ASA5505 and VoIP: rings phone, but no sound when answered

Answered Question
Dec 19th, 2007
I have an ASA5505 in place that everything on the LAN network appears to be working as far as PCs and such. However we have IP phones coming from the Internet that are at issue.


On the local LAN, phones can talk to each other with no issue, and PCs can get out to the Internet, network print, etc. But when someone on an outside phone calls a phone on the local LAN (and vice versa), the phone rings, but there is no sound when answered, in either direction.


These phones use an ALLWORX PBX that is on the local LAN.


I WANT to NAT the ALLWORX so it isn't outright exposed, but so far that is the only way I can get it to work for everyone.


I DID have udp/2088, udp/5060, tcp/8081, udp/15000-15511 opened for the external (12.x.x.90) and internal (192.168.x.22) IP, both incoming and outgoing, but started seeing these results. So I opened all ports to all IPs, with the exact same results.


This is the config with the udp/tcp ports allowed (attached)



Correct Answer by Aalexiou78 about 4 years 10 months ago

Hello dirkmelvin


I searched around a lot to find a solution, but I kept hitting Not Answered posts.

After a lot of searching, it looks like it was indeed related to RTP traffic being denied by the PIX/ASA.

Here's what works for me (Asterisk (SIP/IAX) internally, SIP/IAX2 clients outside, ASA 8.0(4)):


object-group service [OBJ_NAME]
 ! for IAX2
 service-object tcp-udp eq 4569
 service-object tcp-udp eq sip
 ! for RTP needed by SIP clients. NEVER USE tcp-udp here, NEVER!
 service-object udp range 10000 20000

access-list [ACL_NAME] extended permit object-group [OBJ_NAME] any interface outside
access-group [ACL_NAME] in interface outside

static (inside,outside) udp interface sip [my internal VoIP_SRV_IP] sip netmask 255.255.255.255
! for IAX2
static (inside,outside) udp interface 4569 [my internal VoIP_SRV_IP] 4569


And of course it didn't work until I added inspection of SIP in the global policy map:

policy-map global_policy
 class inspection_default
  inspect sip

Do not forget to apply it with:

service-policy global_policy global

Aalexiou78 Wed, 06/06/2012 - 02:14

Cody Link Wed, 06/06/2012 - 05:20

Not saying this applies to your situation, but I have seen with other PBX systems such as Teleworker/Mitel that you will need an outbound NAT on the ASA to redirect the traffic to the PBX system. The reason for this was the fact that the call is coming in from the outside, so when the RTP stream is set up it is trying to reach the outside NAT'ed address instead of your internal address. And of course the ASA denies this traffic by default due to the hairpin effect. The solution I used was a static NAT statement like static (dmz,inside). In your instance it does not look like you have the PBX in a DMZ, so it might be something like static (inside,inside).

To see if this is your issue, you could set up Wireshark and sniff the traffic on the voice VLAN and see if the phone is trying to set up the RTP stream to an outside IP address.


Just a thought. 
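The capture check suggested above can be scripted. The following is an added example, not code from any poster in this thread: it reads the SDP body of a captured SIP message and reports when the advertised RTP address is an inside (RFC 1918) address seen on the outside, or when the media port falls outside the permitted range. The function names, the sample message and its addresses are constructed, and the default range is the 10000-20000 from the object-group in the answer above.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a 200 OK captured on the outside interface whose SDP
# still carries the PBX's inside address (addresses are placeholders).
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Call-ID: constructed-1@example.invalid\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=pbx 1 1 IN IP4 192.168.10.22\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.10.22\r\n"
    "t=0 0\r\n"
    "m=audio 15004 RTP/AVP 0 8\r\n"
)

def parse_sdp_media(sip_message):
    """Return [(ip, port)] for each audio stream in the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr, streams, cur = None, [], None  # cur is None at session level
    for line in body.splitlines():
        if line.startswith("m="):
            cur = [session_addr, int(line.split()[1].split("/")[0])]
            if line.startswith("m=audio "):
                streams.append(cur)
        elif line.startswith("c=IN IP4 "):
            addr = line.split()[2].split("/")[0]
            if cur is None:
                session_addr = addr
            else:
                cur[0] = addr  # media-level c= overrides session-level
    return [tuple(s) for s in streams]

def audit_media(sip_message, seen_on_outside, rtp_range=(10000, 20000)):
    """List reasons the advertised RTP endpoint would be unreachable."""
    findings = []
    for addr, port in parse_sdp_media(sip_message):
        if addr is None:
            findings.append("audio stream has no c= address")
        elif seen_on_outside and any(
                ipaddress.ip_address(addr) in net for net in RFC1918):
            findings.append(f"{addr}: inside address advertised to outside peer")
        if not rtp_range[0] <= port <= rtp_range[1]:
            findings.append(f"port {port}: outside permitted RTP range")
    return findings
```

Paste the SIP text of an INVITE or 200 OK from the capture as the first argument; an empty list means the advertised media endpoint is consistent with the NAT and ACL.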
