Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2085
Views
0
Helpful
4
Replies

How to allow the SIP traffice on ASA 5520 ?

wahidayat007
Level 1
Level 1

‎07-03-2009 02:36 AM - edited ‎03-11-2019 08:50 AM

Hi,

I have installed ASA 5520, and using Unified communication. Network config is:

CM---3845---ASA-5520---Internet---SIP-proxy

Can some one help to allow the SIP traffic on ASA, the Access list syntax!

we use NAT on ASA! So 10.x.x.1 is the private address & 150.x.x.1 is the public address of CM! I want to setup SIP trunk to the third party provider--In this case (SIP proxy IP is 195.x.x.15 ) which is remote IP, but I want to allow the SIP traffic on the ASA!

Any help will be appreciated ?

Thanks

Labels:
0 Helpful
4 Replies 4

Kureli Sankar
Cisco Employee
Cisco Employee

‎07-03-2009 05:57 AM

Do you have an access-list applied on the higher security interface? If not you just need to add inspect sip in your configuration.

Otherwise you need to add permission on the inside acl as well.

access-l inside-acl permit tcp host 10.x.x.1 host 195.x.x.15 eq 5060

access-l inside-acl permit udp host 10.x.x.1 host 195.x.x.15 eq 5060

.

.

.

add the other permissions in the acl like

access-l inside-acl permit tcp any any eq 80

access-l inside-acl permit tcp any any eq 443

access-l inside-acl permit tcp any any eq 25

access-l inside-acl permit tcp any any eq 21

access-g inside-acl in int inside

policy-map global_policy

class inspection_default

inspect sip

0 Helpful

wahidayat007
Level 1
Level 1
In response to Kureli Sankar

‎07-06-2009 03:01 AM

Thanks for your reply, I tried the above acl, but it did not work, and customer complained that other services web/mail/vpn down, Can you tell me why the above acl will put down the services, is there any command that I can see the error messages if I apply the wrong acl.

We use Nat and the I put the below statements.

-access-list inside_nat0_outbound permit tcp host 10.X.X.1

195.X.X.1 5060

access-list inside_nat0_outbound permit udp host 10.X.X.1

195.X.X.1 5060

why would this these acl would impact other services ? Customer is asking for reason.

Can you help regarding this issue,

Thanks

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to wahidayat007

‎07-06-2009 04:10 AM

Where is this acl applied? With the name it sounds like it is tied to nat 0 acl. Is this correct? If so, you cannot use ports and protocols in those access-lists. You need to use permit or deny ip.

I had given you a sample to tie an access-list to the higher security interface.

Nat excemption (nat 0 w/acl)

We support denies and permits in the ACE.

We do not support ports or protocols in the ACE.

Policy nat (nat 1 w/acl)

We do not support denies in the ACE

We support ports and protocols in the ACE

0 Helpful

wahidayat007
Level 1
Level 1
In response to Kureli Sankar

‎07-08-2009 03:58 AM

Applied to

nat (inside) 0 access-list nonat

?

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card