Cisco ASA 3CX Problem

Ozgur Karatas · ‎08-20-2014

Hello all,

we bought and started to use 3CX Server and SIP Server working in local networks, not problem.
so we are having a problem from the outside 3CX client (iphone, android softphone).

I have read this web site:

http://www.3cx.com/blog/docs/ports-used/

I install create rules Cisco ASA, Why does not connect WAN users SIP server?

Help me plase, Regards.

Access-List:

object-group service 3CX
service-object tcp destination eq 5000
service-object tcp destination eq 5001
service-object tcp destination eq 5060
service-object udp destination eq 5060
service-object tcp destination eq 5061
service-object tcp destination eq 5090
service-object udp destination eq 5090
service-object udp destination range 9000 9049
service-object tcp destination eq 4156

access-list outside-in extended permit object-group 3CX any object sipserver
access-group outside-in in interface outside

NAT:

object network sipserver
host 10.0.4.2

object service 3CX_Management
service tcp destination eq 5000

object service 3CX_Management_HTTPS
service tcp destination eq 5001

object service 3CX_SIP_TCP
service tcp destination eq 5060

object service 3CX_SIP_UDP
service udp destination eq 5060

object service 3CX_Secure_SIP
service tcp destination eq 5061

object service 3CX_Tunnel_Protocol_TCP
service tcp destination eq 5090

object service 3CX_Tunnel_Protocol_UDP
service udp destination eq 5090

object service 3CX_Media_Server
service udp destination range 9000 9049

object service 3CX_Data_Communication
service tcp destination eq 4156

nat (inside,outside) source static sipserver interface service 3CX_Management 3CX_Management
nat (inside,outside) source static sipserver interface service 3CX_Management_HTTPS 3CX_Management_HTTPS
nat (inside,outside) source static sipserver interface service 3CX_SIP_TCP 3CX_SIP_TCP
nat (inside,outside) source static sipserver interface service 3CX_SIP_UDP 3CX_SIP_UDP
nat (inside,outside) source static sipserver interface service 3CX_Secure_SIP 3CX_Secure_SIP
nat (inside,outside) source static sipserver interface service 3CX_Tunnel_Protocol_TCP 3CX_Tunnel_Protocol_TCP
nat (inside,outside) source static sipserver interface service 3CX_Tunnel_Protocol_UDP 3CX_Tunnel_Protocol_UDP
nat (inside,outside) source static sipserver interface service 3CX_Media_Server 3CX_Media_Server
nat (inside,outside) source static sipserver interface service 3CX_Data_Communication 3CX_Data_Communication

Dennis Mink · ‎08-20-2014

Use the packet tracer on the ASA, to see if your access list is being hit by your 3cx client.

also, check the log on your sip server to see if it is receiving register requests from your clients.

also, it might be wise to post an error message of some sort in this post. Good luck

Please remember to rate useful posts, by clicking on the stars below.

Ozgur Karatas · ‎08-20-2014

Hello minkdennis;

I use packet-tracer and I have tested. This below result:

asa# packet-tracer input outside tcp 8.8.8.8 5060 10.0.4.2 5060

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.4.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit object-group 3CX any object sipserver
object-group service 3CX
service-object tcp destination eq 5000
service-object tcp destination eq 5001
service-object tcp destination eq sip
service-object udp destination eq sip
service-object tcp destination eq 5061
service-object tcp destination eq 5090
service-object udp destination eq 5090
service-object udp destination range 9000 9049
service-object tcp destination eq 4156
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static sipserver interface service 3CX_SIP_TCP 3CX_SIP_TCP
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Dennis Mink · ‎08-21-2014

ACL is letting it through and your static nat is being hit (phase 5)

OK, so are you seeing a register attempt, on your SIP proxy?

Please remember to rate useful posts, by clicking on the stars below.

Ozgur Karatas · ‎08-21-2014

Hello,

The problem is solved. Thank you.

Regards

Ozgur

Ozgur Karatas · ‎08-22-2014

Hello dear minkdennis,

Mr. Murat KAYAPINAR helping me and He is tested GNS3 and sent me config. The following configuration has worked successfully:

- ASA 9.1 later:

! Arayuz tanimlamasi yapiliyor

interface GigabitEthernet0

description WAN

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0

!

interface GigabitEthernet1

description LAN

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

! Nat icin object tanimlaniyor

object service Console_Management

service tcp source range 5000 5001

object service Data_Communications

service tcp source eq 4156

object service Tunnel_Protocol

service tcp source eq 5090

object service Phone_Systems

service udp source range sip 5061

object service Media_Server

service udp source range 9000 9049

! NAT islemi uygulaniyor

object network voipserver

host 10.10.10.2

nat (inside,outside) source static voipserver voipserver service Console_Management Console_Management

nat (inside,outside) source static voipserver voipserver service Data_Communications Data_Communications

nat (inside,outside) source static voipserver voipserver service Tunnel_Protocol Tunnel_Protocol

nat (inside,outside) source static voipserver voipserver service Phone_Systems Phone_Systems

nat (inside,outside) source static voipserver voipserver service Media_Server Media_Server

! ACL icin object-group olusturuluyor

object-group service voipservice

service-object tcp destination eq 5000

service-object tcp destination eq 5001

service-object tcp destination eq 4156

service-object tcp destination eq 5090

service-object udp destination eq sip

service-object udp destination eq 5061

service-object udp destination range 9000 9049

! ACL tanimlaniyor

access-list out-in extended permit icmp any object voipserver echo log

access-list out-in extended permit object-group voipservice any object voipserver log

! ACL uygulaniyor

access-group out-in in interface outside