Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
364
Views
0
Helpful
3
Replies

ASA5515X & VOIP

Adrian Jones
Level 1
Level 1

‎04-04-2014 04:36 AM - edited ‎03-11-2019 09:02 PM

Hi All,

 

    I recently replaced a series of ASA 5505's with a singular ASA5515X firewall. All seems to have gone well but one group of users are reporting a problem with VOIP. They are the only VOIP users on this firewall.

 

    They have Cisco VOIP phones that connect out to an external suppier. The firewall is on an open circuit so we do not restrict outbound traffic, permitting all traffic. Inbound we permit all traffic to named servers. To their VOIP server we have a NAT in place and a rule that permits anything from internet to that server. From their network we permit all traffic to internet, including the server. I can ping the server from Internet. All outbound data traffic is fine.

 

    The users report incoming calls to VOIP work fine without issue. When they make an external call, the call connects to the remote phone okay but no voice/audio can be heard.

 

    I have inspections for Skinny, H323 RAS & h225, and SIP enabled. This does not make a difference - even with them removed.

 

    IOS version is asa913-smp-k8.bin. This was working on the ASA5505 firewall but now has an issue with the ASA5515X series.

 

    Any ideas? Help appreciated.

 

Regards

 

Adrian

Labels:
0 Helpful
3 Replies 3

Ruben Cocheno
Spotlight
Spotlight

‎04-04-2014 11:50 AM

if i'm not wrong i saw some issues with SIP/NAT. I think PAT is not supported with inspection but check if inspection drop some traffic and probably you need configuring a SIP Inspection Policy Map for Additional Inspection Control

rate if i helped you

ruben

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
0 Helpful

Adrian Jones
Level 1
Level 1
In response to Ruben Cocheno

‎04-17-2014 11:19 AM

The previous version would have been 8.4 - not sure of exact version as this has been upgraded and redployed.

 

Remote end did some analysis and reported they are seeing the local IP in the sip traffic. The VOIP server has NAT traversal enabled. When I browse from the server I have a public IP address. NAT is working - maybe not for SIP. You would hope a Cisco product over a Cisco product would be okay. Calls outbound only have voice traffic missing - calls establish. Inbound calls have sessions establish and bi-directional voice traffic with no problems.

 

What are the addition Inspection Control?

0 Helpful

naveenrawat007
Level 1
Level 1

‎04-06-2014 11:49 PM

Hi Adrian,

Was this outgoing VOIP traffic working fine on the ASA 5505 device with the previous IOS version ?

What was the previous IOS version ?

Please check and post "show service-policy " output to verify if there are any inspection drops or not.

Also apply caputres on ingress and egress interfaces to check if the inspection is working for this stream or not.
Please folow this link to apply the captures:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

Please post the ACL, NAT and insoection configuration from previous version and current device.

Cheers,

Naveen

Hope it helps Cheers, Naveen Please Rate Helpful posts.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card