Re: Problems to call on a Videoconference System

anunes1987 · ‎03-15-2011

Hello Guys !

Need your help to solve an issue.

I have a Videoconference system which calls another Videoconference in another site , this communication is done thru a leased line between these two sites.

DMZVCA ---- ASA-A --- LEASED LINE ---- ASA-B ----- DMZVCB

From DMZVCB i can make calls and all works fine but from DMZVCA i'm unable to call them.

When i got the log seems to be a NAT problem on ASA A but i'm not sure what could i do. I know the problem is related to the ASA A but i can't get what is the issue if a need to put up a PAT dunno.

If i put up the log on i get a translation failure related to the NAT from DMZ to the inside someone can give me some hints about how to solve this issue?

My VC IP address is 172.16.10.200

Following some outputs:

interface GigabitEthernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 172.16.30.1 255.255.255.0

interface GigabitEthernet0/2.2>> My DMZ

vlan 4

nameif dmz2

security-level 4

ip address 172.16.10.1 255.255.255.0

sh run nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.16.30.201 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz2) 0 access-list dmz2_nat0_outbound

SPOFWL01# sh run global

global (outside) 1 interface

global (dmz1) 1 interface

global (dmz2) 1 interface

SPOFWL01# sh run stat

static (dmz2,outside) tcp 189.39.32.42 www 172.16.10.22 82 netmask 255.255.255.255

static (dmz2,outside) tcp 189.39.32.41 www 172.16.10.22 81 netmask 255.255.255.255

static (dmz2,outside) tcp 189.39.32.40 https 172.16.10.22 https netmask 255.255.255.255

static (dmz2,outside) tcp 189.39.32.40 www 172.16.10.22 www netmask 255.255.255.255

static (dmz2,outside) tcp 189.39.32.37 www 172.16.10.200 www netmask 255.255.255.255

static (inside,dmz2) 172.16.1.21 172.16.30.21 netmask 255.255.255.255

static (inside,dmz2) 172.16.1.22 172.16.30.22 netmask 255.255.255.255

static (inside,dmz2) 172.16.1.71 172.16.30.71 netmask 255.255.255.255

static (inside,outside) 189.39.32.39 172.16.30.225 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.11 10.21.8.11 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.21 10.21.8.21 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.32 10.21.8.32 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.71 10.21.8.71 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.76 10.21.8.76 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.21 10.21.8.21 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.22 10.21.8.22 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.76 10.21.8.76 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.91 10.21.8.91 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.25 10.21.8.25 netmask 255.255.255.255

static (inside,dmz2) 10.21.8.77 10.21.8.77 netmask 255.255.255.255

static (dmz2,inside) 172.16.10.23 172.16.10.23 netmask 255.255.255.255

static (dmz2,outside) 189.X.X.X 172.16.10.25 netmask 255.255.255.255 dns

static (dmz2,inside) 172.16.10.22 172.16.10.22 netmask 255.255.255.255

static (dmz2,outside) 189.X.X.X 172.16.10.21 netmask 255.255.255.255

static (dmz2,inside) 172.16.10.200 172.16.10.200 netmask 255.255.255.255

static (dmz2,outside) 189.X.X.X 172.16.10.200 netmask 255.255.255.255

Please Give some hints, thanks in advance

Shrikant Sundaresh · ‎03-20-2011

Hi Amanda,

Could you please run a packet-tracer command on ASA-A to confirm if packets are allowed through?

The command would be:

packet-tracer input dmz2 tcp 172.16.10.200 detailed

Reply with the output of the command, and we can try troubleshooting the issue.

If you are unsure about which port numbers are to be used, then you can capture a few packets to find that out.

access-list capacl permit ip 172.16.10.200 any

capture capdmz access-list capacl interface dmz2

After a test call, do "show cap capdmz" to check which port it tried to communicate with DMZVCB on, and run the packet tracer for that destination port.

The output of this command will tell us if the packet is getting dropped and if so, why.