Configuring ASA for Packet8 VOIP

Oct 12th, 2007

Hello, I am trying to configure my ASA5505 to correctly bypass the stateful inspection for UDP port 15044. Currently none of the default-inspect policies have this port listed. How do I add it and correctly get the VOIP traffic to not be inspected?


Thanks,

Josh


Current config:


ASA Version 7.2(2)
!

access-list nonat extended permit ip 172.29.8.0 255.255.255.0 172.28.1.0 255.255.255.0
access-list XXX extended permit ip 172.29.8.0 255.255.255.0 172.28.1.0 255.255.255.0
access-list in_out extended permit tcp any any
access-list in_out extended permit ip any any
access-list in_out extended permit udp any any
access-list test extended permit ip 172.29.8.0 255.255.255.0 any
access-list net extended permit tcp any any eq smtp
access-list net extended permit udp any any eq 15044
access-list VOIP-TEST standard permit host 172.29.8.188
access-list VOIP-TEST standard permit host 172.29.8.199
access-list VOIP-TEST-IP extended permit ip host 172.29.8.188 any
access-list VOIP-TEST-IP extended permit ip host 172.29.8.199 any
access-list VOIP-TEST-IP extended permit ip any host 172.29.8.188
access-list VOIP-TEST-IP extended permit ip any host 172.29.8.199
access-list VOIP-TEST-IP extended permit udp any host 172.29.8.188 eq 15044
access-list VOIP-TEST-IP extended permit udp any host 172.29.8.199 eq 15044
access-list VOIP-TEST-IP extended permit udp host 172.29.8.199 any eq 15044
access-list VOIP-TEST-IP extended permit udp host 172.29.8.188 any eq 15044
access-list VOIP-CAPTURE standard permit host 172.29.8.188
access-list VOIP-CAPTURE standard permit host 172.29.8.199

priority-queue inside
 tx-ring-limit 256
priority-queue outside
 tx-ring-limit 256
!
class-map VOIP-TO-PACKET8-UDP-15044
 match port udp eq 15044
class-map VOIP-TO-PACKET8-TCP-8880
 match port tcp eq 8880
class-map inspection_default
 match default-inspection-traffic
class-map default_inspection
 match access-list VOIP-TEST-IP
class-map VOIP-TO-PACKET8-IP-FILTER
class-map inspection_15044
 match port udp eq 15044
class-map VOIP-TO-PACKET8-UDP-RTP
 match rtp 8000 16383
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map VOIP-TO-PACKETS
 class inspection_default
  inspect sip
policy-map global_policy
policy-map inspection_default
policy-map VOIP-TO-PACKET8
 class VOIP-TO-PACKET8-UDP-15044
  priority
 class VOIP-TO-PACKET8-UDP-RTP
  priority
 class VOIP-TO-PACKET8-TCP-8880
  priority
 class inspection_default
  inspect sip
  inspect skinny
  inspect rtsp
 class inspection_15044
!
service-policy VOIP-TO-PACKET8 interface outside

didyap Thu, 10/18/2007 - 07:20

You can use the following config to bypass inspection for UDP port 15044:


access-list acs-list permit udp any any eq 15044
access-list acs-list permit udp any eq 15044 any

class-map acs-class
 match access-list acs-list

policy-map global_policy
 class acs-class
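
An added example, not part of the thread: a small Python audit that lists incomplete Modular Policy Framework entries in an ASA running-config (class-maps with no match, policy-map classes with no action, policy-maps with no class or no service-policy). The `ACTIONS` set is an assumed subset of MPF action keywords, `audit_mpf` is a hypothetical helper name, and the sample is a constructed subset of the configuration posted in the question.

```python
ACTIONS = {"inspect", "priority", "police", "set", "csc", "ips"}  # assumed subset of MPF actions
# Constructed sample: a subset of the running-config posted in the question.
SAMPLE = """\
class-map VOIP-TO-PACKET8-IP-FILTER
class-map inspection_15044
 match port udp eq 15044
policy-map VOIP-TO-PACKETS
 class inspection_default
  inspect sip
policy-map global_policy
policy-map VOIP-TO-PACKET8
 class inspection_default
  inspect sip
 class inspection_15044
service-policy VOIP-TO-PACKET8 interface outside
"""

def audit_mpf(config):
    """Return structural findings for the class-maps and policy-maps in config."""
    cmaps, pmaps, bound, out = {}, {}, set(), []
    cmap = pmap = cls = None
    words = (l.split() for l in config.splitlines() if l.strip(" !"))
    for w in (w for w in words if w[0] != "description"):
        if w[0] == "match" and cmap:
            cmaps[cmap] += 1
        elif w[0] == "class" and pmap:
            cls = w[-1]
            pmaps[pmap].setdefault(cls, [])
        elif w[0] in ACTIONS and cls:
            pmaps[pmap][cls].append(" ".join(w))
        else:  # any other keyword closes the current map
            cmap = pmap = cls = None
            if w[0] == "class-map" and w[1:2] != ["type"]:
                cmap = w[-1]
                cmaps[cmap] = 0
            elif w[0] == "policy-map" and w[1:2] != ["type"]:
                pmap = w[-1]
                pmaps[pmap] = {}
            elif w[0] == "service-policy":
                bound.update(w[1:2])
    out += [f"class-map {n}: no match statement" for n, c in cmaps.items() if not c]
    for name, classes in pmaps.items():
        if name not in bound:
            out.append(f"policy-map {name}: not attached by a service-policy")
        if not classes:
            out.append(f"policy-map {name}: no classes")
        out += [f"policy-map {name}: class {c} has no action" for c, a in classes.items() if not a]
    return out

print(*audit_mpf(SAMPLE), sep="\n")
```

The parser is keyword-based rather than indentation-based, so it also works on a running-config whose indentation was lost when it was pasted.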

