02-25-2012 08:17 AM
Dears,
I have configured the VPN client on my ASA 5510.
I am now trying to telnet to my call manager on port 5060 and on port 2000.
When I am connected locally I am able to telnet to both ports, but when I connect through the Cisco VPN client I am able to telnet to port 2000 and not able to telnet to 5060. Both ports are on the same call manager.
When using the Windows VPN I am able to telnet to both ports.
Can someone please advise if there's a special configuration for SIP on my ASA?
Please note that I have the same issue even if I remove inspect SIP from:
policy-map global_policy
class inspection_default
Regards
02-25-2012 08:34 PM
Please post your ASA configuration. There are many different ways to configure VPN client (clientless SSL VPN, VPN client-based SSL VPN, IPsec remote access VPN, etc.). One cannot troubleshoot a problem like this without seeing the details of the way you are using.
02-26-2012 01:03 AM
Hi,
Thanks for your support.
Below is my ASA config:
ASA Version 7.0(7)
!
hostname FW
domain-name Company.com
enable password iqz6QVJ1vegoHbdy encrypted
names
name 192.168.0.0 inside_network
name 172.16.0.0 dmz_network
name 10.10.10.0 outside_network
name 10.10.10.2 server1
name 10.10.10.3 server2
dns-guard
!
interface Ethernet0/0
speed 10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 90
ip address 172.16.0.1 255.255.255.0
!
passwd iqaszg6gQVJ1dvcfssgoHgbndy encrypted
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 0:00 last Sun Oct 0:00
access-list inside_to_outside extended permit ip inside_network 255.255.255.0 any
access-list outside_to_inside extended permit ip any server1
access-list outside_to_inside extended permit ip any server2
access-list dmz_acl extended permit ip host 172.16.0.10 any
access-list 90 extended permit ip inside_network 255.255.255.0 192.168.145.0 255.255.255.0
access-list 90 extended permit ip inside_network 255.255.255.0 192.168.0.248 255.255.255.248
access-list ClientVPN_splitTunnelAcl standard permit inside_network 255.255.255.0
access-list ClientVPN_splitTunnelAcl standard permit dmz_network 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu WhozDMZ 1500
ip local pool VPNIpPool 192.168.0.250-192.168.0.252 mask 255.255.255.0
icmp deny any outside
asdm image disk0:/asdm-509.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.10.10.254
nat (inside) 0 access-list 90
nat (inside) 1 inside_network 255.255.255.0
static (inside,outside) server1 192.168.0.66 netmask 255.255.255.255
static (inside,outside) server2 192.168.0.67 netmask 255.255.255.255
access-group outside_to_inside in interface outside
access-group inside_to_outside in interface inside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ClientVPN internal
group-policy ClientVPN attributes
dns-server value 192.168.0.30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ClientVPN_splitTunnelAcl
default-domain value inmobiles.local
webvpn
username user1 password X.a/bhwgdLG6Bswg5Df0F encrypted privilege 0
username user1 attributes
vpn-group-policy ClientVPN
webvpn
http server enable
http inside_network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Client_Site_VPN esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set Client_Site_VPN
crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ToOutside interface outside
isakmp identity address
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
isakmp nat-traversal 20
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
address-pool VPNIpPool
default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
pre-shared-key *
telnet inside_network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect icmp
inspect mgcp
inspect sip
inspect skinny
inspect h323 h225
inspect h323 ras
!
service-policy global_policy global
Cryptochecksum:1dd382f1ae1f1080581e4a490a9174be
: end
Regards
02-26-2012 06:43 AM
Thanks for the details.
Your configuration looks pretty straightforward. I don't see any access-lists or policies that would prevent telnet from working on 5060 (SIP) when it works on port 2000 (SCCP or 'skinny'). You've not changed the default port assignments with the fixup command.
I would assume your VPN client is assigned an address from the pool 192.168.0.250-192.168.0.252. What is the destination IP of your server?
The policy-map should be allowing both protocols. You can verify that it is by using the commands:
show service-policy inspect sip
show service-policy inspect skinny
When you say you are not able to telnet on port 5060, what exactly do you see happening?
02-27-2012 03:42 AM
Hi,
Thank you for your help.
The destination server is in the DMZ zone and its IP is 172.16.0.10.
show service-policy inspect sip
show service-policy inspect skinny
are not working on my ASA.
We have the below CLI commands:
show service-policy ?
exec mode commands/options:
flow Show all policies that are enabled on a flow
global show status/statistics of the global policy
interface show status/statistics of an interface policy
ips Show status/statistics of 'ips' policy
police Show status/statistics of 'police' policy
priority Show status/statistics of 'priority' policy
set Show status/statistics of 'set' policy
| Output modifiers
Could it be my IOS version? All posts say that in some ASA IOS versions there was a SIP bug and we should upgrade.
Regards
02-27-2012 03:53 AM
Hi,
I am trying to use the normal Windows CMD telnet and I am getting
C:\Windows\System32>telnet 172.16.0.10 5060
Connecting To 172.16.0.10...Could not open connection to the host, on port 5060: Connect failed
On port 2000 it is working just fine.
Regards
02-28-2012 11:59 AM
It could be your ASA version. 7.0(7) is very old for an ASA release. I always hesitate to just answer "upgrade" as that is often given as an answer without taking time to fully understand the problem. If you are willing, it would be a good thing to try - you would need to do a several-step upgrade to get up to at least 8.2(5) from 7.0(7).
03-11-2012 07:48 AM
Hi, I have upgraded my ASA to 8.2(1) and I have configured no NAT on the VPN client IP pool.
And it's working fine now.
Thanks
03-11-2012 07:57 AM
access-list NONATdmz extended permit ip dmz 255.255.255.0 192.168.0.250 255.255.255.0
access-list NONATdmz extended permit ip dmz 255.255.255.0 192.168.0.251 255.255.255.0
access-list NONATdmz extended permit ip dmz 255.255.255.0 192.168.0.252 255.255.255.0
nat (DMZ) 0 access-list NONATdmz
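An added config check, not from the thread or from Cisco: the resolution above was a NAT exemption (nat 0 access-list) on the interface facing the destination so that VPN pool addresses reach the DMZ untranslated. This script parses the name, ip local pool, access-list ... extended permit ip and nat (iface) 0 access-list lines of an ASA 8.2-style config and reports pool addresses that a nat 0 ACL does not cover as a destination. The sample config is constructed, modelled on the thread's final fix with the dmz_network name from the earlier config.

```python
import ipaddress

# Constructed sample, modelled on the thread's final fix (not the poster's exact config).
SAMPLE_CONFIG = """
name 172.16.0.0 dmz_network
ip local pool VPNIpPool 192.168.0.250-192.168.0.252 mask 255.255.255.0
access-list 90 extended permit ip 192.168.0.0 255.255.255.0 192.168.0.248 255.255.255.248
access-list NONATdmz extended permit ip dmz_network 255.255.255.0 192.168.0.250 255.255.255.0
nat (inside) 0 access-list 90
nat (dmz) 0 access-list NONATdmz
"""

def _operand(tokens, names):
    """Consume one ACE address operand (any | host X | ADDR MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1])), tokens[2:]
    addr = names.get(tokens[0], tokens[0])          # resolve "name X Y" aliases
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    names, pools, acls, nat0 = {}, {}, {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name":
            names[parts[2]] = parts[1]
        elif parts[:3] == ["ip", "local", "pool"]:
            start, end = parts[4].split("-")
            pools[parts[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif parts[0] == "access-list" and parts[2:5] == ["extended", "permit", "ip"]:
            src, rest = _operand(parts[5:], names)
            dst, _ = _operand(rest, names)
            acls.setdefault(parts[1], []).append((src, dst))
        elif parts[0] == "nat" and parts[2] == "0" and parts[3] == "access-list":
            nat0[parts[1].strip("()")] = parts[4]   # nat (iface) 0 access-list NAME
    return names, pools, acls, nat0

def unexempted(text):
    """Map each nat-0 interface to the pool addresses its exemption ACL does not cover as destination."""
    _, pools, acls, nat0 = parse_config(text)
    addrs = [ipaddress.ip_address(int(s) + i) for s, e in pools.values() for i in range(int(e) - int(s) + 1)]
    return {iface: [str(a) for a in addrs if not any(a in dst for _, dst in acls.get(acl, []))]
            for iface, acl in nat0.items()}

if __name__ == "__main__":
    print(unexempted(SAMPLE_CONFIG))   # → {'inside': [], 'dmz': []}
```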