09-05-2010 03:30 AM - edited 03-11-2019 11:35 AM
Hi All,
In my NEW network there are 6 VoIP phones (Linksys SPA922). They are connected to an external VoIP PBX through the internet; NO VPN has been set up.
My firewall is a Cisco ASA 5505 with the Security Plus licence installed. My firewall has a public IP address on the outside interface and my internal network (PC + VoIP phones) is NATed.
I enabled SIP Inspection on ASA5505.
The VoIP phones register correctly with the PBX, I can call outside (for example I can call my mobile phone) and from outside the calls work well (from my mobile phone I can call my VoIP phone); the audio is good in both directions.
BUT when I try to call another internal VoIP phone I have an issue: the called phone starts to ring, but when I answer the call I cannot hear audio.
What can I do?
THANKS
Below is my Cisco ASA config:
ciscoasa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password vRvjDpmZ43rgmuOa encrypted
passwd vRvjDpmZ43rgmuOa encrypted
names
..
..
!
interface Vlan1
description PC Network
nameif inside
security-level 100
ip address 10.85.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
description FASTWEB WAN
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248
ospf cost 10
!
interface Vlan20
description Voip Network
nameif VOIP
security-level 100
ip address 10.85.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
…
…
…
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
…
…
…
mtu inside 1500
mtu outside 1500
mtu VOIP 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
icmp permit host IP-Venticento outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.xx netmask 255.0.0.0
global (outside) 2 interface
global (outside) 3 xx.xx.xx.xy netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 10.85.1.0 255.255.255.0
nat (VOIP) 1 10.85.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 yy.yy.yy.yy
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
…
…
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
...
...
dhcpd address 10.85.1.30-10.85.1.99 inside
dhcpd dns 85.18.200.200 89.97.140.140 interface inside
dhcpd option 3 ip 10.85.1.1 interface inside
dhcpd option 4 ip 193.204.114.232 interface inside
dhcpd enable inside
!
dhcpd address 10.85.2.30-10.85.2.99 VOIP
dhcpd dns 85.18.200.200 interface VOIP
dhcpd wins 89.97.140.140 interface VOIP
dhcpd option 3 ip 10.85.2.1 interface VOIP
dhcpd enable VOIP
!
ntp server 193.204.114.233
group-policy NewPolicy internal
username carl password rZyeNSp3vVXS1SBW encrypted privilege 15
tunnel-group zz.zz.zz.zz type ipsec-l2l
…
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
class-map global-class1
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect skinny rscp
parameters
message-id max 0x141
timeout media 0:01:00
timeout signaling 0:05:00
rtp-conformance
match message-id 0x3
drop log
policy-map type inspect im imtest
parameters
match service conference
drop-connection log
policy-map type inspect sip TEST
parameters
ip-address-privacy
max-forwards-validation action drop log
policy-map type inspect sip SIPTEST
parameters
ip-address-privacy
max-forwards-validation action drop log
state-checking action drop log
software-version action mask log
strict-header-validation action drop log
uri-non-sip action mask log
rtp-conformance enforce-payloadtype
match called-party regex _default_GoToMyPC-tunnel
drop log
policy-map type inspect sip Secure_SIP
parameters
ip-address-privacy
max-forwards-validation action drop log
state-checking action drop-connection log
software-version action mask log
strict-header-validation action drop log
no traffic-non-sip
uri-non-sip action mask log
rtp-conformance enforce-payloadtype
policy-map global-policy
class global-class
inspect sip TEST
class global-class1
inspect icmp
inspect pptp
class inspection_default
!
service-policy global-policy global
smtp-server 85.18.95.132
prompt hostname context
Cryptochecksum:f852b91f266359fda5c84a2cb85be894
: end
ciscoasa#
09-05-2010 07:45 AM
Hi Mario,
The problem is no audio between the two internal phones.
Once the phones are registered with the external PBX and the call is established, the audio just goes directly between the phones (this means the audio should not reach the ASA). It should be normal traffic in the internal network.
Are both phones on the same subnet?
Can you PING between phones?
Federico.
09-05-2010 11:01 AM
Hi Federico,
thanks for your answer.
Yes, I know that the communication is established directly between the phones and so it's normal internal traffic... but I think that the PBX has to tell this to the phones. I suspect that the PBX gives them bad information... I don't know....
However, yes, the phones are on the same internal subnet, they can ping each other and they can be pinged from my PC. They have IP addresses like 10.85.2.30/24 and 10.85.2.31/24, gateway 10.85.2.1.
Any other idea!?
thanks.
09-06-2010 08:18 AM
Hi Mario,
What I mean is that if one phone calls the other (and the other actually rings)... then the PBX is doing its job as far as calling the phone and trying to establish the call.
The called phone rings and the problem is that when someone answers there's no audio?
If this is so, I'd capture the communication between both phones with a sniffer.
Federico.
09-06-2010 09:00 AM
Yes Federico, the problem is that!
09-06-2010 09:22 AM
Mario,
Can you capture the traffic between both phones?
Like doing a SPAN on the switches so we can analyze it with Wireshark?
Federico.
09-07-2010 03:10 AM
Ok Federico,
I did Wireshark monitoring.
When I have an external call I can see RTP packets from my IP phone (10.85.1.52) going to the PBX (95.xx.xx.xx) and vice versa I can see the PBX going to 10.85.2.30, and in fact everything works fine.
When I have an External CALL I can see RTP packets from my IP phones (10.85.1.52 and 10.85.2.53) going to my Cisco WAN EXTERNAL IP ADDRESS but I cannot see packets coming back from the firewall.
See the attachment.
Bye
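The capture above shows both phones sending RTP to the ASA's outside address instead of to each other. One way to confirm where that address comes from is to look at the SDP body of the INVITE the PBX relays to the called phone: if its c= line carries the public NAT address rather than the caller's 10.85.2.x address, the phones will do exactly what the capture shows. The check below is an added example, not code from anyone in this thread; the SDP bodies are constructed, and the 89.96.155.5 address is the global NAT address from the poster's configuration.

```python
import ipaddress

# Constructed sample (not from the thread): the SDP a PBX relays to the
# called phone. In a working internal call c= would carry the caller's
# private address; here it carries the ASA's public NAT address, which is
# what the poster's capture shows the phones sending RTP to.
INTERNAL_NETS = [ipaddress.ip_network("10.85.1.0/24"),
                 ipaddress.ip_network("10.85.2.0/24")]

HAIRPIN_SDP = ("v=0\r\no=- 1 1 IN IP4 89.96.155.5\r\ns=-\r\n"
               "c=IN IP4 89.96.155.5\r\nt=0 0\r\n"
               "m=audio 16384 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n")
DIRECT_SDP = ("v=0\r\no=- 1 1 IN IP4 10.85.2.30\r\ns=-\r\n"
              "c=IN IP4 10.85.2.30\r\nt=0 0\r\n"
              "m=audio 16384 RTP/AVP 0 8\r\n")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_media_endpoint(sdp):
    """Return (ip, port) the peer will send audio RTP to.

    A media-level c= under m=audio overrides the session-level c= (RFC 4566).
    """
    session_ip = audio_ip = audio_port = None
    section = "session"
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line.split()
            section = fields[0][2:]          # "audio", "video", ...
            if section == "audio":
                audio_port = int(fields[1])
        elif line.startswith("c=IN IP4 "):
            if section == "session":
                session_ip = line.split()[2]
            elif section == "audio":
                audio_ip = line.split()[2]
    return (audio_ip or session_ip), audio_port

def classify_internal_call(sdp, caller_ip, callee_ip):
    """'direct' if the SDP points at an internal address; 'hairpin' if both
    phones are internal but the SDP points at a non-internal (NAT) address,
    which sends the RTP to the firewall's outside interface, not the peer."""
    media_ip, _ = parse_media_endpoint(sdp)
    if media_ip is None:
        return "no-audio-media"
    if is_internal(caller_ip) and is_internal(callee_ip) and not is_internal(media_ip):
        return "hairpin"
    return "direct"
```

Run it against the SDP pulled from the Wireshark capture of the INVITE that reaches the called phone; a "hairpin" result points at NAT/SIP-inspection address rewriting rather than at the phones or the PBX ringing logic.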
09-07-2010 05:24 AM
Hi
Could you tell me why you have not configured H.323 and SCCP?
The adaptive security appliance does not support VoIP inspection engines when you configure NAT on same security interfaces. These inspection engines include Skinny, SIP, and H.323.
Have you referred to the following example? If not, please go through it for the detailed config regarding VoIP on the ASA:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml
Also I am seeing a lot of policy maps, but your config is not very clear either; ideally, if you are calling both of your phones internally, then there should be NO NAT configured for those two LANs, which I believe is missing.
Also you have not configured the inspection for H.323 and SCCP as follows:
inspect h323 h225
inspect skinny
Have you followed the correct NATting for SIP as follows?
Application = SIP
Default Port = TCP/5060 UDP/5060
NAT Limitations = No outside NAT. No NAT on same security interfaces.
Standards = RFC 2543
Application = H.323 H.225 and RAS
Default Port = TCP/1720 UDP/1718 UDP (RAS) 1718-1719
NAT Limitations = No NAT on same security interfaces. No static PAT.
Standards = ITU-T H.323, H.245, H225.0, Q.931, Q.932
Correct me if I am wrong.
Regards,
Sachin.
09-12-2010 02:20 AM
I made a clearer configuration, I enabled H323, SCCP and RTCP and I made the NAT correctly, but the problem is still the same.
I don't have any problem on external outgoing and incoming calls, but when I have an internal call I cannot hear AUDIO.
Monitoring the ASA5505 logging, I don't see any dropped packets.
Below is the cleaned-up ASA configuration.
ciscoasa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password vRvjDpmZ43rgmuOa encrypted
passwd vRvjDpmZ43rgmuOa encrypted
names
!
interface Vlan1
description PC Network
nameif inside
security-level 100
ip address 10.85.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
description WAN
nameif outside
security-level 0
ip address 89.96.155.4 255.255.255.248
ospf cost 10
!
interface Vlan20
description Voip Network
nameif VOIP
security-level 100
ip address 10.85.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service ANY tcp-udp
port-object range 1 65535
object-group network DM_INLINE_NETWORK_1
network-object 10.85.1.0 255.255.255.0
network-object 10.85.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.85.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.85.1.0 255.255.255.0 10.80.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.85.1.0 255.255.255.0 10.80.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.85.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list outside_access_in extended permit ip 10.80.0.0 255.255.0.0 any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list VOIP_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list VOIP_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
logging from-address ciscoasa@domain.com
logging recipient-address alert@xxx.com level errors
mtu inside 1500
mtu outside 1500
mtu VOIP 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit host IP-Venticento outside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 89.96.155.5 netmask 255.0.0.0
global (outside) 2 interface
global (outside) 3 89.96.155.6 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 10.85.1.0 255.255.255.0
nat (VOIP) 1 10.85.2.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group VOIP_access_in in interface VOIP
access-group VOIP_access_out out interface VOIP
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.85.0.0 255.255.0.0 inside
http IP-Venticento 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
**
** crypto
**
telnet 10.85.1.0 255.255.255.0 inside
telnet IP-Venticento 255.255.255.255 outside
telnet timeout 5
ssh 10.85.1.0 255.255.255.0 inside
ssh IP-Venticento 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 10.85.1.30-10.85.1.99 inside
dhcpd dns 85.18.200.200 89.97.140.140 interface inside
dhcpd option 3 ip 10.85.1.1 interface inside
dhcpd option 4 ip 193.204.114.232 interface inside
dhcpd enable inside
!
dhcpd address 10.85.2.30-10.85.2.99 VOIP
dhcpd dns 85.18.200.200 interface VOIP
dhcpd wins 89.97.140.140 interface VOIP
dhcpd option 3 ip 10.85.2.1 interface VOIP
dhcpd option 4 ip 193.204.114.233 interface VOIP
dhcpd enable VOIP
!
ntp server 193.204.114.233
group-policy NewPolicy internal
username venticento password rZyeNSp3vVXS1SBW encrypted privilege 15
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group yy.yy.yy.yy type ipsec-l2l
tunnel-group yy.yy.yy.yy ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2
!
class-map global-class
match default-inspection-traffic
class-map global-class1
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im imtest
parameters
match service conference
drop-connection log
policy-map type inspect sip TEST
parameters
ip-address-privacy
max-forwards-validation action drop log
policy-map type inspect skinny SkynnyPolicy
parameters
rtp-conformance enforce-payloadtype
policy-map global-policy
class global-class
inspect sip TEST
inspect rtsp
inspect skinny SkynnyPolicy
inspect dns
inspect h323 h225
inspect h323 ras
inspect tftp
inspect mgcp
class global-class1
inspect icmp
inspect pptp
policy-map type inspect h323 H323policy
parameters
h245-tunnel-block action drop-connection
state-checking h225
state-checking ras
rtp-conformance enforce-payloadtype
!
service-policy global-policy global
smtp-server 85.18.95.132
prompt hostname context
Cryptochecksum:6f45e419d000cc20a722d22578ded76d
: end
ciscoasa#