Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3512
Views
0
Helpful
2
Replies

We need to enable SIP from outside to inside (ASA 5505)

ralf.rottmann
Level 1
Level 1

‎05-15-2012 03:38 AM - edited ‎03-11-2019 04:07 PM

Hi there,

We recently purchases the Cisco ASA 5505 to get familiar with it, possibly buying more appliances for our branch offices. However, since the appliance is installed, our SIP telephones no longer register with our SIP service provider.

The SIP phones are all on 10.0.1.0/24 while the SIP provider is external via the outside network. I copied our configuration below. Can anybody advise how to enable SIP for all 10.0.1.0/24 hosts and ports 5060, 5160, 5260, 5360?

This matter is pretty urgent...

gcxfw# show running-config

: Saved

:

ASA Version 8.4(3)

!

hostname gcxfw

domain-name ***

enable password *** encrypted

passwd *** encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 12

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 195.14.245.70 255.255.255.224

!

interface Vlan12

nameif dmz

security-level 50

ip address 10.0.2.1 255.255.255.0

!

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 194.8.194.60

name-server 213.168.112.60

domain-name ***

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-10.0.1.0

subnet 10.0.1.0 255.255.255.0

object network obj-10.0.2.0

subnet 10.0.2.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (dmz,outside) source dynamic obj_any interface

nat (inside,dmz) source static obj-10.0.1.0 obj-10.0.1.0 destination static obj-10.0.2.0 obj-10.0.2.0

!

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 195.14.245.65 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.0.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

    ***

  quit

telnet timeout 5

ssh 10.0.1.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd dns 194.8.194.60 213.168.112.60

dhcpd auto_config inside

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username *** password *** encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

hpm topN enable

Cryptochecksum:3636b3a4cffda0c099e3e65ba598164f

: end

Labels:
0 Helpful
2 Replies 2

ralf.rottmann
Level 1
Level 1

‎05-15-2012 03:57 AM

We solved half of the issue by enabling sip inspect as outlined in the documentation. However, in addition, we need to enable it for port 5160 (5060 is working). How can we do that?

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to ralf.rottmann

‎05-15-2012 09:33 AM

class-map SIP

match port tcp eq 5160

policy-map global_policy

class SIP

Inspect SIP

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card