Cisco ASA 3CX Problem

Ozgur Karatas

Hello all,

We bought 3CX Server and started to use it. The SIP server works on the local network with no problem.
However, we are having a problem with 3CX clients connecting from outside (iPhone, Android softphone).

I have read this web site:

http://www.3cx.com/blog/docs/ports-used/

I created rules on the Cisco ASA. Why can't WAN users connect to the SIP server?

Please help me. Regards.

Access-List:

object-group service 3CX
service-object tcp destination eq 5000
service-object tcp destination eq 5001
service-object tcp destination eq 5060
service-object udp destination eq 5060
service-object tcp destination eq 5061
service-object tcp destination eq 5090
service-object udp destination eq 5090
service-object udp destination range 9000 9049
service-object tcp destination eq 4156

access-list outside-in extended permit object-group 3CX any object sipserver
access-group outside-in in interface outside

NAT:

object network sipserver
host 10.0.4.2

object service 3CX_Management 
service tcp destination eq 5000

object service 3CX_Management_HTTPS
service tcp destination eq 5001

object service 3CX_SIP_TCP
service tcp destination eq 5060

object service 3CX_SIP_UDP
service udp destination eq 5060

object service 3CX_Secure_SIP
service tcp destination eq 5061

object service 3CX_Tunnel_Protocol_TCP
service tcp destination eq 5090

object service 3CX_Tunnel_Protocol_UDP
service udp destination eq 5090

object service 3CX_Media_Server
service udp destination range 9000 9049

object service 3CX_Data_Communication
service tcp destination eq 4156

nat (inside,outside) source static sipserver interface service 3CX_Management 3CX_Management
nat (inside,outside) source static sipserver interface service 3CX_Management_HTTPS 3CX_Management_HTTPS
nat (inside,outside) source static sipserver interface service 3CX_SIP_TCP 3CX_SIP_TCP
nat (inside,outside) source static sipserver interface service 3CX_SIP_UDP 3CX_SIP_UDP
nat (inside,outside) source static sipserver interface service 3CX_Secure_SIP 3CX_Secure_SIP
nat (inside,outside) source static sipserver interface service 3CX_Tunnel_Protocol_TCP 3CX_Tunnel_Protocol_TCP
nat (inside,outside) source static sipserver interface service 3CX_Tunnel_Protocol_UDP 3CX_Tunnel_Protocol_UDP
nat (inside,outside) source static sipserver interface service 3CX_Media_Server 3CX_Media_Server
nat (inside,outside) source static sipserver interface service 3CX_Data_Communication 3CX_Data_Communication


Dennis Mink

Use the packet tracer on the ASA to see if your access list is being hit by your 3CX client.

Also, check the log on your SIP server to see if it is receiving register requests from your clients.

Also, it might be wise to post an error message of some sort in this post. Good luck.

Please remember to rate useful posts, by clicking on the stars below.

Hello minkdennis;

I ran a test with packet-tracer. The result is below:

asa# packet-tracer input outside tcp 8.8.8.8 5060 10.0.4.2 5060

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.4.0        255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit object-group 3CX any object sipserver
object-group service 3CX
 service-object tcp destination eq 5000
 service-object tcp destination eq 5001
 service-object tcp destination eq sip
 service-object udp destination eq sip
 service-object tcp destination eq 5061
 service-object tcp destination eq 5090
 service-object udp destination eq 5090
 service-object udp destination range 9000 9049
 service-object tcp destination eq 4156
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static sipserver interface service 3CX_SIP_TCP 3CX_SIP_TCP
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The ACL is letting it through and your static NAT is being hit (phase 5).

OK, so are you seeing a register attempt, on your SIP proxy?

Please remember to rate useful posts, by clicking on the stars below.
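
To find the phase that dropped the flow in a packet-tracer run like the one posted above, the output can be parsed per phase. This is an added example, not part of the thread; the function names are hypothetical and `SAMPLE_TRACE` is constructed from the posted trace, shortened to two phases.

```python
import re

# Constructed sample: the trace posted above, shortened to two phases and the result block.
SAMPLE_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static sipserver interface service 3CX_SIP_TCP 3CX_SIP_TCP
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(trace):
    """Return one dict per phase with Phase, Type, Subtype, Result and Config (list of lines)."""
    body = re.split(r"(?m)^Result:[ \t]*$", trace)[0]  # cut off the final summary block
    phases = []
    for chunk in re.split(r"(?m)^(?=Phase:)", body):
        fields = {k: v.strip() for k, v in
                  re.findall(r"(?m)^(Phase|Type|Subtype|Result):[ \t]*(.*)$", chunk)}
        if "Phase" not in fields:
            continue
        cfg = re.search(r"(?ms)^Config:[ \t]*\n(.*?)^Additional Information:", chunk)
        fields["Config"] = [l.strip() for l in cfg.group(1).splitlines() if l.strip()] if cfg else []
        phases.append(fields)
    return phases

def first_drop(trace):
    """Return the first phase whose Result is DROP, plus the Drop-reason line, or None."""
    reason = re.search(r"(?m)^Drop-reason:[ \t]*(.*)$", trace)
    for phase in parse_phases(trace):
        if phase.get("Result", "").upper() == "DROP":
            return {**phase, "Drop-reason": reason.group(1).strip() if reason else ""}
    return None
```
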

Hello,

The problem is solved. Thank you.

Regards

Ozgur

Hello dear minkdennis,

Mr. Murat KAYAPINAR helped me; he tested it in GNS3 and sent me the config. The following configuration has worked successfully:

- ASA 9.1 and later:

! Defining the interfaces
interface GigabitEthernet0
 description WAN
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 description LAN
 nameif inside
 security-level 100 
 ip address 10.10.10.1 255.255.255.0
! Defining objects for NAT
object service Console_Management
 service tcp source range 5000 5001
object service Data_Communications
 service tcp source eq 4156
object service Tunnel_Protocol
 service tcp source eq 5090
object service Phone_Systems
 service udp source range sip 5061
object service Media_Server
 service udp source range 9000 9049
! Applying NAT
object network voipserver
host 10.10.10.2
nat (inside,outside) source static  voipserver  voipserver  service Console_Management Console_Management
nat (inside,outside) source static  voipserver  voipserver  service Data_Communications Data_Communications
nat (inside,outside) source static  voipserver  voipserver  service Tunnel_Protocol Tunnel_Protocol
nat (inside,outside) source static  voipserver  voipserver  service Phone_Systems Phone_Systems
nat (inside,outside) source static  voipserver  voipserver  service Media_Server Media_Server
! Creating the object-group for the ACL
object-group service voipservice
 service-object tcp destination eq 5000
 service-object tcp destination eq 5001
 service-object tcp destination eq 4156
 service-object tcp destination eq 5090
 service-object udp destination eq sip
 service-object udp destination eq 5061
 service-object udp destination range 9000 9049
! Defining the ACL
access-list out-in extended permit icmp any object voipserver echo log
access-list out-in extended permit object-group voipservice any object voipserver log
! Applying the ACL
access-group out-in in interface outside
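
Comparing the two configurations in this thread, the working one defines the service objects used by its `nat ... source static ... service` rules with `source` ports, while the original defines them with `destination` ports. The script below is an added example, not code from any poster; it flags rules of that shape whose service objects never match a source port. `SAMPLE_CONFIG`, the function names and the finding strings are constructed for illustration.

```python
import re

# Constructed sample in the style of the two configurations in this thread.
SAMPLE_CONFIG = """\
object service 3CX_SIP_TCP
 service tcp destination eq 5060
object service Tunnel_Protocol
 service tcp source eq 5090
nat (inside,outside) source static sipserver interface service 3CX_SIP_TCP 3CX_SIP_TCP
nat (inside,outside) source static  voipserver  voipserver  service Tunnel_Protocol Tunnel_Protocol
"""

# Matches only plain port-forward rules: no "destination static" clause before "service".
NAT_RE = re.compile(
    r"nat\s+\(\S+,\S+\)\s+(?:after-auto\s+)?(?:\d+\s+)?source\s+static\s+\S+\s+\S+"
    r"\s+service\s+(?P<real_svc>\S+)\s+(?P<mapped_svc>\S+)")

def service_objects(config):
    """Map each 'object service' name to the port keywords it uses: 'source', 'destination'."""
    objs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object service "):
            current = line.split()[2]
            objs[current] = set()
        elif line.startswith("service ") and current:
            objs[current].update(re.findall(r"\b(source|destination)\b", line))
        elif line and not line.startswith("description"):
            current = None  # any other command ends the object block
    return objs

def lint_static_service_nat(config):
    """Return (line_no, object_name, reason) for service objects that never match a source port."""
    objs, findings = service_objects(config), []
    for line_no, raw in enumerate(config.splitlines(), 1):
        m = NAT_RE.match(raw.strip())
        if not m:
            continue
        # De-duplicate when the same object is used as both real and mapped service.
        for name in dict.fromkeys(m.group("real_svc", "mapped_svc")):
            kinds = objs.get(name)
            if kinds is None:
                findings.append((line_no, name, "service object not defined"))
            elif "source" not in kinds:
                findings.append((line_no, name, "matches destination ports only"))
    return findings

if __name__ == "__main__":
    for finding in lint_static_service_nat(SAMPLE_CONFIG):
        print(finding)
```
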