Hi, I have a question regarding allowing SIP traffic through an ASA.
I have the following situation:
'LAN A' with Call Manager and Phones <---> ASA 5520(running 8.3) <-----> internet <---> Another 3rd Party Firewall <---------> 'LAN B' 2 Cisco IP Phones
The remote phones in 'LAN B' will be configured to send SIP traffic to the Call Manager in 'LAN A'
Now I want to let my phones in the LAN make calls to the 2 Cisco IP Phones behind the other firewall.
To make calls FROM 'LAN A' to the phones in 'LAN B', on the ASA 5520 I was thinking I need to:
1) Enable SIP inspection and RTSP inspection
2) Put in a static NAT translation and ACE to expose the Cisco Call Manager to the remote phones.
3) Put in a rule allowing outbound SIP traffic to the remote phones.
4) Set up Priority Queuing for VoIP.
My questions are:
1) Does this sound sufficient from the point of view of the ASA 5520 configuration? If not, what am I missing?
2) From my understanding the SIP inspection will NAT the IPs of the phones for the RTP (voice) and open up pinholes. Does this mean I should not need to create any NATs or ACLs for the RTP traffic? If this is true, how does the SIP inspection decide what to NAT the phone IPs to for RTP traffic? I can't seem to find the answer anywhere.
3) Is the configuration similar if the traffic is Skinny instead?
I am not really a voice guy, but for the RTP stream that is negotiated between the phones, the ASA will dynamically open up pinholes (after looking into the SIP payloads) as you have said. How the ASA decides to which IP the phone gets NATed (within the payload as well) depends on the NAT configuration on the ASA. You can find information about what SIP inspection does in the first link above under Technical details. Hope this helps.
With regards to skinny, I would assume the above config would suffice (just replacing inspection for sip with inspection for skinny).
I've had a read through the documentation you provided, especially under the 'technical documentation' section, but I can't seem to see where it explains what the outgoing RTP traffic is NAT'ed to, or what incoming address the remote phones would be told to reach.
Could you please show me the part that states how the NAT'ing works?
I have not configured the firewalls for this setup yet as I am still planning my approach before implementing it.
However, the plan is the following.
A static NAT will be set up to expose the internal Call Manager. So for example on "LAN A":
Call Manager: real IP 192.168.1.10, NATed IP 188.8.131.52
For SIP the phones speak to the Call Manager directly, and I understand how to allow this to happen of course. My question is how the SIP inspection will choose what IP to NAT the internal phones' IPs to.
I'm trying to determine if it would be 184.108.40.206 or something else, i.e. the interface IP, i.e. 220.127.116.11.
You definitely need the call manager ip to be static NAT'd because the internal phones need to reach the call manager to register.
The internal phones, while trying to register, will get out through the PAT'd IP (I could see that you have done a PAT to the outside interface). The management of each internal phone getting PAT'd to the same IP address and trying to make a call is governed by the "inspect sip", which does more than inspecting SIP by controlling the RTP/RTCP stream.
Since the calling process involves accessing the Call Manager and the Call Manager redirecting the call to the proper phone, the PAT works in this scenario even though both end phones are being PAT'd.
Hope this helps. Let me know if you have any other concerns.
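Putting the plan from the thread (static NAT for the Call Manager, inbound ACE, outbound SIP rule, SIP/RTSP inspection, priority queuing) into ASA 8.3 syntax, as an added example rather than configuration posted by anyone in the thread. It assumes interface names inside/outside, a LAN A subnet of 192.168.1.0/24, ACL and object names chosen here, and the documentation address 203.0.113.10 as a placeholder for the public address of the LAN B firewall; 192.168.1.10, 188.8.131.52 and 220.127.116.11 are the addresses given above.

```cisco
! ---- Interfaces (assumed names and mask) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 220.127.116.11 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! ---- NAT (8.3 object NAT; ACLs below use REAL addresses) ----
! Static one-to-one for the Call Manager so LAN B phones can register to it.
object network CUCM
 host 192.168.1.10
 nat (inside,outside) static 188.8.131.52
! Dynamic PAT for the internal phones to the outside interface address.
! This same translation is what "inspect sip" applies to the phone
! addresses embedded in SDP (c=/m= lines), so RTP from a LAN A phone is
! presented to LAN B as 220.127.116.11 and a pinhole is opened for it.
object network LAN_A_PHONES
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Public address of the LAN B firewall (placeholder value).
object-group network LAN_B_PHONES
 network-object host 203.0.113.10
!
! ---- Inbound: only SIP signalling to the Call Manager is opened.
! RTP/RTCP needs no ACE or NAT of its own; the inspection engine
! creates those pinholes from the negotiated SDP ports.
access-list OUTSIDE_IN extended permit udp object-group LAN_B_PHONES object CUCM eq 5060
access-list OUTSIDE_IN extended permit tcp object-group LAN_B_PHONES object CUCM eq 5060
access-group OUTSIDE_IN in interface outside
!
! ---- Outbound: inside (100) to outside (0) is permitted by default.
! Only needed if an inside ACL restricts outbound traffic.
access-list INSIDE_OUT extended permit udp object CUCM object-group LAN_B_PHONES eq 5060
access-list INSIDE_OUT extended permit tcp object CUCM object-group LAN_B_PHONES eq 5060
access-list INSIDE_OUT extended permit udp object LAN_A_PHONES object-group LAN_B_PHONES eq 5060
access-group INSIDE_OUT in interface inside
!
! ---- Inspection (sip and rtsp are already in the default policy;
! shown explicitly here; use "inspect skinny" for SCCP phones) ----
policy-map global_policy
 class inspection_default
  inspect sip
  inspect rtsp
service-policy global_policy global
!
! ---- Priority queuing for voice on the outside interface ----
class-map VOICE_RTP
 match dscp ef
policy-map OUTSIDE_QOS
 class VOICE_RTP
  priority
priority-queue outside
service-policy OUTSIDE_QOS interface outside
```

The point of the NAT section answers the question asked above: the inspection engine does not pick an address of its own for RTP. It rewrites the embedded phone address with whatever translation already applies to that phone's packets (here the outside interface via PAT) and rewrites the Call Manager's embedded address with its static translation, then opens the UDP pinholes for the ports carried in the SDP. Verification on the box is `show conn` and `show service-policy inspect sip` during a test call.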