Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

not able to SIP through ASA client VPN

Dears,


I have configured VPN client on my ASA 5510,


I am trying now to telnet my call manager on port 5060 and on port 2000.


When i am connected localy i am able to telnet both ports, but when i am trying to connect through cisco VPN client i am able to telnet the port 2000 and not able to telnet 5060. Both ports are on the same call manager.


When using windows VPN i am able to telnet both ports.


Can somone please advise if there's a special configuration for SIP on my ASA.


Please note that i have same issue even if i removed inspect SIP from:

policy-map global_policy

class inspection_default


Regards

Everyone's tags (5)
8 REPLIES
Hall of Fame Super Silver

not able to SIP through ASA client VPN

Please post your ASA configuration. There are many different ways to configure VPN client (clientless SSL VPN, VPN client-based SSL VPN, IPsec remote access VPN, etc.). One cannot troubleshoot a problem like this without seeing the details of the way you are using.

New Member

not able to SIP through ASA client VPN

hi,

Thanks for your support,

below is my ASA config:

ASA Version 7.0(7)

!

hostname FW

domain-name Company.com

enable password iqz6QVJ1vegoHbdy encrypted

names

name 192.168.0.0 inside_network

name 172.16.0.0 dmz_network

name 10.10.10.0 outside_network

name 10.10.10.2 server1

name 10.10.10.3 server2

dns-guard

!

interface Ethernet0/0

speed 10

nameif outside

security-level 0

ip address 10.10.10.2 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 90

ip address 172.16.0.1 255.255.255.0

!

passwd iqaszg6gQVJ1dvcfssgoHgbndy encrypted

ftp mode passive

clock timezone EEST 2

clock summer-time EEDT recurring last Sun Mar 0:00 last Sun Oct 0:00

access-list inside_to_outside extended permit ip inside_network 255.255.255.0 any

access-list outside_to_inside extended permit ip any server1

access-list outside_to_inside extended permit ip any server2

access-list dmz_acl extended permit ip host 172.16.0.10 any

access-list 90 extended permit ip inside_network 255.255.255.0 192.168.145.0 255.255.255.0

access-list 90 extended permit ip inside_network 255.255.255.0 192.168.0.248 255.255.255.248

access-list ClientVPN_splitTunnelAcl standard permit inside_network 255.255.255.0

access-list ClientVPN_splitTunnelAcl standard permit dmz_network 255.255.255.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu WhozDMZ 1500

ip local pool VPNIpPool 192.168.0.250-192.168.0.252 mask 255.255.255.0

icmp deny any outside

asdm image disk0:/asdm-509.bin

no asdm history enable

arp timeout 14400

global (outside) 1 10.10.10.254

nat (inside) 0 access-list 90

nat (inside) 1 inside_network 255.255.255.0

static (inside,outside) server1 192.168.0.66 netmask 255.255.255.255

static (inside,outside) server2 192.168.0.67 netmask 255.255.255.255

access-group outside_to_inside in interface outside

access-group inside_to_outside in interface inside

access-group dmz_acl in interface dmz

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy ClientVPN internal

group-policy ClientVPN attributes

dns-server value 192.168.0.30

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ClientVPN_splitTunnelAcl

default-domain value inmobiles.local

webvpn

username user1 password X.a/bhwgdLG6Bswg5Df0F encrypted privilege 0

username user1 attributes

vpn-group-policy ClientVPN

webvpn

http server enable

http inside_network 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set Client_Site_VPN esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set Client_Site_VPN

crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map ToOutside interface outside

isakmp identity address

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption aes-256

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

isakmp policy 50 authentication pre-share

isakmp policy 50 encryption 3des

isakmp policy 50 hash md5

isakmp policy 50 group 1

isakmp policy 50 lifetime 86400

isakmp nat-traversal  20

tunnel-group ClientVPN type ipsec-ra

tunnel-group ClientVPN general-attributes

address-pool VPNIpPool

default-group-policy ClientVPN

tunnel-group ClientVPN ipsec-attributes

pre-shared-key *

telnet inside_network 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect icmp

  inspect mgcp

  inspect sip

  inspect skinny

  inspect h323 h225

  inspect h323 ras

!

service-policy global_policy global

Cryptochecksum:1dd382f1ae1f1080581e4a490a9174be

: end

Regards

Hall of Fame Super Silver

not able to SIP through ASA client VPN

Thanks for the details.

Your configuration looks pretty straightforward. I don't see and access-lists or policies that would prevent telnet from working on 5060 (SIP) when it works on port 2000 (SCCP or 'skinny'). You've not changed the default port assignments with the fixup command.

I would assume your VPN client is assigned an address from the pool 192.168.0.250-192.168.0.252 . What is the destination IP of your server?

The policy-map should be allowing both protocols. You can verify that is it by using the commands:

     show service-policy inspect sip

     show service-policy inspect skinny

When you say you are not able to telnet on port 5060, what exactly do you see happening?

New Member

not able to SIP through ASA client VPN

hi,

Thank you for your help,

The destination server is in the DMZ zone and his ip is 172.16.0.10


     show service-policy inspect sip

     show service-policy inspect skinny

are not working on my ASA.

We have the below CLI commands:

show service-policy ?

exec mode commands/options:

  flow       Show all policies that are enabled on a flow

  global     show status/statistics of the global policy

  interface  show status/statistics of an interface policy

  ips        Show status/statistics of 'ips' policy

  police     Show status/statistics of 'police' policy

  priority   Show status/statistics of 'priority' policy

  set        Show status/statistics of 'set' policy

  |          Output modifiers

Could it be my IOS version, all posts says that in some ASA ios there was a SIP bug and we should upgrade.?

Regards

New Member

not able to SIP through ASA client VPN

Hi,

I am trying to use normal windows CMD telnet and i am getting

C:\Windows\System32>telnet 172.16.0.10 5060

Connecting To 172.16.0.10...Could not open connection to the host, on port 5060: Connect failed

on port 2000 is working just fine.

Reagrds

Hall of Fame Super Silver

not able to SIP through ASA client VPN

It could be your ASA version. 7.0(7) is very old for an ASA release. I always hesitate to just answer "upgrade" as that is often given as an answer without taking time to fully understand the problem. If you are willing, it would be a good thing to try - you would need to do several step upgrade to get up to at least 8.2(5) from 7.0(7).

New Member

not able to SIP through ASA client VPN

hi i have upgraded my asa to 8.2(1) and i have configured no nat on the VPN client ip pool.

And it's working fine now.

Tks

New Member

not able to SIP through ASA client VPN

access-list NONATdmz extended permit ip dmz 255.255.255.0 192.168.0.250 255.255.255.0

access-list NONATdmz extended permit ip dmz 255.255.255.0 192.168.0.251 255.255.255.0

access-list NONATdmz extended permit ip dmz 255.255.255.0 192.168.0.252 255.255.255.0

nat (DMZ) 0 access-list NONATdmz

2296
Views
0
Helpful
8
Replies