07-03-2009 02:36 AM - edited 03-11-2019 08:50 AM
Hi,
I have installed an ASA 5520 and am using Unified Communications. The network config is:
CM---3845---ASA-5520---Internet---SIP-proxy
Can someone help me allow the SIP traffic on the ASA (the access-list syntax)?
We use NAT on the ASA, so 10.x.x.1 is the private address and 150.x.x.1 is the public address of the CM. I want to set up a SIP trunk to a third-party provider (in this case the SIP proxy IP is 195.x.x.15), which is a remote IP, but I want to allow the SIP traffic on the ASA.
Any help will be appreciated.
Thanks
07-03-2009 05:57 AM
Do you have an access-list applied on the higher-security interface? If not, you just need to add inspect sip to your configuration.
Otherwise you need to add the permission on the inside ACL as well.
access-l inside-acl permit tcp host 10.x.x.1 host 195.x.x.15 eq 5060
access-l inside-acl permit udp host 10.x.x.1 host 195.x.x.15 eq 5060
.
.
.
Add the other permissions to the ACL, e.g.:
access-l inside-acl permit tcp any any eq 80
access-l inside-acl permit tcp any any eq 443
access-l inside-acl permit tcp any any eq 25
access-l inside-acl permit tcp any any eq 21
access-g inside-acl in int inside
policy-map global_policy
class inspection_default
inspect sip
07-06-2009 03:01 AM
Thanks for your reply. I tried the above ACL, but it did not work, and the customer complained that other services (web/mail/VPN) were down. Can you tell me why the above ACL would take those services down? Is there any command I can use to see error messages if I apply a wrong ACL?
We use NAT, and I put in the statements below.
access-list inside_nat0_outbound permit tcp host 10.X.X.1 195.X.X.1 5060
access-list inside_nat0_outbound permit udp host 10.X.X.1 195.X.X.1 5060
Why would these ACLs impact other services? The customer is asking for the reason.
Can you help regarding this issue?
Thanks
07-06-2009 04:10 AM
Where is this ACL applied? From the name it sounds like it is tied to the nat 0 ACL. Is this correct? If so, you cannot use ports and protocols in those access-lists. You need to use permit or deny ip.
I had given you a sample to tie an access-list to the higher-security interface.
NAT exemption (nat 0 with ACL):
We support denies and permits in the ACE.
We do not support ports or protocols in the ACE.
Policy NAT (nat 1 with ACL):
We do not support denies in the ACE.
We support ports and protocols in the ACE.
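To tie together the two replies above (the inside ACL plus inspect sip, and the rule that a nat 0 ACL takes only "permit ip"/"deny ip"), here is an added, hypothetical pre-8.3 ASA configuration written for this thread; it is not config from any of the posters. All addresses are stand-ins for the thread's 10.x.x.1 / 150.x.x.1 / 195.x.x.15, and the 192.168.100.0/24 "branch" subnet behind a VPN tunnel is constructed purely to give nat 0 something to exempt. The static NAT and the outside ACL are also assumptions about the deployment; the thread itself only describes the private/public pair for the CM. Note why the original sample ACL broke web/mail/VPN: once any ACL is applied inbound on the inside interface, the implicit "permit to lower-security" is replaced by an implicit deny, so anything not listed (DNS, for example) is dropped.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax, as on a 2009-era 5520.
! Stand-in addresses: CUCM 10.0.0.1 (private) / 150.0.0.1 (public), SIP proxy 195.0.0.15,
! constructed branch LAN 192.168.100.0/24 reached over a VPN tunnel.

! 1. Static one-to-one NAT so the CM is reachable from the provider at its public address
static (inside,outside) 150.0.0.1 10.0.0.1 netmask 255.255.255.255

! 2. NAT exemption: only permit/deny ip ACEs are supported in a nat 0 ACL.
!    WRONG (ports/protocols are not supported here):
!      access-list nonat extended permit tcp host 10.0.0.1 host 195.0.0.15 eq 5060
!    RIGHT (match by IP only; here the VPN-bound subnet):
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

! 3. Inside ACL. Applying it replaces the implicit permit-all with an implicit deny,
!    so SIP is listed explicitly and the other services are still permitted.
access-list inside_access_in extended permit tcp host 10.0.0.1 host 195.0.0.15 eq 5060
access-list inside_access_in extended permit udp host 10.0.0.1 host 195.0.0.15 eq 5060
access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq 53
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq 25
! Narrow or remove this catch-all once the required services are known
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-group inside_access_in in interface inside

! 4. Outside ACL for the provider's signalling. Pre-8.3 ACLs reference the mapped
!    (public) address of the CM, not 10.0.0.1.
access-list outside_access_in extended permit udp host 195.0.0.15 host 150.0.0.1 eq 5060
access-list outside_access_in extended permit tcp host 195.0.0.15 host 150.0.0.1 eq 5060
access-group outside_access_in in interface outside

! 5. SIP inspection rewrites the private address embedded in SIP/SDP and opens the
!    RTP pinholes dynamically, so no static RTP port range is needed in the ACLs.
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global
```

To answer the "is there any command to see the errors" question from the thread in the same hypothetical setup: "show access-list inside_access_in" shows per-ACE hit counts, "logging buffered informational" followed by "show logging" shows the %ASA-4-106023 denies for traffic the ACL dropped, and "packet-tracer input inside udp 10.0.0.1 5060 195.0.0.15 5060" walks one simulated SIP packet through the ACL, NAT and inspection phases and reports which one dropped it before the change goes live.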
07-08-2009 03:58 AM
Applied to
nat (inside) 0 access-list nonat
?
Thanks