SIP through ASA

tandrejevic
Level 1

Hello !

I have VoIP SIP servers in my internal network. Now I want to let SIP softphones register on the servers and use internal VoIP resources. I put an ASA with a public address between the Internet and my intranet. Also, I NAT-ed the address of my servers to a public address and, with an ACL, allowed any outside address to connect to the SIP servers. I turned SIP inspection off. Well, the softphones are registered on the servers, I can place a call and everything looks fine. But after 60 sec, the phones lose registration... Why? Please help me, it is pretty urgent.

7 Replies

Hello @tandrejevic

 

And why do you think the ASA is the problem? Do you have some evidence of it?

Which VoIP system do you have? Asterisk?

 

 

-If I helped you somehow, please, rate it as useful.-

Hello

 

Thanks for your interest. We have an Avaya system, and if I put the softphone inside the ASA (in the intranet exactly) everything works fine... Also, if I try a trace on the ASA, I get the message "denied due to NAT reverse path failure".

I have done NAT with:

object network SM1
 host 192.168.1.15
 nat (inside,outside) static 217.X.X.15

and configured ACL

access-list OUTSIDE permit tcp any host 192.168.1.15 eq 5061

I tried with 

access-list OUTSIDE permit ip any host 192.168.1.15 

but with the same result.

What am I missing?

Thanks in advance!

Everything I've been reading so far about SIP through ASA says that you need to perform inspection.

 

"To support SIP calls through the ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses."

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_voicevideo.html#wp1204403

 

You said above that you turned inspection off, right?

 

-If I helped you somehow, please, rate it as useful.-
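The embedded addresses the quoted documentation refers to, as an added example that is not part of the original thread or of Cisco's documentation: this Python check lists the places in a SIP message where an address travels inside the payload, flags those still in private space (what the far end receives when NAT rewrites only the IP header), and reports the dynamically chosen media ports that an ACL entry for port 5061 alone does not cover. The sample message is constructed; only 192.168.1.15 comes from the thread.

```python
import ipaddress
import re

# Constructed, abridged INVITE from a server behind the thread's static NAT.
# 192.168.1.15 is the thread's inside host; all other values are made up.
SAMPLE = "\r\n".join([
    "INVITE sip:alice@198.51.100.20:5061;transport=tls SIP/2.0",
    "Via: SIP/2.0/TLS 192.168.1.15:5061;branch=z9hG4bK776asdhds",
    "Contact: <sip:1001@192.168.1.15:5061;transport=tls>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 2890844526 2890844526 IN IP4 192.168.1.15",
    "c=IN IP4 192.168.1.15",
    "m=audio 49170 RTP/AVP 0",
])

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HEADERS = ("via", "contact", "record-route", "route")   # routing headers
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def embedded_addresses(message):
    """Return (location, ip) pairs for addresses carried inside the payload."""
    head, _, body = message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:             # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in HEADERS:
            found += [(name.strip(), ip) for ip in IPV4.findall(value)]
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):           # SDP origin / connection
            found += [("SDP " + line[:2], ip) for ip in IPV4.findall(line)]
    return found

def _rfc1918(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:                              # dotted digits, not an address
        return False

def untranslated(message):
    """Embedded addresses still in RFC 1918 space, i.e. not rewritten by NAT."""
    return [(loc, ip) for loc, ip in embedded_addresses(message)
            if _rfc1918(ip)]

def media_ports(message):
    """Media ports announced in SDP m= lines (chosen per call, not fixed)."""
    return [int(p) for p in re.findall(r"^m=\w+ (\d+)", message, re.M)]
```

It expects the plaintext message as logged by the server or the softphone.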

Hi,

 

Yes, I turned SIP inspection off... But before I had turned it off, the situation was the same... I will read the post in the link which you sent me. Tomorrow I will try again to turn SIP inspection on. Do you think that the SIP timeouts in the basic ASA configuration have some influence on my problem?

kind regards 

 

I think so. Although your problem is related to phone registration and not voice communication itself.

Is there any debug on the Avaya side to help you see why the phone loses connection?

 

 

 

-If I helped you somehow, please, rate it as useful.-

Flavio,

I will try to see what Avaya "says"... Thanks anyway.

Flavio,

just one more question... Our server actually uses port 5061 (TLS). Is SIP inspection enough? How can I add inspection for port 5061?

Thanks for your time.

 
