Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA SIP INSPECT does not work (via header)

Hi,

Hope you can help .....

I have setup a SIP Server behind a ASA firewall (inside interface). The SIP server talks to an external server (via the outside interface).

* The ASA is configured to use static NAT.

* INSPECT is setup for sip (global service policy).

194.145.133.97 Oustide Voice Server

63.188.8.164 <-----> 192.168.4.74 (Inside SIP Server, outside, inside)

When I trace on the SIP server, I see the SIP INVITE packet exits the server and is received (as expected) by the outside voice-server. I examine the "VIA header" and I see the ASA's INSPECT engine is working OK as the IP addresses have been masqueraded (as per the NAT static rules). But when the response sip packet is seen on the inside server, the "VIA header" has not been ammended by the ASA and it retains the OUTSIDE/PUBLIC ip address.

It seems the INSPECT has worked okay for EGRESS SIP traffic ONLY, but the Ingress fails.

Despite having the SIP INSPECT command configured on the global service policy.

TRACE:

Outgoing Message

INVITE sip:28111447914402497@194.145.133.97:5060;transport=udp SIP/2.0

Call-ID: 1830128939279915897@192.168.4.74
Via: SIP/2.0/UDP 192.168.4.74:5070;branch=z9hG4bKC0A8044A13CE00000133B29887A31

-------------------------

Incoming Message
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 63.188.8.164:5070;branch=z9hG4bKC0A8044A13CE00000133B29887A31
Via: SIP/2.0/UDP

As you can see, the Incoming message (traced on the inside sip-server), has the EXTERNAL IP Address in the VIA-HEADER, I would expect the INSIDE address. Consequntly, this brakes the server application.

If anyone could help, or offer advise, it would ve very much appreciated.

thank you

p.s I am using latest 8.4(2) code.

Matt

4 REPLIES

ASA SIP INSPECT does not work (via header)

Hello Mcroft,

Seems like you are hitting bug ID:CSCto50963

Here is the link you can take a look at it:

http://tools.cisco.com/squish/3DF8e

Now  the problem is that after you did the upgrade the embedded IP address on the header is not being translated as it supposed when its an inbound Sip invitation.

The bug stills open and being investigated and the workaround for this would be a downgrade.

Please rate helpfull posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA SIP INSPECT does not work (via header)

Hi!

Faced with the same problem in 8.6 (1) 2. Since the release of version 8.4 (2) The problem was not solved? What to do?

ASA SIP INSPECT does not work (via header)

Hello Artem,

No solution yet, they are still working on this Sr.

A regresion to make it work is need it right now!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA SIP INSPECT does not work (via header)

Any update on this issue? I'm on the same boat. My 9971 vpn phone is unable to receive calls but can make outbound calls.Has anyone tried with ASA release 9.0.1?

3965
Views
0
Helpful
4
Replies
CreatePlease to create content