12-06-2012 12:44 PM - edited 03-11-2019 05:34 PM
Hello,
I am hoping someone can help me out to get this VC traffic through this network. I am quite new to ASAs, and I feel I am making a tonne of headway on it (much thanks to everyone here!); I just seem to be caught on this one issue.
The setup: The VCS Expressway is currently sitting within the DMZ (ip 172.16.10.10) which is NAT'd to 208.118.125.130. The internal VCS Control is pointed to the VCS Expressway within the DMZ (as it is designed to do).
I have accessibility from the DMZ to the internal network. And from the DMZ to outside seems to work partially (more on that below).
The problem:
Call signalling is able to get through my network, but not media. I.e., the call initiates, but media does not connect. Furthermore, I registered an internal endpoint (10.2.20.118) to the DMZ expressway (172.16.10.10). The registration works fine, but again, when I call to another endpoint (internal GK registered endpoint to external GK registered endpoint) the call sets up, but media doesn't establish.
Think anyone can take a peek at this?
Here is the network topology, and below that is the run config.
ASA Version 8.0(4)
!
hostname igniteCSGfw
enable password awUSpLuFs5wdhqJE encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 inside-network
name 172.16.10.10 VCSE
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 208.118.125.130 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz_inside
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object tcp
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
object-group service DM_INLINE_SERVICE_2
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object icmp echo
service-object icmp echo-reply
service-object udp eq ntp
object-group service DM_INLINE_SERVICE_3
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp eq domain
service-object tcp eq www
service-object udp eq ntp
object-group service DM_INLINE_SERVICE_4
service-object icmp echo
service-object tcp-udp eq domain
service-object tcp eq www
service-object tcp eq https
service-object udp eq echo
service-object udp eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_0
service-object icmp
service-object tcp eq www
service-object tcp eq https
object-group network DMZ_out
object-group network DMZ-OUT
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object tcp eq https
service-object udp eq ntp
service-object tcp range 1024 65000
service-object tcp eq domain
service-object udp range 1024 65000
service-object udp eq domain
object-group service DM_INLINE_SERVICE_5
service-object tcp range 1024 65000
service-object udp range 1024 65000
service-object icmp
service-object tcp eq domain
service-object tcp eq https
service-object udp eq domain
service-object udp eq ntp
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object tcp range 1024 65000
service-object tcp eq domain
service-object tcp eq https
service-object udp range 1024 65000
service-object udp eq domain
service-object udp eq ntp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any inside-network 255.0.0.0
access-list outside_access_in_1 extended permit ip any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 any inside-network 255.0.0.0
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 inside-network 255.0.0.0 any
access-list outside_int extended permit object-group DM_INLINE_SERVICE_5 any any
access-list dmz_int extended permit tcp host 172.16.31.10 any eq www
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_6 any inside-network 255.0.0.0
access-list dmz_inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz_inside 1500
mtu management 1500
ip local pool igniteVPN 192.168.0.100-192.168.0.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (outside) 1 208.118.125.131 netmask 255.255.255.248
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,dmz_inside) inside-network inside-network netmask 255.0.0.0
static (dmz_inside,outside) interface VCSE netmask 255.255.255.255
access-group outside_int in interface outside
access-group inside_access_in_1 in interface inside
access-group dmz_inside_access_in in interface dmz_inside
route outside 0.0.0.0 0.0.0.0 208.118.125.129 1
route inside inside-network 255.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http inside-network 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside-network 255.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 management
telnet timeout 5
ssh inside-network 255.0.0.0 inside
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl certificate-authentication interface outside port 443
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
group-policy ignite-vpn internal
group-policy ignite-vpn attributes
vpn-tunnel-protocol svc
username dlapierre password 4b08lUXku8U7NYzk encrypted privilege 15
username ignitecsg password 028ZcrY5F/cbezVk encrypted privilege 15
tunnel-group ignitecsg-vpn type remote-access
tunnel-group ignitecsg-vpn general-attributes
address-pool igniteVPN
default-group-policy ignite-vpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect http
inspect skinny
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b274dbeac756931c5498b59840d9c4a5
: end
igniteCSGfw#
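As an added example (not part of Darren's post, and not a Cisco tool), here is a small Python script that reads the relevant lines of the posted running-config and reports the three things I would check first when signalling sets up but media never flows: the static NAT entry for the Expressway host, whether the ACL bound to each interface actually permits UDP in the 1024-65000 range the object-groups use, and which protocol inspections (ALGs) the global policy enables. The config excerpt is copied from the post and trimmed to the lines the audit reads; the media port 50000, the name `VCSE` as the DMZ host, and the simplification that source/destination addresses are not evaluated are my assumptions. The script only reports: whether the SIP and H.323 ALGs should be on or off in front of a VCS Expressway depends on how the Expressway's own NAT mode is configured, which the post does not show.

```python
# Audit an ASA 8.x show-run excerpt for the pieces that decide whether DMZ
# video media passes: static NAT, per-interface ACL port coverage, and ALGs.
from collections import defaultdict

# Excerpt of the running-config posted in the thread (copied as-is, trimmed
# to the lines this audit reads).
ASA_CONFIG = """\
name 172.16.10.10 VCSE
object-group service DM_INLINE_SERVICE_5
service-object tcp range 1024 65000
service-object udp range 1024 65000
service-object icmp
service-object udp eq ntp
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object udp range 1024 65000
service-object udp eq ntp
access-list outside_int extended permit object-group DM_INLINE_SERVICE_5 any any
access-list dmz_int extended permit tcp host 172.16.31.10 any eq www
access-list dmz_inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
static (dmz_inside,outside) interface VCSE netmask 255.255.255.255
access-group outside_int in interface outside
access-group dmz_inside_access_in in interface dmz_inside
policy-map global_policy
inspect dns preset_dns_map
inspect http
inspect skinny
"""

WELL_KNOWN = {"domain": 53, "echo": 7, "www": 80, "ntp": 123, "https": 443}
VOIP_INSPECTIONS = ("sip", "h323 h225", "h323 ras")  # ASA's SIP/H.323 ALGs


def parse_config(text):
    """Collect names, service object-groups, ACLs, interface bindings,
    static NATs and 'inspect' statements from show-run style text."""
    cfg = {"names": {}, "groups": defaultdict(list), "acls": defaultdict(list),
           "access_groups": {}, "statics": [], "inspections": []}
    group = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] != "service-object":
            group = None  # any other command ends the object-group block
        if parts[0] == "name":
            cfg["names"][parts[2]] = parts[1]
        elif parts[:2] == ["object-group", "service"]:
            group = parts[2]
            cfg["groups"][group]  # register the group even if it stays empty
        elif parts[0] == "service-object" and group:
            cfg["groups"][group].append(parts[1:])
        elif parts[0] == "access-list":
            cfg["acls"][parts[1]].append(parts[2:])
        elif parts[0] == "access-group":  # access-group ACL in interface IFACE
            cfg["access_groups"][parts[4]] = parts[1]
        elif parts[0] == "static":
            cfg["statics"].append(" ".join(parts))
        elif parts[0] == "inspect":
            cfg["inspections"].append(" ".join(parts[1:]))
    return cfg


def to_port(tok):
    return WELL_KNOWN[tok] if tok in WELL_KNOWN else int(tok)


def covers(spec, proto, port):
    """Does one tokenised spec like ['udp','range','1024','65000'] match?"""
    if spec[0] == "ip":
        return True
    if spec[0] not in (proto, "tcp-udp"):
        return False
    if len(spec) == 1:  # bare 'tcp' / 'udp' means every port
        return True
    if spec[1] == "eq":
        return port == to_port(spec[2])
    if spec[1] == "range":
        return to_port(spec[2]) <= port <= to_port(spec[3])
    return False


def acl_permits(cfg, acl, proto, port):
    """True if any permit entry of ACL covers proto/port. Source and
    destination addresses are deliberately not evaluated (assumption)."""
    for entry in cfg["acls"].get(acl, []):
        if entry[:2] != ["extended", "permit"]:
            continue
        if entry[2] == "object-group":
            specs = cfg["groups"][entry[3]]
        else:  # inline entry: protocol plus any trailing 'eq X' / 'range A B'
            tail = entry[3:]
            i = next((k for k, t in enumerate(tail) if t in ("eq", "range")), len(tail))
            specs = [[entry[2]] + tail[i:]]
        if any(covers(s, proto, port) for s in specs):
            return True
    return False


def audit(cfg, dmz_host="VCSE", media_port=50000):
    """media_port is a hypothetical UDP port inside the 1024-65000 range."""
    report = {"static_nat_for_dmz_host":
              [s for s in cfg["statics"] if dmz_host in s.split()]}
    for iface, acl in cfg["access_groups"].items():
        report[f"{iface}_acl"] = acl
        report[f"{iface}_permits_udp_media"] = acl_permits(cfg, acl, "udp", media_port)
    enabled = set(cfg["inspections"])
    report["voip_inspections_missing"] = [i for i in VOIP_INSPECTIONS if i not in enabled]
    return report


if __name__ == "__main__":
    for key, value in audit(parse_config(ASA_CONFIG)).items():
        print(f"{key}: {value}")
```

Run against the posted excerpt, the report shows the static NAT for `VCSE` in place, both the outside and dmz_inside ACLs permitting UDP in the media range, and `sip`, `h323 h225` and `h323 ras` absent from the global policy (which lists `skinny` but no SIP/H.323 inspection); that last line is what M.'s SIP/H.323 question is getting at.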
12-07-2012 12:33 AM
Darren,
What are you using for signaling? SIP/H323?
M.