topic Re: ASA 5505 Blocking Return Traffic in Network Security

ASA 5505 Blocking Return Traffic

deca24 — Mon, 23 Sep 2019 20:44:06 GMT

Hi All,

I am having a bit of an issue here. I am also basically a beginner at working on enterprise level firewalls. I am trying to get a VOIP phone system working with one of the systems features that allow mobile phones to connect and make and receive calls. I have included all the access ports in an ACL that allow and forward to the VOIP server.

access-list Outside_access_in extended permit udp any4 object Allworx eq 2088
access-list Outside_access_in extended permit object-group TCPUDP any4 object Allworx eq sip
access-list Outside_access_in extended permit udp any object Allworx range 15000 15511
access-list Outside_access_in extended permit tcp any object Allworx eq 8081

access-list Outside_access_in extended permit tcp any4 object Allworx eq sip
access-list Outside_access_in extended permit udp any4 object Allworx eq sip
access-list Outside_access_in extended permit udp any object Allworx range 16384 32767

I have also created the NAT translations:

object network Allworx
nat (inside,outside) static interface service udp sip sip

object network Allworx2
nat (inside,outside) static interface service tcp 8081 8081
object network Allworx3
nat (inside,outside) static interface service tcp sip sip
object network Allworx4
nat (inside,outside) static interface service udp 2088 2088

object service Allworx-V-Ports
service tcp destination range 15000 15511
object service Allworx-V-Ports2
service tcp destination range 16384 32767

I am not sure why, but the return traffic seems to be stopped by this rule:

nat (inside,outside) after-auto source dynamic any interface

It seems to work except for the voice ports. The ASA is blocking the return voice traffic on ports 16384-32767 for sure.

One thing I am curious about is if I remove the line 'nat (inside,outside) after-auto source dynamic any interface', how does that impact the rest of the network?

Hopefully someone can help me with this issue and help me understand what I am doing wrong.

Thank you in advance! !

Scott

Re: ASA 5505 Blocking Return Traffic

bhargavdesai — Tue, 24 Sep 2019 05:33:07 GMT

I am not expert with VOIP. But i saw that your configuration does not have PAT (range 15000 15511 and range 16384 32767) statement for all the ports configured in ACL Outside_access_in

I would request you first look at the below links to configure PAT for necessary ports (Which I am not sure beyond SIP)

https://www.petenetlive.com/KB/Article/0001111

https://www.exigent.net/blog/troubleshooting/how-to-configure-a-cisco-asa-5505-for-voip/

You can also do a Static NAT IP to IP and then control ports through access list in Outside_access_in.

HTH

### RATE ALL HELPFUL RESPONSES ###

Re: ASA 5505 Blocking Return Traffic

deca24 — Tue, 24 Sep 2019 15:37:44 GMT

Thank you for the heads up, I forgot to copy that part into the post. I did have those ports open and forwarded to the phone system. However, the exigent link you included had a small bit of information that I had not seen as of yet. It was the default sip inspection that was killing the traffic. Once that was disabled, the traffic became what was expected. So the real resolution was:

policy-map global_policy
class inspection_default
no inspect sip

Thank you for the heads up! ! !