ASA 5510 DMZ - Videoconferencing Calling Issues

Darren Lapierre · ‎12-06-2012

Hello,

I am hoping someone can help me out to get this VC traffic through this network. I am quite new to ASAs, and I feel I am making a tonne of headway on it (much thanks to everyone here!), just seem to be caught on this one issue.

The setup: The VCS Expressway is currently sitting within the DMZ (ip 172.16.10.10) which is NAT'd to 208.118.125.130. The internal VCS Control is pointed to the the VCS Expressway within the DMZ (as it is designed to do).

I have accessability from the DMZ to the internal network. And from the DMZ to outside seems works partially (more on that below).

The problem:

Calls signalling is able to get through my network, but not media. IE, the call initiates, but media does not connect. Furthermore, I registered an internal endpoints (10.2.20.118) to the DMZ expressway (172.16.10.10). The registration works fine, but again, when I call to another endpoint (internal GK registed endpoint to external GK registered endpoint) the call sets up, but media doesnt establish.

Think anyone can take a peek at this?

Here is the network topology, and below that is the run config.

ASA Version 8.0(4)

!

hostname igniteCSGfw

enable password awUSpLuFs5wdhqJE encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 10.0.0.0 inside-network

name 172.16.10.10 VCSE

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 208.118.125.130 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface Ethernet0/2

nameif dmz_inside

security-level 50

ip address 172.16.10.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

same-security-traffic permit inter-interface

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object icmp

service-object tcp

service-object tcp eq domain

service-object tcp eq www

service-object tcp eq https

service-object udp eq domain

object-group service DM_INLINE_SERVICE_2

service-object tcp eq domain

service-object tcp eq www

service-object tcp eq https

service-object udp eq domain

service-object icmp echo

service-object icmp echo-reply

service-object udp eq ntp

object-group service DM_INLINE_SERVICE_3

service-object icmp echo

service-object icmp echo-reply

service-object tcp-udp eq domain

service-object tcp eq www

service-object udp eq ntp

object-group service DM_INLINE_SERVICE_4

service-object icmp echo

service-object tcp-udp eq domain

service-object tcp eq www

service-object tcp eq https

service-object udp eq echo

service-object udp eq ntp

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_SERVICE_0

service-object icmp

service-object tcp eq www

service-object tcp eq https

object-group network DMZ_out

object-group network DMZ-OUT

object-group service DM_INLINE_SERVICE_6

service-object ip

service-object tcp eq https

service-object udp eq ntp

service-object tcp range 1024 65000

service-object tcp eq domain

service-object udp range 1024 65000

service-object udp eq domain

object-group service DM_INLINE_SERVICE_5

service-object tcp range 1024 65000

service-object udp range 1024 65000

service-object icmp

service-object tcp eq domain

service-object tcp eq https

service-object udp eq domain

service-object udp eq ntp

object-group service DM_INLINE_SERVICE_7

service-object ip

service-object tcp range 1024 65000

service-object tcp eq domain

service-object tcp eq https

service-object udp range 1024 65000

service-object udp eq domain

service-object udp eq ntp

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any inside-network 255.0.0.0

access-list outside_access_in_1 extended permit ip any any

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 any inside-network 255.0.0.0

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 inside-network 255.0.0.0 any

access-list outside_int extended permit object-group DM_INLINE_SERVICE_5 any any

access-list dmz_int extended permit tcp host 172.16.31.10 any eq www

access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_6 any inside-network 255.0.0.0

access-list dmz_inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz_inside 1500

mtu management 1500

ip local pool igniteVPN 192.168.0.100-192.168.0.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 101 interface

global (outside) 1 208.118.125.131 netmask 255.255.255.248

nat (inside) 101 0.0.0.0 0.0.0.0

static (inside,dmz_inside) inside-network inside-network netmask 255.0.0.0

static (dmz_inside,outside) interface VCSE netmask 255.255.255.255

access-group outside_int in interface outside

access-group inside_access_in_1 in interface inside

access-group dmz_inside_access_in in interface dmz_inside

route outside 0.0.0.0 0.0.0.0 208.118.125.129 1

route inside inside-network 255.0.0.0 10.1.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http inside-network 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet inside-network 255.0.0.0 inside

telnet 192.168.0.0 255.255.0.0 management

telnet timeout 5

ssh inside-network 255.0.0.0 inside

ssh 192.168.0.0 255.255.0.0 management

ssh timeout 60

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl certificate-authentication interface outside port 443

webvpn

enable outside

svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1

svc enable

group-policy ignite-vpn internal

group-policy ignite-vpn attributes

vpn-tunnel-protocol svc

username dlapierre password 4b08lUXku8U7NYzk encrypted privilege 15

username ignitecsg password 028ZcrY5F/cbezVk encrypted privilege 15

tunnel-group ignitecsg-vpn type remote-access

tunnel-group ignitecsg-vpn general-attributes

address-pool igniteVPN

default-group-policy ignite-vpn

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect xdmcp

inspect netbios

inspect tftp

inspect http

inspect skinny

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b274dbeac756931c5498b59840d9c4a5

: end

igniteCSGfw#

Marcin Latosiewicz · ‎12-07-2012

Darren,

What are you using for signaling? SIP/H323?

M.