
Voip Problem - ASA 5515 - Version_9.1.1

Thiago Cella
Level 1

Hi friends,

I'm changing the firewall from a 5510 to a 5515. With the ASA 5510 the incoming and outgoing calls work perfectly, but when I activate the 5515 the outgoing calls don't work; only the incoming calls work. Please, any idea how to fix this?

As you can see in the topology, the flow of calls happens this way:

In the outgoing calls the phone forwards the call to the PABX (172.17.3.4), and the PABX forwards the call through the ISP LINK to the SIP SERVER (10.140.131.208). The incoming calls occur in the reverse path.

Desenho1.jpg

ASA 5510 config:

ASA Version 7.0(8)
name 172.17.3.4 PABX
dns-guard
!
!
interface Ethernet0/1
 description ***ISP SIP Network***
 nameif isp_sip
 security-level 100
 ip address 10.143.5.66 255.255.255.248
!
!
interface Management0/0
 description ***LAN VoIP Network ***
 nameif lan_sip
 security-level 100
 ip address 172.17.3.7 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list lan_sip_in extended permit ip 172.17.3.0 255.255.255.0 any
access-list isp_sip_in extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
mtu isp_sip 1500
mtu lan_sip 1500
no failover
icmp permit any voice-sip
asdm image disk0:/asdm-509.bin
asdm history enable
arp timeout 14400
global (isp_sip) 10 interface
nat (lan_sip) 10 access-list lan_sip_in
static (lan_sip,isp_sip) interface PABX netmask 255.255.255.255
access-group isp_sip_in in interface isp_sip
access-group lan_sip_in in interface lan_sip
route isp_sip 10.128.0.0 255.128.0.0 10.143.5.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 20
ssh scopy enable
ssh timeout 20
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect netbios
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip
  inspect rtsp
  inspect skinny
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
Cryptochecksum:2700210eff18cd54cf9633fc11cbb3c2
: end

===============================================================================================

ASA 5515 config:

ASA Version 9.1(1)
!
interface GigabitEthernet0/4
 description ***LAN VoIP Network ***
 speed 100
 nameif lan_sip
 security-level 100
 ip address 172.17.3.7 255.255.255.0
!
interface GigabitEthernet0/5
 description ***ISP SIP Network***
 speed 100
 nameif isp_sip
 security-level 100
 ip address 10.143.5.66 255.255.255.248
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network gw_lan_sip
 host 172.17.3.4
 description PABX
object network lan_sip
 subnet 172.17.3.0 255.255.255.0
object network 10.143.5.64
 subnet 10.143.5.64 255.255.255.248
object network isp_nat
 subnet 10.128.0.0 255.128.0.0
object network isp_nat_67
 host 10.143.5.67
object network isp_sip
 host 10.143.5.66
object-group icmp-type icmp_group
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
 icmp-object alternate-address
 icmp-object mask-reply
 icmp-object mask-request
object-group network DM_INLINE_NETWORK_3
 network-object object 10.143.5.64
 network-object object gvt_nat
access-list lan_sip_in extended permit ip 172.17.3.0 255.255.255.0 any
access-list isp_sip_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging asdm debugging
mtu voice_sip 1500
mtu gvt_sip 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (lan_sip,isp_sip) source dynamic lan_sip interface
access-group lan_sip_in in interface lan_sip
access-group isp_sip_in in interface isp_sip
route isp_sip 10.128.0.0 255.128.0.0 10.143.5.65 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.17.3.0 255.255.255.0 voice_sip
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
ssh scopy enable
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption des-sha1
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-clientless
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect sip
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:a44971c471666eca006a410a93b1abdd
: end


Maykol Rojas
Cisco Employee

Hi Thiago,

When you say that the outbound calls do not work, do they not work at all, or are they just having audio issues? We may need to capture the traffic between the PBX box and the ISP voice network to see what exactly is happening with the call signaling.

Let us know if you have a sniffer already.

Mike
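
Added example, not part of the original thread or written by either poster: one way to take the capture requested above on the ASA 5515 itself, using the interface names and addresses from the posted 9.1(1) config. The capture names cap_lan and cap_isp are hypothetical, and SIP signalling over UDP port 5060 is an assumption, since the thread does not state the transport.

```cisco
! Constructed example; capture names cap_lan and cap_isp are hypothetical.
! Assumes SIP signalling over UDP port 5060 (not stated in the thread).
!
! Inside leg: PABX to SIP server as seen on lan_sip, before translation.
capture cap_lan interface lan_sip match udp host 172.17.3.4 host 10.140.131.208 eq 5060
!
! Outside leg: the same flow on isp_sip, after the dynamic PAT in the
! posted config rewrites the source to the interface address 10.143.5.66.
capture cap_isp interface isp_sip match udp host 10.143.5.66 host 10.140.131.208 eq 5060
!
! Place one outgoing test call, then compare what each leg recorded.
show capture cap_lan
show capture cap_isp
!
! Translation and connection state for the same call.
show xlate
show conn address 10.140.131.208
!
! Remove the captures when finished so they stop consuming buffer memory.
no capture cap_lan
no capture cap_isp
```

If packets appear in cap_lan but not in cap_isp, the call is being stopped inside the firewall; if both legs show the request and no response arrives, the issue lies past the isp_sip interface.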