Solved

SIP authentication failure through Cisco ASA to Trixbox

Posted on 2011-02-17
Last Modified: 2012-05-11
I just recently put in a Cisco ASA5510 security appliance. Once I did that, all of our external SIP phones are failing to authenticate to our Trixbox. The issue is, the ASA is doing its job and rewriting the SIP header with the appropriate external IP. However, when the Trixbox goes to run the MD5 hash on the password, it uses its internal IP instead of the external IP, so the hashes don't match and the remote phones are not authenticated. If I enable the NAT settings on the Trixbox, my trunk to the ITSP stops working (the ASA thinks it's a LAN attack). I know there is another way for the Trixbox to seed the hash value (instead of the IP address of the box); however, I have no idea where to make it, and the phone, use that value, or even where to set the value. Any idea? (Additionally, will the change affect the internal phones as well?)
Thanks in advance!
Question by:digital0g1c
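
An added example, not part of the original question and not code from Trixbox or Cisco: SIP digest authentication (the RFC 2617 scheme used by RFC 3261) hashes the username, realm, password, nonce, method and digest URI, so if any of those fields is rewritten in transit after the phone computed its response, the server's recomputation no longer matches. The credentials, addresses, realm and the `rewritten_in_transit` stand-in are constructed assumptions, and `changed_fields` is a hypothetical helper for comparing Authorization headers captured on both sides of a firewall.

```python
import hashlib
import hmac
import re

PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header):
    # 'Digest k="v", k2=v2' -> {"k": "v", "k2": "v2"}
    return {k: quoted or bare for k, quoted, bare in PARAM.findall(header)}

def server_accepts(header, method, password):
    # The server hashes the fields as they ARRIVE, not as the phone sent them.
    f = parse_digest(header)
    expected = digest_response(f["username"], f["realm"], password,
                               method, f["uri"], f["nonce"])
    return hmac.compare_digest(expected, f["response"])

def changed_fields(sent, received):
    # Compare captures from both sides of the firewall, field by field.
    a, b = parse_digest(sent), parse_digest(received)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

# Constructed sample values (documentation address ranges, made-up credentials).
PUBLIC_IP, PRIVATE_IP = "203.0.113.10", "10.0.0.5"
USER, REALM, PASSWORD, NONCE = "2001", "asterisk", "s3cret", "4f2a9c1e"

def phone_header():
    uri = f"sip:{PUBLIC_IP}"
    resp = digest_response(USER, REALM, PASSWORD, "REGISTER", uri, NONCE)
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

def rewritten_in_transit(header):
    # Stand-in for a device that rewrites embedded addresses in the message.
    return header.replace(PUBLIC_IP, PRIVATE_IP)

if __name__ == "__main__":
    sent = phone_header()
    received = rewritten_in_transit(sent)
    print("unmodified accepted:", server_accepts(sent, "REGISTER", PASSWORD))
    print("rewritten accepted: ", server_accepts(received, "REGISTER", PASSWORD))
    print("fields changed:     ", changed_fields(sent, received))
```

Running `changed_fields` on the Authorization header as captured outside and inside the firewall shows which hashed field, if any, was altered on the way through.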
4 Comments
 
LVL 1

Accepted Solution

by:
alex_firewall_guy earned 1000 total points
ID: 34925967
I am not altogether familiar with SIP but do know that we had to remove the SIP inspect out of our inspection policy (right at the end of the ASA config) to get our external SIP phones to work correctly.  Not sure if it will help you in this case, but it may at least be something to look at.
0
 
LVL 1

Expert Comment

by:alex_firewall_guy
ID: 34951449
What version of code are you running on that ASA?  I found quite a bit of info on a couple of versions where there were lots of open caveats for SIP type traffic.  It might help me find more useful info if I knew which version you were running.  After re-reading your original post, it also sounds like it is the NAT that is killing you.  If you were to add another interface on the ASA (call it a SIP-DMZ or something) and use public IPs on that interface so your external and internal IP addresses are the same for the Trixbox, that may help too.  I'll keep looking to see what else I can find.  Have you tried removing the inspection to see if that gets you what you need?  Removing that inspection puts more responsibility on the Trixbox to be able to handle possible bad packets because the ASA isn't inspecting those packets, but it should also make it so the ASA doesn't rewrite the packet.  Out of curiosity (while I typed this something else came to me), how are you handling your NAT and/or your static for this Trixbox?  That could make a difference too.

static (inside,outside)

or

static (outside,inside)
0
 
LVL 1

Author Comment

by:digital0g1c
ID: 34962879
Well, I had to remove the inspection of SIP to get it working.  I did not want to do this but needed to get it up.  I will revisit this in a test lab when I have some time.
0
 
LVL 1

Author Closing Comment

by:digital0g1c
ID: 34962891
This worked, however it is not the proper solution, just a temporary fix.
0


Question has a verified solution.
