How to allow SIP traffic on an ASA 5520?

Jul 3rd, 2009
I have installed an ASA 5520 and am using Unified Communications. The network config is:


Can someone help me allow SIP traffic on the ASA, i.e. the access-list syntax?

We use NAT on the ASA, so 10.x.x.1 is the private address and 150.x.x.1 is the public address of the CM. I want to set up a SIP trunk to a third-party provider (in this case the SIP proxy IP is 195.x.x.15), which is a remote IP, but I want to allow the SIP traffic on the ASA.

Any help will be appreciated.


Kureli Sankar (Cisco Employee) Fri, 07/03/2009 - 05:57

Do you have an access-list applied on the higher-security interface? If not, you just need to add inspect sip to your configuration.

Otherwise you need to add the permits to the inside ACL as well:

access-list inside-acl permit tcp host 10.x.x.1 host 195.x.x.15 eq 5060
access-list inside-acl permit udp host 10.x.x.1 host 195.x.x.15 eq 5060

Add the other permits to the ACL as well, like:

access-list inside-acl permit tcp any any eq 80
access-list inside-acl permit tcp any any eq 443
access-list inside-acl permit tcp any any eq 25
access-list inside-acl permit tcp any any eq 21
access-group inside-acl in interface inside

policy-map global_policy
 class inspection_default
  inspect sip

wahidayat007 Mon, 07/06/2009 - 03:01
Thanks for your reply. I tried the above ACL, but it did not work, and the customer complained that other services (web/mail/VPN) went down. Can you tell me why the above ACL would take down those services? Is there any command I can use to see the error messages if I apply the wrong ACL?

We use NAT, and I put in the statements below:

access-list inside_nat0_outbound permit tcp host 10.X.X.1 host 195.X.X.1 eq 5060
access-list inside_nat0_outbound permit udp host 10.X.X.1 host 195.X.X.1 eq 5060

Why would these ACLs impact other services? The customer is asking for the reason.

Can you help regarding this issue?


Kureli Sankar (Cisco Employee) Mon, 07/06/2009 - 04:10

Where is this ACL applied? From the name, it sounds like it is tied to the nat 0 ACL. Is this correct? If so, you cannot use ports and protocols in those access-lists; you need to use permit or deny ip.

I had given you a sample to tie an access-list to the higher-security interface.

NAT exemption (nat 0 w/ ACL):
We support denies and permits in the ACE.
We do not support ports or protocols in the ACE.

Policy NAT (nat 1 w/ ACL):
We do not support denies in the ACE.
We support ports and protocols in the ACE.
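
An added configuration example, not posted by anyone in this thread, that puts the two answers together in pre-8.3 ASA syntax (what a 2009 ASA 5520 runs). It uses the thread's placeholder addresses; the ACL name inside-acl, the static NAT for the CM (10.x.x.1 to 150.x.x.1), the explicit logged deny and the DNS server placeholder are assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax.
! Assumed: CM is statically translated 10.x.x.1 -> 150.x.x.1 (the thread only
! says "10.x.x.1 is private, 150.x.x.1 is public"); <DNS-SERVER> is a placeholder.
static (inside,outside) 150.x.x.1 10.x.x.1 netmask 255.255.255.255
!
! Interface ACL on the inside interface. Once an ACL is bound to an interface,
! every flow it does not permit is dropped (implicit deny), so a list that only
! carries SIP/80/443/25/21 cuts off DNS and anything else inside hosts start.
! SIP is scoped to the provider proxy only; list each service actually needed.
access-list inside-acl extended permit tcp host 10.x.x.1 host 195.x.x.15 eq 5060
access-list inside-acl extended permit udp host 10.x.x.1 host 195.x.x.15 eq 5060
access-list inside-acl extended permit udp any host <DNS-SERVER> eq 53
access-list inside-acl extended permit tcp any any eq 80
access-list inside-acl extended permit tcp any any eq 443
access-list inside-acl extended permit tcp any any eq 25
! Explicit logged deny: "show access-list inside-acl" then shows hit counts and
! the syslog shows which flows the ACL is dropping.
access-list inside-acl extended deny ip any any log
access-group inside-acl in interface inside
!
! SIP inspection opens the RTP pinholes negotiated in SDP and rewrites the
! private address the CM embeds in SIP headers to the translated one.
policy-map global_policy
 class inspection_default
  inspect sip
!
! If a NAT exemption (nat 0) ACL is used, its ACEs match on ip only; a line with
! tcp/udp and eq 5060 belongs in the interface ACL above, not here.
!   access-list inside_nat0_outbound extended permit ip host 10.x.x.1 host 195.x.x.15
!   nat (inside) 0 access-list inside_nat0_outbound
```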

