topic Re: problem in asa vpn between 2 branches in Network Security

problem in asa vpn between 2 branches

hunterman — Fri, 21 Feb 2020 16:51:56 GMT

Hello everyone, I have 2 branches connected by vpn with ASA cisco firewall "5506 x and 5526 x", setup with branches voip server Asterisk server,all configure as well working, The ip phone's calling in branch 1 as well and the audio working fine as local between ip phone's, The ip phone's calling in branch 2 as well and the audio working fine as local between ip phone's, when i calling between 2 branches with used vpn by asa, The extension can call between 2 branches from 2 way but the problem was in branch 1 can make hear audio from extension in branch 2 BUT branch 2 can't hear the branch 1 and the same time can talking (the extension can hear directly from extension in branch 2)? I search in google and found the problem in RTP in asa how can solve the problem? Any help

Re: problem in asa vpn between 2 branches

Abheesh Kumar — Tue, 26 Feb 2019 10:19:36 GMT

Hi,
One way Voice is normally a routing issue, Please check both the voice subnets are allowed on the interesting traffic of VPN.
If you allowed all these subnets then Try disabling SIP inspection and check.
policy-map global_policy
class inspection_default

no inspect sip

HTH
Abheesh

Re: problem in asa vpn between 2 branches

hunterman — Wed, 27 Feb 2019 05:37:17 GMT

Thank you for your replay

I'm checked in ASA and already we don't have SIP inspect "no SIP inspect", And checked the all subnets was corrected and the 2 branches was reachable, IF you know that the ping between the 2 branches it's working and http and other services it's worked but only the problem in voip,

Any advice and help

THANKS

Re: problem in asa vpn between 2 branches

Dennis Mink — Wed, 27 Feb 2019 07:48:56 GMT

So if you are saying you can route between phones by means of pinging between phones. Then as a test open up all high udp rtp ports between the two phones and test again. I would suggest to turn sip inspection on. Unless you have a good reason not to.

Re: problem in asa vpn between 2 branches

hunterman — Wed, 27 Feb 2019 10:26:53 GMT

I'm checked in ASA and capture the photo below to see the problem and how can resolve that, You can see the photo after the replay comment.

Re: problem in asa vpn between 2 branches

hunterman — Wed, 27 Feb 2019 10:28:44 GMT

Re: problem in asa vpn between 2 branches

hunterman — Wed, 27 Feb 2019 10:30:59 GMT

Re: problem in asa vpn between 2 branches

hunterman — Wed, 27 Feb 2019 10:31:51 GMT

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse

flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to

NAT reverse path failure.

An attempt to connect to a mapped host using its actual address was rejected.

Re: problem in asa vpn between 2 branches

hunterman — Thu, 28 Feb 2019 10:37:41 GMT

Dear Dennis Mink,
After i checked more than times, I'm solved the problem with your method, The solving when i added SIP inspection and enabled it in ASA firewall the call between 2 branches was working fine from 2 way. and the audio was working between them,
Thank you for your helping me.
I will rate your answer

Re: problem in asa vpn between 2 branches

Dennis Mink — Thu, 28 Feb 2019 11:57:03 GMT

no problem, you can mark the comment as the solution. good to hear

Re: problem in asa vpn between 2 branches

hunterman — Fri, 01 Mar 2019 09:10:02 GMT

The problem was back again and the sniffer inside of asa was the error message,
The message: Asymmetric NAT
" %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse
flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to
NAT reverse path failure."
Can you help me again