SIP Question

erikgrissom — Mon, 11 Mar 2019 21:52:16 GMT

Hi.

i was setting up some access and portforward rules for a phone server that uses SIP.

and it is working fine, but when i disabled the rules i created everything was still working fine?

is the ASA5505 automaticly allowing sip traffic without acl and static routes?

i know that sip inspection is enabled on my device.

can any one please explaine this for me or is my firewall a open book!

//:Erik

SIP Question

Julio Carvajal — Thu, 17 Nov 2011 13:37:15 GMT

Hello Erick,

Are the phone calls being made from the inside to the outside? or from the outside to the inside?

The one that should work are the ones comming from the inside to the outside, because with the inspection the ASA is going to be a statefull device so it is going to open all the required ports dynamically when the other phone responses.

Hope this helps,

Julio

SIP Question

erikgrissom — Thu, 17 Nov 2011 13:39:35 GMT

hi. it seems to work both ways! even if i disble the acls

SIP Question

Julio Carvajal — Thu, 17 Nov 2011 13:51:28 GMT

Hello Erick,

So you do not have any access-list on the outside and the connections being made from the outside still work?

Regards,

Julio

SIP Question

erikgrissom — Thu, 17 Nov 2011 13:59:40 GMT

i hvae the acls but i disabled them for testing and it still worked.

here is my conf

: Saved
:
ASA Version 8.0(4)
!
hostname ASA-*
domain-name *.local
enable password alpAW2tEmckQnbKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 80.83.208.0 telavox
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.60.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ext-ip 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name *.local
object-group service vaxelprog_TCP tcp
port-object eq 35300
port-object eq sip
object-group service vaxelprog_UDP udp
port-object eq 35300
port-object eq sip
object-group service AllowSip_UDP udp
port-object range 16000 16100
object-group service AllowSip_TCP tcp
port-object range 16000 16100
access-list Outside_access_in extended permit icmp any any echo-reply
access-list Outside_access_in extended permit icmp any any source-quench
access-list Outside_access_in extended permit icmp any any unreachable
access-list Outside_access_in extended permit icmp any any time-exceeded
access-list Outside_access_in extended permit tcp any host ext-ip eq smtp
access-list Outside_access_in extended permit tcp any host ext-ip eq https
access-list Outside_access_in extended permit tcp any host ext-ip object-group vaxelprog_TCP
access-list Outside_access_in extended permit udp any host ext-ip object-group vaxelprog_UDP
access-list Outside_access_in extended permit tcp telavox 255.255.255.0 host ext-ip object-group AllowSip_TCP
access-list Outside_access_in extended permit udp telavox 255.255.255.0 host ext-ip object-group AllowSip_UDP
access-list Split_Tunnel_List_ACL remark ****** NAT Access List ******
access-list Split_Tunnel_List_ACL remark ****** Split Tunnel Encrypted Traffic ******
access-list Split_Tunnel_List_ACL standard permit 192.168.60.0 255.255.255.0
access-list inside_nat0_outside extended permit ip any 10.0.0.0 255.255.255.0
access-list inside_out extended permit tcp host 192.168.60.1 any eq smtp
access-list inside_out extended deny tcp any any eq smtp
access-list inside_out extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool mypool 10.0.0.100-10.0.0.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.60.1 smtp netmask 255.255.255.255 dns
static (inside,outside) tcp interface https 192.168.60.1 https netmask 255.255.255.255
static (inside,outside) tcp interface 35300 192.168.60.50 35300 netmask 255.255.255.255
static (inside,outside) tcp interface sip 192.168.60.50 sip netmask 255.255.255.255
static (inside,outside) udp interface sip 192.168.60.50 sip netmask 255.255.255.255
static (inside,outside) udp interface 35300 192.168.60.50 35300 netmask 255.255.255.255
static (inside,outside) udp interface 16000 192.168.60.50 16000 netmask 255.255.255.255
static (inside,outside) udp interface 16001 192.168.60.50 16001 netmask 255.255.255.255
static (inside,outside) udp interface 16002 192.168.60.50 16002 netmask 255.255.255.255
static (inside,outside) udp interface 16003 192.168.60.50 16003 netmask 255.255.255.255
static (inside,outside) udp interface 16004 192.168.60.50 16004 netmask 255.255.255.255
static (inside,outside) udp interface 16005 192.168.60.50 16005 netmask 255.255.255.255
static (inside,outside) udp interface 16006 192.168.60.50 16006 netmask 255.255.255.255
static (inside,outside) udp interface 16007 192.168.60.50 16007 netmask 255.255.255.255
static (inside,outside) udp interface 16008 192.168.60.50 16008 netmask 255.255.255.255
static (inside,outside) udp interface 16009 192.168.60.50 16009 netmask 255.255.255.255
static (inside,outside) udp interface 16010 192.168.60.50 16010 netmask 255.255.255.255
static (inside,outside) udp interface 16011 192.168.60.50 16011 netmask 255.255.255.255
static (inside,outside) udp interface 16012 192.168.60.50 16012 netmask 255.255.255.255
static (inside,outside) udp interface 16013 192.168.60.50 16013 netmask 255.255.255.255
static (inside,outside) udp interface 16014 192.168.60.50 16014 netmask 255.255.255.255
static (inside,outside) udp interface 16015 192.168.60.50 16015 netmask 255.255.255.255
static (inside,outside) udp interface 16016 192.168.60.50 16016 netmask 255.255.255.255
static (inside,outside) udp interface 16017 192.168.60.50 16017 netmask 255.255.255.255
static (inside,outside) udp interface 16018 192.168.60.50 16018 netmask 255.255.255.255
static (inside,outside) udp interface 16019 192.168.60.50 16019 netmask 255.255.255.255
static (inside,outside) udp interface 16020 192.168.60.50 16020 netmask 255.255.255.255
static (inside,outside) udp interface 16021 192.168.60.50 16021 netmask 255.255.255.255
static (inside,outside) udp interface 16022 192.168.60.50 16022 netmask 255.255.255.255
static (inside,outside) udp interface 16023 192.168.60.50 16023 netmask 255.255.255.255
static (inside,outside) udp interface 16024 192.168.60.50 16024 netmask 255.255.255.255
static (inside,outside) udp interface 16025 192.168.60.50 16025 netmask 255.255.255.255
static (inside,outside) udp interface 16026 192.168.60.50 16026 netmask 255.255.255.255
static (inside,outside) udp interface 16027 192.168.60.50 16027 netmask 255.255.255.255
static (inside,outside) udp interface 16028 192.168.60.50 16028 netmask 255.255.255.255
static (inside,outside) udp interface 16029 192.168.60.50 16029 netmask 255.255.255.255
static (inside,outside) udp interface 16030 192.168.60.50 16030 netmask 255.255.255.255
access-group inside_out in interface inside
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.115.100.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable 8443
http 0.0.0.0 0.0.0.0 outside
http 192.168.60.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 86400
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.60.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.60.254-192.168.60.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 444
group-policy vpnclientgroup internal
group-policy vpnclientgroup attributes
dns-server value 192.168.60.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List_ACL
default-domain value *.local
username nordiclo password L.JhbZhL/SmPj96Q encrypted
username nordiclo attributes
service-type remote-access
username admhenko password cdQRwUUCVQrNcELX encrypted privilege 15
username admerik password RtGfXNzv09UdQwvP encrypted privilege 15
tunnel-group vpnclientgroup type remote-access
tunnel-group vpnclientgroup general-attributes
address-pool mypool
default-group-policy vpnclientgroup
tunnel-group vpnclientgroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect sip
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:be6e6368b162751379e5e6d60b9d7489
: end
asdm image disk0:/asdm-615.bin
asdm location telavox 255.255.255.0 inside
asdm location 192.168.60.50 255.255.255.255 inside
no asdm history enable

SIP Question

Julio Carvajal — Thu, 17 Nov 2011 14:04:18 GMT

Hello Erick,

Can you take out the access-lists and show us the running-config without it.

Also the connections are not being made from a VPN site right?

Regards.

Julio

topic SIP Question in Network Security

SIP Question

SIP Question

SIP Question

SIP Question

SIP Question

SIP Question