03-18-2014 08:34 AM - edited 03-11-2019 08:57 PM
Hi,
Being a call center we use softphones to make calls running on SIP.
Though the ACLs are in place, keeping the outside interface at security level '0' seems to be hindering the softphone application. The softphone does not load properly.
I can't figure out if it has to do with Java or the ASA. Currently it is on security level 100 and there are no issues.
Could someone please explain to me what might be going on?
If ACLs are permitting IP traffic, how can security level 0 make a difference, as my understanding is that ACLs override the security level?
The SIP traffic is being inspected too. Do I need to create a separate policy map for SIP?
03-18-2014 04:46 PM
Hello,
The ACLs do override the security level.
What version are you running? It could be a NAT issue.
Have you tested with packet tracer?
Also, did you allow all ports on the ACL? There could be child connections on different ports. What do you see in the logs?
Regards,
Felipe.
03-19-2014 09:06 AM
ASA 5515, Software Version 8.6(1)2.
No NAT configured on the Firewall. FW is behind the router (Cisco ISR 3925). The router is doing NAT.
I will test changing the security level to '0' tonight and monitor the syslog output. I am not much into packet tracer.
None of the ports are being blocked by the ACLs.
The FW has permit ip commands ('ip' should include SIP's TCP and UDP connections, right?). The embryonic connections shouldn't be blocked. By the stateful inspection property these connections should be included in the return traffic, or do I need to allow them on the outside incoming ACL?
As I have included 'inspect sip' in the global policy all related connections should be allowed.
03-22-2014 12:01 PM
Felipe,
I didn't get a chance to test as I was busy with other work. Will get back on it soon.
By the way, you mentioned it could be a NATing issue.
The NATing on the router is a little messed up. There is an unnecessary NAT command. Don't know who configured it.
How can NAT affect it anyway? Please explain.
I appreciate your time, Felipe.
03-24-2014 10:18 AM
Hello,
What I meant by NAT issue is that it could be hitting the wrong NAT rule or asymmetric NAT.
You can confirm the proper NAT and ACL are being used with the packet tracer:
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port
Example:
packet-tracer input outside tcp 10.x.x.x 1025 192.168.x.x 2000
Regards,
Felipe.
Remember to rate useful posts.
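As an added illustration (not part of the thread) of applying Felipe's packet-tracer suggestion to the SIP flow discussed above: the addresses are constructed, 5060 is the standard SIP signalling port, and the show commands check the inspect sip child connections and ACL denies that were mentioned earlier.

```cisco
! Constructed addresses: inside softphone 192.168.10.25, provider SIP proxy 203.0.113.50
! 1. Trace the outbound SIP signalling flow: the output shows the ACL, NAT and inspect
!    phases it hits and whether the final action is ALLOW or DROP
packet-tracer input inside udp 192.168.10.25 5060 203.0.113.50 5060
! 2. Trace the provider's inbound signalling toward the phone (this is the flow that
!    needs an explicit permit on the outside ACL once outside sits at security level 0)
packet-tracer input outside udp 203.0.113.50 5060 192.168.10.25 5060
! 3. Confirm the SIP inspection engine is applied and report its counters
show service-policy inspect sip
! 4. With a call up, list the parent SIP connection and the RTP child connections
!    the inspection engine opened for the phone
show conn address 192.168.10.25 protocol udp
! 5. Look for ACL denies (message 106023) hit by the softphone during the test
show logging | include 106023
```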