Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
283
Views
0
Helpful
2
Replies

IP Phones Unable to keep connection with ASA 5505

mpadderatz
Level 1
Level 1

‎07-15-2017 04:31 PM - edited ‎03-12-2019 02:42 AM

Today we updated our ASA 5505 from ASA 6.5xx to ASA 9.24, and as we know around 8.1 the way NAT was done was changed. I was under the impression that the ASA would "convert" most of the rules, and I figured I would have to recreate some of them that failed.  Well, I recreated what I could but I still could not get the phones to work. Some preface of our network in question: 

Internet<-------ISP ROUTER<-----ASA 5505<-----SG-3000

  • Phones are a Ploycom VTX 400/410
  • The phones receive DHCP from the ASA, and we have a VPN tunnel created to our host for the phones. 
  • The phones are then come back from our branch office back into the main office via another VPN tunnel to go out 
  • The phones receive their option 60 from our hosted provider
  • The computers work fine and have no issue what so ever. The computers and the phones share the same IP range of the subnet.

The phones are getting everything correctly, IP, VLAN, DHCP, DNS, and configuration. The tunnel is established to both the main office and the hosted phone provider. There is traffic passing through both tunnels, and they are active. When I try to make a call from the phone it rings, connects, and then within 4 seconds, it hangs up with no voice being exchanged.

I inherited this network from a MSP that had provided IT to my company I work at for the last 4 years. They are to say, very reluctant to give information about the setup. Also, they provided no documentation what so ever, so here I am trying to figure this out. My config for my ASA is below, any help would be good or some information as to what to look at. I am quite a novice when it comes to firewalls, and this one would be the first one I would have configured albeit unsuccessfully.

ASA Version 9.1(7)11 
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

names
name 10.22.100.0 MainOfficeIP description computer vlan
name 10.22.101.0 MainOfficeVoice description voice voice
name 10.220.80.0 net-CDCC-qts description QTS CDCC network
name 10.230.80.0 net-CVPN-qts description QTS VPN CDCC network
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.22.114.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Public IP 255.255.255.252 
!
boot system disk0:/asa917-11-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.22.100.3
 name-server 10.22.100.7
 name-server 8.8.8.8
 domain-name ######

object network MainOfficeIP
 subnet 10.22.100.0 255.255.255.0
 description Created during name migration
object network MainOfficeVoice
 subnet 10.22.101.0 255.255.255.0
 description Created during name migration
 description Created during name migration
object network net-CDCC-qts
 subnet 10.220.80.0 255.255.255.0
 description Created during name migration
object network net-CVPN-qts
 subnet 10.230.80.0 255.255.255.0
 description Created during name migration
object network obj-10.22.114.0
 subnet 10.22.114.0 255.255.255.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.22.114.0_24
 subnet 10.22.114.0 255.255.255.0
object-group network obj_any
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network MainOfficeVlans
 description Vlans at the main office
 network-object object MainOfficeIP
 network-object object MainOfficeVoice
 network-object object MainOfficeVOIP
object-group network grp-CDCC-qts
 description CDCC group at QTS
 network-object object net-CDCC-qts
 network-object object net-CVPN-qts
object-group network DM_INLINE_NETWORK_1
 network-object 10.22.114.0 255.255.255.0
 network-object object NETWORK_OBJ_10.22.114.0_24
access-list outside_1_cryptomap extended permit ip 10.22.114.0 255.255.255.0 object-group MainOfficeVlans 
access-list inside_access_in extended permit ip 10.22.114.0 255.255.255.0 any4 
access-list inside_nat0_outbound extended permit ip 10.22.114.0 255.255.255.0 object-group MainOfficeVlans 
access-list inside_nat0_outbound extended permit ip 10.22.114.0 255.255.255.0 object-group grp-CDCC-qts 
access-list outside_2_cryptomap extended permit ip object NETWORK_OBJ_10.22.114.0_24 object net-CDCC-qts 
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit object-group TCPUDP any any eq domain 
access-list outside_access_in remark Allow port 80 traffic
access-list outside_access_in remark Allow https port 443
access-list outside_access_in remark DNS traffic
access-list outside_access_in remark ICMP type 11 for Windows Traceroute
access-list outside_access_in extended permit icmp any4 any4 time-exceeded 
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any4 any4 unreachable 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-10.22.114.0 obj-10.22.114.0 destination static MainOfficeVlans MainOfficeVlans no-proxy-arp route-lookup
nat (inside,any) source static obj-10.22.114.0 obj-10.22.114.0 destination static grp-CDCC-qts grp-CDCC-qts no-proxy-arp route-lookup
nat (inside,any) source static NETWORK_OBJ_10.22.114.0_24 NETWORK_OBJ_10.22.114.0_24 destination static net-CDCC-qts net-CDCC-qts no-proxy-arp route-lookup
nat (inside,any) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static net-CDCC-qts net-CDCC-qts no-proxy-arp route-lookup
nat (inside,any) source static NETWORK_OBJ_10.22.114.0_24 NETWORK_OBJ_10.22.114.0_24 destination static MainOfficeVlans MainOfficeVlans no-proxy-arp route-lookup
!
object network obj_any-01
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ISP Router IP 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy

no snmp-server location
no snmp-server contact

crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Main Office Public IP 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer VPN tunnel to Phone Host 
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-MD5 ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ca trustpool policy


dhcpd address 10.22.114.50-10.22.114.254 inside
dhcpd dns 10.22.100.3 8.8.8.8 interface inside
dhcpd domain cdcc.local interface inside
dhcpd option 66 ascii tftp://10.220.80.185 interface inside
dhcpd option 150 ascii tftp://10.220.80.185 interface inside
dhcpd option 160 ascii tftp://10.220.80.185 interface inside

dhcpd enable inside

!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 130.207.165.27 source outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1 

!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
 class class-default
 set connection decrement-ttl
policy-map global-policy
 class global-class
 inspect dns 
 inspect esmtp 
 inspect ftp 
 inspect h323 h225 
 inspect h323 ras 
 inspect icmp 
 inspect ip-options 
 inspect netbios 
 inspect rsh 
 inspect rtsp 
 inspect sip 
 inspect skinny 
 inspect sqlnet 
 inspect sunrpc 
 inspect tftp 
 inspect xdmcp 
!
service-policy global-policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
no call-home reporting anonymous

Labels:
0 Helpful
2 Replies 2

GRANT3779
Spotlight
Spotlight

‎07-15-2017 10:58 PM

I would initially try the following

Policy-map global-policy

class global-class

no inspect h323 h225

no inspect rstp

no inspect sip

no inspect h323 ras

no inspect skinny

0 Helpful

mpadderatz
Level 1
Level 1
In response to GRANT3779

‎07-16-2017 07:45 AM

I will give it a try Monday when I get into the office.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card