SIP, AnyConnect, and ASA Firewall

PNI-ITRNP
Level 1

I am the ASA Firewall Administrator where I work, and recently our Telephony group has changed their outbound calling to use SIP. We also use AnyConnect VPN Phones, and none of these (as long as they use a Secure Profile, which encrypts the signaling and payload) can make outbound calls.

Well, let me re-phrase that: they can make an outbound call, but they hear no audio. AnyConnect VPN Phones that are not using a secure profile work fine.

Obviously this is an issue with the Firewall per se, something I am not doing or something I am doing! Not sure. Since I am not a Telephony guy, I'm not sure what to look at! When we first put in SIP, the engineer said I needed to add some routes for the SIP CUBEs and a NAT rule, both of which were added. However, at the time our testing efforts were performed with a phone that was not using a secure profile.

I know there is a TLS Proxy feature in the ASA; would this solve my issue? I'm thinking yes, because it would allow the ASA to decrypt the traffic, but I want to make sure this is the solution.

If not, what do I need to do, allow, or configure in the ASA Firewall to allow encrypted calls outbound?

Thank you for any assistance anyone can provide!

9 Replies

George Thomas
Level 10

Do you have SRTP/SIP inspection on? Can you try turning that off?

Please rate useful posts.

Yes, SIP inspection is on. Did you mean "RTSP"? Here are the inspects that are configured:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect h323 h225 
  inspect h323 ras 


You could try removing inspect sip. Taking a step back, if you put a phone with the secure profile on your network and make sure traffic doesn't go through the firewall, do you get audio? By "cannot make outbound calls", did you mean the call fails?
Please rate useful posts.

Here are scenarios I have tested:

Internal Cisco 7965 IP Phone w/Secure or Non-Secure Profile:

  1. IP Phone to IP Phone works fine (Calling internal or other AnyConnect phones) – No Issues
  2. IP Phone to External Number – Uses SIP – No Issues


AnyConnect VPN Phone - Cisco 7965 IP Phone w/Secure Profile:

  1. IP Phone to IP Phone works fine (Calling internal or other AnyConnect phones) – No Issues
  2. IP Phone to External Number – Uses SIP – Call Works – No Audio


AnyConnect VPN Phone - Cisco 7965 IP Phone w/Non-Secure Profile:

  1. IP Phone to IP Phone works fine (Calling internal or other AnyConnect phones) – No Issues
  2. IP Phone to External Number – Uses SIP – No Issues


AnyConnect Laptop – With Cisco Softphone – IP Communicator w/Secure Profile:

  1. IP Phone to IP Phone works fine (Calling internal or other AnyConnect phones) – No Issues
  2. IP Phone to External Number – Uses SIP – No Issues


The only scenario that fails is when the call is initiated on an AnyConnect phone that has a secure profile. The call signaling seems to go through, because the phone rings, but when the called party answers there is no audio in either direction.

OK, let me know if my thinking is correct, but I think what is happening is that the SIP call is automatically negotiating down to unencrypted between the AnyConnect call and SIP.

Now based on that I am assuming that the firewall could be dropping the traffic because the AnyConnect phone is going out encrypted, but the return payload is coming back unencrypted.

What I have noticed is that signaling and payload work on the way out encrypted; it's the return traffic that is unencrypted. Based on that, and knowing the firewall is stateful, it must be dropping the traffic.

Our Network admin was able to verify that voice traffic was indeed coming back, but it was unencrypted because he could playback the G.711 audio and hear the voice call. Had it come back encrypted he would not have been able to hear the voice call.

Hi,

I have the below problem.


IP Phone to IP Phone in a LAN environment.

IP Phone to IP Phone/External Number: the call gets connected, but there is blank audio over AnyConnect VPN to the ASA and then to Call Manager.


Please suggest.

Check routing and NATting on your ASA. Ideally you should exempt VPN traffic from outside NAT on the ASA. Then check your ACLs to make sure that traffic isn't blocked. Check your crypto ACLs to make sure that audio traffic between the softclient and the IP Phone is part of the crypto tunnel. Check your routing.

Thanks for the response.

There is no NAT configuration on the AnyConnect ASA. The ACL also doesn't deny the traffic to the Call Manager.

Could you please help with how to verify the crypto tunnel to check the communication?

Hi, yes, I identified the missing routes for certain voice subnets and split-tunnel entries, which corrected it.
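The checklist reply earlier (routing, NAT exemption, ACLs, split tunnel) and the resolution in the last post come down to one question: does every address the VPN phone needs for signaling and media appear both in the AnyConnect split-tunnel list and in the ASA's routing table? A "call connects, no audio" symptom is exactly what you get when the signaling subnet is covered but the media (RTP/SRTP) subnet is not. As an added example, not code from this thread or from Cisco, here is a small Python checker that parses ASA-style `access-list ... standard` and `route` lines and reports those two facts per voice endpoint. The configuration lines, ACL name, interface name and all addresses are constructed for illustration and are not from the original post.

```python
"""Check that voice endpoints are reachable from AnyConnect VPN phones.

Added example (not from the thread). Parses ASA-style config lines and
reports, for each voice endpoint, whether the split-tunnel ACL includes it
and whether the ASA has a route for it on the inside-facing interface.
Either gap produces "call connects, no audio" when signaling works but
media cannot reach the far end.
"""
import ipaddress
import re

# Constructed sample config; hypothetical names and addresses.
ASA_CONFIG = """
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.20.5.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit host 10.30.7.9
route inside 10.10.0.0 255.255.0.0 10.1.1.1 1
route inside 10.20.5.0 255.255.255.0 10.1.1.1 1
route inside 10.30.0.0 255.255.0.0 10.1.1.1 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

# Hypothetical voice endpoints: CUCM signaling, CUBE SIP trunk address,
# and the address range the CUBE uses for RTP media.
VOICE_ENDPOINTS = {
    "cucm": "10.10.1.10",
    "cube_sip": "10.30.7.5",
    "cube_media": "10.40.0.0/24",
}

# access-list NAME standard permit (host A.B.C.D | NET MASK)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+standard\s+permit\s+"
    r"(?:host\s+(\S+)|(\S+)\s+(\S+))\s*$"
)
# route IFACE NET MASK GATEWAY [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+")


def parse_split_tunnel(config, acl_name):
    """Networks permitted by the named standard ACL (the split-tunnel list)."""
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        if m.group(2):  # 'host' form is a single /32
            nets.append(ipaddress.ip_network(m.group(2)))
        else:
            nets.append(ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False))
    return nets


def parse_routes(config, interface):
    """Static routes that exit via `interface`; the default route out of
    another interface does not count as reachability for a voice subnet."""
    nets = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group(1) == interface:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def covered(target, nets):
    """True if the whole target falls inside one network of `nets`.
    Callers pass collapsed networks so adjacent entries are merged first."""
    target = ipaddress.ip_network(target, strict=False)
    return any(target.subnet_of(n) for n in nets)


def check_voice_reachability(config, acl_name, interface, endpoints):
    split = list(ipaddress.collapse_addresses(parse_split_tunnel(config, acl_name)))
    routes = list(ipaddress.collapse_addresses(parse_routes(config, interface)))
    return {
        name: {
            "in_split_tunnel": covered(target, split),
            "has_route": covered(target, routes),
        }
        for name, target in endpoints.items()
    }


def missing(report):
    """Endpoints with at least one gap: the candidates for one-way or no audio."""
    return sorted(n for n, r in report.items()
                  if not (r["in_split_tunnel"] and r["has_route"]))


if __name__ == "__main__":
    rep = check_voice_reachability(ASA_CONFIG, "SPLIT_TUNNEL", "inside", VOICE_ENDPOINTS)
    for name, r in rep.items():
        print(f"{name:11s} split-tunnel={r['in_split_tunnel']!s:5s} route={r['has_route']}")
    print("gaps:", missing(rep))
```

With the constructed config the CUCM address passes both checks, the CUBE signaling address has a route but is absent from the split-tunnel list, and the media range has neither, which matches the pattern in the thread: the phone rings (signaling reaches CUCM) while the RTP path is never tunneled or routed. Run it against `show running-config` output with the real ACL name and interface, and put the CUBE media range, not just its signaling address, in `VOICE_ENDPOINTS`.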