Here is a basic layout of the network. There are 6 locations on an MPLS network that reside behind an ASA 5510 for internet. The ASA is the last resort for routing; all internal routing is handled by a Core router in the MPLS infrastructure. At each site is a Polycom Video phone. On the ASA are static 1:1 maps for each phone. If one site calls another via the mapped public IP, they work just fine, they are hairpinned on the ASA, everything is happy. When a call is placed to an outside IP, this is where things go screwy.
The ASA has version 8.2(2) installed on it.
The one we were working with is 192.168.2.15, mapped to public x.x.x.97. A call was placed internally to 184.108.40.206, which is a Polycom address. The ASA ACL has permit ip any to host, and icmp any to host, so basically nothing should be blocked. I can ping fine both ways, and see the correct translations, etc. However, when the call is initiated, I immediately get Deny TCP (no connection) on port 5060 from both the public mapped IP and the destination IP, in both directions.
I ran a capture that included both the public IPs and the private IPs in both directions. The capture came back with some interesting results. I see the packet enter the inside interface from the private IP, exit to the public IP, I see the return packet from the public IP hit the mapped public IP, but I do not see it being untranslated back to the private IP.
4: 07:59:01.319548 220.127.116.11.5060 > x.x.x.97.5060: S 591883322:591883322(0) ack 3961120088 win 5840 <mss 1460,nop,nop,sackOK>
5: 07:59:04.290313 192.168.2.15.5060 > 18.104.22.168.5060: S 3833084348:3833084348(0) win 5840 <mss 1460,sackOK,timestamp 1803832 0,nop,wscale 5>
6: 07:59:04.320234 22.214.171.124.5060 > x.x.x.97.5060: S 591883322:591883322(0) ack 3961120088 win 5840 <mss 1460,nop,nop,sackOK>
When I run a PING though:
25: 07:43:59.257982 192.168.2.15 > 126.96.36.199: icmp: echo request
26: 07:43:59.289520 188.8.131.52 > x.x.x.97: icmp: echo reply
27: 07:43:59.289718 184.108.40.206 > x.x.x.97: icmp: echo reply
28: 07:43:59.289825 220.127.116.11 > x.x.x.97: icmp: echo reply
29: 07:43:59.289978 18.104.22.168 > 192.168.2.15: icmp: echo reply
Thinking it might have something to do with SIP and H323 inspection, I bypassed the inspect using an ACL and class map that denied the private and public mapped IPs from the inspection and allowed all else. This is something we found we needed to do for secure FTP through the firewall. No joy though, same results.
It appears as if the incoming packet is not being untranslated back to the private IP, but I can't seem to find any reason why. From the capture I can see the external connections, but without the response back to the internal, the connections are being dropped. One other thing I tried was increasing the DNS message length to 1500.
Any help on this would be appreciated.
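The diagnosis in the post hinges on one question: for each return packet that hits the mapped public address, does the capture also contain the same packet rewritten to the private address on the inside? Below is an added example (not from the post or from Cisco) that parses ASA `show capture` style lines and answers that question per flow, so the missing untranslation stands out instead of having to be spotted by eye. The capture text is a constructed sample in the same format as the post's output, not the poster's capture: 192.168.2.15 is the inside phone, 203.0.113.97 stands in for its 1:1 mapped public address, and 198.51.100.20 is an outside peer; it reproduces the symptom described (the TCP 5060 SYN/ACK arrives at the mapped address but is never seen heading to the private address, while the ICMP echo reply is).

```python
import re
from collections import namedtuple

# Constructed sample in the format of Cisco ASA "show capture" output (not the
# poster's own capture). 192.168.2.15 = inside phone, 203.0.113.97 = stand-in for
# its static 1:1 mapped public address, 198.51.100.20 = outside peer.
SAMPLE_CAPTURE = """\
1: 07:59:04.290313 192.168.2.15.5060 > 198.51.100.20.5060: S 3833084348:3833084348(0) win 5840 <mss 1460,sackOK>
2: 07:59:04.290401 203.0.113.97.5060 > 198.51.100.20.5060: S 3833084348:3833084348(0) win 5840 <mss 1460,sackOK>
3: 07:59:04.320234 198.51.100.20.5060 > 203.0.113.97.5060: S 591883322:591883322(0) ack 3833084349 win 5840 <mss 1460,nop,nop,sackOK>
4: 07:59:10.257982 192.168.2.15 > 198.51.100.20: icmp: echo request
5: 07:59:10.258010 203.0.113.97 > 198.51.100.20: icmp: echo request
6: 07:59:10.289520 198.51.100.20 > 203.0.113.97: icmp: echo reply
7: 07:59:10.289978 198.51.100.20 > 192.168.2.15: icmp: echo reply
"""

Packet = namedtuple("Packet", "num ts src sport dst dport proto flags")

# "<n>: <hh:mm:ss.usec> <src> > <dst>: <rest>"
LINE_RE = re.compile(
    r"^\s*(\d+):\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")


def split_endpoint(token):
    """'a.b.c.d.port' -> ('a.b.c.d', port); a bare 'a.b.c.d' (ICMP) -> ('a.b.c.d', None)."""
    if token.count(".") == 4:
        host, port = token.rsplit(".", 1)
        return host, int(port)
    return token, None


def parse_capture(text):
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a packet line
        num, ts, src_tok, dst_tok, rest = m.groups()
        src, sport = split_endpoint(src_tok)
        dst, dport = split_endpoint(dst_tok)
        if rest.startswith("icmp:"):
            proto, flags = "icmp", rest.split(":", 1)[1].strip()
        else:
            proto = "tcp"
            # tcpdump-style flags: a SYN line carrying an "ack" field is a SYN/ACK
            flags = "SYN/ACK" if rest.startswith("S") and " ack " in rest else rest.split()[0]
        packets.append(Packet(int(num), ts, src, sport, dst, dport, proto, flags))
    return packets


def check_untranslation(packets, private_ip, mapped_ip):
    """For every packet arriving at the mapped public address, report whether the
    same packet is later seen destined to the private address, i.e. whether the
    ASA un-NATed it and forwarded it toward the inside interface."""
    results = {}
    for i, p in enumerate(packets):
        if p.dst != mapped_ip:
            continue
        key = (p.proto, p.src, p.sport, p.dport, p.flags)
        results[key] = any(
            q.dst == private_ip and q.src == p.src and q.proto == p.proto
            and q.sport == p.sport and q.dport == p.dport
            for q in packets[i + 1:])
    return results


def missing_untranslations(packets, private_ip, mapped_ip):
    """Flows whose return traffic reached the mapped address but was never untranslated."""
    return [k for k, ok in check_untranslation(packets, private_ip, mapped_ip).items() if not ok]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for key, ok in check_untranslation(pkts, "192.168.2.15", "203.0.113.97").items():
        state = "untranslated OK" if ok else "NOT untranslated (dropped before the inside interface)"
        print(f"{key}: {state}")
```

Feed it the output of `show capture <name>` for a capture that matches both the private and the mapped addresses on both interfaces, as the post describes; any flow listed by `missing_untranslations` is a return packet the ASA accepted at the outside address but did not hand to the inside host, which is exactly the gap behind a "Deny TCP (no connection)" for that flow.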