
New Member

not able to SIP through ASA client VPN


I have configured VPN client on my ASA 5510,

I am trying now to telnet my call manager on port 5060 and on port 2000.

When I am connected locally I am able to telnet both ports, but when I am trying to connect through the Cisco VPN client I am able to telnet port 2000 and not able to telnet 5060. Both ports are on the same call manager.

When using Windows VPN I am able to telnet both ports.

Can someone please advise if there's a special configuration for SIP on my ASA?

Please note that I have the same issue even if I removed inspect SIP from:

policy-map global_policy

class inspection_default


Hall of Fame Super Silver

not able to SIP through ASA client VPN

Please post your ASA configuration. There are many different ways to configure VPN client (clientless SSL VPN, VPN client-based SSL VPN, IPsec remote access VPN, etc.). One cannot troubleshoot a problem like this without seeing the details of the way you are using.

New Member

not able to SIP through ASA client VPN


Thanks for your support,

Below is my ASA config:

ASA Version 7.0(7)


hostname FW


enable password iqz6QVJ1vegoHbdy encrypted


name inside_network

name dmz_network

name outside_network

name server1

name server2



interface Ethernet0/0

speed 10

nameif outside

security-level 0

ip address


interface Ethernet0/1

nameif inside

security-level 100

ip address


interface Ethernet0/2

nameif dmz

security-level 90

ip address


passwd iqaszg6gQVJ1dvcfssgoHgbndy encrypted

ftp mode passive

clock timezone EEST 2

clock summer-time EEDT recurring last Sun Mar 0:00 last Sun Oct 0:00

access-list inside_to_outside extended permit ip inside_network any

access-list outside_to_inside extended permit ip any server1

access-list outside_to_inside extended permit ip any server2

access-list dmz_acl extended permit ip host any

access-list 90 extended permit ip inside_network

access-list 90 extended permit ip inside_network

access-list ClientVPN_splitTunnelAcl standard permit inside_network

access-list ClientVPN_splitTunnelAcl standard permit dmz_network

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu WhozDMZ 1500

ip local pool VPNIpPool mask

icmp deny any outside

asdm image disk0:/asdm-509.bin

no asdm history enable

arp timeout 14400

global (outside) 1

nat (inside) 0 access-list 90

nat (inside) 1 inside_network

static (inside,outside) server1 netmask

static (inside,outside) server2 netmask

access-group outside_to_inside in interface outside

access-group inside_to_outside in interface inside

access-group dmz_acl in interface dmz

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy ClientVPN internal

group-policy ClientVPN attributes

dns-server value

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ClientVPN_splitTunnelAcl

default-domain value inmobiles.local


username user1 password X.a/bhwgdLG6Bswg5Df0F encrypted privilege 0

username user1 attributes

vpn-group-policy ClientVPN


http server enable

http inside_network inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set Client_Site_VPN esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set Client_Site_VPN

crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map ToOutside interface outside

isakmp identity address

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption aes-256

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

isakmp policy 50 authentication pre-share

isakmp policy 50 encryption 3des

isakmp policy 50 hash md5

isakmp policy 50 group 1

isakmp policy 50 lifetime 86400

isakmp nat-traversal  20

tunnel-group ClientVPN type ipsec-ra

tunnel-group ClientVPN general-attributes

address-pool VPNIpPool

default-group-policy ClientVPN

tunnel-group ClientVPN ipsec-attributes

pre-shared-key *

telnet inside_network inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside


class-map inspection_default

match default-inspection-traffic



policy-map global_policy

class inspection_default

  inspect ftp

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect icmp

  inspect mgcp

  inspect sip

  inspect skinny

  inspect h323 h225

  inspect h323 ras


service-policy global_policy global


: end


Hall of Fame Super Silver

not able to SIP through ASA client VPN

Thanks for the details.

Your configuration looks pretty straightforward. I don't see any access-lists or policies that would prevent telnet from working on 5060 (SIP) when it works on port 2000 (SCCP or 'skinny'). You've not changed the default port assignments with the fixup command.

I would assume your VPN client is assigned an address from the pool . What is the destination IP of your server?

The policy-map should be allowing both protocols. You can verify that it is by using the commands:

     show service-policy inspect sip

     show service-policy inspect skinny

When you say you are not able to telnet on port 5060, what exactly do you see happening?

New Member

not able to SIP through ASA client VPN


Thank you for your help,

The destination server is in the DMZ zone and its IP is

     show service-policy inspect sip

     show service-policy inspect skinny

are not working on my ASA.

We have the below CLI commands:

show service-policy ?

exec mode commands/options:

  flow       Show all policies that are enabled on a flow

  global     show status/statistics of the global policy

  interface  show status/statistics of an interface policy

  ips        Show status/statistics of 'ips' policy

  police     Show status/statistics of 'police' policy

  priority   Show status/statistics of 'priority' policy

  set        Show status/statistics of 'set' policy

  |          Output modifiers

Could it be my IOS version? All posts say that in some ASA IOS there was a SIP bug and we should upgrade.


New Member

not able to SIP through ASA client VPN


I am trying to use normal Windows CMD telnet and I am getting

C:\Windows\System32>telnet 5060

Connecting To not open connection to the host, on port 5060: Connect failed

On port 2000 it is working just fine.


Hall of Fame Super Silver

not able to SIP through ASA client VPN

It could be your ASA version. 7.0(7) is very old for an ASA release. I always hesitate to just answer "upgrade" as that is often given as an answer without taking time to fully understand the problem. If you are willing, it would be a good thing to try - you would need to do a several-step upgrade to get up to at least 8.2(5) from 7.0(7).

New Member

not able to SIP through ASA client VPN

Hi, I have upgraded my ASA to 8.2(1) and I have configured no NAT on the VPN client IP pool.

And it's working fine now.


New Member

not able to SIP through ASA client VPN

access-list NONATdmz extended permit ip dmz

access-list NONATdmz extended permit ip dmz

access-list NONATdmz extended permit ip dmz

nat (DMZ) 0 access-list NONATdmz
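
Added example, not part of the thread or of any poster's configuration: a Python check for the gap the last two posts close, an interface whose network is in the split-tunnel list but which has no nat 0 exemption towards the VPN client pool. All addresses in the sample are constructed (the posted configuration has them removed), and the parser only handles the network/mask ACL forms shown.

```python
import ipaddress
# Constructed sample in ASA 7.x/8.2 syntax; every address here is made up.
SAMPLE = """\
interface Ethernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 ip address 10.2.2.1 255.255.255.0
ip local pool VPNIpPool 10.9.9.1-10.9.9.50 mask 255.255.255.0
access-list 90 extended permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
access-list ClientVPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list ClientVPN_splitTunnelAcl standard permit 10.2.2.0 255.255.255.0
nat (inside) 0 access-list 90
"""
# Same shape as the exemption in the last post, with constructed addresses.
FIX = """\
access-list NONATdmz extended permit ip 10.2.2.0 255.255.255.0 10.9.9.0 255.255.255.0
nat (DMZ) 0 access-list NONATdmz
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def missing_nat_exemptions(config, split_acl):
    """Interfaces serving a split-tunnel network with no nat 0 rule to the pool."""
    ifnets, ext, nat0, split, pool, name = {}, {}, {}, [], [], None
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["nameif"] and len(w) > 1:
            name = w[1].lower()  # names compared case-insensitively (assumption)
        elif w[:2] == ["ip", "address"] and name and len(w) > 3:
            ifnets[name] = net(w[2], w[3])
        elif w[:3] == ["ip", "local", "pool"] and len(w) > 4:
            pool = [ipaddress.ip_address(a) for a in w[4].split("-")]
        elif w[2:5] == ["extended", "permit", "ip"] and len(w) == 9:
            ext.setdefault(w[1], []).append((net(w[5], w[6]), net(w[7], w[8])))
        elif w[1:4] == [split_acl, "standard", "permit"] and len(w) == 6:
            split.append(net(w[4], w[5]))
        elif w[:1] == ["nat"] and w[2:4] == ["0", "access-list"] and len(w) > 4:
            nat0[w[1].strip("()").lower()] = w[4]
    missing = []
    for s in split:
        for ifc, n in ifnets.items():
            rules = ext.get(nat0.get(ifc), [])
            ok = any(s.subnet_of(src) and all(p in dst for p in pool) for src, dst in rules)
            if s.overlaps(n) and not ok:
                missing.append(ifc)
    return missing

print(missing_nat_exemptions(SAMPLE, "ClientVPN_splitTunnelAcl"))
```

An exemption whose destination covers only part of the pool is reported as missing too, because the check requires both ends of the pool range to fall inside the ACL's destination network.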