Allowing inside network to access VOIP over the Internet using PAT and SIP

Unanswered Question
Nov 17th, 2009

I am trying to have internal users behind an ASA use a VOIP application. The vendor mentioned to me that their application needs SIP to extend UDP ports 5060 to 5063. Below is what I did.

object-group service Five9_SIP udp
 description Five9 UDP Ports
 port-object range sip 5063
access-list From_Internet_In extended permit tcp 72.5.65.0 255.255.255.0 interface outside eq sip
access-list From_Internet_In extended permit udp 72.5.65.0 255.255.255.0 interface outside object-group Five9_SIP
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect pptp
  inspect sip
!
service-policy global_policy global

I know from various forums that a static (inside,outside) might be needed but I am doing PAT (i.e. global outside 1 interface).

Regards,

Poonguzhali Sankar Fri, 11/20/2009 - 08:10

I tried to look for firewall configuration information on five9.com (http://www.five9.com/virtual-call-center-software/features/voip.htm), but was not able to find anything useful.

Our ASA5505 with standard nat/global works fine out of the box if you read this thread in the forum to open SIP ports

https://supportforums.cisco.com/message/1319197#1319197

These applications should be able to establish all connections from a higher level security to lower level security even if you do not have an acl applied on the higher level security level. This is true only for the PIX/ASA platform.

Here is the config. guide link for SIP inspection:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1204403


•If a remote endpoint tries to register with a SIP proxy on a network protected by the security appliance, the registration fails under very specific conditions, as follows:
–PAT is configured for the remote endpoint.
–The SIP registrar server is on the outside network.
–The port is missing in the contact field in the REGISTER message sent by the endpoint to the proxy server.

So, you are hiding a bunch of computers behind a PAT pool. Say, for example, one of the hosts in the 72.5.65.0/24 tries to access the outside IP of your ASA on a SIP port the firewall is not listening on: what do you expect the firewall to do? It will just drop it.

These ACLs don't mean anything without a static line that tells the firewall where to send the packet.

access-list From_Internet_In extended permit tcp 72.5.65.0 255.255.255.0 interface outside eq sip
access-list From_Internet_In extended permit udp 72.5.65.0 255.255.255.0 interface outside object-group Five9_SIP


The take away here is that you cannot reach a device hiding behind a PAT pool from the outside.

Please double check with Five9 and ask them if they meant that the PCs on the inside should be able to establish connections to their 72.5.65.0 255.255.255.0 IPs via TCP 5060 and 5063.

Tshi M Mon, 11/23/2009 - 05:03

Hi Kusankar,

I totally agree with the point that the ACL does not mean much without a proxy server behind the firewall, and I pointed this out to the vendor. The 72.5.65.0/24 is Five9's subnet mask and not our internal subnet.

In any case, we have had a 5510 at a different location and the application works fine without adding any special commands on the ASA. We are now using a 5580 and I had to remove inspect sip for the application to work. I have to point out that the vendor made some upgrade to their application, so I am not quite sure if it is the application or the ASA5580 version 8.1(2).

The vendor had recommended an ACL to match the class-map, but all that did was prevent our users from using PPTP.

Regards,

alexhartmaier Mon, 11/23/2009 - 08:20

I've found a bug where the SIP UDP packets' destination port isn't changed by the ASA when going from the registrar SIP server to the SIP client.

You can check this with sh sip and show xlate, or by sniffing on the client.

You will see UDP packets from the SIP server to your IP with the destination port that the ASA assigned on its outside interface by PAT for the SIP connection from you to the SIP server.
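The two mechanisms discussed in this thread, the registration failure behind PAT quoted from the ASA guide in the first reply and the inbound port mapping that alexhartmaier suggests checking with show xlate, are easier to reason about with a small model in hand. The following Python is an added example and not code from the thread, from Cisco, or from Five9: it models interface PAT as an xlate table, models what 'inspect sip' must do to the Contact header of an outbound REGISTER, and shows which inbound packets from the registrar can be forwarded at all. All addresses, the REGISTER text, the class and function names, and the port allocation order are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses for the example (RFC 5737 documentation ranges); none
# of these come from the thread.
INSIDE_CLIENT = ("192.168.10.25", 5060)   # softphone behind the ASA
ASA_OUTSIDE_IP = "203.0.113.7"            # the "global (outside) 1 interface" address


@dataclass
class PatTable:
    """Toy model of the ASA xlate table under interface PAT (hypothetical)."""
    outside_ip: str
    next_port: int = 1024
    to_outside: Dict[Tuple[str, int], int] = field(default_factory=dict)
    to_inside: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def translate(self, inside: Tuple[str, int]) -> Tuple[str, int]:
        """Outbound: allocate (or reuse) an outside port for an inside ip:port."""
        if inside not in self.to_outside:
            port = self.next_port
            self.next_port += 1
            self.to_outside[inside] = port
            self.to_inside[port] = inside
        return (self.outside_ip, self.to_outside[inside])

    def untranslate(self, outside_port: int) -> Optional[Tuple[str, int]]:
        """Inbound: only a packet to an existing xlate port has somewhere to go."""
        return self.to_inside.get(outside_port)


class RegistrationFailure(Exception):
    """Raised when the inspection engine cannot make the REGISTER reachable."""


# Contact header with a host and an optional port. Simplified on purpose;
# real SIP allows many more Contact forms than this.
CONTACT_RE = re.compile(r"^(Contact:\s*<sip:[^@>]*@)([\d.]+)(?::(\d+))?(>.*)$", re.M)


def build_register(contact_host: str, contact_port: Optional[int]) -> str:
    """Constructed REGISTER from an inside softphone (only the fields we inspect)."""
    contact = contact_host if contact_port is None else f"{contact_host}:{contact_port}"
    return (
        "REGISTER sip:registrar.example SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {contact};branch=z9hG4bK776asdhds\r\n"
        "From: <sip:alice@registrar.example>;tag=1928301774\r\n"
        "To: <sip:alice@registrar.example>\r\n"
        "Call-ID: constructed-call-id-1\r\n"
        "CSeq: 1 REGISTER\r\n"
        f"Contact: <sip:alice@{contact}>\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def inspect_register(message: str, pat: PatTable, src: Tuple[str, int]) -> Tuple[str, int]:
    """Model 'inspect sip' on an outbound REGISTER.

    PAT only rewrites the IP/UDP headers; the inspection engine also has to
    rewrite the Contact header, otherwise the registrar learns a private
    ip:port it can never reach. Returns (rewritten message, outside port).
    Raises RegistrationFailure when the Contact carries no port: with no port
    to map, the registrar would address the outside IP on the default 5060,
    which is the failure condition quoted from the ASA guide above.
    """
    outside_ip, outside_port = pat.translate(src)
    m = CONTACT_RE.search(message)
    if m is None:
        raise RegistrationFailure("no Contact header")
    if m.group(3) is None:
        raise RegistrationFailure("Contact has no port; nothing to map to the PAT port")
    rewritten = CONTACT_RE.sub(
        lambda mm: f"{mm.group(1)}{outside_ip}:{outside_port}{mm.group(4)}",
        message, count=1)
    return rewritten, outside_port


def deliver_inbound(pat: PatTable, dst_port: int) -> Optional[Tuple[str, int]]:
    """Model a packet from the registrar arriving on the outside interface.

    It is forwarded only when its destination port matches an xlate entry;
    anything else aimed at the outside IP (including plain 5060) is dropped,
    which is why an inbound ACL on its own achieves nothing behind PAT.
    """
    return pat.untranslate(dst_port)


def walkthrough() -> dict:
    """Run both directions once and report what each side sees."""
    pat = PatTable(ASA_OUTSIDE_IP)
    out_msg, pat_port = inspect_register(build_register(*INSIDE_CLIENT), pat, INSIDE_CLIENT)
    return {
        "registrar_sees_contact": CONTACT_RE.search(out_msg).group(0).strip(),
        "reply_to_pat_port": deliver_inbound(pat, pat_port),   # forwarded to the client
        "reply_to_5060": deliver_inbound(pat, 5060),           # no xlate entry: dropped
    }


if __name__ == "__main__":
    print(walkthrough())
```

The model deliberately leaves the Via header untouched and does not rewrite the inside port back to 5060 on the way in; on a real ASA the inspection engine has to do both, and the symptom alexhartmaier describes (the client receiving packets addressed to the PAT port rather than to its own SIP port) is exactly what the inbound half of that rewrite looks like when it is missing. Compare the output of show xlate with a capture on the client to tell the two apart.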

Posted November 17, 2009 at 7:53 AM. Replies: 3, Views: 1011.