Ok, you already have a list of ports that need to be opened. Now, assuming your phones are on the internal side of the ASA, they do not represent a threat and are somehow trusted phones. There should not be any port restriction, we trust the phones don't we? Speaking of trusted stuff, i'm curious about the fact that the server [subscriber] and the phones are separated by the ASA. Why is it like that? Is this something that can be changed? If i had a bunch of phones, a server and whole lot of time, i would sell them. Don't know much of voice stuff, you know? But i know about this, so, i would recommend you to move the server with the phones and place them all in the same network, that way they will freely communicate with each other, saving a L3 hop and bandwidth. As my grandpa used to say: "If you can save a L3 hop in a voice implementation, do it." Wise words. Now, in case you are keeping your current setup, make sure that TFTP and SCCP traffic is allowed from the phones to the server, also UDP/16384 - 32767. That's basically all you need to get it working. Ports UDP/69, TCP/2000 and UDP/16384 - 32767 ... View more

Two things we can try. Try to "rediscover" the sensor. Basically go to the device list, delete it and add it back. If that doesn't work, try to reload the server that has the IME software. ... View more

Try these two commands: "Fixup protocol icmp" And "Same-security-traffic permit inter-interface" ... View more

As Juan suggested, review the logs, probably you will find some of  them saying that the connection was closed due a "pinhole" timeout. This  means that no traffic was traversing the secondary link and it was  closed. Not the ASA's fault. Also, have you tried disabling the H323 inspection? ... View more

Apologies for the late reply. Can you please be very specific on how you want to access the server and from where. Once that is clarified, the answer will be easy to get. ... View more

Sorry, bro. It's not you, it's me. But, i didn't get your last post, can you please elaborate? ... View more

SCCP uses port 2000, so open that one. The firewall inspection should do the rest. Normally you won't need to open anything else if you try to establish phone calls. Don't block DHCP nor TFTP though. ... View more

It is important to know the protocol that you are going to use, that way we can define the ports that you need open. There are many, SCCP 2000  SIP 5060, 5061 TCP & UDP,   H323 1720 TCP , MGCP 2427 Y 2428 TCP. That without the RTP ports. ... View more

What type of users are we talking about? End users or Ip phone extensions? ... View more

Can I access both the FW and IPS through the dedicated management port via SSH and ASDM/IDM? Sorta, you can ssh to the ASA and from there establish a backplane connection to the module. Can I assign the management port an external IP address and to establish  a L2L VPN tunnel for remote management and tunnel syslog and IPS logs  through it? Would I be able to route Syslog and IPS event through the Management port to a remote event collector? Yes, but you can't do the IPS part though. The IPS is an independant unit and will use its own management interface to send logs, the only way you can do this is to log into the ASA, then into the IPS and get the logs you are looking for. http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1198794 http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1214750 Cabling clarification: internal switch connected to the ASA's management interface and to the IPS' management interface. This is ok, if you want the units to communicate make sure they are part of the same vlan. ... View more

What version of IDM are you using? Can you share a screenshot of what you are seeing? Try to use the latest version of IDM and also try to access the module using a web browser instead of the launcher, in case you are using the launcher. ... View more

This might help you: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf ... View more

The problem seems to be only with the "inside" interface. Let's try to clear the counters and calculate how fast the number of dropped packets increasses. Issue a "clear interface gi0/1" and then get the output of the "show interface gi0/1" a couple of times with 5 minutes of difference between one output and the other. ... View more