Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4946
Views
0
Helpful
3
Replies

ASA5505 and VoIP: rings phone, but no sound when answered

Go to solution
dirkmelvin
Level 1
Level 1

‎12-19-2007 10:43 PM - edited ‎03-15-2019 07:53 AM

I have an ASA5505 in place that everything on the LAN network appears to be working as far as PCs and such. However we have IP phones coming from the Internet that are at issue.

On the local LAN phones can talk to each other no issue, and PCs can get out to the Internet and network print, etc. But when someone from the outside phones calls a phone on the local LAN(and vice versa) the phone rings, but there is no sound when answered in either direction.

These phones use an ALLWORX PBX that is on the local LAN.

I WANT to NAT the ALLWORX so it isn't outright exposed, but so far that is the only way I can get it to work for everyone.

I DID have udp/2088,udp/5060,tcp/8081,udp/15000-15511 opened for the external(12.x.x.90) and internal (192.168.x.22) IP both incoming and outgoing but started seeing these results. So I opened all ports to all IPs, with the exact same results.

This is the config with the udp/tcp ports allowed (attached)

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aalexiou78
Level 1
Level 1

‎06-06-2012 02:14 AM

Hello dirkmelvin

I was trying a lot around to find a solution but i was hitting always to Not Answered posts.

After a lot of search it looks indeed that was related with RTP traffic being denied from the PIX/ASA.

Here's what works for me (Asterisk (SIP/IAX) Internally - SIP/IAX2 Clients outside - ASA 8.0(4)

object-group service [OBJ_NAME]

service-object tcp-udp eq 4569 #for IAX2

service-object tcp-udp eq sip

service-object udp range 10000 20000 #for RTP needed by SIP clients NEVER USE tcp-udp here NEVER!

access-list [ACL_NAME] extended permit object-group [OBJ_NAME] any interface outside

access-group [ACL_NAME] in interface outside

static (inside,outside) udp interface sip [my internal VoIP_SRV_IP] sip netmask 255.255.255.255

static (inside,outside) udp interface 4569 [my internal VoIP_SRV_IP] 4569 #for IAX2

and of course didn't worked until i added inspection of sip in the global policy map

policy-map global_policy

class inspection_default

  inspect sip

do not forget to apply it by

service-policy global_policy global

View solution in original post

0 Helpful
3 Replies 3

Go to solution
bwilmoth
Level 5
Level 5

‎12-26-2007 02:48 PM

looks like RTP traffic is being blocked.make sure the packets are being sent back by the gateway and then eventually blocked by the ASA. If not, then there might be a routing/firewall issue between the gateway and the ASA5510

http://cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801a62b9.shtml

0 Helpful

Go to solution
Aalexiou78
Level 1
Level 1

‎06-06-2012 02:14 AM

Hello dirkmelvin

I was trying a lot around to find a solution but i was hitting always to Not Answered posts.

After a lot of search it looks indeed that was related with RTP traffic being denied from the PIX/ASA.

Here's what works for me (Asterisk (SIP/IAX) Internally - SIP/IAX2 Clients outside - ASA 8.0(4)

object-group service [OBJ_NAME]

service-object tcp-udp eq 4569 #for IAX2

service-object tcp-udp eq sip

service-object udp range 10000 20000 #for RTP needed by SIP clients NEVER USE tcp-udp here NEVER!

access-list [ACL_NAME] extended permit object-group [OBJ_NAME] any interface outside

access-group [ACL_NAME] in interface outside

static (inside,outside) udp interface sip [my internal VoIP_SRV_IP] sip netmask 255.255.255.255

static (inside,outside) udp interface 4569 [my internal VoIP_SRV_IP] 4569 #for IAX2

and of course didn't worked until i added inspection of sip in the global policy map

policy-map global_policy

class inspection_default

  inspect sip

do not forget to apply it by

service-policy global_policy global

0 Helpful

Go to solution
Cody Link
Level 4
Level 4

‎06-06-2012 05:20 AM

Not saying this applies to your situation but I have seen with other PBX systems such as Teleworker/Mitel that you will need an outbound NAT on the ASA to redirect the traffic to the PBX system.  The reason for this was the fact that the call is coming in from the outside so when the RTP stream is setup it is trying to reach the outside NAT'ed address instead of your internal address.  And of course the ASA denies this traffic by default due to the hairpin effect.  The solution I used was a static NAT statement like static(dmz,inside) .  In your instance it does not look like you have the PBX in a DMZ so it might be something like static(inside,inside) .

To see if this is your issue you could setup wireshark and sniff the traffic on the voice VLAN and see if the phone is trying to setup the RTP stream to an outside IP address.

Just a thought. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents