04-04-2014 04:36 AM - edited 03-11-2019 09:02 PM
Hi All,
I recently replaced a series of ASA 5505's with a singular ASA5515X firewall. All seems to have gone well but one group of users are reporting a problem with VOIP. They are the only VOIP users on this firewall.
They have Cisco VOIP phones that connect out to an external supplier. The firewall is on an open circuit so we do not restrict outbound traffic, permitting all traffic. Inbound we permit all traffic to named servers. To their VOIP server we have a NAT in place and a rule that permits anything from internet to that server. From their network we permit all traffic to internet, including the server. I can ping the server from Internet. All outbound data traffic is fine.
The users report incoming calls to VOIP work fine without issue. When they make an external call, the call connects to the remote phone okay but no voice/audio can be heard.
I have inspections for Skinny, H323 RAS & h225, and SIP enabled. This does not make a difference - even with them removed.
IOS version is asa913-smp-k8.bin. This was working on the ASA5505 firewall but now has an issue with the ASA5515X series.
Any ideas? Help appreciated.
Regards
Adrian
04-04-2014 11:50 AM
If I'm not wrong, I saw some issues with SIP/NAT. I think PAT is not supported with inspection, but check whether inspection drops some traffic; you probably need to configure a SIP Inspection Policy Map for Additional Inspection Control.
Rate if I helped you.
ruben
04-17-2014 11:19 AM
The previous version would have been 8.4 - not sure of exact version as this has been upgraded and redeployed.
Remote end did some analysis and reported they are seeing the local IP in the SIP traffic. The VOIP server has NAT traversal enabled. When I browse from the server I have a public IP address. NAT is working - maybe not for SIP. You would hope a Cisco product over a Cisco product would be okay. Calls outbound only have voice traffic missing - calls establish. Inbound calls have sessions establish and bi-directional voice traffic with no problems.
What are the additional Inspection Controls?
04-06-2014 11:49 PM
Hi Adrian,
Was this outgoing VOIP traffic working fine on the ASA 5505 device with the previous IOS version?
What was the previous IOS version?
Please check and post "show service-policy" output to verify if there are any inspection drops or not.
Also apply captures on ingress and egress interfaces to check if the inspection is working for this stream or not.
Please follow this link to apply the captures:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html
Please post the ACL, NAT and inspection configuration from previous version and current device.
Cheers,
Naveen