ASA 5505 site to site RTP traffic is hitting deny all rule

Daniel Demers
Level 1

Hello,

Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.

Currently the rules are as follows

Incoming External

allow ip any any

allow tcp any any

allow udp any any

default deny

Incoming Internal

allow ip any any

allow tcp any any

allow udp any any

default deny

It won't allow us to set up a VoIP call... however, when the same call manager sets up a VoIP call NOT using this IPsec tunnel it works just fine.

2 Replies

nkarthikeyan
Level 7

Hi Daniel,

I guess there is a feature support issue with the ASA sending VoIP traffic over VPN.

The ASA Phone Proxy does not support inspection of packets from phones connecting to it over a VPN tunnel. Therefore, sending phone proxy traffic through a VPN tunnel is not supported.



Note: The ASA 5500 appliances running version 8.4 can support the Phone Proxy feature when integrated with Unified CM 8.0(x) but do not support Phone Proxy with Unified CM versions 8.5(x) and 8.6(x).

Please do rate if the given information helps.

By

Karthik

The ASA does support Voice Traffic over a VPN tunnel, unless you are using phone proxy. If you are using SKINNY, or SIP, these inspections need to be enabled.

If you are still having problems, then you will need to send your show service-policy, and show asp drop output.

Thanks,

Rafael
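The inspections named in the reply above, as an added configuration example that is not part of the original thread. It assumes the ASA still uses its default class-map and policy-map names (inspection_default, global_policy); adjust the names if the running configuration differs.

```cisco
! Added example, not from the thread. Assumes the default names
! inspection_default and global_policy have not been changed.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ! SIP signalling: the inspection opens pinholes for the RTP ports
  ! negotiated in the call setup.
  inspect sip
  ! SCCP (Skinny) signalling used by Cisco IP phones.
  inspect skinny
!
service-policy global_policy global
!
! Checks to run from privileged EXEC mode after a failed call attempt:
!   show service-policy   (per-inspection packet and drop counters)
!   show asp drop         (accelerated security path drop reasons)
```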
