I have an issue I hope someone can help with. I am not sure of the entire setup but I will try and explain what I know. A client has an application through which they login and somehow calls are pushed to them. They are able to receive the call but it times out after about 30 secs, during which time neither side can hear each other. The remote end says that they see the setup (SIP is being used) but the audio is not working, and they say that ports need to be opened to allow RTP.
The setup at the client is pretty simple: it is a switch connected to a PIX running 8.0(4), which then connects to the Internet. I am not sure how I am supposed to open these ports because it's not inbound traffic, so I would not need any static NAT entries or an ACL on the outside interface to permit the traffic. I don't get why it does not work either, because the PIX is configured to allow a SIP trunk from a different external party to the PBX and that works fine.
If I do a sh conn the following is displayed (IP address changed). It seems that it is "SIP transient and incomplete." I'm not sure what that means.
Ok so I made some progress, or not much at all. As mentioned before, there is an application that resides on end user PCs and when they login it registers with a SIP server and they are able to pull calls. According to the admins on the other end, they are currently using an Asterisk PBX and as such it is a requirement that SIP inspection be turned off in order for it to work; however, I have an existing SIP trunk.
The existing SIP trunk is a static NAT which forwards traffic to the PBX with the accompanying ACL on the outside interface, and this works fine with the SIP inspection.
So at first I tried to only allow the existing SIP trunk to be inspected while denying anything else from being inspected. See the change below.
access-list SIP extended permit tcp host 192.168.50.1 any eq sip
access-list SIP extended permit udp host 192.168.50.1 any eq sip
access-list SIP extended permit tcp any host 192.168.50.1 eq sip
access-list SIP extended permit udp any host 192.168.50.1 eq sip
access-list SIP extended deny tcp any any eq sip
access-list SIP extended deny udp any any eq sip
class-map SIP
 match access-list SIP
no inspect sip
As soon as this change was made I started receiving a lot of land attacks in the syslog from IP 192.168.50.1 to 192.168.50.1, and the SIP trunk immediately stops working, while the new SIP connection would work fine. So I thought maybe I should disable SIP inspection altogether, but once again the land attacks start appearing in the syslog and the SIP trunk stops working, while the one that requires SIP inspection turned off works fine.
It seems to me that SIP inspection is not enabled at all, even with the changes that were made to the global policy to try and match the specific traffic.
So what I would really like to know is if it is even possible to do selective SIP inspection on a PIX or ASA? Any responses to this would be greatly appreciated, please, thanks.
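For reference, the Modular Policy Framework shape that applies SIP inspection only to one class of traffic on PIX/ASA 7.x/8.x: this is an added example, not the poster's configuration or a Cisco document. It assumes the default policy-map global_policy and class inspection_default are in use, and it reuses the PBX address 192.168.50.1 from the post. The deny lines in the original ACL are omitted because a class-map only selects traffic the ACL permits; anything else simply does not match the class, so the explicit denies add nothing.

```cisco
! ACL that selects only the PBX trunk traffic (both directions) for inspection.
! Traffic not permitted here never matches class SIP_INSPECT and so is not inspected.
access-list SIP_INSPECT extended permit tcp host 192.168.50.1 any eq sip
access-list SIP_INSPECT extended permit udp host 192.168.50.1 any eq sip
access-list SIP_INSPECT extended permit tcp any host 192.168.50.1 eq sip
access-list SIP_INSPECT extended permit udp any host 192.168.50.1 eq sip

! Class that matches the trunk traffic.
class-map SIP_INSPECT
 match access-list SIP_INSPECT

! Assumed default global policy: remove SIP from the catch-all inspection class,
! then apply it only to the trunk class. Other inspections in inspection_default
! (dns, ftp, h323, ...) are left as they were.
policy-map global_policy
 class inspection_default
  no inspect sip
 class SIP_INSPECT
  inspect sip

! Already present by default; shown so the example stands on its own.
service-policy global_policy global
```

After applying it, "show service-policy inspect sip" should report packet counts only under class SIP_INSPECT, which is the quickest way to confirm the selective class is actually being hit rather than inspection being silently off for everything.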