cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
773
Views
0
Helpful
1
Replies

SIP and ASA Firewalls

bjames
Level 5
Level 5

So I had an issue with SIP to an ITSP and our ASA's. I posted to another thread, but I thought (based on all the time I spent fixing this) that it deserved a new thread.

My issue was SIP was not being NAT translated inbound to the UX 5x0 would reject the INVITE with an Invalid URI error. Captures showed the IP address was not being translated inbound to our UC from the ITSP at the firewall.

I opened a case with TAC, and they said there are bugs with using PAT and SIP on the ASA's so I changed the UC to a static address(on ASA); same issue. TAC then said there were SIP proxy (inspect) issues with the Firewall OS we were using; so I upgraded the code to 8.2(4) which is where the bug was suppose to be fixed in. TAC then said the inspect is done alphabetically rather than in sequence (totally lost faith at this point). I ran debugs on the UC and saw that oubound calls were running fine, but inbound gave the errors above. I tried the permit dns:natted IP, but this still failed. I changed the way the inspect ran as per TAC to inspect SIP early in the policy-map, but same failure.

In thinking about why outbound worked but inbound didn't, I saw the UC was set to "connection-reuse" under sip-ua. I figured that this is probably why the SIP packets weren't being translated inbound as it creates a permament connection to reuse to the ITSP so the SIP inspect wasn't really able to do its' job. I removed the connection-reuse command and EUREKA; I was able to dial into the UC correctly, and the SIP proxy/inspect was doing it's job.

I'm a little upset about the support, but at least I got it working and I hope this helps someone else trying to troubleshoot this.

Bob James

1 Reply 1

lusandi
Level 1
Level 1

Hello,

By any chance can you send me the show run of your ASA?

Regards,

Luis Sandi

Review Cisco Networking for a $25 gift card