11-15-2011 11:15 AM - edited 03-11-2019 02:51 PM
Dear Team,
I have the following issue,
We need to configure our Cisco Call Manager Express (CME) and our Cisco ASA in order to allow connections for SIP clients outside the company.
Below is the configuration of our ASA and CME:
ASA config
-----------
hostname FW
domain-name mycompany.net
enable password iqz6QVfd1vedgoadHbdy encrypted
names
dns-guard
!
interface Ethernet0/0
speed 10
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZVoice
security-level 90
ip address 192.168.2.1 255.255.255.0
access-list idm extended permit ip any host 192.168.2.10
access-list Outside_IN extended permit tcp any host 1.1.1.10
access-list Outside_IN extended permit udp any host 1.1.1.10
access-list Outside_IN extended permit ip any host 1.1.1.10
access-list DMZVoice_access_in extended permit ip host 192.168.2.10 any
mtu outside 1500
mtu inside 1500
mtu DMZVoice 1500
global (outside) 1 1.1.1.254
global (DMZVoice) 1 192.168.2.2
nat (inside) 0 access-list 90
nat (inside) 1 192.168.0.0 255.255.255.0
nat (DMZVoice) 1 192.168.2.0 255.255.255.0
static (DMZVoice,outside) 1.1.1.10 192.168.2.10 netmask 255.255.255.255
access-group Outside_IN in interface outside
access-group idm in interface inside
access-group DMZVoice_access_in in interface DMZVoice
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect icmp
inspect mgcp
inspect sip
!
service-policy global_policy global
Cryptochecksum:1f1eacc9b3e66a8ddc8f3f6fddc699b9
: end
CME Config
----------
telephony-service
no auto-reg-ephone
fxo hook-flash
max-ephones 58
max-dn 300
ip source-address 192.168.2.10 port 2000
timeouts interdigit 5
system message My Company
url authentication http://192.168.2.10/CCMCIP/authenticate.asp extmob psswrd
load 7915-24 B015-1-0-3
load 7916-24 B016-1-0-3
load 7911 SCCP11.8-5-4S
load 7942 SCCP42.8-5-4S
load 7945 SCCP45.8-5-4S
load 7962 SCCP42.8-5-4S
load 7965 SCCP45.8-5-4S
time-zone 26
date-format dd-mm-yy
voicemail 800
max-conferences 8 gain -6
call-forward pattern .T
moh music-on-hold.au
multicast moh 239.1.1.1 port 2000s
web admin system name cisco secret 5 $1$Sii$wdhL0yfBaVhV%fePYB3FY.LK1
dn-webedit
time-webedit
transfer-system full-consult
transfer-pattern .T
secondary-dialtone 9
create cnf-files version-stamp Jan 01 2002 00:00:00
interface GigabitEthernet0/0
description ---- CCME connection to Core switch
ip address 192.168.2.10 255.255.255.0
duplex auto
speed auto
h323-gateway voip interface
h323-gateway voip bind srcaddr 192.168.2.10
!
interface ISM0/0
ip unnumbered GigabitEthernet0/0
!Application: CUE Running on ISM
----------------------------------
We are able to telnet to the CME interface 1.1.1.10 on port 5060 from both inside and outside the company.
The SIP client gets registered successfully from the inside, but there is no success when trying from the outside.
This is a debug from the SIP client:
------------------------
Attemping to connect to 1.1.1.10
Phone got as local port 57128
Jabra not connected
RTP engine ok
SIP engine ok
Sending STUN request
Phone connection failed, PBX not responding
--------------------------
I am getting the request on my ASA, and below is the debug from the ASA:
-------------------------
SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060
Found port 5060
Found port 56400
Via Port 56400
Found port 33891
Found port 5060
Found port 5060
SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)
SIP::Found To addr "sip:512@192.168.2.10:5060" (27)
SIP::Found From addr "sip:512@192.168.2.10:5060" (27)
SIP::Found From addr tag "14726e1d" (8)
SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)
SIP::Found CSeq 1 REGISTER
SIP::Found expires, 120 seconds
SIP::Updating xlate timeout for 80.79.159.89/33891 to 0:02:00
SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060
Found port 5060
Found port 56400
Via Port 56400
Found port 33891
Found port 5060
Found port 5060
SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)
SIP::Found To addr "sip:512@192.168.2.10:5060" (27)
SIP::Found From addr "sip:512@192.168.2.10:5060" (27)
SIP::Found From addr tag "14726e1d" (8)
SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)
SIP::Found CSeq 1 REGISTER
SIP::Found expires, 120 seconds
SIP::Updating xlate timeout for 80.79.159.89/33891 to 0:02:00
SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060
Found port 5060
Found port 56400
Via Port 56400
Found port 33891
Found port 5060
Found port 5060
SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)
SIP::Found To addr "sip:512@192.168.2.10:5060" (27)
SIP::Found From addr "sip:512@192.168.2.10:5060" (27)
SIP::Found From addr tag "14726e1d" (8)
SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)
SIP::Found CSeq 1 REGISTER
SIP::Found expires, 120 seconds
SIP::Updating xlate timeout for 80.79.159.89/33891 to 0:02:00
----------------------------------------
Can someone please advise me what should be done to make this work?
Is there any config that should be done on the CME (telephony-service)?
Thanks for the help.
11-19-2011 06:36 AM
Hi Charbel,
I would start by following this guide to set up packet captures on the inside and outside interfaces of the ASA:
https://supportforums.cisco.com/docs/DOC-17345
Once you've captured a failed registration, you'll need to see exactly what part of the process is failing. The debugs show the ASA is receiving the REGISTER message, so you'll want to make sure it is passing it on correctly to CME. If you confirm that, check the CME to make sure the REGISTER is processed correctly and a response is sent back toward the ASA, which should pass it through to the phone.
-Mike
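Added example, not part of either post: a small parser for the ASA SIP debug format quoted in the question, which groups received requests by Call-ID, CSeq and Via branch. The same transaction arriving more than once is the client retransmitting because it has not seen a response, which is the symptom the packet captures are meant to localize. The sample input is constructed from the debug lines above; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: one REGISTER block from the ASA debug in the question,
# trimmed to the lines the parser uses, repeated three times as in the post.
BLOCK = '''SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060
SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)
SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)
SIP::Found CSeq 1 REGISTER
SIP::Updating xlate timeout for 80.79.159.89/33891 to 0:02:00
'''
SAMPLE = BLOCK * 3

RECV = re.compile(r'^SIP::(\w+) received from (\S+?):([\d.]+)/(\d+) to (\S+?):([\d.]+)/(\d+)')
BRANCH = re.compile(r'^SIP::Found Via branch "([^"]+)"')
CALLID = re.compile(r'^SIP::Found Call-ID (\S+)')
CSEQ = re.compile(r'^SIP::Found CSeq (\d+) (\w+)')

def parse_requests(text):
    """Return one dict per 'received' message found in the debug output."""
    msgs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := RECV.match(line):
            cur = {"method": m[1], "in_if": m[2], "src": f"{m[3]}:{m[4]}",
                   "out_if": m[5], "dst": f"{m[6]}:{m[7]}"}
            msgs.append(cur)
        elif cur is None:
            continue  # header fields before any 'received' line are ignored
        elif m := BRANCH.match(line):
            cur["branch"] = m[1]
        elif m := CALLID.match(line):
            cur["call_id"] = m[1]
        elif m := CSEQ.match(line):
            cur["cseq"] = int(m[1])
    return msgs

def retransmissions(msgs):
    """Transactions (Call-ID, CSeq, branch) that were received more than once."""
    counts = Counter((m.get("call_id"), m.get("cseq"), m.get("branch")) for m in msgs)
    return {key: n for key, n in counts.items() if n > 1}

if __name__ == "__main__":
    for (call_id, cseq, branch), n in retransmissions(parse_requests(SAMPLE)).items():
        print(f"CSeq {cseq} for Call-ID {call_id} was received {n} times (retransmitted)")
```

A transaction flagged here says only that the client kept resending; comparing the outside and inside captures shows whether the request or the response is the one being lost.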