
ASA 5505 - VOIP no AUDIO on internal Calls

mariomark
Level 1

Hi All,

In my NEW network there are 6 VOIP phones (Linksys SPA922). They are connected to an external VOIP PBX through the internet; NO VPN has been set up.

My firewall is a Cisco ASA 5505 with the Security Plus licence installed. My firewall has a public IP address on the outside interface and my internal network (PC + VOIP PHONE) is NATted.

I enabled SIP Inspection on ASA5505.

The VOIP phones register correctly with the PBX, I can call outside (for example I can call my mobile phone) and from outside the calls work well (from my mobile phone I can call my VOIP phone); the audio is good in both directions.

BUT when I try to call another internal VOIP phone I have an issue: the called phone starts to ring, but when I answer the call I cannot hear audio.

What can I do?

THANKS

Below is my Cisco ASA config:

ciscoasa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password vRvjDpmZ43rgmuOa encrypted
passwd vRvjDpmZ43rgmuOa encrypted
names
..
..
!
interface Vlan1
description PC Network
nameif inside
security-level 100
ip address 10.85.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
description FASTWEB WAN
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248
ospf cost 10
!
interface Vlan20
description Voip Network
nameif VOIP
security-level 100
ip address 10.85.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
mtu inside 1500
mtu outside 1500
mtu VOIP 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
icmp permit host IP-Venticento outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.xx netmask 255.0.0.0
global (outside) 2 interface
global (outside) 3 xx.xx.xx.xy netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 10.85.1.0 255.255.255.0
nat (VOIP) 1 10.85.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 yy.yy.yy.yy
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
...
...
dhcpd address 10.85.1.30-10.85.1.99 inside
dhcpd dns 85.18.200.200 89.97.140.140 interface inside
dhcpd option 3 ip 10.85.1.1 interface inside
dhcpd option 4 ip 193.204.114.232 interface inside
dhcpd enable inside
!
dhcpd address 10.85.2.30-10.85.2.99 VOIP
dhcpd dns 85.18.200.200 interface VOIP
dhcpd wins 89.97.140.140 interface VOIP
dhcpd option 3 ip 10.85.2.1 interface VOIP
dhcpd enable VOIP
!
ntp server 193.204.114.233
group-policy NewPolicy internal
username carl password rZyeNSp3vVXS1SBW encrypted privilege 15
tunnel-group zz.zz.zz.zz type ipsec-l2l
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
class-map global-class1
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect skinny rscp
parameters
message-id max 0x141
timeout media 0:01:00
timeout signaling 0:05:00
rtp-conformance
match message-id 0x3
drop log
policy-map type inspect im imtest
parameters
match service conference
drop-connection log
policy-map type inspect sip TEST
parameters
ip-address-privacy
max-forwards-validation action drop log
policy-map type inspect sip SIPTEST
parameters
ip-address-privacy
max-forwards-validation action drop log
state-checking action drop log
software-version action mask log
strict-header-validation action drop log
uri-non-sip action mask log
rtp-conformance enforce-payloadtype
match called-party regex _default_GoToMyPC-tunnel
drop log
policy-map type inspect sip Secure_SIP
parameters
ip-address-privacy
max-forwards-validation action drop log
state-checking action drop-connection log
software-version action mask log
strict-header-validation action drop log
no traffic-non-sip
uri-non-sip action mask log
rtp-conformance enforce-payloadtype
policy-map global-policy
class global-class
inspect sip TEST
class global-class1
inspect icmp
inspect pptp
class inspection_default
!
service-policy global-policy global
smtp-server 85.18.95.132
prompt hostname context
Cryptochecksum:f852b91f266359fda5c84a2cb85be894
: end
ciscoasa#

8 Replies

Hi Mario,

The problem is no audio between the two internal phones.

Once the phones are registered with the external PBX and the call is established, the audio just goes directly between the phones (this means the audio should not reach the ASA). It should be normal traffic in the internal network.

Are both phones on the same subnet?

Can you PING between phones?

Federico.

Hi Federico,

thanks for your answer.

Yes, I know that the communication is established directly between the phones and so it's normal internal traffic... but I think that the PBX has to tell this to the phones. I suspect that the PBX gives them bad information... I don't know....

However, yes, the phones are on the same internal subnet, they can ping each other and they can be pinged from my PC. They have IP addresses like 10.85.2.30/24 and 10.85.2.31/24, gateway 10.85.2.1.

Any other ideas?

Thanks.

Hi Mario,

What I mean is that if one phone calls the other (and the other actually rings)... then the PBX is doing its job as far as calling the phone and trying to establish the call.

The called phone rings and the problem is that when someone answers there's no audio?

If this is so, I'll capture the communication between both phones with a sniffer.

Federico.

Yes Federico, the problem is that!

Mario,

Can you capture the traffic between both phones?

Like doing a SPAN on the switches so we can analyze it with Wireshark?

Federico.

Ok Federico,

I did Wireshark monitoring.

When I have an external call I can see RTP packets from my IP PHONE (10.85.1.52) going to the PBX (95.xx.xx.xx) and vice versa I can see the PBX going to 10.85.2.30, and in fact everything works fine.

When I have an External CALL I can see RTP packets from my IP PHONES (10.85.1.52 and 10.85.2.53) going to my Cisco WAN EXTERNAL IP ADDRESS but I cannot see packets coming back from the firewall.

See the attachment.

Bye
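The two observations in this exchange (Federico's point that media between two phones on one subnet should never reach the ASA, and Mario's capture showing RTP from the phones going to the firewall's outside address with nothing coming back) can be checked mechanically from a capture. The script below is an added example, not code from either poster or from Cisco. It assumes constructed SDP bodies and a constructed Wireshark-style conversation summary; the phone and subnet addresses come from the thread, `89.96.155.5` is the `global (outside) 1` address in the later config, and `95.0.0.1` is a placeholder for the PBX's `95.xx.xx.xx` address. `classify_media` reports where a phone would send RTP given the `c=` line it received, and `one_way_flows` lists media flows that have no return traffic.

```python
import ipaddress
import re

# Constructed values modelled on the thread (not taken from a real capture):
# two phones on the VOIP subnet, the PBX on the internet and the ASA's
# outside PAT address (global (outside) 1 in the posted config).
VOIP_SUBNET = "10.85.2.0/24"
PHONE_A = "10.85.2.30"
PHONE_B = "10.85.2.31"
PBX_PUBLIC = "95.0.0.1"        # placeholder for the PBX's 95.xx.xx.xx address
ASA_OUTSIDE = "89.96.155.5"


def sdp_for(addr: str, port: int) -> str:
    """Build a minimal SDP body whose c= line names the given media address."""
    return (
        "v=0\r\n"
        f"o=- 1 1 IN IP4 {addr}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {addr}\r\n"
        "t=0 0\r\n"
        f"m=audio {port} RTP/AVP 0 8\r\n"
        "a=rtpmap:0 PCMU/8000\r\n"
    )


def media_endpoint(sdp: str):
    """Return (address, port) the peer is told to send RTP to."""
    c = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    m = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not c or not m:
        raise ValueError("SDP has no c= or m=audio line")
    return c.group(1), int(m.group(1))


def classify_media(sdp: str, local_subnet: str = VOIP_SUBNET,
                   asa_outside: str = ASA_OUTSIDE) -> str:
    """Say where a phone on local_subnet will send RTP for this SDP.

    'hairpin' is the failure mode in the thread: the answer points at the
    firewall's own outside address, so an inside phone sends its media to
    the ASA and nothing is routed back to the other inside phone.
    """
    addr, _port = media_endpoint(sdp)
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address(asa_outside):
        return "hairpin"
    if ip in ipaddress.ip_network(local_subnet):
        return "direct"      # same subnet: media never touches the ASA
    if ip.is_private:
        return "routed"      # another internal subnet, via the ASA
    return "external"        # PBX or other internet host, NAT applies


# Constructed per-flow summary in the shape of Wireshark's Conversations
# view: "src:sport -> dst:dport packets". The RTP flows only go one way.
FLOWS = [
    "10.85.2.30:16384 -> 89.96.155.5:16384 412",
    "10.85.2.31:16386 -> 89.96.155.5:16386 398",
    "10.85.2.30:5060 -> 95.0.0.1:5060 12",
    "95.0.0.1:5060 -> 10.85.2.30:5060 11",
]

FLOW_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) (\d+)")


def one_way_flows(flows):
    """Return (src, dst, dport) for flows with no packets in the reverse direction."""
    seen = {}
    for line in flows:
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, sp, dst, dp, n = m.groups()
        seen[(src, int(sp), dst, int(dp))] = int(n)
    return [(src, dst, dp) for (src, sp, dst, dp) in seen
            if (dst, dp, src, sp) not in seen]


if __name__ == "__main__":
    for label, sdp in [("PBX answer, NAT-rewritten", sdp_for(ASA_OUTSIDE, 16384)),
                       ("PBX answer, phone B address", sdp_for(PHONE_B, 16386)),
                       ("PBX itself", sdp_for(PBX_PUBLIC, 10000))]:
        print(f"{label}: {classify_media(sdp)}")
    for src, dst, dp in one_way_flows(FLOWS):
        print(f"one-way media: {src} -> {dst}:{dp}")
```

Run against a real capture, the `c=` address comes from the SIP `200 OK` the PBX relays to the calling phone, and the flow lines from Wireshark's UDP conversation list. A "hairpin" result with one-way RTP toward the firewall is exactly the picture Mario describes: the signalling path has had its media address rewritten to the public NAT address, so two inside phones try to exchange audio through the ASA instead of directly.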

sachinga.hcl
Level 4

Hi

Could you tell me why you have not configured H.323 and SCCP?

The adaptive security appliance does not support VoIP inspection engines when you configure NAT on same security interfaces. These inspection engines include Skinny, SIP, and H.323.

Have you referred to the following example? If not, please go through it for the detailed config regarding VOIP on ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml

Also I am seeing a lot of policy maps, but your config is not very clear either. Ideally, if you are calling both of your phones internally, then there should be NO NAT configured for those two LANs, which I believe is missing.

Also you have not configured the inspection for h323 and SCCP as follows:

inspect h323 h225

inspect skinny

Have you followed the correct NATting for SIP as follows:

Application = SIP
Default Port = TCP/5060 UDP/5060
NAT Limitations = No outside NAT. No NAT on same security interfaces.
Standards = RFC 2543

Application = H.323 H.225 and RAS
Default Port = TCP/1720 UDP/1718  UDP (RAS) 1718-1719
NAT Limitations = No NAT on same security interfaces. No static PAT.
Standards = ITU-T H.323, H.245, H225.0, Q.931, Q.932

Correct me if I am wrong.

Regards,

Sachin.

I made a clearer configuration: I enabled H323, SCCP and RTCP, and I made the NAT correctly, but the problem is still the same.

I don't have any problem with external outgoing and incoming calls, but when I have an internal call I cannot hear AUDIO.
Monitoring the ASA5505 logging, I don't see any dropped packets.

Below is the cleaned-up ASA configuration.

ciscoasa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password vRvjDpmZ43rgmuOa encrypted
passwd vRvjDpmZ43rgmuOa encrypted
names
!
interface Vlan1
description PC Network
nameif inside
security-level 100
ip address 10.85.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
description WAN
nameif outside
security-level 0
ip address 89.96.155.4 255.255.255.248
ospf cost 10
!
interface Vlan20
description Voip Network
nameif VOIP
security-level 100
ip address 10.85.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service ANY tcp-udp
port-object range 1 65535
object-group network DM_INLINE_NETWORK_1
network-object 10.85.1.0 255.255.255.0
network-object 10.85.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.85.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.85.1.0 255.255.255.0 10.80.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.85.1.0 255.255.255.0 10.80.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.85.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list outside_access_in extended permit ip 10.80.0.0 255.255.0.0 any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list VOIP_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list VOIP_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
logging from-address ciscoasa@domain.com
logging recipient-address alert@xxx.com level errors
mtu inside 1500
mtu outside 1500
mtu VOIP 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit host IP-Venticento outside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 89.96.155.5 netmask 255.0.0.0
global (outside) 2 interface
global (outside) 3 89.96.155.6 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 10.85.1.0 255.255.255.0
nat (VOIP) 1 10.85.2.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group VOIP_access_in in interface VOIP
access-group VOIP_access_out out interface VOIP
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.85.0.0 255.255.0.0 inside
http IP-Venticento 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

**
** crypto
**

telnet 10.85.1.0 255.255.255.0 inside
telnet IP-Venticento 255.255.255.255 outside
telnet timeout 5
ssh 10.85.1.0 255.255.255.0 inside
ssh IP-Venticento 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 10.85.1.30-10.85.1.99 inside
dhcpd dns 85.18.200.200 89.97.140.140 interface inside
dhcpd option 3 ip 10.85.1.1 interface inside
dhcpd option 4 ip 193.204.114.232 interface inside
dhcpd enable inside
!
dhcpd address 10.85.2.30-10.85.2.99 VOIP
dhcpd dns 85.18.200.200 interface VOIP
dhcpd wins 89.97.140.140 interface VOIP
dhcpd option 3 ip 10.85.2.1 interface VOIP
dhcpd option 4 ip 193.204.114.233 interface VOIP
dhcpd enable VOIP
!

ntp server 193.204.114.233
group-policy NewPolicy internal
username venticento password rZyeNSp3vVXS1SBW encrypted privilege 15
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group yy.yy.yy.yy type ipsec-l2l
tunnel-group yy.yy.yy.yy ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2
!
class-map global-class
match default-inspection-traffic
class-map global-class1
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect im imtest
parameters
match service conference
  drop-connection log
policy-map type inspect sip TEST
parameters
  ip-address-privacy
  max-forwards-validation action drop log
policy-map type inspect skinny SkynnyPolicy
parameters
  rtp-conformance enforce-payloadtype
policy-map global-policy
class global-class
  inspect sip TEST
  inspect rtsp
  inspect skinny SkynnyPolicy
  inspect dns
  inspect h323 h225
  inspect h323 ras
  inspect tftp
  inspect mgcp
class global-class1
  inspect icmp
  inspect pptp
policy-map type inspect h323 H323policy
parameters
  h245-tunnel-block action drop-connection
  state-checking h225
  state-checking ras
  rtp-conformance enforce-payloadtype
!
service-policy global-policy global
smtp-server 85.18.95.132
prompt hostname context
Cryptochecksum:6f45e419d000cc20a722d22578ded76d
: end
ciscoasa#
