07-10-2012 07:09 AM
Hi,
we have an ASA running 8.2.2 (ASDM 6.2.5). VPN connections are working well.
But it's not possible to use a SIP client (phone or software) through an SSL tunnel.
So today I've tried to look in detail at this problem. I installed an Ubuntu system,
openconnect and ekiga as softphone. In our network everything is working without
any error. I used an external DSL connection to test everything over the VPN tunnel.
I can ping the SIP server and I can access the https frontend of the SIP server.
The client "seems" to connect as well. I can call the ekiga client, it's ringing and
I can speak and hear everything (most times).
Dialing from the ekiga client ALWAYS fails.
On the ASA there is no policy allowing or denying those connections.
a) How can I trace it on the ASA?
b) Has anybody seen this behavior? (only one-way communication)
Thanks and bye, Peer
07-10-2012 10:56 AM
Hello Peer,
you can use the packet capture function on the ASA to see & capture traffic coming into the ASA and leaving the ASA.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
you can also use the packet-tracer feature to mock a connection and see if it's passing the firewall as expected.
https://supportforums.cisco.com/docs/DOC-5796
This will provide you with extra insight on how the firewall is treating the traffic once it's received on the internal or external interfaces.
Thank you
Manish
07-10-2012 03:42 PM
Hi,
In general you do not require SIP inspection enabled on traffic flowing via VPN, as we do not require a dynamic pinhole to be opened and no NAT is required at layer 7. I would suggest disabling SIP inspection for this specific host and then trying to connect.
So go ahead and disable inspection for traffic coming via the VPN tunnel:

access-list test extended deny ip 172.16.10.0 255.255.255.0 172.17.10.0 255.255.255.0
access-list test extended deny ip 172.17.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list test extended permit ip any any

(make sure you have permit ip any any at the end to allow the rest of the traffic for inspection)

class-map inspection_default
 match access-list test

Regards,
Dinkar
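As an added illustration (not posted by anyone in this thread) of the tracing Manish suggests and the inspection check behind Dinkar's advice, here is an ASA CLI session that captures one SIP call from a VPN client and runs it through packet-tracer. Assumed values: VPN pool 172.16.10.0/24 with the softphone at 172.16.10.5, SIP server 172.17.10.10 on UDP 5060, TFTP host 192.0.2.20; replace them with your own.

```cisco
! Added example, not from the thread. Assumed addresses: softphone 172.16.10.5
! (VPN pool 172.16.10.0/24), SIP server 172.17.10.10, TFTP server 192.0.2.20.

! 1. Capture SIP signalling both ways on the inside interface. VPN traffic is
!    already decrypted at this point, so the SIP headers are readable.
capture sipcap interface inside match udp host 172.16.10.5 host 172.17.10.10 eq 5060

! 2. Capture all UDP between the two hosts (RTP media, the usual one-way-audio
!    suspect) with a larger buffer, because media fills the default quickly.
capture rtpcap interface inside buffer 1000000 match udp host 172.16.10.5 host 172.17.10.10

! 3. Record every packet the ASA drops, together with the drop reason.
capture dropcap type asp-drop all

! Now place a call FROM the softphone (the failing direction), then look:
show capture sipcap detail
show capture rtpcap
show capture dropcap | include 172.16.10.5

! Did the SIP inspection engine handle this connection? Compare the counters
! before and after the call; drops here point at "inspect sip", which is what
! Dinkar's class-map change takes the VPN subnet out of.
show service-policy inspect sip
show conn address 172.16.10.5 port 5060

! 4. Simulate the outbound INVITE through the rule base without sending a packet.
packet-tracer input inside udp 172.16.10.5 5060 172.17.10.10 5060 detailed

! Export the signalling capture for Wireshark, then clean up.
copy /pcap capture:sipcap tftp://192.0.2.20/sipcap.pcap
no capture sipcap
no capture rtpcap
no capture dropcap
```

If the INVITE appears in sipcap but the 200 OK or the RTP from the server side is missing, compare the SDP connection address in the captured INVITE with 172.16.10.5: a rewritten or unroutable address there is the classic symptom of an ALG interfering with a tunnelled call.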