cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco Community Designated VIP Class of 2020

213
Views
15
Helpful
9
Replies
Beginner

Cisco IP Phone 7900 and NAT

Hello,

We need to configure a IP Phone with public address and to do it we need to configure some NATs. The SIP Server is at Internet.

One of the solutions that is possible is to use a SIP Proxy. Does anyone knows if Cisco ASA can be configured as a SIP Proxy?

Is there any special requests to this NAT works? The idea is configure the private address on the data vlan.

 

Thanks.

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Master

No ASA cannot be a SIP proxy.

No ASA cannot be a SIP proxy.  Cisco has CUSP product and now virtual CUSP that can server as proxy.  The obvious issue with NATing SIP traffic is that you need to have SIP aware NAT devices along the path as without that SDP content of the SIP message does not reflect proper media IP addresses and for that reason it is not recommended to NAT SIP traffic.

View solution in original post

9 REPLIES 9
Hall of Fame Master

No ASA cannot be a SIP proxy.

No ASA cannot be a SIP proxy.  Cisco has CUSP product and now virtual CUSP that can server as proxy.  The obvious issue with NATing SIP traffic is that you need to have SIP aware NAT devices along the path as without that SDP content of the SIP message does not reflect proper media IP addresses and for that reason it is not recommended to NAT SIP traffic.

View solution in original post

VIP Advisor

Hi, Adding to above, you need

Hi,

 

Adding to above, you need to make sure that you allow signaling and media ports to the internet. The problem here that the called party can be random (I am assuming) and the media uses wide range of UDP ports. In this you are exposing your VoIP subnet to internet (security concern)

Highlighted
Beginner

Thanks for all answers.I'm

Thanks for all answers.

I'm guessing about this "SIP aware NAT". Is possible to configure it on ASA?
I´m still trying to figure out how to deploy it with few infrastructure changes.
 

Collaborator

The ASAs & CUCM supported a

The ASAs & CUCM supported a feature called IP Phone Proxy. It allowed the phone to treat the ASA as its CUCM and the ASA would proxy the phone's traffic back to the real CUCM. The ASA licensing was very expensive, though.

 

GTG

Please rate all helpful posts.
VIP Advisor

Gordon, ASA Phone Proxy

Gordon,

 

ASA Phone Proxy service is basically an SSL VPN connection from SSL-Capable phones to CUCM cluster. It will enable encrypted/authenticated phones to connect to non-secure cluster (basically mixed mode). ASA won't act as SIP proxy. This is totally different.

 

Collaborator

Not quite. ASA Phone proxy is

Not quite. ASA Phone proxy is as I described. (see www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/unified_comm_phoneproxy.html )

 

Some IP Phones (7965, 9971) have an inbuilt AnyConnect VPN client.

 

(And the new 78xx & 88xx phones support remote access via Jabber/Expressway MRA)

 

GTG

Please rate all helpful posts.
VIP Advisor

Thx Gordon for sharing it. We

Thx Gordon for sharing it. We might be having same understanding with different interpretation. ASA won't be a SIP proxy server for sure. Please see this from the document you shared:

"

the phone proxy behaves in the following ways:

 

- The TLS connections from the phones are terminated on the ASA and a TCP connection is initiated to the Cisco UCM ----- converting secure signaling to non-secure signaling

- SRTP sent from external IP phones to the internal network IP phone via the ASA is converted to RTP ----- converting secure media to non-secure media

......

the phone proxy performs the following major functions:

- Terminates TLS signaling from the phone and initiates TCP or TLS to Cisco UCM

- Inserts itself into the media path by modifying the Skinny and SIP signaling messages

"

You can't point 3rd party SIP client to ASA with Phone Proxy feature because it doesn't perform signaling. It just relays packets.

 

Note: When I said SSL VPN, I wasn't specific to anyconnect VPN. SSL VPN can be client or clientless. Phones which don't support anyconnect client will use clientless SSL VPN.

 

 

 

Hall of Fame Master

Before VPN client was

Before VPN client was supported on Cisco phones, phony proxy feature was available on ASA with proper licensing to proxy TFTP/signaling traffic between CUCM and phones so that they can be used outside of the network. To my understanding that proxy feature was only specific for CUCM communication and not a SIP proxy.

VIP Advisor

Thx Chris for confirming. I

Thx Chris for confirming. I have to admit that I am impressed with the depth of your knowledge :)

 

Glad to see people like you on the forum.

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here