
SIP Trunk Between Two ASAs

Hello All,

Can anyone help me confirm whether it is possible to establish a SIP trunk between two CUCM 9.1 through Cisco ASA?

Please see the attached picture.

Do I need a special license for this on the ASA?

Can you point me to the correct documentation for this deployment?

 

ASA Version: 8.4(2) and ASA Version 9.1(2)

Thanks for your response.

6 Replies

Ayodeji Okanlawon
VIP Alumni

I don't see any issues with it other than the fact that you will need to set up your firewall to allow SIP and RTP packets between the sites. The only issue will be with the firewall. As long as you configure it properly, I don't see any issues at all.

Please rate all useful posts

Thanks for your response, man.

Can you point me to the correct documentation about setting up the firewall to allow SIP and RTP packets?

 

Thanks...

Hello

1- You have to enable port 5060 in the access list that permits traffic between the two sites to the ITSP.

2- You have to enable SIP and RTP traffic in inspection to allow SIP and RTP traffic.

3- Please find the documents below; I hope they are useful to you.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82446-enable-voip-config.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_voicevideo.html#wp1204403

http://www.exigent.net/blog/troubleshooting/how-to-configure-a-cisco-asa-5505-for-voip/

 

Note: if you run into any issues, please check the Cisco Support Community forum for security devices below, whose members are experts.

https://supportforums.cisco.com/community/4561/security

 

Thanks

Please rate all useful information

If you have access to both ASAs, I would just create a site-2-site VPN between them with some NAT exempt! It's a 2min job using the wizard on the ASA, and then you are not messing around with opening ports etc.

Plus you're pushing your voice over a VPN tunnel rather than just out onto the internet!

If you do go down the road of port forwarding watch out for port 5060:

http://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html

You don't want to find yourself with a BIG phone bill for calls you didn't make!

Good luck!
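The port 5060 warning in the reply above can be checked mechanically before a rule set goes live. The following Python sketch is an added example, not part of the thread or any Cisco tooling: it scans ASA `access-list` lines for permit rules that let any source reach port 5060. The ACL lines and addresses are constructed, and the parser assumes simple extended ACLs with no source-port clause.

```python
# Constructed sample ASA ACL lines (not from the thread); the addresses are
# RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit udp any host 192.0.2.10 eq sip
access-list OUTSIDE_IN extended permit tcp host 198.51.100.20 host 192.0.2.10 eq 5060
access-list OUTSIDE_IN extended permit udp any host 192.0.2.10 range 5000 5100
access-list OUTSIDE_IN extended permit udp host 198.51.100.20 host 192.0.2.10 range 16384 32767
access-list OUTSIDE_IN extended deny udp any any eq sip
"""
SIP_PORT = 5060
PORT_NAMES = {"sip": 5060}          # ASA prints port 5060 as the keyword "sip"
ANY = {"any", "any4", "any6"}
OPS = {"eq": lambda a: a == SIP_PORT, "neq": lambda a: a != SIP_PORT,
       "gt": lambda a: a < SIP_PORT, "lt": lambda a: a > SIP_PORT,
       "range": lambda a, b: a <= SIP_PORT <= b}

def take_address(tokens):
    """Consume one address spec and return (spec, remaining tokens)."""
    if not tokens:
        return None, []
    if tokens[0] in ANY:
        return tokens[0], tokens[1:]
    # "host ADDR", "object NAME", "object-group NAME" or "NETWORK MASK"
    return " ".join(tokens[:2]), tokens[2:]

def to_port(tok):
    # None for port names this sketch does not know
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)

def covers_sip(spec):
    """True if the destination-port clause can match 5060."""
    if not spec or spec[0] not in OPS:
        return True                  # no port clause: every port matches
    ports = [to_port(t) for t in spec[1:3 if spec[0] == "range" else 2]]
    if None in ports:
        return True                  # unknown port name: flag for manual review
    return OPS[spec[0]](*ports)

def open_sip_rules(config):
    """Return permit rules that let any source reach port 5060."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:4] != ["extended", "permit"]:
            continue
        if t[4] not in ("tcp", "udp", "ip"):
            continue
        src, rest = take_address(t[5:])
        _dst, rest = take_address(rest)
        if src in ANY and covers_sip(rest):
            findings.append(line)
    return findings
```

On the constructed sample, `open_sip_rules(SAMPLE_CONFIG)` returns the first and third lines: the explicit `eq sip` rule open to any source, and the port range that silently includes 5060.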

Gordon Ross
Level 9

Just bear in mind that SIP (& RTP) don't always play nice with NAT.

 

If you're not having to NAT, and you're just running a transparent VPN tunnel with the ASAs, then it should work fine.

 

If you need to NAT, then you should consider a SIP Session Border Controller (e.g. Cisco CUBE)

 

GTG

 

PS - ASAs have protocol inspection that tries to help by looking deep into the packets and rejecting/cleaning packets. Unfortunately, it doesn't always work well, so consider switching it off...

Please rate all helpful posts.

Hi, thanks for your response.

I don't have a VPN tunnel with the ASAs, so I think that the second option is good for me (NAT).

Can you point me to the correct documentation about configuring it, or if you have an example of this, please point me to it. I have a CUBE for Site A and Site B, but I don't know how to configure it for this purpose.

Thanks for your response and help on this.