ASA 5510 SIP and One way audio


I am banging my head against the wall as I am trying to figure this out. We have an Asterisk-based PBX running on a server and it is not VLAN'd or anything as we have a large pipe coming in. We are using NAT and the problem is that occasionally we have audio issues when we call out to an outside caller, and we can hear them, but they can't hear anything. I was trying to add it to my nat 0 group, but then there is no audio in or out.


Below are parts of our config from the ASA:




nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz2) 0 access-list dmz2_nat0_outbound
nat (dmz2) 0 access-list dmz2_nat0_outbound_1 outside

access-list mpl extended permit udp any host 66.213.98.12 eq sip
access-list mpl extended permit tcp host Nextiva host 66.213.98.12 eq sip
access-list mpl extended permit udp host Nextiva host 66.213.98.12 range 10000 20000
access-list mpl extended permit tcp any host 66.213.98.10 eq smtp
access-list mpl extended permit tcp any host 66.213.98.10 eq https
access-list mpl extended permit tcp any host 66.213.98.11 eq www
access-list mpl extended permit tcp any host 66.213.98.10 eq imap4
access-list mpl extended permit tcp any host 66.213.98.3 eq www
access-list mpl extended permit tcp any host 66.213.98.3 eq 10001
access-list mpl extended permit tcp any host 66.213.98.3 eq ssh
access-list mpl extended permit tcp any host 66.213.98.6 eq https
access-list mpl extended permit udp any host 192.168.0.53 eq ntp
access-list mpl extended permit udp any host 192.168.0.58 eq ntp
access-list mpl extended permit tcp any host 66.213.98.8 eq www
access-list mpl extended permit object-group TCPUDP any host 66.213.98.8 eq domain
access-list mpl extended permit tcp any host 66.213.98.5 inactive
access-list pixtosw extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list pixtonavarre extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list MPL_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list MPL_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list MPL_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list dmz2_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list MSS_Exceeded_ACL extended permit tcp any any
access-list dmz2_nat0_outbound_1 extended permit ip host 192.168.50.10 host 192.168.0.53

global (outside) 1 interface
global (outside) 1 66.213.98.12

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect ftp
  inspect http
  inspect pptp
  inspect rtsp
policy-map public-policy
 class public-class
  inspect http
  police output 1500000 1500
  police input 1500000 1500
policy-map qos
 class voice
  priority

priority-queue outside
  tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics
!
class-map public-class
 match any
class-map global-class
 match default-inspection-traffic
class-map voice
 match dscp ef

Julio Carvajal Wed, 04/25/2012 - 10:21

Hello Allen,


This is an issue with NAT, as the signaling works fine. The problem is that after the users answer the phone, it looks like the ASA is not able to determine that the signaling traffic and audio traffic have to go to the same device and that they are related to each other. As a result, the audio traffic is not translated properly between the address spaces.


I can see that you do not have an inspection for the SIP protocol.


Can you add it and give it a try:

policy-map global-policy
 class global-class
  inspect sip



Hope this helps.



Regards,



Do rate all the helpful posts



Julio

Julio Carvajal Wed, 04/25/2012 - 10:53

Hello Allen,


Next thing would be to do captures and debugs.

Please provide them:

debug sip
debug sip ha

Julio Carvajal Wed, 04/25/2012 - 11:12

Capture:


access-list capin permit ip host x.x.x.x(Local_endpoint) host y.y.y.y(Outside_Endpoint)
access-list capin permit ip host y.y.y.y host x.x.x.x

access-list capout permit ip host z.z.z.z (NATed IP address of the local_endpoint) host y.y.y.y
access-list capout permit ip host y.y.y.y host z.z.z.z

capture capin access-list capin interface inside circular-buffer
capture capout access-list capout interface outside circular-buffer


Then try to make a phone call and do a show cap capin and show cap capout. You should be able to see the packets in the capture.

Then we will need to download the captures to your computer (for that, go to a browser and enter the following:

https://inside_asa_ip_address/capture/capin/pcap
https://inside_asa_ip_address/capture/capout/pcap)

Then to do debugs just add the commands

debug sip ha
debug sip

and make a phone call. You should get a big output.

We need to see that.


Regards.

Julio Carvajal Wed, 04/25/2012 - 11:42

Hello,

That is because you do not have the sip inspection enabled.


Now I want you to clear all the captures and take them back but this time with the SIP enabled


clear cap /all


And add the

policy-map global-policy
 class global-class
  inspect sip

Then send the traffic and download the captures again and take the debugs.

GASHAW TURA Tue, 03/11/2014 - 17:30

I have the exact same issues and I am looking for an answer for the same problem.
