SIP over VPN not working

MPIBGC_Jena
Level 1

Hi,

we have an ASA running 8.2.2 (ASDM 6.2.5). VPN connections are working well.

But it's not possible to use a SIP client (phone or software) through an SSL tunnel.

So today I've tried to look at this problem in detail. I installed an Ubuntu system, openconnect and ekiga as a softphone. In our network everything is working without any error. I used an external DSL connection to test everything over the VPN tunnel.

I can ping the SIP server and I can access the https frontend of the SIP server. The client "seems" to connect as well. I can call the ekiga client, it's ringing and I can speak and hear everything (most times).

Dialing from the ekiga client ALWAYS fails.

On the ASA there is no policy allowing or denying those connections.

a) How can I trace it on the ASA?

b) Has anybody seen this behavior? (only one-way communication)

Thanks and bye, Peer

2 Replies

manish arora
Level 6

Hello Peer,

you can use the packet capture function on the ASA to see & capture traffic coming into the ASA and leaving the ASA.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

you can also use the packet-tracer feature to mock a connection and see if it's passing the firewall as expected.

https://supportforums.cisco.com/docs/DOC-5796

This will provide you with extra insight into how the firewall is treating the traffic once it's received on the internal or external interfaces.

Thank you

Manish

Dinkar Sharma
Cisco Employee

Hi,

In general you do not require SIP inspection enabled on traffic flowing via VPN, as we do not require a dynamic pinhole to be opened and no NAT is required at layer 7. I would suggest disabling SIP inspection for this specific host and then trying to connect.

So go ahead and disable inspection for traffic coming via VPN tunnel.

access-list test extended deny ip 172.16.10.0 255.255.255.0 172.17.10.0 255.255.255.0
access-list test extended deny ip 172.17.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list test extended permit ip any any

(make sure you have permit ip any any at the end to allow the rest of the traffic to be inspected)

class-map inspection_default
 match access-list test

Regards,

Dinkar
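The complete Modular Policy Framework configuration that the reply above sketches, together with the capture and packet-tracer checks from the first reply, as an added example that is not part of the thread. It assumes the default global_policy policy-map is in place and uses constructed host addresses inside the two subnets from the reply for the verification commands.

```cisco
! Added example (not from the thread): exempt traffic between the two
! subnets from SIP inspection on an ASA 8.2 using the Modular Policy
! Framework. Subnet, ACL and class-map names follow the reply above.

! 1. ACL: a "deny" here means "do not inspect"; the final permit keeps
!    every other flow under inspection.
access-list test extended deny ip 172.16.10.0 255.255.255.0 172.17.10.0 255.255.255.0
access-list test extended deny ip 172.17.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list test extended permit ip any any

! 2. Restrict the default inspection class to flows permitted by the ACL.
!    default-inspection-traffic keeps the match limited to the well-known
!    inspection ports and may be combined with match access-list.
class-map inspection_default
 match default-inspection-traffic
 match access-list test

! 3. The inspection itself lives in the global policy (assumed default
!    global_policy; only the sip line is shown).
policy-map global_policy
 class inspection_default
  inspect sip

service-policy global_policy global

! Verification. Host addresses below are constructed for illustration.
! a) Per-engine counters: SIP packets between the two subnets should stop
!    being counted once the exemption is in place.
show service-policy inspect sip

! b) Trace a single SIP signalling packet from the SIP server toward the
!    remote client and confirm which class, if any, it hits.
packet-tracer input inside udp 172.16.10.5 5060 172.17.10.20 5060

! c) Capture the signalling on the inside interface to check whether the
!    INVITE from the softphone actually reaches the server.
capture sipcap interface inside match udp any any eq 5060
show capture sipcap
no capture sipcap
```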