10-16-2012 09:40 PM - edited 03-11-2019 05:10 PM
I am new to using the ASA 5505 appliance. I have successfully configured it so far, but the one piece that eludes me, and that I can't find an example of, is configuring SIP with internal (DMZ, security level 50) VoIP phones to an external call manager (external, security level 0) without using NAT. I have an internal VLAN to an internal B2 router (and management) on eth0/7, an external VLAN (/30 to an external B1 border router) and five different DMZ VLANs on ports eth0/1-eth0/5.
On the external router, the interfaces going to the ASA 5505 are separate sub-interfaces for each VLAN in the DMZ and one /30 VLAN to connect between the router and the ASA. I am using VRF forwarding on the DMZ sub-interfaces with IPsec/GRE tunnels to keep the routing tables separate. I cannot have the different DMZ VLANs communicate with each other (that's why I am using VRFs).
Everything works, all my tunnels are up, I can ping the external sites from the DMZ VLANs and pass data, but I am stymied by setting up VoIP. When I used the wizard (big mistake) it set up all sorts of certificates and NAT (since I really didn't know what I was doing at this point).
Anybody have any hints or suggestions on configuring VoIP from phones in the DMZ VLANs to an external call manager?
I would include the current config, but I have to hand-transcribe it since we don't allow USB connectivity. I might be able to provide it a little later.
I am using ASDM 6.4 and ASA IOS 8.4.
Thanks in advance.
Peyton
10-16-2012 09:52 PM
Hello Peyton,
If you do have routable IPs for your DMZ, NAT should not be a problem when you go to the public internet.
Are you getting any logs or errors that make you think the ASA is the issue?
Also, do the following:
packet-tracer input dmz udp dmz_phone_ip 5060 external_callmanager_ip 5060
Any other question? Sure, just remember to rate all of the support answers.
Julio
10-17-2012 07:25 AM
Hello Julio,
I tried the command provided above but the ASA wasn't happy with it.
Before we tried the state bypass for VoIP, we were getting resets due to RST ACK without SYN, so I was pretty sure it is the ASA.
Now the logs show the following:
build tcp state-bypass connection 15156 from MTMD:160.5.22.254/51234 to MTMD:160.2.32.1/2000
teardown tcp state-bypass connection 14794 for MTMD:160.5.22.254/14794 to MTMD:160.2.32.1/53102 duration 1:00:04 bytes 0 connection timeout
teardown udp connection 15142 for MTMD:160.5.22.254/53082 to MTMD:160.2.32.1/69 duration 0:02:01 bytes 0
teardown udp connection 15141 for MTMD:160.2.32.1/0 to MTMD:160.5.22.254/53081 duration 0:02:17 bytes 0
teardown udp connection 15140 for MTMD:160.5.22.254/53081 to MTMD:160.2.32.1/69 duration 0:02:01 bytes 100
Please excuse the length and any typos; I had to hand-transcribe the configuration.
:Saved
:
ASA Version 8.4(1)
!
hostname CFBL-FW
domain-name cfbl.cdsa.smil.mil
enable password asdl;fakldsf das encrypted
passwd adsklfjakl encrypted
names
!
! VLAN1 is a /30 to connect ASA to B2 internal router, router is 10.10.26.1/30
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.26.2 255.255.255.252
!
! VLAN 25 is a /30 to connect ASA to B1 external router, router 10.10.25.1/30
interface Vlan25
description Outside to B1
nameif Outside
security-level 0
ip address 10.10.25.2 255.255.255.252
!
interface Vlan96
description BMC4I DMZ
nameif BMC4I
security-level 50
ip address 96.5.22.2 255.255.255.0
!
interface Vlan97
description TPEX DMZ
nameif TPEX
security-level 50
ip address 97.5.22.2 255.255.255.0
!
interface Vlan98
description CDEP DMZ
nameif CDEP
security-level 50
ip address 98.5.22.2 255.255.255.0
!
interface Vlan99
description M&S DMZ
nameif M&S
security-level 50
ip address 99.5.22.2 255.255.255.0
!
interface Vlan160
description MTMD DMZ
nameif MTMD
security-level 50
ip address 160.5.22.2 255.255.255.0
!
! Eth0/0 is outside access
!
interface Ethernet0/0
switchport access vlan 25
switchport trunk allowed vlan 25,96-99,160
switchport mode trunk
!
interface Ethernet0/1
switchport access vlan 96
!
interface Ethernet0/2
switchport access vlan 97
!
interface Ethernet0/3
switchport access vlan 98
!
interface Ethernet0/4
switchport access vlan 99
!
interface Ethernet0/5
switchport access vlan 160
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
!
ftp mode passive
!
dns server-group DefaultDNS
domain-name CFBL.CDSA.SMIL.MIL
!
same-security-traffic-permit intra-interface
!
object network AUS-BMC4I-Network
subnet 96.1.0.0 255.255.0.0
description Australian BMC4I Network
!
object network AUS-TPEX-Network
subnet 97.1.0.0 255.255.0.0
description Australian TPEX Network
!
object network AUS-CDEP-Network
subnet 98.1.0.0 255.255.0.0
description Australian CDEP Network
!
object network AUS-M&S-Network
subnet 99.1.0.0 255.255.0.0
description Australian M&S Network
!
object network AUS-MTMD-Network
subnet 160.1.0.0 255.255.0.0
description Australian MTMD Network
!
object network CAN-BMC4I-Network
subnet 96.2.0.0 255.255.0.0
description Canadian BMC4I Network
!
object network CAN-TPEX-Network
subnet 97.2.0.0 255.255.0.0
description Canadian TPEX Network
!
object network CAN-CDEP-Network
subnet 98.2.0.0 255.255.0.0
description Canadian CDEP Network
!
object network CAN-M&S-Network
subnet 99.2.0.0 255.255.0.0
description Canadian M&S Network
!
object network CAN-MTMD-Network
subnet 160.2.0.0 255.255.0.0
description Canadian MTMD Network
!
object network GBR-BMC4I-Network
subnet 96.4.0.0 255.255.0.0
description Great Britain BMC4I Network
!
object network GBR-TPEX-Network
subnet 97.4.0.0 255.255.0.0
description Great Britain TPEX Network
!
object network GBR-CDEP-Network
subnet 98.4.0.0 255.255.0.0
description Great Britain CDEP Network
!
object network GBR-M&S-Network
subnet 99.4.0.0 255.255.0.0
description Great Britain M&S Network
!
object network GBR-MTMD-Network
subnet 160.4.0.0 255.255.0.0
description Great Britain MTMD Network
!
object network Inside-Network
subnet 10.10.26.0 255.255.255.252
description To/From FW/B2 Router
!
object network MTMD-Networks
subnet 160.0.0.0 255.0.0.0
description All Nation enclaves
!
object network NLD-BMC4I-Network
subnet 96.22.0.0 255.255.0.0
description Netherlands BMC4I Network
!
object network NLD-TPEX-Network
subnet 97.22.0.0 255.255.0.0
description Netherlands TPEX Network
!
object network NLD-CDEP-Network
subnet 98.22.0.0 255.255.0.0
description Netherlands CDEP Network
!
object network NLD-M&S-Network
subnet 99.22.0.0 255.255.0.0
description Netherlands M&S Network
!
object network NLD-MTMD-Network
subnet 160.22.0.0 255.255.0.0
description Netherlands MTMD Network
!
object network Outside-GWY
host 10.10.25.1
description From B2 Router to Outside
!
object network Outside-Network
subnet 10.10.25.0 255.255.255.252
description To/From B1 Router/FW Outside
!
object network USA-DN-BMC4I-Network
subnet 96.5.22.0 255.255.255.0
description USA Dam Neck BMC4I Network
!
object network USA-DN-TPEX-Network
subnet 97.5.22.0 255.255.255.0
description USA Dam Neck TPEX Network
!
object network USA-DN-CDEP-Network
subnet 98.5.22.0 255.255.255.0
description USA Dam Neck CDEP Network
!
object network USA-DN-M&S-Network
subnet 99.5.22.0 255.255.255.0
description USA Dam Neck M&S Network
!
object network USA-DN-MTMD-Network
subnet 160.5.22.0 255.255.255.0
description USA Dam Neck MTMD Network
!
object network USA-DD-BMC4I-Network
subnet 96.5.6.0 255.255.255.0
description USA Dahlgren BMC4I Network
!
object network USA-DD-TPEX-Network
subnet 97.5.6.0 255.255.255.0
description USA Dahlgren TPEX Network
!
object network USA-DD-CDEP-Network
subnet 98.5.6.0 255.255.255.0
description USA Dahlgren CDEP Network
!
object network USA-DD-M&S-Network
subnet 99.5.6.0 255.255.255.0
description USA Dahlgren M&S Network
!
object network USA-DD-MTMD-Network
subnet 160.5.6.0 255.255.255.0
description USA Dahlgren MTMD Network
!
!Added by UC Wizard
!
object network asdm_pp_cucm_tftp_160.2.32.1_sccp
Host 160.2.32.1
object network asdm_pp_cucm_tftp_160.2.32.1_sccp_secure
Host 160.2.32.1
object network asdm_pp_cucm_tftp_160.2.32.1_sip
Host 160.2.32.1
object network asdm_pp_cucm_tftp_160.2.32.1_tftp
Host 160.2.32.1
object-group network asdm_pp_cucm_tftp_160.2.32.1_group
description Unified CM + TFTP at 160.2.32.1
network-object object asdm_pp_cucm_tftp_160.2.32.1_sccp
network-object object asdm_pp_cucm_tftp_160.2.32.1_sccp_secure
network-object object asdm_pp_cucm_tftp_160.2.32.1_sip
network-object object asdm_pp_cucm_tftp_160.2.32.1_tftp
!
! Added as part of our configuration
!
access-list Outside_access_in extended permit ip any any
access-list Outside_access_out extended permit ip any any
access-list MTMD_access_out extended permit ip any any
access-list MTMD_access_out extended deny ip any any
access-list MTMD_access_in extended permit udp any object asdm_pp_cucm_tftp_160.2.32.1_tftp eq tftp
access-list MTMD_access_in extended permit ip any any
access-list MTMD_access_in extended deny ip any any
access-list global_access extended permit tcp host 64.1.35.111 any eq ssh
access-list M&S_access_out extended permit ip any any
access-list M&S_access_out extended deny ip any any
access-list M&S_access_in extended permit ip any any
access-list CDEP_access_in extended permit ip any any
access-list CDEP_access_out extended permit ip any any
access-list BMC4I_access_in extended permit ip any any
access-list BMC4I_access_out extended permit ip any any
access-list TPEX_access_in extended permit ip any any
access-list TPEX_access_out extended permit ip any any
!
! Looks like part of wizard addition
!
access-list asdm_pp_sip_inspect extended permit tcp any object asdm_pp_cucm_tftp_160.2.32.1_sip eq 5061 log
access-list asdm_pp_skinny_inspect extended permit tcp any object asdm_pp_cucm_tftp_160.2.32.1_sccp_secure eq 2443 log
!
! We added this in an effort to use the state bypass so that it wouldn't inspect sip/skinny traffic
!
access-list VoIP extended permit tcp host 160.2.32.1 host 160.5.22.254
access-list VoIP extended permit tcp host 160.2.32.1 host 10.10.25.2
access-list VoIP extended permit tcp host 160.5.22.254 host 160.2.32.1
access-list VoIP extended permit tcp host 160.5.22.254 host 160.5.22.2
!
pager lines 24
!
logging enable
!
logging console informational
!
logging asdm informational
!
mtu inside 1500
mtu Outside 1500
mtu BMC4I 1500
mtu CDEP 1500
mtu M&S 1500
mtu TPEX 1500
mtu MTMD 1500
!
no failover
!
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any MTMD
!
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
!
! Part of our configuration
!
access-group Outside_access_in interface Outside
access-group Outside_access_out interface Outside
access-group BMC4I_access_in interface BMC4I
access-group BMC4I_access_out interface BMC4I
access-group CDEP_access_in interface CDEP
access-group CDEP_access_out interface CDEP
access-group M&S_access_in interface M&S
access-group M&S_access_out interface M&S
access-group TPEX_access_in interface TPEX
access-group TPEX_access_out interface TPEX
access-group MTMD_access_in interface MTMD
access-group MTMD_access_out interface MTMD
access-group global_access global
!
! Routes to management and external networks, routing information provided by BGP using VRF in routers
!
route inside 64.1.35.0 255.255.255.0 10.10.26.1 1
route Outside 96.0.0.0 255.0.0.0 96.5.22.1 1
route Outside 97.0.0.0 255.0.0.0 97.5.22.1 1
route Outside 98.0.0.0 255.0.0.0 98.5.22.1 1
route Outside 99.0.0.0 255.0.0.0 99.5.22.1 1
route Outside 160.0.0.0 255.0.0.0 160.5.22.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
!
dynamic-access-policy-record DfltAccessPolicy
!
http server enable
http server session-timeout 6
http 10.10.26.0 255.255.255.0 inside
http 64.1.35.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! More UC Wizard entries
!
crypto ca trustpoint CAP-RTP-001_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint asdm_pp_cucm_tftp_160.2.32.1
enrollment self
keypair asdm_cucm_keypair
crl configure
crypto ca trustpoint _internal_asdm_ctl_file_SAST_0
enrollment self
fqdn none
subject-name cn="_internal_asdm_ctl_file_SAST_0";ou="STG";o="Cisco Inc"
keypair _internal_asdm_ctl_file_SAST_0
crl configure
crypto ca trustpoint _internal_asdm_ctl_file_SAST_1
enrollment self
fqdn none
subject-name cn="_internal_asdm_ctl_file_SAST_1";ou="STG";o="Cisco Inc"
keypair _internal_asdm_ctl_file_SAST_1
crl configure
crypto ca trustpoint _internal_PP_asdm_ctl_file
enrollment self
fqdn none
subject-name cn="_internal_PP_asdm_ctl_file";ou="STG";o="Cisco Inc"
keypair _internal_asdm_ctl_file_SAST_0
crl configure
crypto ca certificate chain CAP-RTP-001_trustpoint
certificate blahblahblah
quit
crypto ca certificate chain CAP-RTP-002_trustpoint
certificate blahblahblah
quit
crypto ca certificate chain Cisco_Manufacturing_CA_trustpoint
certificate blahblahblah
quit
crypto ca certificate chain asdm_pp_cucm_tftp_160.2.32.1
certificate blahblahblah
quit
crypto ca certificate chain _internal_asdm_ctl_file_SAST_0
certificate blahblahblah
quit
crypto ca certificate chain _internal_asdm_ctl_file_SAST_1
certificate blahblahblah
quit
crypto ca certificate chain _internal_PP_asdm_ctl_file
certificate blahblahblah
quit
!
! End UC Wizard entries
!
telnet timeout 5
ssh 64.1.35.111 255.255.255.255 inside
ssh timeout 5
ssh version 2
console timeout 10
!
! More UC Wizard entries
tls-proxy asdm_cucm_inbound_proxy
server trust-point _internal_PP_asdm_ctl_file
client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1 rc4-sha1
ctl-file asdm_ctl_file
record-entry cucm-tftp trustpoint asdm_pp_cucm_tftp_160.2.32.1 address 160.5.22.1
no shutdown
!
media-termination asdm_media_termination
address 10.10.25.1 interface Outside
address 160.5.22.1 interface MTMD
!
phone-proxy asdm_phone_proxy
media-termination asdm_media_termination
tftp-server address 160.2.32.1 interface Outside
tls-proxy asdm_cucm_inbound_proxy
ctl-file asdm_ctl_file
no disable service-settings
!
! End UC Wizard entries
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.10.1.2 source inside prefer
ssl encryption aes128-sha1 aes256-sha1 3des-sha1 null-sha1
webvpn
username
!
! More UC Wizard entries and our entry for statebypass in an effort to get around this
!
class-map asdm_cucm_sip_class
description Phone proxy sip traffic inspection
match access-list asdm_pp_sip_inspect
class-map inspection_default
match default-inspection-traffic
class-map tcp_statebypass
match access-list VoIP
class-map asdm_cucm_skinny_class
description Phone proxy skinny traffic inspection
match access-list asdm_pp_skinny_inspect
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
! Part of our statebypass entry to overcome sip and skinny inspection
!
class tcp_statebypass
set connection advanced-options tcp-state-bypass
!
! End of statebypass entry by us
!
policy-map MTMD-policy
class asdm_cucm_sip_class
inspect sip phone-proxy asdm_phone_proxy
class asdm_cucm_skinny_class
inspect skinny phone-proxy asdm_phone_proxy
!
service-policy global_policy global
service-policy MTMD-policy interface MTMD
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address e-mail callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic monthly
hpm topN enable
Cryptochecksum:kadfkldasjf
: end
asdm image disk0:/asdm-641.bin
no asdm history enable
Routing in the network is provided by BGP and we are properly sending and receiving updates.
Thanks again for taking a look at this.
Peyton
VoIP phone is on the MTMD VLAN enclave and the call manager is external to our B1 router. We
10-17-2012 07:28 AM
Corrected drawing
10-17-2012 07:46 AM
packet-tracer input dmz udp dmz_phone_ip 5060 external_callmanager_ip 5060
10-18-2012 02:36 PM
Thanks,
I have to find another tree to bark up. I performed the trace using the source and destinations both ways; results were the same.
Phase 1 - route lookup - allow
Phase 2 - access-list - allow
Phase 3 - ip-options - allow
Phase 4 - inspect - allow
Phase 5 - access-list - allow
Phase 6 - ip-options - allow
Phase 7 - flow - allow
Results:
input-interface: MTMD (correct interface where phone is)
input-status: up
input-line-status: up
output-interface: MTMD (should this be the outside interface?)
output-status: up
output-line-status: up
action: allow
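A hand-transcribed config like the one posted above tends to hide dangling references that are worth ruling out before looking at inspection settings: an object-group member named for 150.2.32.1 while the object is defined for 160.2.32.1, a class-map declared as tcp-statebypass but referenced as tcp_statebypass, a service-policy that names MTDM-policy for a policy-map called MTMD-policy, a static route on Outside whose next hop 160.5.22.1 is an address in the MTMD subnet (worth comparing with the packet-tracer result above, where the output interface is MTMD rather than Outside), and a media-termination address that is the same 160.5.22.1 the routes use as a gateway, where the phone proxy expects an unused address of the ASA's own on that subnet. The Python script below is an added example for this thread, not a Cisco tool and not the poster's own script. The config excerpt inside it is constructed and abridged from fragments of the posted config, with those mismatches deliberately kept so the checker has something to report; it understands only the plain command forms used in this thread (no `class-map type ...`, no IPv6, no `tunneled` routes).

```python
"""Cross-reference lint for a hand-transcribed Cisco ASA 8.4 configuration.

Added example for this thread (not Cisco tooling, not the poster's script).
Only the plain command forms that appear in the thread are understood.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed, abridged excerpt modelled on the posted config. The name and
# address mismatches are kept in on purpose so the checker reports them.
SAMPLE_CONFIG = """\
interface Vlan25
 nameif Outside
 security-level 0
 ip address 10.10.25.2 255.255.255.252
interface Vlan160
 nameif MTMD
 security-level 50
 ip address 160.5.22.2 255.255.255.0
object network asdm_pp_cucm_tftp_160.2.32.1_tftp
 host 160.2.32.1
object-group network asdm_pp_cucm_tftp_160.2.32.1_group
 network-object object asdm_pp_cucm_tftp_150.2.32.1_tftp
access-list MTMD_access_in extended permit udp any object asdm_pp_cucm_tftp_160.2.32.1_tftp eq tftp
access-list MTMD_access_in extended permit ip any any
access-list VoIP extended permit tcp host 160.5.22.254 host 160.2.32.1
access-group MTMD_access_in interface MTMD
route Outside 160.0.0.0 255.0.0.0 160.5.22.1 1
media-termination asdm_media_termination
 address 160.5.22.1 interface MTMD
class-map tcp-statebypass
 match access-list VoIP
policy-map global_policy
 class tcp_statebypass
  set connection advanced-options tcp-state-bypass
policy-map MTMD-policy
 class asdm_cucm_sip_class
  inspect sip
service-policy global_policy global
service-policy MTDM-policy interface MTMD
"""


def parse_asa_config(text):
    """Collect definitions, references, interface subnets, routes and MTAs.

    Returns (defs, refs, interfaces, routes, mtas): defs maps a kind such as
    'object' or 'class-map' to the names defined; refs is a list of
    (kind, name, line_no); interfaces maps nameif -> IPv4Interface; routes is
    (interface, next_hop, line_no); mtas is (address, interface, line_no).
    """
    defs = defaultdict(set)
    defs["class-map"].add("class-default")  # built-in, never declared
    refs, routes, mtas, interfaces = [], [], [], {}
    nameif = addr = None  # state of the interface block being read
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "!:":  # comments, ':Saved', ': end'
            continue
        if re.match(r"interface\s+\S+$", line):
            nameif = addr = None
        elif m := re.match(r"nameif\s+(\S+)$", line):
            nameif = m[1]
        elif m := re.match(r"ip address\s+(\S+)\s+(\S+)$", line):
            addr = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"object-group network\s+(\S+)$", line):
            defs["object-group"].add(m[1])
        elif m := re.match(r"object network\s+(\S+)$", line):
            defs["object"].add(m[1])
        elif m := re.match(r"network-object object\s+(\S+)$", line):
            refs.append(("object", m[1], n))
        elif m := re.match(r"access-list\s+(\S+)", line):
            defs["access-list"].add(m[1])
            refs += [("object", o, n) for o in re.findall(r"\bobject\s+(\S+)", line)]
            refs += [("object-group", g, n) for g in re.findall(r"\bobject-group\s+(\S+)", line)]
        elif m := re.match(r"access-group\s+(\S+)\s+(?:global|interface\s+(\S+))$", line):
            refs.append(("access-list", m[1], n))
            if m[2]:
                refs.append(("interface", m[2], n))
        elif m := re.match(r"route\s+(\S+)\s+\S+\s+\S+\s+(\S+)", line):
            routes.append((m[1], m[2], n))
        elif m := re.match(r"address\s+(\S+)\s+interface\s+(\S+)$", line):  # media-termination
            mtas.append((m[1], m[2], n))
        elif m := re.match(r"class-map\s+(\S+)$", line):
            defs["class-map"].add(m[1])
        elif m := re.match(r"match access-list\s+(\S+)$", line):
            refs.append(("access-list", m[1], n))
        elif m := re.match(r"policy-map\s+(?!type\s)(\S+)$", line):
            defs["policy-map"].add(m[1])
        elif m := re.match(r"class\s+(\S+)$", line):  # 'class' inside a policy-map
            refs.append(("class-map", m[1], n))
        elif m := re.match(r"service-policy\s+(\S+)\s+(?:global|interface\s+(\S+))$", line):
            refs.append(("policy-map", m[1], n))
            if m[2]:
                refs.append(("interface", m[2], n))
        if nameif and addr:
            interfaces[nameif] = addr
    defs["interface"] = set(interfaces)
    return defs, refs, interfaces, routes, mtas


def check_config(text):
    """Return findings as 'line N: ...' strings, ordered by config line."""
    defs, refs, interfaces, routes, mtas = parse_asa_config(text)
    findings = []
    for kind, name, n in refs:
        if name not in defs[kind]:
            findings.append((n, f"{kind} '{name}' is referenced but never defined"))
    for iface, gw, n in routes:
        if iface not in interfaces:
            findings.append((n, f"route names unknown interface '{iface}'"))
            continue
        gw_ip = ipaddress.IPv4Address(gw)
        if gw_ip not in interfaces[iface].network:
            owners = [i for i, a in interfaces.items() if gw_ip in a.network]
            where = (f"it is on {owners[0]} ({interfaces[owners[0]].network})"
                     if owners else "no interface owns it")
            findings.append((n, f"route via {iface} but next hop {gw} is not in "
                                f"{interfaces[iface].network}; {where}"))
    next_hops = {gw: n for _, gw, n in routes}
    for addr, iface, n in mtas:
        if addr in next_hops:
            findings.append((n, f"media-termination address {addr} on {iface} is also the "
                                f"static-route next hop on line {next_hops[addr]}; the ASA "
                                "needs an unused address of its own here"))
        elif iface in interfaces and addr == str(interfaces[iface].ip):
            findings.append((n, f"media-termination address {addr} is {iface}'s own address"))
    return [f"line {n}: {msg}" for n, msg in sorted(findings)]


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show running-config` saved to a file (`check_config(open("asa.cfg").read())`) before comparing the transcript with the box; packet-tracer remains the authority on which interface a flow actually egresses, this only points at the lines to look at.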
10-18-2012 02:40 PM
Julio,
I forgot to thank you for your reply and suggestion on the packet trace. Thanks for taking the time to help.
Peyton
10-18-2012 02:42 PM
Hello Peyton,
So it looks like the configuration is the one you need.
If this is still not working, our next step is to perform captures on the ASA.
Do you know how to create them or do you want me to help?
It is my pleasure to help,
Regards,