06-06-2022 11:48 AM
Very much newer to Cisco ASA 5505 and the Vendor asked this of me.
Here are other recommendations from the vendor to make sure are set up in your firewall.
There might be other settings in the ASA. They could try opening (create ACL) RTP ports 10000 to 20000 UDP for our IPs. 209 Also try opening SIP ports 5060 to 5100 UDP.
hostname jz-corn
domain-name eerc.ca
enable password /vraMKkQ00WPzYqm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.12.0 chest
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 72.1.213.52 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name eerc.ca
access-list inside_outbound_nat0_acl extended permit ip 192.168.11.0 255.255.255.0 chest 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.11.0 255.255.255.0 chest 255.255.255.0
access-list outin extended permit tcp any host 72.1.213.51 eq smtp
access-list outin extended permit tcp any host 72.1.213.51 eq https
access-list outin extended permit tcp any host 72.1.213.51 eq www
access-list outin extended permit tcp any host 72.1.213.50 eq 8001
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool clientpool 192.168.11.35-192.168.11.38 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 72.1.213.51 192.168.11.8 netmask 255.255.255.255
static (inside,outside) 72.1.213.50 192.168.11.9 netmask 255.255.255.255
access-group outin in interface outside
route outside 0.0.0.0 0.0.0.0 72.1.213.49 1
route outside chest 255.255.255.0 72.1.213.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.11.0 255.255.255.255 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 70.52.118.240 24.235.52.46
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 70.52.118.240 type ipsec-l2l
tunnel-group 70.52.118.240 ipsec-attributes
pre-shared-key *
tunnel-group 24.235.52.46 type ipsec-l2l
tunnel-group 24.235.52.46 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect http
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c840f9784f641433f2b59855f603ab16
06-06-2022 12:25 PM
Hi
Sounds to me like a inspection problem. Identify which protocols do you use for voice and fax and add inspection on ASA.
https://www.pearsonitcertification.com/articles/article.aspx?p=2140096
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide