
Configure ASA and SIP

charbel.soueid
Level 1

Dear Team,

I have the following issue,

We need to configure our Cisco Call Manager Express (CME) and our Cisco ASA in order to allow connections for SIP clients outside the company.

Below is the configuration of our ASA and CME:

ASA config

-----------

hostname FW

domain-name mycompany.net

enable password iqz6QVfd1vedgoadHbdy encrypted

names

dns-guard

!

interface Ethernet0/0

speed 10

nameif outside

security-level 0

ip address 1.1.1.2 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/2

nameif DMZVoice

security-level 90

ip address 192.168.2.1 255.255.255.0

access-list idm extended permit ip any host 192.168.2.10

access-list Outside_IN extended permit tcp any host 1.1.1.10

access-list Outside_IN extended permit udp any host 1.1.1.10

access-list Outside_IN extended permit ip any host 1.1.1.10

access-list DMZVoice_access_in extended permit ip host 192.168.2.10 any

mtu outside 1500

mtu inside 1500

mtu DMZVoice 1500

global (outside) 1 1.1.1.254

global (DMZVoice) 1 192.168.2.2

nat (inside) 0 access-list 90

nat (inside) 1 192.168.0.0 255.255.255.0

nat (DMZVoice) 1 192.168.2.0 255.255.255.0

static (DMZVoice,outside) 1.1.1.10 192.168.2.10 netmask 255.255.255.255

access-group Outside_IN in interface outside

access-group idm in interface inside

access-group DMZVoice_access_in in interface DMZVoice

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect icmp

  inspect mgcp

  inspect sip

!

service-policy global_policy global

Cryptochecksum:1f1eacc9b3e66a8ddc8f3f6fddc699b9

: end

CME Config

----------

telephony-service

no auto-reg-ephone

fxo hook-flash

max-ephones 58

max-dn 300

ip source-address 192.168.2.10 port 2000

timeouts interdigit 5

system message My Company

url authentication http://192.168.2.10/CCMCIP/authenticate.asp extmob psswrd

load 7915-24 B015-1-0-3

load 7916-24 B016-1-0-3

load 7911 SCCP11.8-5-4S

load 7942 SCCP42.8-5-4S

load 7945 SCCP45.8-5-4S

load 7962 SCCP42.8-5-4S

load 7965 SCCP45.8-5-4S

time-zone 26

date-format dd-mm-yy

voicemail 800

max-conferences 8 gain -6

call-forward pattern .T

moh music-on-hold.au

multicast moh 239.1.1.1 port 2000s

web admin system name cisco secret 5 $1$Sii$wdhL0yfBaVhV%fePYB3FY.LK1

dn-webedit

time-webedit

transfer-system full-consult

transfer-pattern .T

secondary-dialtone 9

create cnf-files version-stamp Jan 01 2002 00:00:00

interface GigabitEthernet0/0

description ---- CCME connection to Core switch

ip address 192.168.2.10 255.255.255.0

duplex auto

speed auto

h323-gateway voip interface

h323-gateway voip bind srcaddr 192.168.2.10

!

interface ISM0/0

ip unnumbered GigabitEthernet0/0

!Application: CUE Running on ISM

----------------------------------

We are able to telnet to the CME interface 1.1.1.10 on port 5060 from both inside and outside the company.

The SIP client registers successfully from the inside, but has no success when trying from the outside.

This is a debug from the SIP client:


------------------------

Attemping to connect to 1.1.1.10

Phone got as local port 57128

Jabra not connected

RTP engine ok

SIP engine ok

Sending STUN request

Phone connection failed, PBX not responding

--------------------------

I am getting the request on my ASA and below is the debug from the ASA:

-------------------------

SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060

        Found port 5060

        Found port 56400

Via Port 56400

        Found port 33891

        Found port 5060

        Found port 5060

SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)

SIP::Found To addr "sip:512@192.168.2.10:5060" (27)

SIP::Found From addr "sip:512@192.168.2.10:5060" (27)

SIP::Found From addr tag "14726e1d" (8)

SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)

SIP::Found CSeq 1 REGISTER

SIP::Found expires, 120 seconds

SIP::Updating xlate timeout for 80.79.159.89/33891 to 0:02:00

SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060

        Found port 5060

        Found port 56400

Via Port 56400

        Found port 33891

        Found port 5060

        Found port 5060

SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)

SIP::Found To addr "sip:512@192.168.2.10:5060" (27)

SIP::Found From addr "sip:512@192.168.2.10:5060" (27)

SIP::Found From addr tag "14726e1d" (8)

SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)

SIP::Found CSeq 1 REGISTER

SIP::Found expires, 120 seconds

SIP::Updating xlate timeout for 80.79.159.89/33891 to 0:02:00

SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060

        Found port 5060

        Found port 56400

Via Port 56400

        Found port 33891

        Found port 5060

        Found port 5060

SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)

SIP::Found To addr "sip:512@192.168.2.10:5060" (27)

SIP::Found From addr "sip:512@192.168.2.10:5060" (27)

SIP::Found From addr tag "14726e1d" (8)

SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)

SIP::Found CSeq 1 REGISTER

SIP::Found expires, 120 seconds

SIP::Updating xlate timeout for 80.79.159.89/33891 to 0:02:00

----------------------------------------

Can someone please advise me what should be done to make this work?

Is there any config that should be done on the CME (telephony-service)?

Thanks for the help.

1 Reply

mirober2
Cisco Employee

Hi Charbel,

I would start by following this guide to set up packet captures on the inside and outside interfaces of the ASA:

https://supportforums.cisco.com/docs/DOC-17345

Once you've captured a failed registration, you'll need to see exactly what part of the process is failing. The debugs show the ASA is receiving the REGISTER message, so you'll want to make sure it is passing it on correctly to CME. If you confirm that, check the CME to make sure the REGISTER is processed correctly and a response is sent back toward the ASA, which should pass it through to the phone.

-Mike
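
Added example, not part of either post: a Python script that groups the ASA SIP debug entries above by Via branch, Call-ID and CSeq. Identical values mark a resend of the same REGISTER rather than a new attempt, which is the pattern to look for again in the captures. The function names are hypothetical, and the parser assumes only the line formats visible in that debug.

```python
import re
from collections import Counter

# Sample input: one REGISTER entry from the ASA debug in the post, reduced to
# the lines the parser reads, repeated three times as it appears there.
ENTRY = '''\
SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060
SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)
SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)
SIP::Found CSeq 1 REGISTER
'''
SAMPLE_DEBUG = ENTRY * 3

RECEIVED = re.compile(
    r'SIP::(\w+) received from (\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+)')
FIELDS = {
    "branch": re.compile(r'SIP::Found Via branch "([^"]+)"'),
    "call_id": re.compile(r'SIP::Found Call-ID (\S+)'),
    "cseq": re.compile(r'SIP::Found CSeq (\d+)'),
}

def parse_messages(text):
    """Return one dict per 'received' line, with the fields logged after it."""
    msgs = []
    for line in text.splitlines():
        line = line.strip()
        m = RECEIVED.match(line)
        if m:
            msgs.append({"method": m[1], "src_if": m[2], "src": f"{m[3]}/{m[4]}",
                         "dst_if": m[5], "dst": f"{m[6]}/{m[7]}"})
        elif msgs:
            for name, rx in FIELDS.items():
                m = rx.match(line)
                if m:
                    msgs[-1][name] = m[1]
    return msgs

def retransmitted(msgs):
    """Count messages per SIP transaction; keep those seen more than once."""
    counts = Counter((m["src"], m["method"], m.get("call_id"),
                      m.get("cseq"), m.get("branch")) for m in msgs)
    return {key: n for key, n in counts.items() if n > 1}

if __name__ == "__main__":
    found = retransmitted(parse_messages(SAMPLE_DEBUG))
    for (src, method, call_id, cseq, branch), n in found.items():
        print(f"{method} CSeq {cseq} from {src} logged {n} times "
              f"with the same branch {branch}: resend of one request")
```

Run against the full debug, a single transaction logged three times means the ASA saw the phone resend the request; the captures on the DMZVoice and outside interfaces then show whether each copy left the ASA and whether any response came back.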
