Configuring ASA for Packet8 VOIP

jholmes00676
Level 1

Hello, I am trying to configure my ASA5505 to correctly bypass the stateful inspection for UDP port 15044. Currently none of the default-inspect policies have this port listed. How do I add it and correctly get the VOIP traffic to not be inspected?

Thanks,

Josh

Current config:

ASA Version 7.2(2)
!
access-list nonat extended permit ip 172.29.8.0 255.255.255.0 172.28.1.0 255.255.255.0
access-list XXX extended permit ip 172.29.8.0 255.255.255.0 172.28.1.0 255.255.255.0
access-list in_out extended permit tcp any any
access-list in_out extended permit ip any any
access-list in_out extended permit udp any any
access-list test extended permit ip 172.29.8.0 255.255.255.0 any
access-list net extended permit tcp any any eq smtp
access-list net extended permit udp any any eq 15044
access-list VOIP-TEST standard permit host 172.29.8.188
access-list VOIP-TEST standard permit host 172.29.8.199
access-list VOIP-TEST-IP extended permit ip host 172.29.8.188 any
access-list VOIP-TEST-IP extended permit ip host 172.29.8.199 any
access-list VOIP-TEST-IP extended permit ip any host 172.29.8.188
access-list VOIP-TEST-IP extended permit ip any host 172.29.8.199
access-list VOIP-TEST-IP extended permit udp any host 172.29.8.188 eq 15044
access-list VOIP-TEST-IP extended permit udp any host 172.29.8.199 eq 15044
access-list VOIP-TEST-IP extended permit udp host 172.29.8.199 any eq 15044
access-list VOIP-TEST-IP extended permit udp host 172.29.8.188 any eq 15044
access-list VOIP-CAPTURE standard permit host 172.29.8.188
access-list VOIP-CAPTURE standard permit host 172.29.8.199
priority-queue inside
 tx-ring-limit 256
priority-queue outside
 tx-ring-limit 256
!
class-map VOIP-TO-PACKET8-UDP-15044
 match port udp eq 15044
class-map VOIP-TO-PACKET8-TCP-8880
 match port tcp eq 8880
class-map inspection_default
 match default-inspection-traffic
class-map default_inspection
 match access-list VOIP-TEST-IP
class-map VOIP-TO-PACKET8-IP-FILTER
class-map inspection_15044
 match port udp eq 15044
class-map VOIP-TO-PACKET8-UDP-RTP
 match rtp 8000 16383
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map VOIP-TO-PACKETS
 class inspection_default
  inspect sip
policy-map global_policy
policy-map inspection_default
policy-map VOIP-TO-PACKET8
 class VOIP-TO-PACKET8-UDP-15044
  priority
 class VOIP-TO-PACKET8-UDP-RTP
  priority
 class VOIP-TO-PACKET8-TCP-8880
  priority
 class inspection_default
  inspect sip
  inspect skinny
  inspect rtsp
 class inspection_15044
!
service-policy VOIP-TO-PACKET8 interface outside


didyap
Level 6

You can use the following config to bypass inspection for UDP port 15044:

access-list acs-list permit udp any any eq 15044
access-list acs-list permit udp any eq 15044 any
class-map acs-class
 match access-list acs-list
policy-map global_policy
 class acs-class
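The configuration posted in this thread contains several class-map and policy-map stanzas that are empty or never attached by a service-policy line, which makes it hard to tell what the firewall actually applies to UDP 15044. The following is an added example, not part of the original thread and not Cisco tooling: a small Python audit that lists such stanzas. The function name `audit_mpf` and the finding labels are hypothetical, the sample is a constructed excerpt modelled on the posted config, and the parser assumes the one-space-per-level indentation of `show running-config`.

```python
# Added example: flag empty or unattached ASA class-map / policy-map stanzas.
# SAMPLE is a constructed excerpt modelled on the configuration in this thread.
SAMPLE = """\
class-map VOIP-TO-PACKET8-UDP-15044
 match port udp eq 15044
class-map VOIP-TO-PACKET8-IP-FILTER
class-map inspection_15044
 match port udp eq 15044
policy-map global_policy
policy-map VOIP-TO-PACKET8
 class VOIP-TO-PACKET8-UDP-15044
  priority
 class inspection_15044
service-policy VOIP-TO-PACKET8 interface outside
"""

def audit_mpf(config):
    """Return (finding, name) tuples for an indented running-config."""
    class_maps, policy_maps, applied = {}, {}, set()
    block = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():  # top-level command closes any open stanza
            block = cls = None
            if words[0] == "class-map":
                block = class_maps.setdefault(words[-1], [])
            elif words[0] == "policy-map" and "type" not in words:
                block = policy_maps.setdefault(words[-1], {})
            elif words[0] == "service-policy":
                applied.add(words[1])
        elif isinstance(block, list):  # inside a class-map
            if words[0] == "match":
                block.append(words)
        elif isinstance(block, dict):  # inside a policy-map
            if words[0] == "class":
                cls = block.setdefault(words[1], [])
            elif cls is not None:
                cls.append(words)  # any sub-command counts as an action
    findings = [("class-map-no-match", n) for n, m in class_maps.items() if not m]
    for pm, classes in policy_maps.items():
        if pm not in applied:
            findings.append(("policy-map-not-applied", pm))
        findings += [("class-no-action", f"{pm}/{c}") for c, a in classes.items() if not a]
    return findings

if __name__ == "__main__":
    for finding in audit_mpf(SAMPLE):
        print(*finding)
```

Each finding is a prompt to check the stanza against `show service-policy` on the device, not a verdict on its own.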
