25070 Views | 0 Helpful | 5 Replies

SIP through an ASA, NAT'ing question.

Hi I have a question regarding allowing SIP traffic through an ASA.

I have the following situation.


'LAN A' with Call Manager and Phones  <--->  ASA 5520(running 8.3) <-----> internet <---> Another 3rd Party Firewall <--------->  'LAN B' 2 Cisco IP Phones

The remote phones in 'LAN B' will be configured to send SIP traffic to the Call Manager in 'LAN A'

Now I want to let my phones in the LAN make calls to the 2 Cisco IP Phones behind the other firewall.

To make calls FROM 'LAN A' to the phones in 'LAN B' on the ASA 5520, I was thinking I need to:

1) Enable SIP inspection and RTSP inspection.
2) Put in a static NAT translation and ACE to expose the Cisco Call Manager to the remote phones.
3) Put in a rule allowing outbound SIP traffic to the remote phones.
4) Set up priority queuing for VoIP.

My questions are:

1) Does this sound sufficient from the point of view of the ASA 5520 configuration? If not, what am I missing?

2) From my understanding the SIP inspection will NAT the IPs of the phones for the RTP (voice) and open up pinholes. Does this mean I should not need to create any NATs or ACLs for the RTP traffic? If this is true, how does the SIP inspection decide what to NAT the phone IPs to for RTP traffic? I can't seem to find the answer anywhere.

3) Is the configuration similar if the traffic is Skinny instead?

Thanks in advance.

5 Replies

praprama (Cisco Employee)

Hi,

You can find details about SIP inspection below:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1743169

For Skinny inspection:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1743385

I am not really a voice guy, but for the RTP stream that is negotiated between the phones, the ASA will dynamically open up pinholes (after looking into the SIP payloads) as you have said. How the ASA decides to which IP the phone gets NATed (within the payload as well) depends on the NAT configuration on the ASA. You can find information about what all inspection for SIP does in the first link above under Technical details. Hope this helps.

With regards to Skinny, I would assume the above config would suffice (just replacing inspection for SIP with inspection for Skinny).

All the best!!

Regards,

Prapanch

Many thanks Prapanch,

I've had a read through the documentation you provided, especially under the 'technical documentation' section, but I can't seem to see where it explains what the outgoing RTP traffic is NAT'ed to, or what incoming address the remote phones would be told to reach.

Could you please show me the part that states how the NAT'ing works?

Cheers.

Hi Marcos,

Assuming that all the internal phones are being dynamically NATed to the outside interface IP of the ASA, I would assume the outgoing RTP stream would be NATed to the same IP address.

Also, my understanding of SIP is limited, but I think if you have dynamic NAT for both your IP phones (in LAN A) and the remote IP phones (LAN B), you will not be able to call between them.

Kindly attach the IP address details and the NAT configuration in the network for a better understanding.

Regards,

Prapanch

Hi Prapanch,

Once again thanks for your help.

I have not configured the firewalls for this setup yet as I am still planning my approach before implementing it.

However, the plan is the following.

A static NAT will be set up to expose the internal Call Manager. So for example on "LAN A":

Call Manager - real IP: 192.168.1.10, NATed IP: 202.204.151.2

For SIP the phones speak to the Call Manager directly, and I understand how to allow this to happen of course; my question is how the SIP inspection will choose what IP to NAT the internal phones' IPs to.

I'm trying to determine if it would be 202.204.151.2 or something else, i.e. the interface IP, 202.204.151.1.

Surely Cisco must have documented this somewhere.

NOTE: These are not my actual IP addresses.

Hello Marcos,

Answering your query, you can refer to this link to better understand how SIP inspection works over NAT/PAT.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml#sip

Now in your scenario,

You definitely need the Call Manager IP to be static NAT'd because the internal phones need to reach the Call Manager to register.

The internal phones, while trying to register, will get out through the PAT'd IP (I could see that you have done a PAT of the outside interface). The management of each internal phone getting PAT'd to the same IP address and trying to make a call is governed by "inspect sip", which does more than inspecting SIP by controlling the RTP/RTCP stream.

Since the calling process involves accessing the Call Manager and the Call Manager redirecting the call to the proper phone, PAT works in this scenario even though both end phones are being PAT'd.

Hope this helps. Let me know if you have any other concerns.
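The plan discussed in this thread (static NAT for the Call Manager, PAT for the internal phones, SIP/Skinny inspection, priority queuing), written out as an ASA 8.3 configuration. This is an added illustration and is not configuration posted by Marcos or Prapanch. It reuses the thread's example addresses (Call Manager 192.168.1.10 exposed as 202.204.151.2, outside interface 202.204.151.1); the object names and the 203.0.113.0/24 placeholder for the LAN B phones are assumptions, since the thread never gives the remote addresses.

```cisco
! --- Object NAT (8.3 syntax). Names are chosen for this example. ---
object network CUCM_REAL
 host 192.168.1.10
 ! Static NAT exposes the Call Manager as 202.204.151.2 (addresses from the thread).
 nat (inside,outside) static 202.204.151.2
!
object network LAN_A_PHONES
 subnet 192.168.1.0 255.255.255.0
 ! Dynamic PAT to the outside interface IP (202.204.151.1 in the thread).
 ! SIP inspection rewrites the SDP c=/m= lines in calls from these phones to
 ! this same translated address and opens the RTP/RTCP pinholes, so no extra
 ! NAT rule or ACE is written for the media itself.
 nat (inside,outside) dynamic interface
!
object network LAN_B_PHONES
 ! Assumed placeholder for the public address range of the remote phones.
 subnet 203.0.113.0 255.255.255.0
!
! --- Inbound ACL. On 8.3+ the ACL matches the REAL (untranslated) address,
!     so the destination is the object holding 192.168.1.10, not 202.204.151.2.
access-list OUTSIDE_IN extended permit udp object LAN_B_PHONES object CUCM_REAL eq sip
access-list OUTSIDE_IN extended permit tcp object LAN_B_PHONES object CUCM_REAL eq sip
! Skinny (SCCP) variant: the phones register to the Call Manager on TCP 2000.
access-list OUTSIDE_IN extended permit tcp object LAN_B_PHONES object CUCM_REAL eq 2000
access-group OUTSIDE_IN in interface outside
!
! --- Inspection. inspect sip and inspect skinny are part of the default
!     global policy; confirm they are present instead of adding a second one.
policy-map global_policy
 class inspection_default
  inspect sip
  inspect skinny
!
! --- Priority queue for voice on the outside interface (step 4 of the plan).
priority-queue outside
class-map VOICE_RTP
 match dscp ef
policy-map OUTSIDE_POLICY
 class VOICE_RTP
  priority
service-policy OUTSIDE_POLICY interface outside
```

Because the static rule is a host entry and the PAT rule is a subnet entry, the host static wins for 192.168.1.10 and the rest of 192.168.1.0/24 falls through to the interface PAT; that ordering answers the question in the thread: media from an internal phone is seen from 202.204.151.1, not from the Call Manager's 202.204.151.2. To confirm on a live box, `show nat detail` lists the rule each flow matched, `show service-policy inspect sip` shows SIP inspection counters, and `show conn` shows the RTP pinholes the inspection opened while a call is up.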
