I am banging my head against the wall as I am trying to figure this out. We have an Asterisk-based PBX running on a server and it is not VLAN'd or anything, as we have a large pipe coming in. We are using NAT and the problem is that occasionally we have audio issues when we call out to an outside caller: we can hear them, but they can't hear anything. I was trying to add it to my nat 0 group, but then there is no audio in or out.
Below are parts of our config from the ASA:
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz2) 0 access-list dmz2_nat0_outbound
nat (dmz2) 0 access-list dmz2_nat0_outbound_1 outside
access-list mpl extended permit udp any host 22.214.171.124 eq sip
access-list mpl extended permit tcp host Nextiva host 126.96.36.199 eq sip
access-list mpl extended permit udp host Nextiva host 188.8.131.52 range 10000 20000
access-list mpl extended permit tcp any host 184.108.40.206 eq smtp
access-list mpl extended permit tcp any host 220.127.116.11 eq https
access-list mpl extended permit tcp any host 18.104.22.168 eq www
access-list mpl extended permit tcp any host 22.214.171.124 eq imap4
access-list mpl extended permit tcp any host 126.96.36.199 eq www
access-list mpl extended permit tcp any host 188.8.131.52 eq 10001
access-list mpl extended permit tcp any host 184.108.40.206 eq ssh
access-list mpl extended permit tcp any host 220.127.116.11 eq https
access-list mpl extended permit udp any host 192.168.0.53 eq ntp
access-list mpl extended permit udp any host 192.168.0.58 eq ntp
access-list mpl extended permit tcp any host 18.104.22.168 eq www
access-list mpl extended permit object-group TCPUDP any host 22.214.171.124 eq domain
access-list mpl extended permit tcp any host 126.96.36.199 inactive
access-list pixtosw extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list pixtonavarre extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list MPL_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list MPL_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list MPL_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list dmz2_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list MSS_Exceeded_ACL extended permit tcp any any
access-list dmz2_nat0_outbound_1 extended permit ip host 192.168.50.10 host 192.168.0.53
global (outside) 1 interface
global (outside) 1 188.8.131.52
policy-map type inspect dns preset_dns_map
message-length maximum 512
police output 1500000 1500
police input 1500000 1500
match dscp ef
This is an issue with NAT, as the signaling works fine. The problem is that after the user answers the phone, it looks like the ASA is not able to determine that the signaling traffic and audio traffic have to go to the same device and are related to each other. As a result, the audio traffic is not translated properly between the address spaces.
I can see that you do not have an inspection for the SIP protocol.
Can you add it and give it a try:
Hope this helps.
Do rate all the helpful posts
I have tried it both ways and it doesn't matter. A lot of things I have found on the internet say to turn it off as it causes more problems.
If you look at the ASA log, it doesn't show anything hitting the x.x.x.12 IP.
Next thing would be to do captures and debugs,
Please provide them
Debug sip ha
access-list capin permit ip host x.x.x.x(Local_endpoint) host y.y.y.y(Outside_Endpoint)
access-list capin permit ip host y.y.y.y host x.x.x.x
access-list capout permit ip host z.z.z.z (NATted IP address of the local_endpoint) host y.y.y.y
access-list capout permit ip host y.y.y.y host z.z.z.z
capture capin access-list capin interface inside circular-buffer
capture capout access-list capout interface outside circular-buffer
Then try to make a phone call and do a show cap capin and show cap capout.... You should be able to see the packets in the capture.
Then we will need to download the captures to your computer (for that go to a browser and set the following:
then to do debugs just add the commands
Debug sip ha
and make a phone call.. You should get a big output...
We need to see that.
That is because you do not have the sip inspection enabled.
Now I want you to clear all the captures and take them back but this time with the SIP enabled
clear cap /all
And add the
Then send the traffic and download the captures again and take the debugs.
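As an added example (not part of this thread or any poster's code), a small Python check that can be run over a SIP INVITE pulled out of the outside-interface capture described above: if the SDP c= line or the Contact header still carries an RFC1918 address, the ASA has not rewritten the media address, which is exactly the condition behind one-way audio. The INVITE and all addresses in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: an INVITE as it would look on the outside interface when
# nothing rewrites the SDP. 192.168.0.12 is the (hypothetical) inside PBX address.
SAMPLE_INVITE = (
    "INVITE sip:15551234567@203.0.113.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.12:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:pbx@192.168.0.12:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.0.12\r\n"
    "c=IN IP4 192.168.0.12\r\n"
    "m=audio 10002 RTP/AVP 0 8\r\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True if ip falls in one of the RFC1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_sip(msg):
    """Split a SIP message into headers (lowercased names) and SDP fields by type letter."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    sdp = {}
    for line in body.split("\r\n"):
        if len(line) > 2 and line[1] == "=":    # e.g. "c=IN IP4 ..."
            sdp.setdefault(line[0], []).append(line[2:])
    return headers, sdp

def media_endpoint(msg):
    """Return (ip, port) that the SDP tells the far end to send RTP to."""
    _, sdp = parse_sip(msg)
    ip = sdp["c"][0].split()[-1]
    port = int(sdp["m"][0].split()[1])
    return ip, port

def private_media_leaks(msg):
    """List (where, address) pairs for private addresses an outside peer cannot reach."""
    headers, _ = parse_sip(msg)
    found = []
    ip, _ = media_endpoint(msg)
    if is_rfc1918(ip):
        found.append(("sdp c=", ip))
    m = re.search(r"@([\d.]+)", headers.get("contact", ""))
    if m and is_rfc1918(m.group(1)):
        found.append(("Contact", m.group(1)))
    return found
```

An empty result on the outside capture, together with a non-empty one on the inside capture, shows the SIP inspection is rewriting the embedded addresses as intended.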