[SOLVED] Cisco ASA 5505 Deny UDP

Hello Everyone!

I'm relatively new to Cisco ASA firewalls and I recently came across an issue which I wasn't able to google. I'm using a 5505 with 8.2 firmware to act as a simple firewall for Asterisk. I'm having no problems with inbound calls: signaling and SIP traffic work fine. However, when I try to dial out, I have issues with both audio and signalling events. My Asterisk is behind the firewall with a NATed external IP. When I analyze the log I see the following:

Nov 03 2014 06:17:19: %ASA-4-106023: Deny udp src outside:207.223.70.133/61776 dst inside200:50.244.X.Y/18864 by access-group "outside2inside" [0x0, 0x0]

Where 50.244.X.X is my external IP and outside2inside is the access list, which has the following lines:

access-list outside2inside extended permit udp host 64.136.174.30 any
access-list outside2inside extended permit udp 207.223.0.0 255.255.0.0 host 192.168.200.203

Here's the static section:

static (inside200,outside) 50.244.X.Y 192.168.200.203 netmask 255.255.255.255

My question is why is it blocking the udp traffic with destination as 50.244.X.Y instead of 192.168.200.203?

Thanks in advance.

1 ACCEPTED SOLUTION

In 8.2 ASA code, you need to reference the public IP in your access-list. In this case, you are allowing UDP to 192.168.200.203 when you should be allowing to 50.244.x.x.

Try changing that and see if it works.
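
Added example, not part of the original thread: a small Python check that replays the question's ACL, static NAT line and 106023 deny message and reports when an ACE names the real address although 8.2 evaluates the interface ACL against the mapped one. The address 198.51.100.10 is a constructed placeholder for the redacted 50.244.X.Y, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input modelled on the thread; 198.51.100.10 stands in
# for the redacted public address 50.244.X.Y.
STATIC = "static (inside200,outside) 198.51.100.10 192.168.200.203 netmask 255.255.255.255"
ACL = [
    "access-list outside2inside extended permit udp host 64.136.174.30 any",
    "access-list outside2inside extended permit udp 207.223.0.0 255.255.0.0 host 192.168.200.203",
]
DENY = ('%ASA-4-106023: Deny udp src outside:207.223.70.133/61776 '
        'dst inside200:198.51.100.10/18864 by access-group "outside2inside" [0x0, 0x0]')

def parse_static(line):
    """Return (mapped, real) from an 8.2-style static NAT line."""
    m = re.match(r"static \(\S+,\S+\) (\S+) (\S+) netmask", line)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Return (src_net, dst_net) for a 'permit udp SRC DST' entry without ports."""
    tokens = line.split()[5:]  # skip: access-list NAME extended permit udp
    src, rest = take_addr(tokens)
    dst, _ = take_addr(rest)
    return src, dst

def diagnose(deny, acl, static):
    """Explain a 106023 deny given the ACL and static NAT (pre-8.3 semantics)."""
    m = re.search(r"src \S+?:([\d.]+)/\d+ dst \S+?:([\d.]+)/\d+", deny)
    src, dst = map(ipaddress.ip_address, m.groups())
    mapped, real = parse_static(static)
    aces = [parse_ace(line) for line in acl]
    if any(src in s and dst in d for s, d in aces):
        return "permitted"
    # Would the packet have matched if the ACE named the mapped address instead?
    if dst == mapped and any(src in s and real in d for s, d in aces):
        return f"ACE names real IP {real}; 8.2 matches on mapped IP {mapped}"
    return "no matching ACE"
```

Running `diagnose(DENY, ACL, STATIC)` reproduces the situation in the question; rewriting the second ACE to end in `host 198.51.100.10` makes the same packet come back as `permitted`.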

Thank you for your answer! I tried that before but for whatever reason only a power cycle of the 5505 helped to solve it.

I still have issues with outbound calls though. It doesn't block any incoming connections because of any access-lists but it is still tearing some of them down. Here's the excerpt from my log:

Nov 04 2014 04:29:33: %ASA-6-302015: Built outbound UDP connection 41 for outside:64.136.174.30/5060 (64.136.174.30/5060) to inside200:192.168.200.203/5060 (50.244.X.Y/5060)
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:33: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-302016: Teardown UDP connection 30 for outside:64.136.174.30/0 to outside:50.244.X.Y/5060 duration 0:02:52 bytes 0
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:34: %ASA-7-609001: Built local-host outside:207.223.70.132
Nov 04 2014 04:29:34: %ASA-6-302015: Built inbound UDP connection 45 for outside:207.223.70.132/48906 (207.223.70.132/48906) to inside200:192.168.200.203/16478 (50.244.X.Y/16478)
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:35: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-302016: Teardown UDP connection 44 for outside:64.136.174.30/0 to outside:50.244.X.Y/5060 duration 0:00:02 bytes 0
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:37: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:39: %ASA-6-302015: Built outbound UDP connection 47 for outside:207.223.70.132/48907 (207.223.70.132/48907) to inside200:192.168.200.203/16479 (50.244.X.Y/16479)
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:41: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:43: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from 200 message
Nov 04 2014 04:29:43: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to outside:207.223.70.132 from 200 message
Nov 04 2014 04:29:46: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from 200 message
Nov 04 2014 04:29:46: %ASA-6-302016: Teardown UDP connection 48 for outside:64.136.174.30/5060 to inside200:192.168.200.203/0 duration 0:00:02 bytes 0
Nov 04 2014 04:29:46: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to outside:207.223.70.132 from 200 message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-302016: Teardown UDP connection 46 for outside:64.136.174.30/0 to outside:50.244.X.Y/5060 duration 0:00:11 bytes 0
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from 200 message
Nov 04 2014 04:29:49: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to outside:207.223.70.132 from 200 message
Nov 04 2014 04:29:53: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:29:53: %ASA-7-609001: Built local-host TWFirewall:192.168.200.203
Nov 04 2014 04:29:53: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:29:53: %ASA-6-302016: Teardown UDP connection 52 for outside:64.136.174.30/5060 to inside200:192.168.200.203/0 duration 0:00:03 bytes 0
Nov 04 2014 04:29:56: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:29:56: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:30:00: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:30:00: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:30:04: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:64.136.174.30/5060 to inside200:192.168.200.203 from BYE message
Nov 04 2014 04:30:04: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:64.136.174.30/5060 to TWFirewall:192.168.200.203 from 4xx message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for outside:50.244.X.Y/5060 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:50.244.X.Y/16478 to outside:64.136.174.30 from INVITE message
Nov 04 2014 04:30:05: %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:50.244.X.Y/16479 to outside:64.136.174.30 from INVITE message

 

 

I would appreciate any advice on how to proceed from here.

Thank you!

I finally found out what was the issue with the outgoing calls. Disabling inspect sip did the trick.

 
