Why am I able to make phone calls through the firewall?

Aug 7th, 2008

I have the following scenario:

Outside Network:

Inside Network:

One ASA5505 separates the two networks, standard security levels, no default inspections, no access lists (implicit rules are working).

A Cisco Call Manager with IP: and one IP phone ( are connected outside. Connected inside is another IP phone with IP:

My question is:

Why can I make a phone call from outside to inside? Normally the implicit deny ip any any should work?

If I have a look in my connection table, I can see the following:

UDP outside inside, idle 0:00:00, bytes 4879984, flags -

TCP outside inside, idle 0:00:26, bytes 16208, flags UIO


Why do I see no flags in the UDP connection?

Why is this connection possible?

Why is it just one UDP connection?

If I have a look in my firewall log (see attachment), I can see two denied UDP connections and after that a build with the same parameters?

Maybe it's easy, but I'm a bit confused.

Thanks for your help.

Here is the "attachment":

6 Aug 06 2008 18:05:35 302015 Built outbound UDP connection 377 for outside: ( to inside: (

2 Aug 06 2008 18:05:35 106006 Deny inbound UDP from to on interface outside

2 Aug 06 2008 18:05:35 106006 Deny inbound UDP from to on interface outside

Farrukh Haroon Thu, 08/07/2008 - 04:27

UDP is a connectionless protocol, that's why it does not have any flag(s). However, from your syslog it is clear that the UDP connection was initiated from the inside, "Built *outbound* UDP connection". The TCP connection was also initiated from the inside (to the Call Manager) as it has flags UIO. Had it been from the outside, it would be UIOB.

Perhaps it's working due to the inspections on the ASA? Did you try to 'talk' through, as in two-way voice?
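The explanation above (direction of the conn entry and the meaning of the `show conn` flag letters) can be checked mechanically. The following Python is an added example for this thread, not code from Cisco or from either poster: it decodes the flag field of `show conn` rows, and replays the sequence implied by the three syslog lines in the question through a minimal model of an ASA with no ACLs and no inspection. All addresses, ports and the connection number are constructed (RFC 5737 documentation ranges); the flag meanings follow the ASA `show conn` documentation, and the syslog text mirrors the 302015/106006 lines quoted in the question. In the model a single conn entry is matched in both directions, which is why the replayed call produces one UDP entry rather than two.

```python
"""Toy model of why a call passes an ASA with no ACLs and no inspection:
the inside phone sends the first packet, which builds a bidirectional conn
entry that the outside phone's packets then match. Added illustration, not
Cisco code; every address, port and conn number below is constructed."""
import re
from dataclasses import dataclass, field

# Subset of the `show conn` flag letters as documented for the ASA.
CONN_FLAGS = {
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
    "B": "initial SYN from outside",
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
}

# One `show conn` row: "<proto> <if> <ip>:<port> <if> <ip>:<port>, idle .., bytes .., flags .."
CONN_LINE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<if1>\w+) (?P<a1>[\d.]+):(?P<p1>\d+) "
    r"(?P<if2>\w+) (?P<a2>[\d.]+):(?P<p2>\d+), idle (?P<idle>[\d:]+), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)


def decode_flags(flags: str) -> list[str]:
    """Expand a flag string; '-' (what UDP entries usually show) means no flags."""
    if flags == "-":
        return []
    return [CONN_FLAGS.get(ch, f"unknown({ch})") for ch in flags]


def initiated_from_outside(flags: str) -> bool:
    """For TCP, 'B' records that the initial SYN arrived on the outside interface."""
    return "B" in flags


def parse_conn_line(line: str) -> dict:
    """Parse one `show conn` row; direction is only knowable from flags for TCP."""
    m = CONN_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised conn line: {line!r}")
    d = m.groupdict()
    d["flags_meaning"] = decode_flags(d["flags"])
    d["initiated_from_outside"] = (
        initiated_from_outside(d["flags"]) if d["proto"] == "TCP" else None
    )
    return d


@dataclass
class StatefulFirewall:
    """Default ASA behaviour with no ACLs, reduced to its essentials: a packet
    entering on the high-security (inside) interface builds a conn entry; a
    packet entering on outside is allowed only if it matches an existing entry
    in either direction. Individual matched packets are not logged."""
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)
    next_id: int = 377  # the connection number that appears in the thread

    def packet(self, ingress: str, proto: str, src: str, sport: int,
               dst: str, dport: int) -> str:
        key = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        if key in self.conns or reverse in self.conns:
            return "allowed"
        if ingress == "inside":
            self.conns.add(key)
            self.log.append(
                f"%ASA-6-302015: Built outbound {proto} connection {self.next_id} "
                f"for outside:{dst}/{dport} ({dst}/{dport}) to inside:{src}/{sport} ({src}/{sport})"
            )
            self.next_id += 1
            return "allowed"
        self.log.append(
            f"%ASA-2-106006: Deny inbound {proto} from {src}/{sport} to {dst}/{dport} on interface outside"
        )
        return "denied"


def replay_call_scenario() -> tuple[list[str], list[str]]:
    """Two outside RTP packets are denied, one inside packet builds the conn,
    and the next outside packet matches it. Constructed endpoints: outside
    phone 198.51.100.20, inside phone 192.0.2.10, symmetric RTP ports."""
    fw = StatefulFirewall()
    out_phone, in_phone = "198.51.100.20", "192.0.2.10"
    decisions = [
        fw.packet("outside", "UDP", out_phone, 16384, in_phone, 20000),
        fw.packet("outside", "UDP", out_phone, 16384, in_phone, 20000),
        fw.packet("inside", "UDP", in_phone, 20000, out_phone, 16384),
        fw.packet("outside", "UDP", out_phone, 16384, in_phone, 20000),
    ]
    return decisions, fw.log


if __name__ == "__main__":
    for row in ("TCP outside 198.51.100.5:2000 inside 192.0.2.10:49152, idle 0:00:26, bytes 16208, flags UIO",
                "UDP outside 198.51.100.20:16384 inside 192.0.2.10:20000, idle 0:00:00, bytes 4879984, flags -"):
        c = parse_conn_line(row)
        print(c["proto"], c["flags"], c["flags_meaning"], "outside-initiated:", c["initiated_from_outside"])
    decisions, log = replay_call_scenario()
    print(decisions)
    print("\n".join(log))
```

Reading the replayed log top to bottom gives the same three lines as the question's attachment in chronological order: two denies, then one build. On a real ASA, `show conn detail` on the UDP entry and the 302015/106006 messages together are the evidence to look at when a flow passes that the policy was expected to block; the `B` flag (TCP) and the inbound/outbound word in the build message tell you which side opened it.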



hubemark Thu, 08/07/2008 - 05:31

Yes, I can establish a normal two-way voice call and can also talk through.

Which inspections do you mean?

I have turned off all inspections.

Are there any invisible inspections in the background?

Normally I should see two UDP connections for one voice call, right?


hubemark Thu, 08/07/2008 - 23:16

sh run all policy-map shows no policy maps.

That's what I want to have, no policy maps, no inspections.

The question is, why do I have this behaviour with no inspections turned on?

Are there any "side effects" with disabling all inspections?

Farrukh Haroon Fri, 08/08/2008 - 02:53

Of course, MANY side effects. FTP won't work, TFTP might not either. X-Window won't work. SMTP 'security'/sanity checks will not be performed.

And the list goes on and on.
