These applications should be able to establish all connections from a higher security level to a lower security level even if you do not have an ACL applied on the higher security level. This is true only for the PIX/ASA platform.
•If a remote endpoint tries to register with a SIP proxy on a network protected by the security appliance, the registration fails under very specific conditions, as follows:
–PAT is configured for the remote endpoint.
–The SIP registrar server is on the outside network.
–The port is missing in the contact field in the REGISTER message sent by the endpoint to the proxy server.
So, you are hiding a bunch of computers behind a PAT pool. Say, for example, one of the hosts in the 220.127.116.11/24 tries to access the outside IP of your ASA on a SIP port the firewall is not listening on. What do you expect the firewall to do? It will just drop it.
These ACLs don't mean anything without a static line that tells the firewall where to send the packet.
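Added example, not part of the original thread or of Cisco's documentation: a small parser that checks the third condition quoted above, a REGISTER whose Contact URI carries no explicit port. The sample messages, addresses and function names are constructed for illustration.

```python
import re

# Matches a sip:/sips: URI; captures scheme, host (name, IPv4 or [IPv6]), optional port.
URI_RE = re.compile(
    r"\b(sips?):(?:[^@<>\s]+@)?(\[[0-9A-Fa-f:.]+\]|[^:;>?\s,]+)(?::(\d+))?", re.I)

def contact_uris(message):
    """Yield (scheme, host, port-or-None) for every Contact URI in a SIP message."""
    head = message.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)          # unfold continuation lines
    for line in head.split("\r\n")[1:]:              # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("contact", "m"):  # "m" is the compact form
            for m in URI_RE.finditer(value):
                port = int(m.group(3)) if m.group(3) else None
                yield m.group(1).lower(), m.group(2), port

def register_contacts_missing_port(message):
    """Return hosts of Contact URIs without an explicit port (REGISTER only)."""
    if not message.startswith("REGISTER "):
        return []
    return [host for _, host, port in contact_uris(message) if port is None]

def build(method, contacts):
    """Build a constructed SIP request for the demo (not captured traffic)."""
    lines = [f"{method} sip:registrar.example.com SIP/2.0",
             "Via: SIP/2.0/UDP 192.0.2.10:5062;branch=z9hG4bKdemo",
             "To: <sip:alice@example.com>",
             "From: <sip:alice@example.com>;tag=1",
             "Call-ID: demo-1@192.0.2.10",
             "CSeq: 1 " + method] + contacts + ["Content-Length: 0"]
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed samples: portless Contact, Contact with port, folded compact header.
NO_PORT = build("REGISTER", ['Contact: "Alice" <sip:alice@192.0.2.10>;expires=3600'])
WITH_PORT = build("REGISTER", ["Contact: <sip:alice@192.0.2.10:5062;transport=udp>"])
MIXED = build("REGISTER", ["m: <sip:alice@[2001:db8::1]>,\r\n <sip:alice@192.0.2.10:5062>"])

if __name__ == "__main__":
    for label, msg in (("no port", NO_PORT), ("with port", WITH_PORT), ("mixed", MIXED)):
        print(label, "->", register_contacts_missing_port(msg))
```

Run it over a capture of the endpoint's REGISTER; a non-empty result means the message matches that documented condition, while the PAT and registrar-placement conditions still have to be confirmed from the ASA configuration.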
Re: Allowing inside network to access VOIP over the Internet usi
I totally agree with the point that the ACL does not mean much without a proxy server behind the firewall and I pointed this out to the vendor. The 18.104.22.168/24 is Five9 subnet mask and not our internal subnet.
In any case, we have had a 5510 at a different location and the application works fine without adding any special commands on the ASA. We are now using a 5580 and I had to remove inspect sip for the application to work. I have to point out that the vendor made some upgrades to their application, so I am not quite sure if it is the application or the ASA5580 version 8.1(2).
The vendor had recommended an ACL to match the class-map, but all that did was prevent our users from using PPTP.