• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1072

SIP authentication failure through Cisco ASA to Trixbox

I just recently put in a Cisco ASA5510 security appliance. Once I did that, all of our external SIP phones are failing to authenticate to our Trixbox. The issue is, the ASA is doing its job and rewriting the SIP header with the appropriate external IP. However, when the Trixbox goes to run the MD5 hash on the password, it uses its internal IP instead of the external IP, so the hashes don't match and the remote phones are not authenticated. If I enable the NAT settings on the Trixbox, my trunk to the ITSP stops working (the ASA thinks it's a LAN attack). I know there is another way for the Trixbox to seed the hash value (instead of the IP address of the box); however, I have no idea where to make it, and the phone, use that value, or even where to set the value. Any idea? (Additionally, will the change affect the internal phones as well?)
Thanks in advance!
Asked by: digital0g1c
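The mismatch the question describes comes from how SIP digest authentication is built: the phone's response hashes the request method together with the URI it sent the request to, so a NAT rewrite of that address on one side of the exchange changes the hash even though the password is correct. The script below is an added illustration, not code from this thread, Trixbox or Cisco; every user, realm, address, nonce and password in it is constructed. It models the registrar the way the asker describes it (hashing its own private address) and shows the same credentials passing once both sides hash the same URI. Whether a given registrar hashes the Request-URI or the uri= parameter from the Authorization header varies by implementation, which is why the check is written as a separate function you can point at either value.

```python
"""Constructed example (not from the thread) of why a NAT rewrite of the
SIP address breaks digest authentication even with the right password.

SIP borrows RFC 2617 digest auth; the phone answers a challenge with
    response = MD5(HA1 ":" nonce ":" HA2)                          (qop absent)
    response = MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2)  (qop=auth)
where HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri).
Because HA2 covers the URI, a phone that hashed the public address it
dialled and a PBX that hashes its own private address produce different
responses. All hosts, users and secrets below are made up.
"""
import hashlib
import secrets
from typing import Optional


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, qop: Optional[str] = None,
                    nc: str = "00000001", cnonce: Optional[str] = None) -> str:
    """RFC 2617 'response' value for one SIP request (e.g. REGISTER)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    if cnonce is None:
        raise ValueError("qop=auth requires a client nonce (cnonce)")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(password_db: dict, auth: dict, method: str, server_uri: str) -> bool:
    """Registrar-side check: recompute with the stored password and the URI
    the server believes it was addressed by, then compare in constant time."""
    password = password_db.get(auth["username"])
    if password is None:
        return False
    expected = digest_response(auth["username"], auth["realm"], password, method,
                               server_uri, auth["nonce"], qop=auth.get("qop"),
                               nc=auth.get("nc", "00000001"), cnonce=auth.get("cnonce"))
    return secrets.compare_digest(expected, auth["response"])


# Constructed scenario: the phone dials the PBX's public address while the PBX
# hashes its private one (the behaviour the question describes).
REALM = "asterisk"
PASSWORD_DB = {"1001": "constructed-secret"}  # what the PBX has on file
PUBLIC_URI = "sip:203.0.113.10"     # address the phone registered to (NAT outside)
PRIVATE_URI = "sip:192.168.1.20"    # PBX's own inside address
NONCE = "4e7a1c90"                  # constructed server challenge nonce


def register_attempt(phone_uri: str, server_uri: str) -> bool:
    """Simulate one REGISTER: the phone hashes phone_uri, the PBX hashes server_uri."""
    auth = {"username": "1001", "realm": REALM, "nonce": NONCE,
            "response": digest_response("1001", REALM, PASSWORD_DB["1001"],
                                        "REGISTER", phone_uri, NONCE)}
    return server_accepts(PASSWORD_DB, auth, "REGISTER", server_uri)


def nat_mismatch_demo() -> tuple:
    """(accepted when the URIs differ, accepted when both sides agree on the URI)."""
    return (register_attempt(PUBLIC_URI, PRIVATE_URI),
            register_attempt(PUBLIC_URI, PUBLIC_URI))


if __name__ == "__main__":
    across_nat, same_uri = nat_mismatch_demo()
    print(f"URIs differ across NAT -> accepted: {across_nat}")  # False
    print(f"both sides use one URI -> accepted: {same_uri}")    # True
```

The digest_response function is checked against the worked example in RFC 2617 section 3.5, so the arithmetic itself is right; the only variable in the scenario is which URI each side feeds into HA2. That is also why the asker's observation that the trunk and the remote phones want different NAT settings is consistent: each peer has to agree with the PBX on one address, and SIP inspection on the ASA changes that address for some peers and not others.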
1 Solution
 
alex_firewall_guy commented:
I am not altogether familiar with SIP but do know that we had to remove the SIP inspect out of our inspection policy (right at the end of the ASA config) to get our external SIP phones to work correctly. Not sure if it will help you in this case, but it may at least be something to look at.
 
alex_firewall_guy commented:
What version of code are you running on that ASA? I found quite a bit of info on a couple of versions where there were lots of open caveats for SIP type traffic. It might help me find more useful info if I knew which version you were running. After re-reading your original post, it also sounds like it is the NAT that is killing you. If you were to add another interface on the ASA (call it a SIP-DMZ or something) and use public IPs on that interface so your external and internal IP address are the same for the Trixbox, that may help too. I'll keep looking to see what else I can find. Have you tried removing the inspection to see if that gets you what you need? Removing that inspection puts more responsibility on the Trixbox to be able to handle possible bad packets because the ASA isn't inspecting those packets, but it should also make it so the ASA doesn't rewrite the packet. Out of curiosity (while I typed this something else came to me), how are you handling your NAT and/or your static for this Trixbox? That could make a difference too.

static (inside,outside)

or

static (outside,inside)
 
digital0g1c (Author) commented:
Well, I had to remove the inspection of SIP to get it working. I did not want to do this but needed to get it up. I will revisit this in a test lab when I have some time.
 
digital0g1c (Author) commented:
This worked; however, it is not the proper solution, just a temporary fix.