12-15-2008 10:36 PM - edited 03-11-2019 07:26 AM
Hi All,
I have a scenario wherein SIP sessions need to be established across the FWSM. The following is the scenario:-
On the FWSM there is a DMZ on which all voice devices reside, which includes the call manager, voice routers and IP phones. The voice routers are on HSRP with 192.168.3.254 as the virtual IP address. The SIP session will be initiated by the voice router to a public IP address of the provider, say A.A.A.A, i.e. SRC=B.B.B.B DEST=A.A.A.A (outgoing). Here B.B.B.B is a public IP address in our range. We will get incoming calls as SRC=A.A.A.A DEST=B.B.B.B.
A.A.A.A = Provider SIP Public Ip address
B.B.B.B = Our SIP Public IP address
Outgoing Call SRC=B.B.B.B ----> DEST=A.A.A.A
(Session initiated by dmz Voice router)
Incoming Call SRC=A.A.A.A ----> DEST=B.B.B.B
This means that there is one public IP (B.B.B.B) from our side that is used for all SIP transactions (incoming and outgoing). Also, one public IP (A.A.A.A) is used by the ISP for all SIP transactions (incoming and outgoing).
The following is the configuration that I tried out:-
nat (dmzVOICE) 2 access-list UDP-SIP
global (OUTSIDE) 2 B.B.B.B
access-list FR_OUTSIDE extended permit udp host A.A.A.A host B.B.B.B eq sip
access-list FR_dmzVOICE extended permit ip any any log
access-list UDP-SIP extended permit udp host 192.168.3.254 host A.A.A.A eq sip
access-group FR_OUTSIDE in interface OUTSIDE
access-group FR_dmzVOICE in interface dmzVOICE
static (dmzVOICE,OUTSIDE) udp B.B.B.B sip 192.168.3.254 sip netmask 255.255.255.255
The following are the results with this configuration:-
Incoming call
%FWSM-3-106011 Deny inbound (No xlate) tcp src OUTSIDE:A.A.A.A/54073 dst OUTSIDE:B.B.B.B/5060
I have allowed access from the provider IP A.A.A.A to our IP B.B.B.B on UDP 5060 and applied it on OUTSIDE in the inbound direction.
Then I have a static for our IP B.B.B.B to 192.168.3.254.
Outgoing Call
One way speech.
Please help. Any suggestions or documentation/best practices on SIP through FWSM would be welcome.
Regards
Sonu.
12-15-2008 11:08 PM
You are doing a translation for UDP but the error message indicates that the ISP is sending 'TCP' data. Why don't you just do a simple one-to-one static mapping? And do any access control required using ACLs. Using port redirection for voice is not that advisable anyway.
static (dmzVOICE,OUTSIDE) B.B.B.B 192.168.3.254 netmask 255.255.255.255
Also the nat/global commands are not required, the static command is bi-directional. As in it will allow both dmz >> outside and outside >> dmz translation.
Regards
Farrukh
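The diagnosis in the reply (the static only builds UDP xlates, so a TCP packet to the same address and port hits "No xlate") can be checked mechanically. The following is an added Python example, not code from the thread or from Cisco: it parses a 106011 deny message and the two static forms shown above and reports whether the failure is a protocol/port mismatch; the sample log line and static statements are constructed from the ones quoted in the thread.

```python
import re

# Constructed sample input, in the same shape as the syslog line and the
# static statements quoted in the thread (hypothetical, for illustration).
DENY_LINE = ("%FWSM-3-106011 Deny inbound (No xlate) tcp "
             "src OUTSIDE:A.A.A.A/54073 dst OUTSIDE:B.B.B.B/5060")
PORT_STATIC = ("static (dmzVOICE,OUTSIDE) udp B.B.B.B sip "
               "192.168.3.254 sip netmask 255.255.255.255")
PLAIN_STATIC = "static (dmzVOICE,OUTSIDE) B.B.B.B 192.168.3.254 netmask 255.255.255.255"

DENY_RE = re.compile(
    r"%FWSM-3-106011 Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[^/]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[^/]+)/(?P<dport>\d+)")
# Port-redirect form: static (in,out) <tcp|udp> <global> <gport> <local> <lport> ...
PORT_STATIC_RE = re.compile(
    r"static \(\w+,(?P<out>\w+)\) (?P<proto>tcp|udp) (?P<glob>\S+) "
    r"(?P<gport>\S+) (?P<local>\S+) (?P<lport>\S+)")
# One-to-one form: static (in,out) <global> <local> netmask ...
PLAIN_STATIC_RE = re.compile(
    r"static \(\w+,(?P<out>\w+)\) (?P<glob>\S+) (?P<local>\S+) netmask")
NAMED_PORTS = {"sip": 5060}  # the FWSM accepts port names; only the one used here is mapped

def parse_static(line):
    """Describe which inbound flows a static statement will translate."""
    m = PORT_STATIC_RE.match(line)
    if m:  # port static: one protocol, one global port
        p = m["gport"]
        return {"out": m["out"], "glob": m["glob"], "proto": m["proto"],
                "port": int(p) if p.isdigit() else NAMED_PORTS[p]}
    m = PLAIN_STATIC_RE.match(line)
    if m:  # one-to-one static: any protocol, any port
        return {"out": m["out"], "glob": m["glob"], "proto": None, "port": None}
    raise ValueError("unrecognised static: " + line)

def explain_deny(deny_line, statics):
    """Match a 106011 'No xlate' deny against the statics and say why none applied."""
    d = DENY_RE.match(deny_line)
    if not d:
        return "not a 106011 No-xlate message"
    mismatch = None
    for s in map(parse_static, statics):
        if s["out"] != d["dif"] or s["glob"] != d["dst"]:
            continue  # static is for another interface or global address
        if s["proto"] is None or (s["proto"] == d["proto"] and s["port"] == int(d["dport"])):
            return "covered: a static on %s translates %s for %s" % (d["dif"], d["dst"], d["proto"])
        mismatch = ("protocol/port mismatch: static only translates %s/%d but the denied "
                    "packet is %s/%s" % (s["proto"], s["port"], d["proto"], d["dport"]))
    return mismatch or "no static for %s on %s" % (d["dst"], d["dif"])
```

Run against the question's UDP-only static it reports the mismatch; against the one-to-one static from the reply it reports the flow as covered.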