09-23-2019 01:44 PM
Hi All,
I am having a bit of an issue here. I am also basically a beginner at working on enterprise-level firewalls. I am trying to get a VOIP phone system working with one of the system's features that allows mobile phones to connect and make and receive calls. I have included all the access ports in an ACL that allow and forward to the VOIP server.
access-list Outside_access_in extended permit udp any4 object Allworx eq 2088
access-list Outside_access_in extended permit object-group TCPUDP any4 object Allworx eq sip
access-list Outside_access_in extended permit udp any object Allworx range 15000 15511
access-list Outside_access_in extended permit tcp any object Allworx eq 8081
access-list Outside_access_in extended permit tcp any4 object Allworx eq sip
access-list Outside_access_in extended permit udp any4 object Allworx eq sip
access-list Outside_access_in extended permit udp any object Allworx range 16384 32767
I have also created the NAT translations:
object network Allworx
nat (inside,outside) static interface service udp sip sip
object network Allworx2
nat (inside,outside) static interface service tcp 8081 8081
object network Allworx3
nat (inside,outside) static interface service tcp sip sip
object network Allworx4
nat (inside,outside) static interface service udp 2088 2088
object service Allworx-V-Ports
service tcp destination range 15000 15511
object service Allworx-V-Ports2
service tcp destination range 16384 32767
I am not sure why, but the return traffic seems to be stopped by this rule:
nat (inside,outside) after-auto source dynamic any interface
It seems to work except for the voice ports. The ASA is blocking the return voice traffic on ports 16384-32767 for sure.
One thing I am curious about is if I remove the line 'nat (inside,outside) after-auto source dynamic any interface', how does that impact the rest of the network?
Hopefully someone can help me with this issue and help me understand what I am doing wrong.
Thank you in advance!
Scott
09-23-2019 10:33 PM
I am not an expert with VOIP, but I saw that your configuration does not have a PAT statement (range 15000 15511 and range 16384 32767) for all the ports configured in ACL Outside_access_in.
I would request you first look at the below links to configure PAT for the necessary ports (which I am not sure about beyond SIP):
https://www.petenetlive.com/KB/Article/0001111
https://www.exigent.net/blog/troubleshooting/how-to-configure-a-cisco-asa-5505-for-voip/
You can also do a static NAT (IP to IP) and then control the ports through the access list Outside_access_in.
HTH
### RATE ALL HELPFUL RESPONSES ###
09-24-2019 08:37 AM
Thank you for the heads up. I forgot to copy that part into the post; I did have those ports open and forwarded to the phone system. However, the Exigent link you included had a small bit of information that I had not seen as of yet: it was the default SIP inspection that was killing the traffic. Once that was disabled, the traffic became what was expected. So the real resolution was:
policy-map global_policy
class inspection_default
no inspect sip
Thank you for the heads up!
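The fix above removes SIP inspection for every SIP flow through the ASA, not just the Allworx. An added example (constructed for this page, not from the thread or from Cisco) that keeps inspection for all other SIP traffic and excludes only the Allworx server; it assumes the existing "object network Allworx" and the default "global_policy" / "inspection_default" names shown in the post:

```cisco
! Constructed example: exclude one host from SIP inspection instead of
! turning it off globally. Deny entries are the traffic left UNinspected
! (the class-map only matches permit entries); permits stay inspected.
! Both directions are listed so flows initiated by the Allworx are covered.
access-list SIP_INSPECT_EXCLUDE extended deny udp any object Allworx eq sip
access-list SIP_INSPECT_EXCLUDE extended deny tcp any object Allworx eq sip
access-list SIP_INSPECT_EXCLUDE extended deny udp object Allworx any eq sip
access-list SIP_INSPECT_EXCLUDE extended deny tcp object Allworx any eq sip
access-list SIP_INSPECT_EXCLUDE extended permit udp any any eq sip
access-list SIP_INSPECT_EXCLUDE extended permit tcp any any eq sip
!
class-map SIP_INSPECT_CLASS
 match access-list SIP_INSPECT_EXCLUDE
!
policy-map global_policy
 class inspection_default
  no inspect sip
 class SIP_INSPECT_CLASS
  inspect sip
```

With inspection off for the Allworx, the static ACL and NAT entries are the only thing letting the RTP range through, so they must agree: as pasted, the Allworx-V-Ports service objects say tcp while the Outside_access_in lines for 15000-15511 and 16384-32767 say udp, and RTP is UDP.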