09-07-2010 01:03 PM - edited 03-11-2019 11:36 AM
I have an ASA firewall placed at the perimeter network and a host in the inside network.
I have only allowed this host to make VoIP calls using a 3rd-party VoIP service called Jumblo (for info: www.jumblo.com).
Below is the config.
>>access-list inside_access_in extended permit udp host 192.168.5.150 object-group DM_INLINE_NETWORK_11 object-group Jumblo
>>nat (inside) 10 192.168.5.150 255.255.255.255
The call can be made successfully. Perhaps the problem is that when a call is placed he cannot hear the dial tone and the remote client's voice.
I believe that I have to configure something on the ASA to allow the traffic from outside to inside, but I am confused.
Please advise me.
09-08-2010 12:51 PM
The output of Wireshark that you posted earlier, was it with or without any access list?
Thanks
Manish
09-08-2010 12:52 PM
Also, post the current sh run & sh version of the device.
Thanks
Manish
09-08-2010 01:08 PM
I already posted the sh run in the previous reply with ASDM images
09-08-2010 01:54 PM
The ASDM output does show the ports being allowed, but on the other hand I do not see any access-list or access-group being applied on the interface. I know this could be annoying, but we are trying to help, so post the output of SH VERSION.
thanks
manish
09-08-2010 03:54 PM
Hello Samir,
I think we are missing something here. Let us do the following. I am
assuming that you have the capture configurations I had provided earlier in
the firewall.
access-list cap permit ip host 192.168.5.150 any
access-list cap permit ip any host 192.168.5.150
capture capin access-list cap interface inside
1. Turn off the inside host
2. Execute following command on the firewall: "clear capture capin"
3. Now turn on the inside host
4. Except Jumblo application, do not open anything else
5. Try to make a call
6. Now collect the capture output "show capture capin"
Hope this gives us a good pointer on where the packet is getting dropped.
Regards,
NT
09-08-2010 05:14 PM
Hello NT.
I'll try and let you know
Really I appreciate your efforts.
09-08-2010 07:04 PM
09-08-2010 07:15 PM
Hello,
Can you add port 80 to your object group?
object-group service Jumblo tcp-udp
port-object eq 80
Regards,
NT
09-08-2010 07:16 PM
Hello,
Please ignore my earlier post.
Regards,
NT
09-08-2010 07:17 PM
Hi
It's already added under the Jumblo object group.
09-08-2010 07:37 PM
Hello Samir,
From the capture, it seems like the application is using some additional
ports:
100: 01:55:13.520755 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
101: 01:55:14.520816 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
102: 01:55:15.520862 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
103: 01:55:16.520923 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
104: 01:55:17.520984 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
I also noticed that it is using some additional IP addresses
141: 01:55:25.900572 10.1.1.2.13045 > 80.239.235.232.80: udp 172
142: 01:55:25.930448 10.1.1.2.13045 > 194.120.0.232.80: udp 172
143: 01:55:25.940579 10.1.1.2.13045 > 62.41.83.232.80: udp 172
144: 01:55:25.960567 10.1.1.2.13045 > 195.219.64.232.80: udp 172
145: 01:55:25.980555 10.1.1.2.13045 > 77.72.168.232.80: udp 172
146: 01:55:26.010482 10.1.1.2.13045 > 208.167.230.117.80: udp 172
147: 01:55:26.020628 10.1.1.2.13045 > 80.239.235.232.80: udp 172
148: 01:55:26.040891 10.1.1.2.13045 > 194.120.0.232.80: udp 172
149: 01:55:26.070476 10.1.1.2.13045 > 62.41.83.232.80: udp 172
150: 01:55:26.080623 10.1.1.2.13045 > 195.219.64.232.80: udp 172
151: 01:55:26.100595 10.1.1.2.13045 > 77.72.168.232.80: udp 172
152: 01:55:26.120919 10.1.1.2.13045 > 208.167.230.117.80: udp 172
153: 01:55:26.150489 10.1.1.2.13045 > 80.239.235.232.80: udp 172
154: 01:55:26.160651 10.1.1.2.13045 > 194.120.0.232.80: udp 172
155: 01:55:26.181234 10.1.1.2.13045 > 62.41.83.232.80: udp 172
156: 01:55:26.210484 10.1.1.2.13045 > 195.219.64.232.80: udp 172
So, I guess the best way is to open up 10.1.1.2 to all external IP addresses
on the set of ports. Otherwise, you can try to include above IP addresses in
your Jumblo object group.
Regards,
NT
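One way to turn a capture like the one in the post above into the list of destinations and ports the inside ACL would have to cover (an added example, not part of the original thread). It parses only the UDP line shape shown in the post; the function names and the allowed-port set `{80}` are assumptions, 80 being the only Jumblo port the thread names.

```python
import re
from collections import Counter

# Lines copied from the "show capture capin" output quoted in the post above.
CAPTURE = """\
100: 01:55:13.520755 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
101: 01:55:14.520816 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
141: 01:55:25.900572 10.1.1.2.13045 > 80.239.235.232.80: udp 172
142: 01:55:25.930448 10.1.1.2.13045 > 194.120.0.232.80: udp 172
143: 01:55:25.940579 10.1.1.2.13045 > 62.41.83.232.80: udp 172
146: 01:55:26.010482 10.1.1.2.13045 > 208.167.230.117.80: udp 172
147: 01:55:26.020628 10.1.1.2.13045 > 80.239.235.232.80: udp 172
"""

# "<n>: <time> <src-ip>.<src-port> > <dst-ip>.<dst-port>: <proto> <length>"
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+\d+"
)

def parse_capture(text):
    """Return (src, dst, dst_port, proto) for every line in the shape above."""
    flows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return flows

def summarize(flows, inside_host, allowed_ports):
    """Count packets per outbound destination and mark ports the ACL covers."""
    counts = Counter((d, p, pr) for s, d, p, pr in flows if s == inside_host)
    return [
        {"dst": d, "dport": p, "proto": pr, "packets": n, "in_acl": p in allowed_ports}
        for (d, p, pr), n in sorted(counts.items())
    ]

def uncovered_ports(report):
    """Destination ports seen in the capture but absent from allowed_ports."""
    return sorted({r["dport"] for r in report if not r["in_acl"]})

if __name__ == "__main__":
    # allowed_ports={80} is an assumption: 80 is the only Jumblo port the thread names.
    report = summarize(parse_capture(CAPTURE), "10.1.1.2", allowed_ports={80})
    for row in report:
        print(row)
    print("ports missing from the object group:", uncovered_ports(report))
```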
09-08-2010 07:54 PM
09-08-2010 08:00 PM
Hello Samir,
Can you open up the inside host for all internet addresses on the Jumblo
ports? Also, include port "58056" in the object group.
Regards,
NT
09-09-2010 09:02 AM
Hi Samir/NT,
It appears that the application uses random ports as destination ports rather than just the few mentioned on the JUMBLO web site regarding external firewalls. We all saw that the Wireshark capture caught port 24670, and you saw port 58056 in the captures set up on the firewall.
I think you should give JUMBLO a call and confirm which destination ports need to be open. Sometimes the information on the web site has not been edited for a long time. But looking at the different/unmentioned destination ports, I think it uses random ports for connectivity.
Thanks
Manish
09-12-2010 02:42 AM
Hi Manish and NT,
Sorry for the delay in my responding back but I was actually on vacation.
Absolutely, it uses random ports. OK then, I will try to contact jumb
Big thanks for your efforts. I really appreciate.