09-07-2010 01:03 PM - edited 03-11-2019 11:36 AM
I have an ASA firewall placed at the perimeter network and a host in the inside network.
I have only allowed this host to make VoIP calls using a 3rd-party VoIP service called Jumblo (for info: www.jumblo.com).
Below is the config.
>>access-list inside_access_in extended permit udp host 192.168.5.150 object-group DM_INLINE_NETWORK_11 object-group Jumblo
>>nat (inside) 10 192.168.5.150 255.255.255.255
The call can be made successfully. Perhaps the problem is that when the call is placed he cannot hear the dial tone and the remote client's voice.
I believe that I'd have to configure something on the ASA to allow the traffic from outside to inside. But I am confused.
Please advise me.
09-07-2010 02:56 PM
But the VoIP service (Jumblo) has whole subnets:
221.123.176.0
77.72.174.0
How can I make a static for the subnet?
I really appreciate your time.
09-07-2010 02:59 PM
I don't mean making static for the jumblo subnet.
You have an internal device making the outbound call 192.168.5.150
Then, you do a static for that device:
static (inside,outside) PUBLIC_IP 192.168.5.150
access-list outside permit ip any host PUBLIC_IP
access-group outside in interface outside
In this way, we use a one-to-one translation for the calling device to make sure PAT is not causing conflicts, and we also permit all IP protocols to that IP (if it works, we just adjust it as I mentioned before).
Federico.
09-07-2010 03:12 PM
I will try and keep you updated.
09-07-2010 03:22 PM
No, it's not working.
09-07-2010 04:03 PM
Not that I have knowledge of how this Jumblo service works, but...
Is the device making the call an actual IP phone in software (do you have an IP telephony device)? Or is it done via Skype or something like that?
If the call is sent to the Jumblo server, then it somehow routes that through the telephony network to the mobile phone.
When the mobile phone sends the audio, the Jumblo server should know that the call should be sent to the public IP that you're using.
I think that the Jumblo service is not sending the audio packets back to your IP properly?
You can do a capture on the ASA's outside interface and check if there's any incoming traffic on those ports being received.
Federico.
09-07-2010 04:12 PM
It works fine when I permit the host to pass through the firewall completely, as I mentioned before:
access-list inside_access_in extended permit ip host 192.168.5.150 any
nat (inside) 10 192.168.5.150 255.255.255.255
global (outside) 10 interface outside
I even believe that the ASA is not able to make an inbound connection to a host.
I am really confused. How do I solve this issue?
09-07-2010 04:23 PM
I ran the Wireshark utility on the host 192.168.5.150.
I disconnected all the sessions and kept only Jumblo running and making calls.
I saw my host 192.168.5.150 trying to reach these destinations:
221.123.176.56
77.72.174.33
And these public IPs trying to reach my IP 192.168.5.150.
These things work when I gave full permission to the host:
access-list inside_access_in extended permit ip host 192.168.5.150 any
nat (inside) 10 192.168.5.150 255.255.255.255
global (outside) 10 interface outside
Please advise.
09-07-2010 05:07 PM
So running Wireshark, besides the outgoing traffic, you actually see incoming traffic back to your host?
If you PAT your internal 192.168.5.150, then the return traffic (when trying to reach your public IP from the Internet) could have problems.
That's the reason I was suggesting to try with a STATIC translation.
Also, outbound traffic is permitted by the ACL that you described.
What I'll do is enable logging:
logging on
logging buffered 7
sh log
and check if you see any teardown message or something indicating a failed connection.
Also, can you run the wireshark on the outside interface?
Federico.
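A way to triage the buffered log Federico asks for, as an added example that is not from the thread: it parses ASA 106023 (deny) and 3020xx (built/teardown) messages and reports which Jumblo flows to the calling host were built and which were denied, and on which destination ports. The log lines are constructed, and the /24 masks on the Jumblo networks are an assumption (the thread gives only the network addresses).

```python
import ipaddress
import re

# Networks the thread names for the Jumblo service; the /24 masks are an assumption.
JUMBLO_NETS = [ipaddress.ip_network(n) for n in ("221.123.176.0/24", "77.72.174.0/24")]
INSIDE_HOST = "192.168.5.150"

# Constructed sample of what `sh log` could show after `logging buffered 7`.
# These lines are made up for the example; the public IP 203.0.113.10 is a placeholder.
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 1101 for inside:192.168.5.150/5060 (203.0.113.10/5060) to outside:221.123.176.56/5060 (221.123.176.56/5060)
%ASA-4-106023: Deny udp src outside:77.72.174.33/10000 dst inside:192.168.5.150/16384 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:77.72.174.33/10002 dst inside:192.168.5.150/16386 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:192.168.5.150/5060 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302016: Teardown UDP connection 1101 for inside:192.168.5.150/5060 to outside:221.123.176.56/5060 duration 0:00:02 bytes 640
"""

# 106023: packet dropped by an interface ACL (proto, src_if, src, sport, dst_if, dst, dport, acl)
DENY_RE = re.compile(r'%ASA-4-106023: Deny (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)'
                     r' by access-group "([^"]+)"')
# 302013/14 (TCP) and 302015/16 (UDP): connection built or torn down
CONN_RE = re.compile(r'%ASA-6-3020(13|14|15|16): (Built|Teardown) .*?for (\w+):([\d.]+)/(\d+)'
                     r' .*?to (\w+):([\d.]+)/(\d+)')


def is_jumblo(ip):
    """True if ip falls inside one of the Jumblo networks named in the thread."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in JUMBLO_NETS)


def summarize(log_text, host=INSIDE_HOST):
    """Return (built, denied) for flows between `host` and a Jumblo address.
    built: list of (a_ip, a_port, b_ip, b_port) connections the ASA built.
    denied: {(proto, src_ip, acl): [dst ports]} packets an ACL dropped on the way to host."""
    built, denied = [], {}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            proto, _, src, _, _, dst, dport, acl = m.groups()
            if dst == host and is_jumblo(src):
                denied.setdefault((proto, src, acl), set()).add(int(dport))
            continue
        m = CONN_RE.search(line)
        if m and m.group(2) == "Built":
            _, _, _, a, aport, _, b, bport = m.groups()
            if host in (a, b) and (is_jumblo(a) or is_jumblo(b)):
                built.append((a, int(aport), b, int(bport)))
    return built, {k: sorted(v) for k, v in denied.items()}
```

A non-empty `denied` entry for a Jumblo source with high UDP ports is the pattern the thread suspects: signalling gets out, but the return media is dropped by the outside ACL before it reaches the host.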
09-07-2010 06:16 PM
Hello Samir,
If I understand you correctly, it is working fine when you allow the inside host full access to the Internet. Do you have inspects enabled? My guess is that you need to enable a few TCP ports along with the UDP ports for signaling purposes.
Can you allow TCP 5060 and 1719/1720 and see if that helps?
Regards,
NT
09-07-2010 06:21 PM
Hi NT,
Yes, exactly, when I permit full Internet access it works fine.
I have the default inspects enabled.
Here is the output of the show command:
ASA-5520# sh running-config | include inspect
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
09-07-2010 06:27 PM
Hello Samir,
On your inside interface, can you allow TCP port 5060 along with the other ports? It seems like Jumblo uses SIP to establish calls.
Regards,
NT
09-07-2010 06:29 PM
Hi NT,
Can you give some command help to allow the TCP 5060 and 1719/1720 ports?
09-07-2010 06:34 PM
Hello Samir,
Try the following:
access-list inside_access_in line 1 permit tcp host 192.168.5.150 any eq 1720
access-list inside_access_in line 2 permit tcp host 192.168.5.150 any eq 1719
access-list inside_access_in line 3 permit tcp host 192.168.5.150 any eq 5060
Regards,
NT
09-07-2010 06:39 PM
Hello NT,
I'll try and update you then.
09-07-2010 07:22 PM
Hello NT,
I did as you said, but it's still the same.