ASA 5510 SIP and One way audio

asommers
Level 1

I am banging my head against the wall as I am trying to figure this out. We have an Asterisk-based PBX running on a server and it is not VLAN'd or anything, as we have a large pipe coming in. We are using NAT, and the problem is that occasionally we have audio issues when we call out to an outside caller: we can hear them, but they can't hear anything. I was trying to add it to my nat 0 group, but then there is no audio in or out.

Below are parts of our config from the ASA:

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz2) 0 access-list dmz2_nat0_outbound
nat (dmz2) 0 access-list dmz2_nat0_outbound_1 outside
access-list mpl extended permit udp any host 66.213.98.12 eq sip
access-list mpl extended permit tcp host Nextiva host 66.213.98.12 eq sip
access-list mpl extended permit udp host Nextiva host 66.213.98.12 range 10000 20000
access-list mpl extended permit tcp any host 66.213.98.10 eq smtp
access-list mpl extended permit tcp any host 66.213.98.10 eq https
access-list mpl extended permit tcp any host 66.213.98.11 eq www
access-list mpl extended permit tcp any host 66.213.98.10 eq imap4
access-list mpl extended permit tcp any host 66.213.98.3 eq www
access-list mpl extended permit tcp any host 66.213.98.3 eq 10001
access-list mpl extended permit tcp any host 66.213.98.3 eq ssh
access-list mpl extended permit tcp any host 66.213.98.6 eq https
access-list mpl extended permit udp any host 192.168.0.53 eq ntp
access-list mpl extended permit udp any host 192.168.0.58 eq ntp
access-list mpl extended permit tcp any host 66.213.98.8 eq www
access-list mpl extended permit object-group TCPUDP any host 66.213.98.8 eq domain
access-list mpl extended permit tcp any host 66.213.98.5 inactive
access-list pixtosw extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list pixtonavarre extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list MPL_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list MPL_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list MPL_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list dmz2_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list MSS_Exceeded_ACL extended permit tcp any any
access-list dmz2_nat0_outbound_1 extended permit ip host 192.168.50.10 host 192.168.0.53
global (outside) 1 interface
global (outside) 1 66.213.98.12
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect ftp
  inspect http
  inspect pptp
  inspect rtsp
policy-map public-policy
 class public-class
  inspect http
  police output 1500000 1500
  police input 1500000 1500
policy-map qos
 class voice
  priority
priority-queue outside
  tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics
!
class-map public-class
 match any
class-map global-class
 match default-inspection-traffic
class-map voice
 match dscp ef

9 Replies

Julio Carvajal
VIP Alumni

Hello Allen,

This is an issue with NAT, as the signaling works fine. The problem is that after the user answers the phone, it looks like the ASA is not able to determine that the signaling traffic and the audio traffic have to go to the same device and are related to each other. As a result, the audio traffic is not translated properly between the address spaces.

I can see that you do not have an inspection for the SIP protocol.

Can you add it and give it a try:

policy-map global-policy
 class global-class
  inspect sip

Hope this helps.

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have tried it both ways and it doesn't matter. A lot of things I have found on the internet say to turn it off, as it causes more problems.

If you look at the ASA log, it doesn't show anything hitting the x.x.x.12 IP.

Hello Allen,

The next thing would be to do captures and debugs.

Please provide them:

debug sip
debug sip ha

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

How do you do captures and debugs?

Capture:

access-list capin permit ip host x.x.x.x host y.y.y.y
access-list capin permit ip host y.y.y.y host x.x.x.x
access-list capout permit ip host z.z.z.z host y.y.y.y
access-list capout permit ip host y.y.y.y host z.z.z.z
capture capin access-list capin interface inside circular-buffer
capture capout access-list capout interface outside circular-buffer

(x.x.x.x is the local endpoint, y.y.y.y the outside endpoint and z.z.z.z the NATted IP address of the local endpoint)

Then try to make a phone call and do a show cap capin and show cap capout. You should be able to see the packets in the capture.

Then we will need to download the captures to your computer (for that, go to a browser and open the following:

https://inside_asa_ip_address/capture/capin/pcap

https://inside_asa_ip_address/capture/capout/pcap)

Then, to do the debugs, just add the commands

debug sip ha
debug sip

and make a phone call. You should get a big output.

We need to see that.

Regards.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
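The two replies above describe the mechanism (the ASA forwards the SIP signaling but does not relate the RTP media to it, so the audio stream is not translated) and the capture check for it. The following Python is an added example, not Cisco code or anything posted in this thread: it builds a constructed SIP INVITE as the PBX would send it before translation, shows the check a practitioner would run over a decoded outside-interface capture (are RFC 1918 addresses still present in Via, Contact and the SDP?), and models the address rewrite and the RTP/RTCP pinhole bookkeeping that SIP inspection performs. The public address 66.213.98.12 and the 192.168.0.0/24 inside network are taken from the posted config; the PBX host 192.168.0.20, extension 1001, the hostname provider.example and the RTP port 14000 (inside the 10000-20000 range the ACL permits) are constructed for the example.

```python
import ipaddress
import re

# Addresses from the thread's configuration: the public address the ASA uses for the
# PBX and the inside network it sits on. The PBX host 192.168.0.20, extension 1001,
# the provider hostname and the RTP port are constructed for this example.
INSIDE_PBX_IP = "192.168.0.20"
PUBLIC_PBX_IP = "66.213.98.12"

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def build_invite(pbx_ip: str, rtp_port: int) -> str:
    """Constructed SIP INVITE with an SDP offer, as the PBX sends it before any
    translation: Via, Contact and the SDP c= line all carry the inside address."""
    body = (
        "v=0\r\n"
        f"o=- 1 1 IN IP4 {pbx_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {pbx_ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0 8\r\n"
    )
    head = (
        "INVITE sip:5551234567@provider.example SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {pbx_ip}:5060;branch=z9hG4bK-1\r\n"
        f"From: <sip:1001@{pbx_ip}>;tag=a1\r\n"
        "To: <sip:5551234567@provider.example>\r\n"
        f"Call-ID: c1@{pbx_ip}\r\n"
        "CSeq: 1 INVITE\r\n"
        f"Contact: <sip:1001@{pbx_ip}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return head + "\r\n" + body


def split_message(msg: str):
    """Split a SIP message into its header block and its body."""
    head, _, body = msg.partition("\r\n\r\n")
    return head, body


def sdp_media_endpoints(body: str):
    """(address, port) pairs the SDP offer tells the far end to send RTP to.
    Only a session-level c= line (placed before the m= lines) is handled here."""
    conn = None
    endpoints = []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            conn = line.split()[2]
        elif line.startswith("m=audio ") and conn is not None:
            endpoints.append((conn, int(line.split()[1])))
    return endpoints


def private_addresses_in(msg: str):
    """RFC 1918 addresses embedded in the message (Via, Contact, SDP).
    Found in a capture taken on the outside interface, they show that the
    firewall forwarded the signaling without rewriting it: the far end will
    send its RTP to an unroutable address, so the remote party hears nothing
    while the local party still hears them, which is the one-way audio symptom."""
    return sorted({a for a in IPV4_RE.findall(msg)
                   if ipaddress.ip_address(a).is_private})


def rewrite_for_nat(msg: str, inside_ip: str, public_ip: str):
    """Model of what SIP inspection adds on top of plain NAT: rewrite the inside
    address in the headers and the SDP, recompute Content-Length, and return the
    RTP/RTCP pinholes the firewall must open toward the public address."""
    head, body = split_message(msg)
    new_body = body.replace(inside_ip, public_ip)
    new_head = []
    for line in head.split("\r\n"):
        if line.lower().startswith("content-length:"):
            line = f"Content-Length: {len(new_body)}"
        else:
            line = line.replace(inside_ip, public_ip)
        new_head.append(line)
    new_msg = "\r\n".join(new_head) + "\r\n\r\n" + new_body
    pinholes = []
    for addr, port in sdp_media_endpoints(new_body):
        pinholes.append((addr, port))      # RTP
        pinholes.append((addr, port + 1))  # RTCP
    return new_msg, pinholes


if __name__ == "__main__":
    invite = build_invite(INSIDE_PBX_IP, 14000)
    print("private addresses in the untranslated offer:", private_addresses_in(invite))
    fixed, holes = rewrite_for_nat(invite, INSIDE_PBX_IP, PUBLIC_PBX_IP)
    print("after inspection-style rewrite:", private_addresses_in(fixed))
    print("pinholes to open:", holes)
```

Running it prints the inside address as the only leaked one in the untranslated offer, an empty list after the rewrite, and the two pinholes toward 66.213.98.12. The same private_addresses_in check applied to the SIP payload of the capout capture is the quickest way to tell whether the ASA is actually rewriting the signaling: if 192.168.x.x still appears in the c= line on the outside, inspection is not acting on that flow and the far end has nowhere reachable to send its audio.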

Attached are the captures. I'll have to figure out the debug later. I don't get anything when I do it.

Hello,

That is because you do not have the sip inspection enabled.

Now I want you to clear all the captures and take them again, but this time with SIP inspection enabled:

clear cap /all

And add the following:

policy-map global-policy
 class global-class
  inspect sip

Then send the traffic, download the captures again and take the debugs.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, I had an appointment and did not get back to this until now. Hopefully you can see something in the attached logs. The debug still didn't do anything when I typed it in with inspect sip enabled.

I have exactly the same issues and I am looking for an answer to the same problem.
