10-24-2014 10:59 AM - edited 03-11-2019 09:59 PM
Hi,
I am having a problem getting SIP software to reach a PBX (an IP Office 500, if that matters) that is behind an ASA 5505. I have a working VPN connection that terminates at the ASA and can ping/telnet/netcat (UDP) the PBX with no problem. When connecting, I get connection errors and this message in the log:
81.X.X.X is my public IP and 185.X.X.X is the outside IP of the ASA. 192.168.2.X is my VPN-assigned IP and 192.192.168.0.X is my actual internal IP.
Thanks
My full config is below:
: Saved
:ASA Version 7.2(4)
: NOTE(review): 7.2(4) is an old release train; confirm its support status with the vendor
: before relying on it for VPN termination and SIP inspection.
!
hostname officefirewall
: Named hosts/networks used by the access-list, nat and route lines further down.
: Names such as east-outside, north-outside, south-outside, bear-outside, yellow-outside,
: esan3-outside and BlackSpider_Cluster_* are referenced below but not defined here, so this
: paste is presumably partial or redacted.
names
name 192.168.2.0 vpn-network description vpn-network
name 10.0.0.0 office-network description office-network
name 192.168.100.0 server-network description server-network
name 10.0.16.0 phone-network description phone-network
: ipoffice (presumably the PBX from the question) sits in phone-network, i.e. behind the
: Vlan22 "phone" interface below, not behind "inside".
name 10.0.16.253 ipoffice
!
: Vlan1 / inside: most trusted interface. office-network and server-network are not directly
: attached here; they are reached through 192.168.50.2 (see the route statements below).
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
: Vlan2 / outside: public-facing interface (address masked by the poster).
interface Vlan2
nameif outside
security-level 0
ip address 185.X.X.X 255.255.255.240
!
: Vlan12 / guest and Vlan22 / phone share security-level 50; with
: "same-security-traffic permit inter-interface" further down, traffic between them is
: allowed subject to their interface ACLs.
interface Vlan12
nameif guest
security-level 50
ip address 192.168.250.1 255.255.255.0
!
: Vlan22 / phone: the subnet that holds ipoffice (10.0.16.253).
interface Vlan22
nameif phone
security-level 50
ip address 10.0.16.2 255.255.255.0
!
: Physical port assignment: 0/0 is the outside uplink (vlan 2), 0/3 the phone port (vlan 22),
: 0/5 the guest port (vlan 12). The remaining ports carry no switchport command and are
: presumably in the default VLAN 1 (inside) -- verify on the box.
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 22
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
!
: Time window referenced by guest_access_in; guest traffic is only permitted inside it.
time-range Work
periodic daily 7:00 to 19:00
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
: NOTE(review): this domain name is left in the clear while default-domain further down is
: masked as X.local; redact consistently before sharing a config publicly.
domain-name e-san.local
: inter-interface: lets the two security-level-50 interfaces (guest, phone) exchange traffic.
: intra-interface: lets traffic enter and leave the same interface (hairpinning), e.g.
: VPN-client-to-VPN-client traffic on the outside interface.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
: --- outside_access_in: what the Internet may initiate towards the published hosts ---
: The object-groups webaccess-in, openfire and seafile-in are referenced but not defined in
: this paste.
: All ICMP types from any source are accepted on the outside; if only reachability checks are
: needed, narrowing this to echo-reply/unreachable/time-exceeded reduces exposure.
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp host esan3-outside host north-outside eq ssh
: Source ranges allowed to deliver SMTP to east-outside.
access-list outside_access_in extended permit tcp BlackSpider_Cluster_D 255.255.255.192 host east-outside eq smtp
access-list outside_access_in extended permit tcp BlackSpider_Cluster_F 255.255.255.192 host east-outside eq smtp
access-list outside_access_in extended permit tcp BlackSpider_Cluster_G 255.255.248.0 host east-outside eq smtp
access-list outside_access_in extended permit tcp BlackSpider_Cluster_H 255.255.248.0 host east-outside eq smtp
access-list outside_access_in extended permit tcp BlackSpider_Cluster_I 255.255.248.0 host east-outside eq smtp
access-list outside_access_in extended permit tcp BlackSpider_Cluster_J 255.255.224.0 host east-outside eq smtp
access-list outside_access_in extended permit tcp host 86.137.117.121 host east-outside eq smtp
access-list outside_access_in extended permit tcp any host east-outside object-group webaccess-in
: "inactive" entries stay in the config but are not enforced.
access-list outside_access_in extended permit tcp any host east-outside eq imap4 inactive
access-list outside_access_in extended permit tcp any host east-outside eq pop3 inactive
access-list outside_access_in extended permit tcp any host east-outside eq 465 inactive
access-list outside_access_in extended permit tcp any host south-outside eq www
access-list outside_access_in extended permit tcp any host south-outside object-group openfire
access-list outside_access_in extended permit tcp any host south-outside eq 3030
access-list outside_access_in extended permit tcp any host bear-outside object-group webaccess-in
: NOTE(review): SSH to yellow-outside is open to any source, unlike north-outside which is
: limited to one host; restrict it to known admin sources if that is the intent.
access-list outside_access_in extended permit tcp any host yellow-outside eq ssh
access-list outside_access_in extended permit tcp any host yellow-outside object-group webaccess-in
: NOTE(review): these two 12211 entries are the only ones with "any" as destination, i.e. not
: tied to a published host; confirm which host is meant to receive this and pin it.
access-list outside_access_in extended permit udp any any eq 12211
access-list outside_access_in extended permit tcp any any eq 12211
access-list outside_access_in extended permit tcp any host yellow-outside object-group seafile-in
: --- inside_access_in: inside hosts may initiate anything ---
access-list inside_access_in extended permit ip any any
: --- inside_outbound_nat0_acl: NAT exemption for inside-side traffic, used by "nat (inside) 0" ---
: Traffic from the internal networks to the VPN pool keeps its real addresses.
access-list inside_outbound_nat0_acl extended permit ip office-network 255.255.255.0 vpn-network 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip server-network 255.255.255.0 vpn-network 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.50.0 255.255.255.0 vpn-network 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip phone-network 255.255.255.0 vpn-network 255.255.255.0
: Anything bound for phone-network is also exempt.
access-list inside_outbound_nat0_acl extended permit ip any phone-network 255.255.255.0
: --- VPN_splitTunnelAcl: networks the VPN clients route through the tunnel (phone-network included) ---
access-list VPN_splitTunnelAcl standard permit office-network 255.255.255.0
access-list VPN_splitTunnelAcl standard permit phone-network 255.255.255.0
access-list VPN_splitTunnelAcl standard permit server-network 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
: --- guest_access_in: applied to the guest interface ---
: NOTE(review): "permit ip any any" from guest also allows guest hosts towards the inside
: networks (50 -> 100 needs an ACL permit, which this line supplies) during the Work window;
: a deny for the internal ranges ahead of this line would keep guests Internet-only.
access-list guest_access_in extended permit ip any any time-range Work
: --- vm_access_in: applied to the phone interface, unrestricted ---
access-list vm_access_in extended permit ip any any
pager lines 24
: Address pool handed to remote-access clients (21 addresses, 192.168.2.10-.30); it is used by
: both the VPN and VPNPHONE tunnel groups below. vpn-network (192.168.2.0) in the NAT-exempt
: and split-tunnel ACLs refers to this range.
ip local pool RemoteVPNUsers 192.168.2.10-192.168.2.30 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface guest
monitor-interface phone
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
: The ASA itself answers ICMP from any source on the outside interface (this governs ICMP
: addressed to the firewall; through-traffic is governed by outside_access_in).
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
: Dynamic PAT: the subnets with nat id 1 are translated to the outside interface address.
global (outside) 1 interface
: NAT exemption (identity) for the flows in inside_outbound_nat0_acl (VPN pool, phone-network).
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 office-network 255.255.255.0
nat (inside) 1 192.168.50.0 255.255.255.0
: 192.168.250.0 is the guest subnet (Vlan12); the (inside) entry for it presumably never
: matches since that subnet is attached to guest -- verify which one is intended.
nat (inside) 1 192.168.250.0 255.255.255.0
nat (guest) 1 192.168.250.0 255.255.255.0
: NOTE(review): there is no nat statement for the phone interface; whether phone-network ->
: VPN-pool return traffic needs its own exemption depends on nat-control, which this paste
: does not show.
: One-to-one static translations for the published servers (inside hosts exposed on outside).
static (inside,outside) east-outside east-inside netmask 255.255.255.255
static (inside,outside) north-outside north-inside netmask 255.255.255.255
static (inside,outside) south-outside south-inside netmask 255.255.255.255
static (inside,outside) bear-outside bear-inside netmask 255.255.255.255
static (inside,outside) yellow-outside yellow-inside netmask 255.255.255.255
: Inbound ACL bindings. vm_access_in (permit ip any any) is what governs the phone VLAN,
: including the PBX.
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group guest_access_in in interface guest
access-group vm_access_in in interface phone
: office-network and server-network live behind an internal router at 192.168.50.2.
route inside office-network 255.255.255.0 192.168.50.2 1
route inside server-network 255.255.255.0 192.168.50.2 1
: NOTE(review): the outside interface address is masked above, but this next-hop is not;
: redact consistently before sharing.
route outside 0.0.0.0 0.0.0.0 185.55.61.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
: SIP-specific idle timers; these only matter because "inspect sip" is enabled in global_policy.
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
: Traps are enabled but no snmp-server host/community line appears in this paste.
snmp-server enable traps snmp authentication linkup linkdown coldstart
: --- IPsec / IKEv1 remote-access VPN ---
: NOTE(review): both transform sets use 3DES (one with MD5); prefer AES with SHA where the
: platform supports it. Only ESP-3DES-SHA is actually bound to the dynamic map.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
: Dynamic crypto map for clients whose peer address is not known in advance; PFS is required.
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
: NOTE(review): policy 10 offers DES and MD5, both long deprecated, and has the highest
: priority (lowest sequence number). Unless an old client still needs it, remove it so only
: the 3DES/SHA policies (20, 40) remain.
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
: Policy 40 uses the CRACK authentication method rather than a pre-shared key.
crypto isakmp policy 40
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
: NAT-T keepalive interval (seconds) so the UDP/4500 mapping survives on intermediate NATs.
crypto isakmp nat-traversal 20
: NOTE(review): telnet management is open to every inside host and carries credentials in the
: clear, while no "ssh <host> <mask> inside" line is present in this paste. Prefer SSH limited
: to the admin hosts, e.g. `ssh <ADMIN-HOST> 255.255.255.255 inside`, and drop the telnet line.
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
: console timeout 0 = an idle console session is never disconnected.
console timeout 0
: Group policy handed to clients of tunnel-group VPN: internal WINS/DNS, IPsec only, split
: tunnelling limited to the networks in VPN_splitTunnelAcl.
group-policy VPN internal
group-policy VPN attributes
wins-server value 10.0.0.6
dns-server value 10.0.0.6 10.0.0.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value X.local
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
: tunnel-group VPN: users authenticate against MasterLDAP, with LOCAL as fallback; the whole
: DN is used for authorization.
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
address-pool RemoteVPNUsers
authentication-server-group MasterLDAP LOCAL
default-group-policy VPN
authorization-dn-attributes use-entire-name
tunnel-group VPN ipsec-attributes
: Pre-shared keys are masked in the saved output.
pre-shared-key *
: NOTE(review): tunnel-group VPNPHONE points at group-policy VPNPHONE, which is not defined in
: this paste; presumably that part was omitted.
tunnel-group VPNPHONE type ipsec-ra
tunnel-group VPNPHONE general-attributes
address-pool RemoteVPNUsers
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
: class_sip_tcp matches SIP over TCP but is not referenced by any policy-map in this paste.
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
: NOTE(review): "inspect sip" is applied globally, so SIP traffic through the ASA -- including
: traffic arriving via the VPN -- goes through the SIP inspection engine, which performs NAT
: fixup on embedded addresses and opens media pinholes. Whether that is what breaks the
: poster's softphone cannot be told from the config alone (the log message is not included);
: it is the first thing to check, e.g. with "show service-policy inspect sip" for drops.
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect ipsec-pass-thru
inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac756d757e95441ac0591ad2e132fd21
: end
: The two lines below duplicate the asdm lines already present earlier in the config and
: appear after ": end"; presumably a paste artifact rather than part of the running config.
asdm image disk0:/asdm-524.bin
no asdm history enable
05-05-2015 11:43 AM
You may want to take a look at this bug: