Hi Johan,

Johan Olsson · ‎03-17-2016

Hi,

I replaced a Cisco 881 router with an ASA5506 firewall on a small network and now the users can't use their softphone application.

The softphone is locally installed application on the PC and it connects to a IP/phone service on Internet.

It was working with the 881 router and I think the problem is an inspection rule or something but cant figure out what. I have tested to enable/disable the SIP inspection but it doesn't help.

Any idea what it could be or how to troubleshoot? The ASA5506 use a standad configuration. I have only configured the Outside/Inside interface. All traffic are allowed from inside --> outside. I'm using NAT and no traffic are open from outside --> inside.

Thanks for any inputs!

Dinesh Moudgil · ‎03-18-2016

Hi Johan,

There can be issues related to inspection so it is good that you tried tweaking SIP inspection.
Can you run the following capture command:
cap asp type asp-drop all

and check if your interesting traffic is getting dropped:
show cap asp | in <PC's IP>

Just an option, you can disable all the TCP checks with TCP state bypass on the ASA for specific traffic using this document and confirm if the ASA is causing any issues.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Aditya Ganjoo · ‎03-18-2016

Hi Johan,

We may need to take captures on the ASA's inside and outside interface to see what port is being used by the softphones.

Link for taking captures on ASA:

https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios

And may know what IP softphone are we using ?

Regards,

Aditya

Please rate helpful posts.

IP Softphone can't connect to phone service on Internet through ASA5506