ASA Allowing access for VOIP issues

Unanswered Question
Sep 23rd, 2014

Hi All,

I am an accidental administrator and need some assistance please. Our ASA firewall is apparently blocking our phone traffic, resulting in only one phone being active at a time. I've been told by the provider that port 5060 needs to be able to receive. Can someone help me with whatever I'm missing to make this work? What I have tried has not helped, and hopefully hasn't hurt anything else.

Here are some parts from the config:

ASA Version 9.1(2)

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.140.170 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.1
 vlan 2
 nameif inside
 security-level 100
 ip address 10.2.170.254 255.255.248.0
!
interface GigabitEthernet0/1.71
 vlan 71
 nameif voice
 security-level 100
 ip address 10.2.191.254 255.255.255.0
!
access-list inside_access_in extended permit ip 10.2.176.0 255.255.248.0 any
access-list inside_access_in extended permit tcp 10.2.176.0 255.255.248.0 any
access-list inside_access_in extended permit udp 10.2.176.0 255.255.248.0 any
access-list global_access extended permit icmp 10.2.176.0 255.255.248.0 any
access-list global_access extended permit ip object xxxxvpn any
access-list global_access extended permit ip object lanadmin any
access-list voice_access_in extended permit ip 10.2.191.0 255.255.255.0 any
access-list voice_access_in extended permit tcp 10.2.191.0 255.255.255.0 eq sip any
access-list outside_access_in extended permit ip any 10.2.191.0 255.255.255.0
access-list outside_access_in extended permit udp any eq sip 10.2.191.0 255.255.255.0
access-list outside_access_in extended permit tcp any eq sip 10.2.191.0 255.255.255.0
!
!!
nat (inside,outside) source static any interface
nat (voice,outside) source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group voice_access_in in interface voice
access-group global_access global

Thank you for your assistance!

Jouni Forss Wed, 09/24/2014 - 06:11

Hi,

Could you share the output of the following command?

show run nat

The thing that catches my eye on the above partial configuration is that there is a "static" type NAT configuration for the "inside" interface which binds "any" source address statically to the public IP address of the "outside" interface, since the parameter "interface" is used in the command. The "static" type configuration is typically used when you have a specific host for which you want to give a static public IP address or perhaps forward only specific ports. When you want to share a single public IP address for multiple hosts then the "nat" command typically uses the parameter "dynamic".

I mean this command:

nat (inside,outside) source static any interface

Now I am not sure if this is related to the problem but it's at least a NAT configuration that I would change.

You could actually do a Dynamic PAT for all the internal hosts/devices with the below command, in which case you would not need the above 2 commands at all. And actually the below Dynamic PAT configuration would only get used if the above NAT configurations were not on the device. The reason for this is that they are configured on higher priority, which comes from the fact that they don't have the parameter "after-auto" included in them.

nat (any,outside) after-auto source dynamic any interface

Have you looked at the real-time logs through the ASDM while attempting the connections through the firewall? This might give a hint on what the problem is if it's not NAT related.


- Jouni
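To check a `show run nat` dump for the two points raised in the answer above (a static NAT of "any" to the interface address, and an after-auto rule that higher-priority rules already cover for some interfaces), here is an added Python checker that is not part of the thread and not Cisco code; the sample `show run nat` text is constructed from the poster's two lines plus the suggested after-auto line, and only manual (twice) NAT lines are parsed.

```python
import re

# Added example, not the thread's own code. The ASA evaluates manual (twice) NAT in two sections:
# 1 = rules without "after-auto", 3 = rules with it (object NAT is section 2, not parsed here).
NAT_RE = re.compile(
    r"^nat \((?P<src>[^,]+),(?P<dst>[^)]+)\) (?:(?P<after>after-auto) )?"
    r"source (?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
)

# Constructed "show run nat" text: the poster's two lines plus Jouni's suggested one.
SAMPLE = """\
nat (inside,outside) source static any interface
nat (voice,outside) source dynamic any interface
!
nat (any,outside) after-auto source dynamic any interface
"""

def parse_nat(text):
    """Return manual NAT rules as dicts, in the order the ASA evaluates them."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append({"section": 3 if m.group("after") else 1,
                          "kind": m.group("kind"), "real": m.group("real"),
                          "mapped": m.group("mapped"),
                          "ifaces": (m.group("src"), m.group("dst"))})
    rules.sort(key=lambda r: r["section"])  # stable: config order kept within a section
    return rules

def audit(rules):
    """Flag a static NAT of 'any' and after-auto rules that earlier rules already cover."""
    findings = []
    for r in rules:
        if r["kind"] == "static" and r["real"] == "any":
            findings.append(f"section {r['section']} {r['ifaces']}: static NAT of 'any' to "
                            f"{r['mapped']}; shared PAT normally uses 'source dynamic'")
    for r in rules:
        if r["section"] != 3 or r["real"] != "any":
            continue
        for e in rules:
            if (e["section"] < 3 and e["real"] == "any"
                    and e["ifaces"][1] == r["ifaces"][1]
                    and r["ifaces"][0] in ("any", e["ifaces"][0])):
                findings.append(f"section 3 {r['ifaces']}: traffic from {e['ifaces'][0]} "
                                f"never reaches it; section {e['section']} {e['ifaces']} matches first")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_nat(SAMPLE))))
```

Paste your own `show run nat` output in place of SAMPLE; each finding names the section and interface pair so it can be matched back to the running config.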
