[SOLVED] Cisco ASA 5505 Deny UDP

Al3xand3r
Level 1

Hello Everyone!

I'm relatively new to Cisco ASA firewalls and I recently came across an issue which I wasn't able to google. I'm using a 5505 with 8.2 firmware to act as a simple firewall for Asterisk. I'm having no problems doing the inbound calls: signalling and SIP traffic work fine. However, when I'm trying to dial out, I'm having issues with both audio and signalling events. My Asterisk is behind the firewall with a NATed external IP. When I'm trying to analyze the log I see the following:

Nov 03 2014 06:17:19: %ASA-4-106023: Deny udp src outside:207.223.70.133/61776 dst inside200:50.244.X.Y/18864 by access-group "outside2inside" [0x0, 0x0]

Where 50.244.X.X is my external IP and outside2inside is the access list which has the following lines:

access-list outside2inside extended permit udp host 64.136.174.30 any
access-list outside2inside extended permit udp 207.223.0.0 255.255.0.0 host 192.168.200.203

Here's the static section:

static (inside200,outside) 50.244.X.Y 192.168.200.203 netmask 255.255.255.255

My question is why is it blocking the udp traffic with destination as 50.244.X.Y instead of 192.168.200.203?

Thanks in advance.

Accepted Solution

jj27
Spotlight

In 8.2 ASA code, you need to reference the public IP in your access-list. In this case, you are allowing UDP to 192.168.200.203 when you should be allowing to 50.244.x.x.

Try changing that and see if it works.

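Added example (not from the thread or from Cisco): a small Python script that replays the 106023 deny posted above against the posted ACL and static, once under the pre-8.3 rule the answer describes (the inbound ACL is matched on the mapped, public address that appears in the log) and once under the 8.3+ rule (matched on the real address behind the static), and then against a corrected second ACE. The placeholder 50.244.1.2 stands in for the anonymised 50.244.X.Y.

```python
import ipaddress
import re

# Constructed sample data from this thread; 50.244.1.2 is a placeholder for the anonymised 50.244.X.Y.
PUBLIC_IP = "50.244.1.2"
STATIC = {PUBLIC_IP: "192.168.200.203"}  # static (inside200,outside) 50.244.X.Y 192.168.200.203
ACL_AS_POSTED = [
    "access-list outside2inside extended permit udp host 64.136.174.30 any",
    "access-list outside2inside extended permit udp 207.223.0.0 255.255.0.0 host 192.168.200.203",
]
ACL_FIXED = [ACL_AS_POSTED[0],  # second ACE now names the mapped (public) address
             f"access-list outside2inside extended permit udp 207.223.0.0 255.255.0.0 host {PUBLIC_IP}"]
DENY_LINE = ("Nov 03 2014 06:17:19: %ASA-4-106023: Deny udp src outside:207.223.70.133/61776 "
             f'dst inside200:{PUBLIC_IP}/18864 by access-group "outside2inside" [0x0, 0x0]')
DENY_RE = re.compile(r"%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
                     r'dst \w+:(?P<dst>[\d.]+)/\d+ by access-group "(?P<acl>[^"]+)"')


def take_spec(tokens):
    """Consume one ASA address spec: 'any', 'host A' or 'A MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    # access-list NAME extended ACTION PROTO SRC-SPEC DST-SPEC [ports]
    tok = line.split()
    src, rest = take_spec(tok[5:])
    dst, _ = take_spec(rest)
    return {"action": tok[3], "proto": tok[4], "src": src, "dst": dst}


def acl_verdict(acl_lines, proto, src, dst):
    """First-match evaluation, with the ASA's implicit deny at the end of the list."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in (proto, "ip") and ipaddress.ip_address(src) in ace["src"]
                and ipaddress.ip_address(dst) in ace["dst"]):
            return ace["action"]
    return "deny"


def triage_deny(log_line, acl_lines, static_map, pre_83=True):
    """Replay a 106023 deny the way the ASA evaluated it: pre-8.3 code matches the
    inbound ACL on the mapped address in the log, 8.3+ on the real address behind the static."""
    m = DENY_RE.search(log_line)
    if not m:
        raise ValueError("not a %ASA-4-106023 line")
    dst_for_acl = m["dst"] if pre_83 else static_map.get(m["dst"], m["dst"])
    return dst_for_acl, acl_verdict(acl_lines, m["proto"], m["src"], dst_for_acl)
```

Running `triage_deny(DENY_LINE, ACL_AS_POSTED, STATIC)` returns a deny for the public address, while the same line replayed against `ACL_FIXED` (or with `pre_83=False`) is permitted, which is exactly the mismatch the answer points at.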
3 Replies


Thank you for your answer! I tried that before, but for whatever reason only a power cycle of the 5505 helped to solve it.

I still have issues with outbound calls though. It doesn't block any incoming connections because of any access lists, but it is still tearing some of them down. Here's the excerpt from my log:

Nov 04 2014 04:29:33: %ASA-6-302015: Built outbound UDP connection 41 for outside:64.136.174.30/5060 (64.136.174.30/5060) to inside200:192.168.200.203/5060 (50.244.X.Y/5060)
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-302016: Teardown UDP connection 30 for outside:64.136.174.30/0 to outside:50.244.X.Y/5060 duration 0:02:52 bytes 0
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-7-609001: Built local-host outside:207.223.70.132
Nov 04 2014 04:29:34: %ASA-6-302015: Built inbound UDP connection 45 for outside:207.223.70.132/48906 (207.223.70.132/48906) to inside200:192.168.200.203/16478 (50.244.X.Y/16478)
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-302016: Teardown UDP connection 44 for outside:64.136.174.30/0 to outside:50.244.X.Y/5060 duration 0:00:02 bytes 0
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:39: %ASA-6-302015: Built outbound UDP connection 47 for outside:207.223.70.132/48907 (207.223.70.132/48907) to inside200:192.168.200.203/16479 (50.244.X.Y/16479)
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:43: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from 200 message
Nov 04 2014 04:29:43: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to outside:207.223.70.132 from 200 message
Nov 04 2014 04:29:46: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from 200 message
Nov 04 2014 04:29:46: %ASA-6-302016: Teardown UDP connection 48 for outside:64.136.174.30/5060 to inside200:192.168.200.203/0 duration 0:00:02 bytes 0
Nov 04 2014 04:29:46: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to outside:207.223.70.132 from 200 message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-302016: Teardown UDP connection 46 for outside:64.136.174.30/0 to outside:50.244.X.Y/5060 duration 0:00:11 bytes 0
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from 200 message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to outside:207.223.70.132 from 200 message
Nov 04 2014 04:29:53: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:29:53: %ASA-7-609001: Built local-host TWFirewall:192.168.200.203
Nov 04 2014 04:29:53: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:29:53: %ASA-6-302016: Teardown UDP connection 52 for outside:64.136.174.30/5060 to inside200:192.168.200.203/0 duration 0:00:03 bytes 0
Nov 04 2014 04:29:56: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:29:56: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:30:00: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:30:00: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:30:04: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:30:04: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message

I would appreciate any advice on how to proceed from here.

Thank you!

I finally found out what the issue was with the outgoing calls. Disabling inspect sip did the trick.
