Cisco Support Community

SIP BYEs don't pass through with ASA 8.4 double-nat


I got the following situation:

CellPhone - PSTN - SIP Provider - Internet - Cisco ASA 5550 with 8.4 - Cisco 3845 CUBE - SIP Media Server IVR

SIP Provider initiates SIP control through ASA to 3845 to Media Server

Media Server inititates SIP media through ASA to SIP Provider

ASA5550 is setup with Double-Nat and SIP inspection. Double-NAT is necessary because we will have multiple ASA 5550 firewalls and need the return traffic to come back through the correct ASA.

Invites and Voice is working fine. The problem is with call disconnect.

1. When Double-NAT is disabled, and only inside>outside Nat is enabled, then there are no problems. If IVR on Media Server needs to disconnect the call, it sends SIP BYE to CUBE, CUBE sends SIP BYE to ASA, ASA sends SIP BYE to provider, and Cell Phone will see the call disconnect. No issues.

2. When Double-NAT is enabled, we have a problem. IVR on Media Server sends SIP BYE to CUBE, CUBE sends SIP BYE to ASA (I see it in debug ccsip messages), and ASA seems to lose this SIP BYE during inspection, because provider claims that never sip SIP BYE come from us. Consequently, cell phone never seens the call disconnect. If the user forgets to hang up we get charged for extra minutes.

ASA outside nat config:

object network obj-



nat (outside,inside) source dynamic any obj- service udp udp

Any suggestions/ideas?

CreatePlease to create content