Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
392
Views
0
Helpful
1
Replies

Dropping Calls and Faxes not working ATA

ebrunet
Level 1
Level 1

‎06-06-2022 11:48 AM

Very much newer to Cisco ASA 5505 and the Vendor asked this of me.

Here are other recommendations from the vendor to make sure are set up in your firewall.

 

There might be other settings in the ASA. They could try opening (create ACL) RTP ports 10000 to 20000 UDP for our IPs. 209 Also try opening SIP ports 5060 to 5100 UDP.

 

hostname jz-corn

domain-name eerc.ca

enable password /vraMKkQ00WPzYqm encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.12.0 chest

!

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address 72.1.213.52 255.255.255.248

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.11.1 255.255.255.0

!

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 shutdown

 no nameif

 no security-level

 no ip address

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name eerc.ca

access-list inside_outbound_nat0_acl extended permit ip 192.168.11.0 255.255.255.0 chest 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 192.168.11.0 255.255.255.0 chest 255.255.255.0

access-list outin extended permit tcp any host 72.1.213.51 eq smtp

access-list outin extended permit tcp any host 72.1.213.51 eq https

access-list outin extended permit tcp any host 72.1.213.51 eq www

access-list outin extended permit tcp any host 72.1.213.50 eq 8001

pager lines 24

mtu outside 1500

mtu inside 1500

ip local pool clientpool 192.168.11.35-192.168.11.38 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 72.1.213.51 192.168.11.8 netmask 255.255.255.255

static (inside,outside) 72.1.213.50 192.168.11.9 netmask 255.255.255.255

access-group outin in interface outside

route outside 0.0.0.0 0.0.0.0 72.1.213.49 1

route outside chest 255.255.255.0 72.1.213.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.11.0 255.255.255.255 inside

http 192.168.11.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 70.52.118.240 24.235.52.46

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 20

 authentication pre-share

 encryption 3des

 hash md5

 group 2

 lifetime 86400

telnet 192.168.11.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 70.52.118.240 type ipsec-l2l

tunnel-group 70.52.118.240 ipsec-attributes

 pre-shared-key *

tunnel-group 24.235.52.46 type ipsec-l2l

tunnel-group 24.235.52.46 ipsec-attributes

 pre-shared-key *

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect dns preset_dns_map

  inspect http

!

service-policy global_policy global

prompt hostname context

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c840f9784f641433f2b59855f603ab16

Labels:
0 Helpful
1 Reply 1

Flavio Miranda
VIP
VIP

‎06-06-2022 12:25 PM

Hi

 Sounds to me like a inspection problem. Identify which protocols do you use for voice and fax and add inspection on ASA.

 

https://www.pearsonitcertification.com/articles/article.aspx?p=2140096 

0 Helpful
Customers Also Viewed These Support Documents