ASA 5505 SIP Configuration without NAT

campbellpv
Level 1

I am new to using the ASA 5505 appliance.  I have successfully configured it so far, but the one piece that eludes me, and I can't find an example of, is configuring SIP with internal (DMZ, security level 50) VoIP phones to an external call manager (external, security level 0) without using NAT.  I have an internal VLAN to an internal B2 router (and management) on eth0/7, an external VLAN (/30 to an external B1 border router) and five different DMZ VLANs on ports eth0/1-eth0/5.

On the external router, the internal interface going to ASA5505 are separate sub-interfaces for each VLAN in the DMZ and one /30 VLAN to connect between the router and ASA.  I am using vrf forwarding on the DMZ subinterfaces with IPSEC/GRE tunnels to keep the routing tables separate.  I cannot have the different DMZ VLANs communicate with each other (that's why I am using vrf).

Everything works, all my tunnels are up, I can ping to the external sites from the DMZ VLANs and pass data, but I am stymied by setting up VoIP.  When I used the wizard (big mistake) it set up all sorts of certificates and NAT (since I really didn't know what I was doing at this point).

Anybody have any hints or suggestions on configuring VoIP from phones in the DMZ VLANs to an external call manager?

I would include the current config, but I have to hand transcribe it since we don't allow usb connectivity.  I might be able to provide it a little later. 

I am using ASDM 6.4 and ASA IOS 8.4

Thanks in advance.

Peyton

1 Accepted Solution (Julio Carvajal, in the reply below):

packet-tracer input dmz udp dmz_phone_ip 5060 external_callmanager_ip 5060

7 Replies

Julio Carvajal
VIP Alumni

Hello Peyton,

If you do have routable IPs for your DMZ, NAT should not be a problem when you go to the public internet.

Are you getting any logs or errors that make you think the ASA is the issue?

Also do the following:

packet-tracer input dmz udp dmz_phone_ip 5060 external_callmanager_ip 5060

Any other question? Sure, just remember to rate all of the support answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

I tried the command provided above but the ASA wasn't happy with it.

Before we tried the state bypass for VoIP, we were getting resets due to RST ACK without SYN, so I was pretty sure it is the ASA.

Now the logs show the following:

build tcp state-bypass connection 15156 from MTMD:160.5.22.254/51234 to MTMD:160.2.32.1/2000
teardown tcp state-bypass connection 14794 from MTMD:160.5.22.254/14794 to MTMD:160.2.32.1/53102 duration 1:00:04 bytes 0 connection time out
teardown udp connection 15142 for MTMD:160.5.22.254/53082 to MTMD:160.2.32.1/69 duration 0:02:01 bytes 0
teardown udp connection 15141 for MTMD:160.2.32.1/0 to MTMD:160.5.22.254/53081 duration 0:02:17 bytes 0
teardown udp connection 15140 for MTMD:160.5.22.254/53081 to MTMD:160.2.32.1/69 duration 0:02:01 bytes 100

Please excuse the length and any typos, I had to hand transcribe the configuration.

: Saved
:
ASA Version 8.4(1)
!
hostname CFBL-FW
domain-name cfbl.cdsa.smil.mil
enable password asdl;fakldsf das encrypted
passwd adsklfjakl encrypted
names
!
! VLAN1 is a /30 to connect ASA to B2 internal router, router is 10.10.26.1/30
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.26.2 255.255.255.252
!
! VLAN 25 is a /30 to connect ASA to B1 external router, router 10.10.25.1/30
!
interface Vlan25
 description Outside to B1
 nameif Outside
 security-level 0
 ip address 10.10.25.2 255.255.255.252
!
interface Vlan96
 description BMC4I DMZ
 nameif BMC4I
 security-level 50
 ip address 96.5.22.2 255.255.255.0
!
interface Vlan97
 description TPEX DMZ
 nameif TPEX
 security-level 50
 ip address 97.5.22.2 255.255.255.0
!
interface Vlan98
 description CDEP DMZ
 nameif CDEP
 security-level 50
 ip address 98.5.22.2 255.255.255.0
!
interface Vlan99
 description M&S DMZ
 nameif M&S
 security-level 50
 ip address 99.5.22.2 255.255.255.0
!
interface Vlan160
 description MTMD DMZ
 nameif MTMD
 security-level 50
 ip address 160.5.22.2 255.255.255.0
!
! Eth0/0 is outside access
!
interface Ethernet0/0
 switchport access vlan 25
 switchport trunk allowed vlan 25,96-99,160
 switchport mode trunk
!
interface Ethernet0/1
 switchport access vlan 96
!
interface Ethernet0/2
 switchport access vlan 97
!
interface Ethernet0/3
 switchport access vlan 98
!
interface Ethernet0/4
 switchport access vlan 99
!
interface Ethernet0/5
 switchport access vlan 160
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name CFBL.CDSA.SMIL.MIL
same-security-traffic permit intra-interface
!
object network AUS-BMC4I-Network
 subnet 96.1.0.0 255.255.0.0
 description Australian BMC4I Network
object network AUS-TPEX-Network
 subnet 97.1.0.0 255.255.0.0
 description Australian TPEX Network
object network AUS-CDEP-Network
 subnet 98.1.0.0 255.255.0.0
 description Australian CDEP Network
object network AUS-M&S-Network
 subnet 99.1.0.0 255.255.0.0
 description Australian M&S Network
object network AUS-MTMD-Network
 subnet 160.1.0.0 255.255.0.0
 description Australian MTMD Network
object network CAN-BMC4I-Network
 subnet 96.2.0.0 255.255.0.0
 description Canadian BMC4I Network
object network CAN-TPEX-Network
 subnet 97.2.0.0 255.255.0.0
 description Canadian TPEX Network
object network CAN-CDEP-Network
 subnet 98.2.0.0 255.255.0.0
 description Canadian CDEP Network
object network CAN-M&S-Network
 subnet 99.2.0.0 255.255.0.0
 description Canadian M&S Network
object network CAN-MTMD-Network
 subnet 160.2.0.0 255.255.0.0
 description Canadian MTMD Network
object network GBR-BMC4I-Network
 subnet 96.4.0.0 255.255.0.0
 description Great Britain BMC4I Network
object network GBR-TPEX-Network
 subnet 97.4.0.0 255.255.0.0
 description Great Britain TPEX Network
object network GBR-CDEP-Network
 subnet 98.4.0.0 255.255.0.0
 description Great Britain CDEP Network
object network GBR-M&S-Network
 subnet 99.4.0.0 255.255.0.0
 description Great Britain M&S Network
object network GBR-MTMD-Network
 subnet 160.4.0.0 255.255.0.0
 description Great Britain MTMD Network
object network Inside-Network
 subnet 10.10.26.0 255.255.255.252
 description To/From FW/B2 Router
object network MTMD-Networks
 subnet 160.0.0.0 255.0.0.0
 description All Nation enclaves
object network NLD-BMC4I-Network
 subnet 96.22.0.0 255.255.0.0
 description Netherlands BMC4I Network
object network NLD-TPEX-Network
 subnet 97.22.0.0 255.255.0.0
 description Netherlands TPEX Network
object network NLD-CDEP-Network
 subnet 98.22.0.0 255.255.0.0
 description Netherlands CDEP Network
object network NLD-M&S-Network
 subnet 99.22.0.0 255.255.0.0
 description Netherlands M&S Network
object network NLD-MTMD-Network
 subnet 160.22.0.0 255.255.0.0
 description Netherlands MTMD Network
object network Outside-GWY
 host 10.10.25.1
 description From B2 Router to Outside
object network Outside-Network
 subnet 10.10.25.0 255.255.255.252
 description To/From B1 Router/FW Outside
object network USA-DN-BMC4I-Network
 subnet 96.5.22.0 255.255.255.0
 description USA Dam Neck BMC4I Network
object network USA-DN-TPEX-Network
 subnet 97.5.22.0 255.255.255.0
 description USA Dam Neck TPEX Network
object network USA-DN-CDEP-Network
 subnet 98.5.22.0 255.255.255.0
 description USA Dam Neck CDEP Network
object network USA-DN-M&S-Network
 subnet 99.5.22.0 255.255.255.0
 description USA Dam Neck M&S Network
object network USA-DN-MTMD-Network
 subnet 160.5.22.0 255.255.255.0
 description USA Dam Neck MTMD Network
object network USA-DD-BMC4I-Network
 subnet 96.5.6.0 255.255.255.0
 description USA Dahlgren BMC4I Network
object network USA-DD-TPEX-Network
 subnet 97.5.6.0 255.255.255.0
 description USA Dahlgren TPEX Network
object network USA-DD-CDEP-Network
 subnet 98.5.6.0 255.255.255.0
 description USA Dahlgren CDEP Network
object network USA-DD-M&S-Network
 subnet 99.5.6.0 255.255.255.0
 description USA Dahlgren M&S Network
object network USA-DD-MTMD-Network
 subnet 160.5.6.0 255.255.255.0
 description USA Dahlgren MTMD Network
!
! Added by UC Wizard
!
object network asdm_pp_cucm_tftp_160.2.32.1_sccp
 host 160.2.32.1
object network asdm_pp_cucm_tftp_160.2.32.1_sccp_secure
 host 160.2.32.1
object network asdm_pp_cucm_tftp_160.2.32.1_sip
 host 160.2.32.1
object network asdm_pp_cucm_tftp_160.2.32.1_tftp
 host 160.2.32.1
object-group network asdm_pp_cucm_tftp_160.2.32.1_group
 description Unified CM + TFTP at 160.2.32.1
 network-object object asdm_pp_cucm_tftp_160.2.32.1_sccp
 network-object object asdm_pp_cucm_tftp_160.2.32.1_sccp_secure
 network-object object asdm_pp_cucm_tftp_160.2.32.1_sip
 network-object object asdm_pp_cucm_tftp_160.2.32.1_tftp
!
! Added as part of our configuration
!
access-list Outside_access_in extended permit ip any any
access-list Outside_access_out extended permit ip any any
access-list MTMD_access_out extended permit ip any any
access-list MTMD_access_out extended deny ip any any
access-list MTMD_access_in extended permit udp any object asdm_pp_cucm_tftp_160.2.32.1_tftp eq tftp
access-list MTMD_access_in extended permit ip any any
access-list MTMD_access_in extended deny ip any any
access-list global_access extended permit tcp host 64.1.35.111 any eq ssh
access-list M&S_access_out extended permit ip any any
access-list M&S_access_out extended deny ip any any
access-list M&S_access_in extended permit ip any any
access-list CDEP_access_in extended permit ip any any
access-list CDEP_access_out extended permit ip any any
access-list BMC4I_access_in extended permit ip any any
access-list BMC4I_access_out extended permit ip any any
access-list TPEX_access_in extended permit ip any any
access-list TPEX_access_out extended permit ip any any
!
! Looks like part of wizard addition
!
access-list asdm_pp_sip_inspect extended permit tcp any object asdm_pp_cucm_tftp_160.2.32.1_sip eq 5061 log
access-list asdm_pp_skinny_inspect extended permit tcp any object asdm_pp_cucm_tftp_160.2.32.1_sccp_secure eq 2443 log
!
! We added this in an effort to use the state bypass so that it wouldn't inspect sip/skinny traffic
!
access-list VoIP extended permit tcp host 160.2.32.1 host 160.5.22.254
access-list VoIP extended permit tcp host 160.2.32.1 host 10.10.25.2
access-list VoIP extended permit tcp host 160.5.22.254 host 160.2.32.1
access-list VoIP extended permit tcp host 160.5.22.254 host 160.5.22.2
!
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu Outside 1500
mtu BMC4I 1500
mtu CDEP 1500
mtu M&S 1500
mtu TPEX 1500
mtu MTMD 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any MTMD
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
!
! Part of our configuration
!
access-group Outside_access_in interface Outside
access-group Outside_access_out interface Outside
access-group BMC4I_access_in interface BMC4I
access-group BMC4I_access_out interface BMC4I
access-group CDEP_access_in interface CDEP
access-group CDEP_access_out interface CDEP
access-group M&S_access_in interface M&S
access-group M&S_access_out interface M&S
access-group TPEX_access_in interface TPEX
access-group TPEX_access_out interface TPEX
access-group MTMD_access_in interface MTMD
access-group MTMD_access_out interface MTMD
access-group global_access global
!
! Routes to management and external networks; routing information is provided by BGP using VRF in the routers
!
route inside 64.1.35.0 255.255.255.0 10.10.26.1 1
route Outside 96.0.0.0 255.0.0.0 96.5.22.1 1
route Outside 97.0.0.0 255.0.0.0 97.5.22.1 1
route Outside 98.0.0.0 255.0.0.0 98.5.22.1 1
route Outside 99.0.0.0 255.0.0.0 99.5.22.1 1
route Outside 160.0.0.0 255.0.0.0 160.5.22.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server session-timeout 6
http 10.10.26.0 255.255.255.0 inside
http 64.1.35.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! More UC Wizard entries
!
crypto ca trustpoint CAP-RTP-001_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_pp_cucm_tftp_160.2.32.1
 enrollment self
 keypair asdm_cucm_keypair
 crl configure
crypto ca trustpoint _internal_asdm_ctl_file_SAST_0
 enrollment self
 fqdn none
 subject-name cn="_internal_asdm_ctl_file_SAST_0";ou="STG";o="Cisco Inc"
 keypair _internal_asdm_ctl_file_SAST_0
 crl configure
crypto ca trustpoint _internal_asdm_ctl_file_SAST_1
 enrollment self
 fqdn none
 subject-name cn="_internal_asdm_ctl_file_SAST_1";ou="STG";o="Cisco Inc"
 keypair _internal_asdm_ctl_file_SAST_1
 crl configure
crypto ca trustpoint _internal_PP_asdm_ctl_file
 enrollment self
 fqdn none
 subject-name cn="_internal_PP_asdm_ctl_file";ou="STG";o="Cisco Inc"
 keypair _internal_asdm_ctl_file_SAST_0
 crl configure
crypto ca certificate chain CAP-RTP-001_trustpoint
 certificate blahblahblah
 quit
crypto ca certificate chain CAP-RTP-002_trustpoint
 certificate blahblahblah
 quit
crypto ca certificate chain Cisco_Manufacturing_CA_trustpoint
 certificate blahblahblah
 quit
crypto ca certificate chain asdm_pp_cucm_tftp_160.2.32.1
 certificate blahblahblah
 quit
crypto ca certificate chain _internal_asdm_ctl_file_SAST_0
 certificate blahblahblah
 quit
crypto ca certificate chain _internal_asdm_ctl_file_SAST_1
 certificate blahblahblah
 quit
crypto ca certificate chain _internal_PP_asdm_ctl_file
 certificate blahblahblah
 quit
!
! End UC Wizard entries
!
telnet timeout 5
ssh 64.1.35.111 255.255.255.255 inside
ssh timeout 5
ssh version 2
console timeout 10
!
! More UC Wizard entries
!
tls-proxy asdm_cucm_inbound_proxy
 server trust-point _internal_PP_asdm_ctl_file
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1 rc4-sha1
ctl-file asdm_ctl_file
 record-entry cucm-tftp trustpoint asdm_pp_cucm_tftp_160.2.32.1 address 160.5.22.1
 no shutdown
media-termination asdm_media_termination
 address 10.10.25.1 interface Outside
 address 160.5.22.1 interface MTMD
phone-proxy asdm_phone_proxy
 media-termination asdm_media_termination
 tftp-server address 160.2.32.1 interface Outside
 tls-proxy asdm_cucm_inbound_proxy
 ctl-file asdm_ctl_file
 no disable service-settings
!
! End UC Wizard entries
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.10.1.2 source inside prefer
ssl encryption aes128-sha1 aes256-sha1 3des-sha1 null-sha1
webvpn
username
!
! More UC Wizard entries and our entry for state bypass in an effort to get around this
!
class-map asdm_cucm_sip_class
 description Phone proxy sip traffic inspection
 match access-list asdm_pp_sip_inspect
class-map inspection_default
 match default-inspection-traffic
class-map tcp-statebypass
 match access-list VoIP
class-map asdm_cucm_skinny_class
 description Phone proxy skinny traffic inspection
 match access-list asdm_pp_skinny_inspect
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
! Part of our state-bypass entry to overcome sip and skinny inspection
!
 class tcp-statebypass
  set connection advanced-options tcp-state-bypass
!
! End of state-bypass entry by us
!
policy-map MTMD-policy
 class asdm_cucm_sip_class
  inspect sip phone-proxy asdm_phone_proxy
 class asdm_cucm_skinny_class
  inspect skinny phone-proxy asdm_phone_proxy
!
service-policy global_policy global
service-policy MTMD-policy interface MTMD
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic monthly
hpm topN enable
Cryptochecksum:kadfkldasjf
: end
asdm image disk0:/asdm-641.bin
no asdm history enable

Routing in the network is provided by BGP and we are properly sending and receiving updates.

Thanks again for taking a look at this.

Peyton
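As an added illustration (not part of the thread), a Python linter that reads an ASA-style config excerpt and reports the kinds of inconsistency a hand-transcribed config like the one above can hide: references to objects, class-maps and policy-maps that are never defined, the hosts a tcp-state-bypass class exempts from the ASA's TCP checks, and static routes whose next hop is not on the interface they name. The excerpt it runs on is constructed, modelled on this thread's interface names and addresses; the object, class and policy names in it are hypothetical.

```python
"""Lint an ASA 8.4-style running config for the failure modes seen in the thread:
dangling object/class-map/policy-map references, the hosts a TCP state-bypass
class covers, and static routes whose next hop is not on the named interface."""
import ipaddress
import re
from collections import defaultdict

# "object X" / "object-group X" references, but not the "network-object" keyword
OBJ_REF = re.compile(r"(?<![\w-])object(?:-group)? (\S+)")


def parse_asa(text):
    """Collect what lint() needs; sub-commands are the lines with leading whitespace."""
    cfg = {"objects": set(), "object_refs": [], "class_maps": set(), "class_refs": [],
           "policy_maps": set(), "policy_refs": [], "bypass_classes": set(),
           "acl_by_class": {}, "acls": defaultdict(list), "routes": []}
    if_blocks = defaultdict(dict)           # interface block -> {nameif, ip}
    ctx = kind = cur_class = None           # current top-level block
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if raw[0].isspace():                # sub-command of the current block
            if kind == "interface" and w[0] in ("nameif", "ip"):
                if_blocks[ctx][w[0]] = w[1] if w[0] == "nameif" else f"{w[2]}/{w[3]}"
            elif kind == "object-group":
                cfg["object_refs"] += [(ctx, r) for r in OBJ_REF.findall(raw)]
            elif kind == "class-map" and w[:2] == ["match", "access-list"]:
                cfg["acl_by_class"][ctx] = w[2]
            elif kind == "policy-map" and w[0] == "class":
                cfg["class_refs"].append((ctx, cur_class := w[1]))
            elif kind == "policy-map" and "tcp-state-bypass" in w and cur_class:
                cfg["bypass_classes"].add(cur_class)
            continue
        kind, cur_class = w[0], None
        if kind in ("object", "object-group"):
            cfg["objects"].add(ctx := w[2])
        elif kind == "access-list":
            cfg["acls"][w[1]].append(raw)
            cfg["object_refs"] += [(w[1], r) for r in OBJ_REF.findall(raw)]
        elif kind in ("class-map", "policy-map"):
            cfg[kind.replace("-", "_") + "s"].add(ctx := w[-1])   # name is last token
        elif kind == "service-policy":
            cfg["policy_refs"].append(w[1])
        elif kind == "interface":
            ctx = w[1]
        elif kind == "route":
            cfg["routes"].append(tuple(w[1:5]))   # nameif, net, mask, next hop
    cfg["ifaces"] = {b["nameif"]: ipaddress.ip_interface(b["ip"])
                     for b in if_blocks.values() if "nameif" in b and "ip" in b}
    return cfg


def lint(cfg):
    """Findings in a fixed order: objects, class-maps, policy-maps, bypass, routes."""
    out = []
    for owner, ref in cfg["object_refs"]:
        if ref not in cfg["objects"]:
            out.append(f"{owner}: references undefined object {ref}")
    for pm, cls in cfg["class_refs"]:
        if cls != "class-default" and cls not in cfg["class_maps"]:
            out.append(f"policy-map {pm}: references undefined class-map {cls}")
    for pm in cfg["policy_refs"]:
        if pm not in cfg["policy_maps"]:
            out.append(f"service-policy: references undefined policy-map {pm}")
    for cls in sorted(cfg["bypass_classes"]):   # bypass turns off TCP state checks
        acl = cfg["acl_by_class"].get(cls)
        hosts = sorted({h for e in cfg["acls"].get(acl, []) for h in re.findall(r"host (\S+)", e)})
        out.append(f"class {cls}: TCP state bypass skips TCP checks for hosts "
                   + (", ".join(hosts) or "(no matching class-map/ACL)"))
    for iface, net, mask, nh in cfg["routes"]:
        ifn, hop = cfg["ifaces"].get(iface), ipaddress.ip_address(nh)
        if ifn is not None and hop not in ifn.network:
            on = [n for n, i in cfg["ifaces"].items() if hop in i.network]
            out.append(f"route {iface} {net} {mask} via {nh}: next hop is not on {iface} "
                       f"({ifn.network})" + (f", it is on {on[0]}" if on else ""))
    return out


# Constructed excerpt modelled on the thread's config, keeping three of its name mismatches.
SAMPLE_CONFIG = """\
interface Vlan25
 nameif Outside
 ip address 10.10.25.2 255.255.255.252
interface Vlan160
 nameif MTMD
 ip address 160.5.22.2 255.255.255.0
object-group network cucm_group
 network-object object cucm_tftp
access-list VoIP extended permit tcp host 160.2.32.1 host 160.5.22.254
access-list VoIP extended permit tcp host 160.5.22.254 host 160.2.32.1
class-map tcp_statebypass
 match access-list VoIP
policy-map global_policy
 class tcp_statebypass
  set connection advanced-options tcp-state-bypass
 class asdn_cucm_skinny_class
  inspect skinny
service-policy global_policy global
service-policy MTDM-policy interface MTMD
route Outside 160.0.0.0 255.0.0.0 160.5.22.1 1
"""
```

Run over the thread's full config, the route check also fires for each of the five `route Outside ... x.5.22.1` entries, because every next hop sits inside a DMZ interface's /24 rather than in Outside's 10.10.25.0/30.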


VoIP phone is on the MTMD VLAN enclave and the call manager is external to our B1 router.  We

Corrected drawing

packet-tracer input dmz udp dmz_phone_ip 5060 external_callmanager_ip 5060

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks,

I have to find another tree to bark up; I performed the trace using the source and destinations both ways, and the results were the same.

Phase 1 - route lookup - allow
Phase 2 - access-list - allow
Phase 3 - ip-options - allow
Phase 4 - inspect - allow
Phase 5 - access-list - allow
Phase 6 - ip options - allow
Phase 7 - flow - allow

Results:
  input-interface: MTMD (correct interface where phone is)
  input-status - up
  input-line-status - up
  output-interface: MTMD (should this be the outside interface?)
  output-status - up
  output-line-status - up
  action: allow

Julio,

I forgot to thank you for your reply and suggestion on the packet trace.  Thanks for taking the time to help.

Peyton

Hello Peyton,

So it looks like the configuration is the one you need.

If this is still not working, our next step is to perform captures on the ASA.

Do you know how to create them or do you want me to help?

It is my pleasure to help,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC