
Strange problem with Polycom on 5510

Here is a basic layout of the network. There are 6 locations on an MPLS network that reside behind an ASA 5510 for internet. The ASA is last resort for routing; all internal routing is handled by a core router in the MPLS infrastructure. At each site is a Polycom video phone. On the ASA are static 1:1 maps for each phone. If one site calls another via the mapped public IP, they work just fine, they are hairpinned on the ASA, everything is happy. When a call is placed to an outside IP, this is where things go screwy.

The ASA has version 8.2(2) installed on it.

The one we were working with is, mapped to public x.x.x.97. A call was placed internally to, which is a Polycom address. The ASA ACL has permit ip any to host, and icmp any to host, so basically nothing should be blocked. I can ping fine both ways, and see the correct translations, etc. However, when the call is initiated, I immediately get Deny TCP(no Connections) on port 5060 from both the public mapped IP and the destination IP, in both directions.

I ran a capture that included both public IPs and the private IPs in both directions. The capture came back with some interesting results. I see the packet enter the inside interface from the private IP, exit to the public IP, I see the return packet from the public IP hit the mapped public IP, but I do not see it being untranslated back to the private IP.

  4: 07:59:01.319548 > x.x.x.97.5060: S 591883322:591883322(0) ack 3961120088 win 5840 <mss 1460,nop,nop,sackOK>
   5: 07:59:04.290313 > S 3833084348:3833084348(0) win 5840 <mss 1460,sackOK,timestamp 1803832 0,nop,wscale 5>
   6: 07:59:04.320234 > x.x.x.97.5060: S 591883322:591883322(0) ack 3961120088 win 5840 <mss 1460,nop,nop,sackOK>

When I run a PING though

  25: 07:43:59.257982 > icmp: echo request
  26: 07:43:59.289520 > x.x.x.97: icmp: echo reply
  27: 07:43:59.289718 > x.x.x.97: icmp: echo reply
  28: 07:43:59.289825 > x.x.x.97: icmp: echo reply
  29: 07:43:59.289978 > icmp: echo reply

Thinking it might have something to do with SIP and H.323 inspection, I bypassed the inspect using an ACL and class map that denied the private and public mapped IPs from the inspection and allowed all else. This is something we found we needed to do for secure FTP through the firewall. No joy though, same results.

It appears as if the incoming packet is not being untranslated back to the private IP, but I can't seem to find any reason why. From the capture I can see the external connections, but without the response back to the internal, the connections are being dropped. One other thing I tried was increasing the DNS message length to 1500.

Any help on this would be appreciated.


Re: Strange problem with Polycom on 5510

Can you post the topology in order to better understand the scenario? And just to check, can you also run a capture with the ASP option?

capture test type asp-drop all
