Here is a basic layout of the network. There are 6 locations on an MPLS network that reside behind an ASA 5510 for internet. The ASA is last resort for routing, all internal routing is handled by a Core router in the MPLS infrastructure. At each site is a Polycom Video phone. On the ASA are static 1:1 maps for each phone. If one site calls another via the mapped public IP, they work just fine, they are hairpinned on the ASA, everything is happy. When a call is placed to an outside IP, this is where things go screwy.
The ASA has version 8.2(2) installed on it.
The one we were working with is 192.168.2.15, mapped to public x.x.x.97. A call was placed internally to 126.96.36.199, which is a Polycom address. The ASA ACL has permit ip any to host, and icmp any to host, so basically nothing should be blocked. I can ping fine both ways, and see the correct translations, etc. However, when the call is initiated, I immediately get Deny TCP (no Connections) on port 5060 from both the public mapped IP and the destination IP, in both directions.
I ran a capture that included both public IPs and the private IPs in both directions. The capture came back with some interesting results. I see the packet enter the inside interface from the private IP, exit to the public IP, I see the return packet from the public IP hit the mapped public IP, but I do not see it being untranslated back to the private IP.
Thinking it might have something to do with SIP and H.323 inspection, I bypassed the inspect using an ACL and class map that denied the private and public mapped IPs from the inspection and allowed all else. This is something we found we needed to do for secure FTP through the firewall. No joy though, same results.
It appears as if the incoming packet is not being untranslated back to the private IP, but I can't seem to find any reason why. From the capture I can see the external connections, but without the response back to the internal, the connections are being dropped. One other thing I tried was increasing the DNS message length to 1500.
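The configuration pieces the post describes (hairpinning, a static 1:1 map for the phone, the inbound ACL, and a class map that exempts the phone from SIP/H.323 inspection), written out as an added ASA 8.2 example with the verification commands a troubleshooter would run next. This is not the poster's configuration: the interface names `inside`/`outside`, the ACL, class-map and capture names, and the use of `global_policy` are assumptions; 192.168.2.15, x.x.x.97 (the poster's redacted public address) and 126.96.36.199 are the values given in the post.

```cisco
! Assumed ASA 8.2 configuration, reconstructed from the post; not the poster's own config.

! Hairpinning: let site-to-site calls enter and leave the same (outside) interface.
same-security-traffic permit intra-interface

! Static 1:1 map for the phone (x.x.x.97 is the poster's redacted public IP).
static (inside,outside) x.x.x.97 192.168.2.15 netmask 255.255.255.255

! Inbound ACL on outside: permit ip/icmp from any source to the mapped address only.
! ACL name OUTSIDE_IN is assumed.
access-list OUTSIDE_IN extended permit ip any host x.x.x.97
access-list OUTSIDE_IN extended permit icmp any host x.x.x.97
access-group OUTSIDE_IN in interface outside

! Inspection exemption: deny entries are excluded from the class, permit entries are
! inspected. Both the private and the mapped public address are listed because a class
! applied globally sees pre-NAT addresses on the outside interface and post-NAT on inside.
access-list INSPECT_VOIP extended deny ip host 192.168.2.15 any
access-list INSPECT_VOIP extended deny ip any host 192.168.2.15
access-list INSPECT_VOIP extended deny ip host x.x.x.97 any
access-list INSPECT_VOIP extended deny ip any host x.x.x.97
access-list INSPECT_VOIP extended permit ip any any
class-map INSPECT_VOIP_CLASS
 match access-list INSPECT_VOIP
policy-map global_policy
 class inspection_default
  no inspect sip
  no inspect h323 h225
  no inspect h323 ras
 class INSPECT_VOIP_CLASS
  inspect sip
  inspect h323 h225
  inspect h323 ras
service-policy global_policy global

! Verification: capture the signalling leg on each interface and check that the
! return packet from 126.96.36.199 appears on inside with the private destination.
capture SIPCAP_OUT interface outside match tcp host x.x.x.97 host 126.96.36.199 eq 5060
capture SIPCAP_IN interface inside match tcp host 192.168.2.15 host 126.96.36.199 eq 5060
show capture SIPCAP_OUT
show capture SIPCAP_IN
! Confirm the translation and the connection entry exist for the phone.
show xlate debug | include 192.168.2.15
show conn address 192.168.2.15
show service-policy inspect sip
```

If `SIPCAP_OUT` shows the reply from 126.96.36.199 but `SIPCAP_IN` never shows it with destination 192.168.2.15, the drop is happening between untranslation and the inside interface, which matches the symptom in the post; `show conn` will then show whether the outbound SYN ever created a connection entry for the reply to match, since the `Deny TCP (no connection)` message means the packet found no existing conn. Remove the captures with `no capture SIPCAP_OUT` and `no capture SIPCAP_IN` when done.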
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: