SIP through ASA 5505

elliott.barrere

Hi all,

I'm trying to allow SIP calls through a 5505 running version 8.2(2).  I've passed port 5060 through the firewall but now I'm seeing the RTP traffic blocked.  I read this page and added this to my config:

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global

but it's not working.  No idea what else to do!  Any pointers or advice??

Thanks for any help in advance!

Cheers,

-elliott-


Hi PK,

Thanks for the advice, unfortunately I have tried "debug sip" and I see nothing on the console!  Is there anything that could be preventing me from seeing the logs?  I have set "logging console debug".

Hmm, if sip inspection is not kicking in then the pinholes will not be opened.

You have sip inspection enabled haven't you?

Does "show service-policy" show counters for sip?

PK

I have tried to enable it by configuring it in my class-map.  I now see counters for SIP in "show service-policy" but they are empty, even after I make a call.  Still seeing the RTP ports blocked too (I have tried "debug sip" and "debug rtp" and I see nothing on the console when making calls)

# sh service-policy

Interface inside:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Interface outside:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Yeah, the inspection is not kicking in.

Can you "clear local " for the ip that has the issue? And try to pass sip again to see counters increment?

Make sure you have tcp port 5060 in your sip packets and they are hitting the ASA.

Also give us the "sh run policy-map" and "sh run class-map"

PK

Okay, now we're getting somewhere!

I first tried running "clear local " and that didn't work (didn't seem to be doing anything) but a "clear local" with no args cleared out the whole state table and now the SIP counters are updating and I see channel information with "show sip".  I will have to wait until I'm in the office on Monday to see if the audio path is actually coming up now, but I have hope at this point

Thanks for your help so far!

I believe sip inspection will open the pinholes for the voice streams now.

Good luck,

PK
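The check used in this thread (is "inspect sip" actually seeing packets on each interface?) can be scripted. The following is an added example, not code from any poster: it parses "show service-policy" output in the format pasted above and lists interfaces where the SIP counter is still 0. The function names and the sample output are constructed for illustration.

```python
import re

# Constructed sample, modelled on the "show service-policy" output in the thread.
SAMPLE = """\
Interface inside:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Interface outside:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sip , packet 42, drop 1, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
"""

IFACE_RE = re.compile(r"^Interface\s+(\S+?):\s*$")
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s*(\S+)\s*,\s*packet\s+(\d+),"
    r"\s*drop\s+(\d+),\s*reset-drop\s+(\d+)")


def parse_inspect_counters(text):
    """Return one dict per 'Inspect:' line, tagged with the interface above it."""
    rows, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)  # remember which interface block we are in
            continue
        m = INSPECT_RE.match(line)
        if m:
            rows.append({"interface": iface, "engine": m.group(1),
                         "packets": int(m.group(2)), "drops": int(m.group(3)),
                         "reset_drops": int(m.group(4))})
    return rows


def idle_inspections(rows, engine="sip"):
    """Interfaces where the engine is configured but has matched no packets."""
    return [r["interface"] for r in rows
            if r["engine"] == engine and r["packets"] == 0]


if __name__ == "__main__":
    print("sip inspection idle on:",
          idle_inspections(parse_inspect_counters(SAMPLE)))
```

A counter that stays at 0 after a test call is the symptom seen in this thread before the state table was cleared.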

Dear,

Did you manage to resolve your issue? I have the same and I'm looking for advice.

regards
