Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5299
Views
0
Helpful
9
Replies

ASA 5510 SIP and One way audio

asommers
Level 1
Level 1

‎04-25-2012 07:59 AM - edited ‎03-11-2019 03:58 PM

I am banging my head against the wall as I am trying to figure this out. We have a asterisk based PBX running on a server and it is not VLAN'd or anything as we have a large pipe coming in. We are using NAT and the problem is that occassionally we have audio issues when we call out to an outside caller, and we can hear them, but they can't hear anything. I was trying to add it to my nat 0 group, but then there is no audio in or out.

Below is parts of our config from the ASA:

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (public) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list dmz_nat0_outbound

nat (dmz2) 0 access-list dmz2_nat0_outbound

nat (dmz2) 0 access-list dmz2_nat0_outbound_1 outside

access-list mpl extended permit udp any host 66.213.98.12 eq sip

access-list mpl extended permit tcp host Nextiva host 66.213.98.12 eq sip

access-list mpl extended permit udp host Nextiva host 66.213.98.12 range 10000 20000

access-list mpl extended permit tcp any host 66.213.98.10 eq smtp

access-list mpl extended permit tcp any host 66.213.98.10 eq https

access-list mpl extended permit tcp any host 66.213.98.11 eq www

access-list mpl extended permit tcp any host 66.213.98.10 eq imap4

access-list mpl extended permit tcp any host 66.213.98.3 eq www

access-list mpl extended permit tcp any host 66.213.98.3 eq 10001

access-list mpl extended permit tcp any host 66.213.98.3 eq ssh

access-list mpl extended permit tcp any host 66.213.98.6 eq https

access-list mpl extended permit udp any host 192.168.0.53 eq ntp

access-list mpl extended permit udp any host 192.168.0.58 eq ntp

access-list mpl extended permit tcp any host 66.213.98.8 eq www

access-list mpl extended permit object-group TCPUDP any host 66.213.98.8 eq domain

access-list mpl extended permit tcp any host 66.213.98.5 inactive

access-list pixtosw extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list pixtonavarre extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list MPL_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

access-list MPL_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0

access-list MPL_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0

access-list dmz_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list dmz2_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list MSS_Exceeded_ACL extended permit tcp any any

access-list dmz2_nat0_outbound_1 extended permit ip host 192.168.50.10 host 192.168.0.53

global (outside) 1 interface

global (outside) 1 66.213.98.12

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global-policy

class global-class

  inspect ftp

  inspect http

  inspect pptp

  inspect rtsp

policy-map public-policy

class public-class

  inspect http

  police output 1500000 1500

  police input 1500000 1500

policy-map qos

class voice

  priority

priority-queue outside

  tx-ring-limit 256

threat-detection basic-threat

threat-detection statistics

!

class-map public-class

match any

class-map global-class

match default-inspection-traffic

class-map voice

match dscp ef

Labels:
0 Helpful
9 Replies 9

Julio Carvajal
VIP Alumni
VIP Alumni

‎04-25-2012 10:21 AM

Hello Allen,

This is an issue with NAT as the signaling works fine.. The problem is after the users answer the phone looks like the ASA is not able to determine that the signaling traffic and audio traffic got to go to the same device and they are related to each other..As a result, the audio traffic is not translated properly between the address spaces.

I can see that you do not have a inspection for the SIP protocol.

Can you add it and give it a try:

policy-map global-policy

class global-class

Inspect SIP

Hope this helps.

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

asommers
Level 1
Level 1
In response to Julio Carvajal

‎04-25-2012 10:35 AM

I have tried it both ways and it doesn't matter.  Alot of things I have found on the internet says to turn it off as it causes more problems.

If you look at the ASA log, it doesn't show anything hitting the x.x.x.12 IP.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to asommers

‎04-25-2012 10:53 AM

Hello Allen,

Next thing would be to do captures and debugs,

Please provide them

Debug sip

Debug sip ha

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

asommers
Level 1
Level 1
In response to Julio Carvajal

‎04-25-2012 11:04 AM

How do you do captures and debugs?

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to asommers

‎04-25-2012 11:12 AM

Capture:

access-list capin permit ip host x.x.x.x(Local_endpoint) host y.y.y.y(Outside_Endpoint)

access-list capin permit ip host y.y.y.y host x.x.x.x

Access-list capout permit ip host z.z.z.z ( natted ip address of the local_endpoint) host y.y.y.y

access-list capout permi ip host y.y.y.y host z.z.z.z

capture capin access-list capin interface inside circular-buffer

capture capout access-list capout interface outside circular-buffer

Then try to make a phone call and do a show cap capin and show cap capout.... You should be able to see the packets in the capture.

Then we will need to download the captures to your computer ( for that go to a browser and set the following:

https://inside_asa_ip_address/capture/capin/pcap

https://inside_asa_ip_address/capture/capout/pcap)

then to do debugs just add the commands

Debug sip ha

debug sip

and make a phone call.. You should get a big output...

We need to see that.

Regards.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

asommers
Level 1
Level 1
In response to Julio Carvajal

‎04-25-2012 11:39 AM

Attached are the captures. I'll have to figure out the debug later. I don't get anything when I do it.

126912-pcap (1).zip
0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to asommers

‎04-25-2012 11:42 AM

Hello,

That is because you do not have the sip inspection enabled.

Now I want you to clear all the captures and take them back but this time with the SIP enabled

clear cap /all

And add the

policy-map global-policy

class global-class

Inspect SIP

Then send the traffic and donwload the captures again and take the debugs

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

asommers
Level 1
Level 1
In response to Julio Carvajal

‎04-27-2012 05:20 AM

OK, I had an appointment and did not get back to this until now. Hopefully you can see something in the attached logs. The debug still didn't do anything when I typed it in with inspect sip enabled.

127022-pcap (3).zip
0 Helpful

GASHAW TURA
Level 1
Level 1
In response to asommers

‎03-11-2014 05:30 PM

I have exact same issues and I am looking for answer for the same problem.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card