ASA 5505 Blocking Return Traffic

deca24
Level 1

Hi All,

I am having a bit of an issue here. I am also basically a beginner at working on enterprise-level firewalls. I am trying to get a VOIP phone system working with one of the system's features, which allows mobile phones to connect and make and receive calls. I have included all the access ports in an ACL that allows and forwards them to the VOIP server.

access-list Outside_access_in extended permit udp any4 object Allworx eq 2088
access-list Outside_access_in extended permit object-group TCPUDP any4 object Allworx eq sip
access-list Outside_access_in extended permit udp any object Allworx range 15000 15511
access-list Outside_access_in extended permit tcp any object Allworx eq 8081

access-list Outside_access_in extended permit tcp any4 object Allworx eq sip
access-list Outside_access_in extended permit udp any4 object Allworx eq sip
access-list Outside_access_in extended permit udp any object Allworx range 16384 32767

I have also created the NAT translations:

object network Allworx
nat (inside,outside) static interface service udp sip sip

object network Allworx2
nat (inside,outside) static interface service tcp 8081 8081
object network Allworx3
nat (inside,outside) static interface service tcp sip sip
object network Allworx4
nat (inside,outside) static interface service udp 2088 2088

object service Allworx-V-Ports
service tcp destination range 15000 15511
object service Allworx-V-Ports2
service tcp destination range 16384 32767

I am not sure why, but the return traffic seems to be stopped by this rule:

nat (inside,outside) after-auto source dynamic any interface

It seems to work except for the voice ports. The ASA is blocking the return voice traffic on ports 16384-32767 for sure.

One thing I am curious about is if I remove the line 'nat (inside,outside) after-auto source dynamic any interface', how does that impact the rest of the network?

Hopefully someone can help me with this issue and help me understand what I am doing wrong.

Thank you in advance!

Scott

Accepted Solution

bhargavdesai
Spotlight

I am not an expert with VOIP. But I saw that your configuration does not have PAT statements (range 15000 15511 and range 16384 32767) for all the ports configured in ACL Outside_access_in.

I would request you first look at the links below to configure PAT for the necessary ports (which I am not sure of beyond SIP):

https://www.petenetlive.com/KB/Article/0001111

https://www.exigent.net/blog/troubleshooting/how-to-configure-a-cisco-asa-5505-for-voip/

You can also do a static NAT IP to IP and then control the ports through the access list Outside_access_in.

HTH

### RATE ALL HELPFUL RESPONSES ###

2 Replies

Thank you for the heads up, I forgot to copy that part into the post. I did have those ports open and forwarded to the phone system. However, the exigent link you included had a small bit of information that I had not yet seen. It was the default SIP inspection that was killing the traffic. Once that was disabled, the traffic became what was expected. So the real resolution was:

policy-map global_policy
class inspection_default
no inspect sip

Thank you for the heads up!
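An offline config check, added here as an illustration and not code from the thread or from Cisco, that reads the lines quoted above for the two things this thread turned on: ACL permits with no matching static PAT (the point bhargavdesai raised) and an active `inspect sip` in global_policy (the cause Scott found). Note that turning off SIP inspection also removes the dynamic RTP pinholes the inspector would otherwise open, so the static range permits in the ACL become the only path for media. SAMPLE_CONFIG is a constructed subset of the posted config, and the parser only understands the `eq`/`range` and `static interface service` forms used in it.

```python
import re

# Constructed sample: a subset of the OP's ACL and NAT lines from the thread, plus the
# ASA default global_policy with SIP inspection still on (illustrative, not a device dump).
SAMPLE_CONFIG = """
access-list Outside_access_in extended permit object-group TCPUDP any4 object Allworx eq sip
access-list Outside_access_in extended permit udp any object Allworx range 15000 15511
access-list Outside_access_in extended permit udp any object Allworx range 16384 32767
object network Allworx
 nat (inside,outside) static interface service udp sip sip
object network Allworx3
 nat (inside,outside) static interface service tcp sip sip
policy-map global_policy
 class inspection_default
  inspect sip
"""
WELL_KNOWN = {"sip": 5060}  # ASA accepts service names; map the one used in this thread

def _port(tok):
    return WELL_KNOWN.get(tok) or int(tok)

def acl_entries(cfg, acl="Outside_access_in"):
    """Return (proto, low_port, high_port) for each permit line of the inbound ACL."""
    pat = rf"access-list {acl} extended permit (\S+) .* (eq|range) (\S+)(?: (\S+))?$"
    out = []
    for line in cfg.splitlines():
        m = re.match(pat, line.strip())
        if m:
            proto, kind, a, b = m.groups()
            protos = ("tcp", "udp") if proto == "object-group" else (proto,)  # TCPUDP group
            lo, hi = _port(a), _port(b if kind == "range" else a)
            out.extend((p, lo, hi) for p in protos)
    return out

def nat_services(cfg):
    """Set of (proto, real_port) pairs covered by a static PAT on the outside interface."""
    pat = r"nat \(inside,outside\) static interface service (tcp|udp) (\S+) (\S+)"
    return {(m.group(1), _port(m.group(2))) for m in re.finditer(pat, cfg)}

def unmatched_acl_entries(cfg):
    """ACL permits not fully covered by a static PAT (the gap bhargavdesai pointed out)."""
    nats = nat_services(cfg)
    return [(p, lo, hi) for p, lo, hi in acl_entries(cfg)
            if any((p, port) not in nats for port in range(lo, hi + 1))]

def sip_inspection_enabled(cfg):
    """True while global_policy still carries an active 'inspect sip' line (the OP's root cause)."""
    block = re.search(r"policy-map global_policy\n(.*?)(?=\npolicy-map |\Z)", cfg, re.S)
    return bool(block) and re.search(r"^\s*inspect sip\s*$", block.group(1), re.M) is not None
```

Run against the sample it reports the two UDP media ranges as having no PAT and SIP inspection as still active; after `no inspect sip` the second check turns false.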
