08-14-2012 04:38 PM - edited 03-11-2019 04:42 PM
Hello,
Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
Currently the rules are as follows
Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny
Incoming Internal
allow ip any any
allow tcp any any
allow udp any any
default deny
It won't allow us to set up a VoIP call...however when the same call manager sets up a VoIP call NOT using this IPsec tunnel it works just fine.
08-15-2012 10:12 AM
Hi Daniel,
I guess there is a feature support issue with the ASA sending VoIP traffic over VPN.
The ASA Phone Proxy does not support inspection of packets from phones connecting to it over a VPN tunnel. Therefore, sending phone proxy traffic through a VPN tunnel is not supported.
Note: The ASA 5500 appliances running version 8.4 can support the Phone Proxy feature when integrated with Unified CM 8.0(x) but do not support Phone Proxy with Unified CM versions 8.5(x) and 8.6(x).
Please do rate if the given information helps.
By
Karthik
08-15-2012 03:07 PM
The ASA does support Voice Traffic over a VPN tunnel, unless you are using phone proxy. If you are using SKINNY, or SIP, these inspections need to be enabled.
If you are still having problems, then you will need to send your show service-policy, and show asp drop output.
Thanks,
Rafael
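An added example, not part of the thread and not Cisco code: a small Python check that reads saved show service-policy output and reports whether the SIP and SKINNY inspections named in the reply above are applied, and whether they are dropping packets. The sample output is constructed, and its layout is assumed to follow the ASA's usual "Inspect:" line format.

```python
import re

# Constructed sample of `show service-policy` output (not from the thread).
# Assumption: lines follow the usual ASA "Inspect: <proto> [map], packet N, drop N" layout.
SAMPLE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 120, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 48, drop 3, reset-drop 0
"""

VOICE = ("sip", "skinny")  # the inspections the reply says must be enabled

POLICY_RE = re.compile(r"^\s*Service-policy:\s*(\S+)")
INSPECT_RE = re.compile(r"^\s*Inspect:\s*([^,]+),\s*packet\s+(\d+),\s*drop\s+(\d+)")


def parse_inspections(text):
    """Return {policy_name: {protocol: {"packets": n, "drops": n}}}."""
    result, policy = {}, None
    for line in text.splitlines():
        sp = POLICY_RE.match(line)
        if sp:
            policy = sp.group(1)
            result.setdefault(policy, {})
            continue
        m = INSPECT_RE.match(line)
        if m and policy is not None:
            # First token is the protocol; an optional inspect map name may follow.
            proto = m.group(1).split()[0].lower()
            result[policy][proto] = {"packets": int(m.group(2)),
                                     "drops": int(m.group(3))}
    return result


def voice_report(text, wanted=VOICE):
    """Return (missing voice inspections, {protocol: drop count} where drops > 0)."""
    enabled = {}
    for protos in parse_inspections(text).values():
        enabled.update(protos)  # simplification: merges global and interface policies
    missing = [p for p in wanted if p not in enabled]
    dropping = {p: enabled[p]["drops"] for p in wanted
                if p in enabled and enabled[p]["drops"] > 0}
    return missing, dropping


if __name__ == "__main__":
    print(voice_report(SAMPLE))
```

A missing entry means that inspection is not applied in any service policy in the output; a non-zero drop count is the cue to compare against show asp drop.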