690 Views · 0 Helpful · 2 Replies

What else needs to be done for SIP on ASA 5510 /3825

stownsend (Level 2)

My SIP provider is not convinced that my ASA and Edge Router are not altering the SIP packets. On the ASA I've removed the inspect SIP and H323; what else needs to be done to make the firewall not mess with the SIP traffic?

Packets are flowing in/out. 

access-list hbg-outside-198_access_in extended permit udp host <SIP HOST> object sfipoffice_o eq sip
access-list hbg-outside-198_access_in extended permit udp any object hbgipoffice_o gt 49152
access-list hbg-outside-198_access_in extended permit udp any object hbgipoffice_o lt 53246

Here are my Policy Maps.

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect ils
  inspect http
!

On the 3825 it's just a pretty simple config that just routes packets from one interface to another, all public addresses, so no NAT on it.

Anything else I need to do?

Thanks,


2 Replies

Kureli Sankar (Cisco Employee)

If you removed SIP inspection, you may also want to "clear local x.x.x.x" for the IP address in question so that all new connections will not use SIP inspection.

Besides that nothing else needs to be done.

If there is address translation involved then, to fix up the embedded IP addresses within the packets, you most definitely need SIP inspection enabled. If there is no address translation (NAT) involved then all you need is permission via the ACL.

-Kureli
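A way to check the two points raised above against actual captures: which SIP/SDP fields carry a private address that only SIP inspection would rewrite behind NAT, and whether a capture taken inside the ASA differs from one taken outside (i.e. whether the firewall is altering the SIP packets). This is an added example, not code from this thread or from Cisco; the INVITE, the 10.1.1.5 phone and the 198.51.100.10 public address are constructed.

```python
import re
from ipaddress import ip_address

# Places a SIP request carries an IPv4 address literally (the addresses a NAT
# device cannot fix without an application-layer SIP inspection/ALG):
# Via sent-by, From/To/Contact URI hosts, and the SDP c= connection line.
_QUAD = r"(\d{1,3}(?:\.\d{1,3}){3})"
_PATTERNS = {
    "Via":     re.compile(r"^Via:\s*SIP/2\.0/\w+\s+" + _QUAD, re.I | re.M),
    "From":    re.compile(r"^From:.*?sip:(?:[^@\s>]+@)?" + _QUAD, re.I | re.M),
    "To":      re.compile(r"^To:.*?sip:(?:[^@\s>]+@)?" + _QUAD, re.I | re.M),
    "Contact": re.compile(r"^Contact:.*?sip:(?:[^@\s>]+@)?" + _QUAD, re.I | re.M),
    "SDP c=":  re.compile(r"^c=IN IP4 " + _QUAD, re.I | re.M),
}

def embedded_addresses(msg: str) -> dict:
    """Return {field: address} for each literal IPv4 address found in the message."""
    return {f: m.group(1) for f, p in _PATTERNS.items() if (m := p.search(msg))}

def fields_needing_fixup(msg: str, public_ip: str) -> list:
    """Fields holding an RFC 1918 address that differs from the NATted source.
    With SIP inspection off, the ASA leaves these as-is and the provider sees
    an unreachable private address in signalling and media."""
    return sorted(f for f, a in embedded_addresses(msg).items()
                  if ip_address(a).is_private and a != public_ip)

def diff_captures(inside_msg: str, outside_msg: str) -> dict:
    """Compare the same request captured on the inside and outside interfaces.
    Returns {field: (inside, outside)} for every address that was rewritten;
    an empty dict means the firewall did not touch the embedded addresses."""
    a, b = embedded_addresses(inside_msg), embedded_addresses(outside_msg)
    return {f: (a[f], b.get(f)) for f in a if a[f] != b.get(f)}

# Constructed INVITE as it would leave a phone on the inside network.
INVITE_INSIDE = (
    "INVITE sip:bob@provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@10.1.1.5>;tag=1928\r\n"
    "To: <sip:bob@provider.example>\r\n"
    "Contact: <sip:alice@10.1.1.5:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 1 1 IN IP4 10.1.1.5\r\ns=-\r\n"
    "c=IN IP4 10.1.1.5\r\nm=audio 49170 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    print(fields_needing_fixup(INVITE_INSIDE, "198.51.100.10"))
    print(diff_captures(INVITE_INSIDE, INVITE_INSIDE))
```

Feed it the text of the same INVITE from `capture` on the inside and outside interfaces; the To header, which names the provider rather than an address, is correctly reported as needing no fixup.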

I'm a bit confused about your reply.

I have two devices.

The ASA, which has to do NAT, though its SIP inspection is disabled.

The 3825 Edge Router, which does not do NAT; there is no policy map and no inspections in the

The configs on these have been in place for some time over a few reboots, so I don't think it's a cached thing.

Thank you,

Scott
