07-31-2014 09:45 AM - edited 03-16-2019 11:35 PM
Hello All,
Can anyone help me confirm if it is possible to establish a SIP trunk between two CUCM 9.1 through Cisco ASA?
Please see the attached picture.
Do I need a special license for this in ASA?
Can you point me to the correct documentation for this deployment?
ASA Version: 8.4(2) and ASA Version 9.1(2)
Thanks for your response.
07-31-2014 03:38 PM
I don't see any issues with it other than the fact that you will need to set up your firewall to allow SIP and RTP packets between the sites. The only issue will be with the firewall. As long as you configure it properly, I don't see any issues at all.
08-01-2014 02:57 PM
Thanks for your response, man.
Can you point me to the correct documentation about setting up the firewall to allow SIP and RTP packets?
Thanks.
08-02-2014 04:39 AM
Hello
1- You have to enable port 5060 in the access list which will permit traffic between the two sites to ITSP.
2- You have to enable SIP & RTP traffic in inspection to allow SIP traffic and RTP.
3- Kindly find the documents below; I hope they are useful for you.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82446-enable-voip-config.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_voicevideo.html#wp1204403
http://www.exigent.net/blog/troubleshooting/how-to-configure-a-cisco-asa-5505-for-voip/
Note: if you get any issues, kindly check the Cisco support community for security devices below, who are experts.
https://supportforums.cisco.com/community/4561/security
Thanks
Please rate all useful information
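Steps 1 and 2 from the reply above, sketched as an ASA configuration fragment. This is an added example, not part of the original thread or taken from the linked documents; the interface name `outside`, the ACL and object names, and both host addresses (documentation-range placeholders) are assumptions, and it presumes no NAT between the two CUCMs. The ACL permits SIP only from the peer CUCM rather than from any source, so port 5060 is not reachable from the rest of the internet.

```cisco
! Constructed placeholders (assumptions, replace with real values):
!   198.51.100.10 = local CUCM, 203.0.113.10 = remote CUCM
object network CUCM-LOCAL
 host 198.51.100.10
object network CUCM-REMOTE
 host 203.0.113.10
!
! Step 1: permit SIP signalling (5060) only from the peer CUCM.
! ASA 8.3 and later match the real (un-NATed) address in interface ACLs.
access-list OUTSIDE_IN extended permit tcp object CUCM-REMOTE object CUCM-LOCAL eq 5060
access-list OUTSIDE_IN extended permit udp object CUCM-REMOTE object CUCM-LOCAL eq 5060
! Binding an ACL replaces any ACL already applied inbound on this interface;
! if one exists, add the two permit lines to it instead.
access-group OUTSIDE_IN in interface outside
!
! Step 2: SIP inspection. With it enabled the ASA opens the RTP pinholes
! negotiated in the SIP/SDP exchange, so no static RTP port range is permitted here.
policy-map global_policy
 class inspection_default
  inspect sip
!
! Checks after a test call:
!   show access-list OUTSIDE_IN       (hit counts on the 5060 entries)
!   show service-policy inspect sip   (inspection packet counters)
```

The mirror-image configuration, with the two addresses swapped, goes on the ASA at the other site.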
08-05-2014 07:52 AM
If you have access to both ASAs I would just create a site-2-site VPN between them with some NAT exempt! It's a 2min job using the wizard on the ASA, then you are not messing around with opening ports etc.
Plus you're pushing your voice over a VPN tunnel rather than just out onto the internet!
If you do go down the road of port forwarding watch out for port 5060:
http://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html
You don't want to find yourself with a BIG phone bill for calls you didn't make!
Good luck!
08-01-2014 02:53 AM
Just bear in mind that SIP (& RTP) don't always play nice with NAT.
If you're not having to NAT, and you're just running a transparent VPN tunnel with the ASAs, then it should work fine.
If you need to NAT, then you should consider a SIP Session Border Controller (e.g. Cisco CUBE).
GTG
PS - ASAs have protocol inspection that tries to help by looking deep into the packets and rejecting/cleaning packets. Unfortunately, it doesn't always work well, so consider switching it off...
08-01-2014 02:54 PM
Hi, thanks for your response.
I don't have a VPN tunnel with the ASAs, so I think that the second option is good for me (NAT).
Can you point me to the correct documentation about configuring it, or if you have an example about this, please point me to it. I have a CUBE for Site A and Site B but I don't know how to configure it for this purpose.
Thanks for your response and help on this.