cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
687
Views
10
Helpful
2
Replies

ASA in front of ISR for SIP Trunk possible?

jsulliva
Level 1
Level 1

Can anyone share if they had success in putting an ASA in front of an ISR for a SIP trunk?

 

I had a problem with double NAT.  Currently, an ISR router is in front of the network with the trunk to avoid double NAT. 

 

Configurations or links to ASA configuration would be helpful.

 

 

2 Accepted Solutions

Accepted Solutions

Dennis Mink
VIP Alumni
VIP Alumni

Essentially, your CUBE will be listening to 5060 or 5061 (when using TLS). on top of that you have RTP that will flow through that same ASA. with SIP inspect configured on your ASA there is no need to explicitly open up high port 16000-32000 (roughly) for RTP.  I run this set up on our VCS and works perfectly and is essentially no different from a CUBE.

 

 

Please remember to rate useful posts, by clicking on the stars below.

View solution in original post

Hi,

 

I am doing this without problems. You need to disable SIP inspection and make sure that you configure SIP IPs in a policy map with TCP state bypass enabled.

 

Regarding the ports to be allowed on ASA, it depends on what services are running. Check this link.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90_chapter_01.html

View solution in original post

2 Replies 2

Dennis Mink
VIP Alumni
VIP Alumni

Essentially, your CUBE will be listening to 5060 or 5061 (when using TLS). on top of that you have RTP that will flow through that same ASA. with SIP inspect configured on your ASA there is no need to explicitly open up high port 16000-32000 (roughly) for RTP.  I run this set up on our VCS and works perfectly and is essentially no different from a CUBE.

 

 

Please remember to rate useful posts, by clicking on the stars below.

Hi,

 

I am doing this without problems. You need to disable SIP inspection and make sure that you configure SIP IPs in a policy map with TCP state bypass enabled.

 

Regarding the ports to be allowed on ASA, it depends on what services are running. Check this link.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90_chapter_01.html

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: