ASA SIP INSPECT does not work (via header)

mcroft
Level 1

Hi,

Hope you can help .....

I have set up a SIP server behind an ASA firewall (inside interface). The SIP server talks to an external server (via the outside interface).

* The ASA is configured to use static NAT.

* INSPECT is set up for SIP (global service policy).

194.145.133.97 Outside Voice Server

63.188.8.164 <-----> 192.168.4.74 (Inside SIP Server, outside, inside)

When I trace on the SIP server, I see the SIP INVITE packet exits the server and is received (as expected) by the outside voice server. I examine the "Via header" and I see the ASA's INSPECT engine is working OK, as the IP addresses have been masqueraded (as per the static NAT rules). But when the response SIP packet is seen on the inside server, the "Via header" has not been amended by the ASA and it retains the OUTSIDE/PUBLIC IP address.

It seems the INSPECT has worked okay for EGRESS SIP traffic ONLY, but the Ingress fails.

Despite having the SIP INSPECT command configured on the global service policy.

TRACE:

Outgoing Message

INVITE sip:28111447914402497@194.145.133.97:5060;transport=udp SIP/2.0

Call-ID: 1830128939279915897@192.168.4.74
Via: SIP/2.0/UDP 192.168.4.74:5070;branch=z9hG4bKC0A8044A13CE00000133B29887A31

-------------------------

Incoming Message
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 63.188.8.164:5070;branch=z9hG4bKC0A8044A13CE00000133B29887A31
Via: SIP/2.0/UDP

As you can see, the incoming message (traced on the inside SIP server) has the EXTERNAL IP address in the Via header; I would expect the INSIDE address. Consequently, this breaks the server application.

If anyone could help, or offer advice, it would be very much appreciated.

thank you

P.S. I am using the latest 8.4(2) code.

Matt
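
A check for the symptom described in this post, as an added example that is not part of the original thread: it pairs a request and a response by Via branch and reports whether the response seen on the inside still carries the mapped (outside) address. The function names and result strings are assumptions, the sample messages are constructed from the trace lines above, and only IPv4 or hostname sent-by values are handled.

```python
import re

# Static NAT from the post: mapped (outside) address -> real (inside) address.
STATIC_NAT = {"63.188.8.164": "192.168.4.74"}

# Constructed sample: header lines copied from the trace in the post.
OUTGOING = (
    "INVITE sip:28111447914402497@194.145.133.97:5060;transport=udp SIP/2.0\r\n"
    "Call-ID: 1830128939279915897@192.168.4.74\r\n"
    "Via: SIP/2.0/UDP 192.168.4.74:5070;branch=z9hG4bKC0A8044A13CE00000133B29887A31\r\n"
)
INCOMING = (
    "SIP/2.0 100 Trying\r\n"
    "Via: SIP/2.0/UDP 63.188.8.164:5070;branch=z9hG4bKC0A8044A13CE00000133B29887A31\r\n"
)

# Via (or compact form "v"), transport, sent-by host[:port], then parameters.
VIA_RE = re.compile(
    r"^(?:Via|v)[ \t]*:[ \t]*SIP/2\.0/\w+[ \t]+([^;:\s,]+)(?::(\d+))?([^\r\n,]*)",
    re.I | re.M)
BRANCH_RE = re.compile(r";[ \t]*branch=([^;\s]+)", re.I)

def top_via(message):
    """Return (host, port, branch) of the topmost Via, or None if absent."""
    m = VIA_RE.search(message)
    if not m:
        return None
    branch = BRANCH_RE.search(m.group(3))
    return (m.group(1), int(m.group(2) or 5060), branch.group(1) if branch else None)

def check_response_via(request, response, nat=STATIC_NAT):
    """Classify the top Via of a response captured on the inside server."""
    req, rsp = top_via(request), top_via(response)
    if req is None or rsp is None:
        return "no-via"
    if req[2] != rsp[2]:
        return "branch-mismatch"   # response belongs to another transaction
    if rsp[:2] == req[:2]:
        return "ok"                # sent-by matches what the server sent
    if nat.get(rsp[0]) == req[0]:
        return "untranslated"      # still the mapped address, as in the post
    return "unexpected"

if __name__ == "__main__":
    print(check_response_via(OUTGOING, INCOMING))
```
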

4 Replies

Julio Carvajal
VIP Alumni

Hello Mcroft,

Seems like you are hitting bug ID: CSCto50963

Here is the link you can take a look at it:

http://tools.cisco.com/squish/3DF8e

Now the problem is that after you did the upgrade, the embedded IP address in the header is not being translated as it is supposed to be when it's an inbound SIP invitation.

The bug is still open and being investigated, and the workaround for this would be a downgrade.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi!

Faced with the same problem in 8.6(1)2. Since the release of version 8.4(2), has the problem not been solved? What should I do?

Hello Artem,

No solution yet, they are still working on this Sr.

A regression to make it work is needed right now!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Any update on this issue? I'm in the same boat. My 9971 VPN phone is unable to receive calls but can make outbound calls. Has anyone tried with ASA release 9.0.1?
