/0 to outside:50.244.X.Y/5060 duration 0:02:52 bytes 0
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-7-609001: Built local-host outside:207.223.70.132
Nov 04 2014 04:29:34: %ASA-6-302015: Built inbound UDP connection 45 for outside:207.223.70.132/48906 (207.223.70.132/48906) to inside200:192.168.200.203/16478 (50.244.X.Y/16478)
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-302016: Teardown UDP connection 44 for outside:64.136.174.30/0 to outside:50.244.X.Y/5060 duration 0:00:02 bytes 0
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:39: %ASA-6-302015: Built outbound UDP connection 47 for outside:207.223.70.132/48907 (207.223.70.132/48907) to inside200:192.168.200.203/16479 (50.244.X.Y/16479)
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:43: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from 200 message
Nov 04 2014 04:29:43: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to outside:207.223.70.132 from 200 message
Nov 04 2014 04:29:46: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from 200 message
Nov 04 2014 04:29:46: %ASA-6-302016: Teardown UDP connection 48 for outside:64.136.174.30/5060 to inside200:192.168.200.203/0 duration 0:00:02 bytes 0
Nov 04 2014 04:29:46: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to outside:207.223.70.132 from 200 message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-302016: Teardown UDP connection 46 for outside:64.136.174.30/0 to outside:50.244.X.Y/5060 duration 0:00:11 bytes 0
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from 200 message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to outside:207.223.70.132 from 200 message
Nov 04 2014 04:29:53: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:29:53: %ASA-7-609001: Built local-host TWFirewall:192.168.200.203
Nov 04 2014 04:29:53: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:29:53: %ASA-6-302016: Teardown UDP connection 52 for outside:64.136.174.30/5060 to inside200:192.168.200.203/0 duration 0:00:03 bytes 0
Nov 04 2014 04:29:56: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:29:56: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:30:00: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:30:00: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:30:04: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:30:04: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message

I would appreciate any advice on how to proceed from here

Thank you!

I finally found out what was

Al3xand3r — Wed, 05 Nov 2014 14:40:21 GMT

I finally found out what was the issue with the outgoing calls. Disabling inspect sip did the trick.

topic I finally found out what was in Network Security

[SOLVED] Cisco ASA 5505 Deny UDP

In 8.2 ASA code, you need to

Thank you for your answer! I

I finally found out what was