Solved

SIP authentication failure through Cisco ASA to Trixbox

Posted on 2011-02-17
Last Modified: 2012-05-11
I just recently put in a Cisco ASA5510 security appliance. Once I did that, all of our external SIP phones are failing to authenticate to our Trixbox. The issue is, the ASA is doing its job and rewriting the SIP header with the appropriate external IP. However, when the Trixbox goes to run the MD5 hash on the password, it uses its internal IP instead of the external IP, so the hashes don't match and the remote phones are not authenticated. If I enable the NAT settings on the Trixbox, my trunk to the ITSP stops working (the ASA thinks it's a Lan attack). I know there is another way for the Trixbox to seed the hash value (instead of the IP address of the box); however, I have no idea where to make it, and the phone, use that value, or even where to set the value. Any idea? (Additionally, will the change affect the internal phones as well?)
Thanks in advance!
0
Question by:digital0g1c
4 Comments
 
LVL 1

Accepted Solution

by:
alex_firewall_guy earned 500 total points
ID: 34925967
I am not altogether familiar with SIP but do know that we had to remove the SIP inspect out of our inspection policy (right at the end of the ASA config) to get our external SIP phones to work correctly. Not sure if it will help you in this case, but it may at least be something to look at.
0
 
LVL 1

Expert Comment

by:alex_firewall_guy
ID: 34951449
What version of code are you running on that ASA? I found quite a bit of info on a couple of versions where there were lots of open caveats for SIP type traffic. It might help me find more useful info if I knew which version you were running. After re-reading your original post, it also sounds like it is the NAT that is killing you. If you were to add another interface on the ASA (call it a SIP-DMZ or something) and use public IPs on that interface so your external and internal IP addresses are the same for the Trixbox, that may help too. I'll keep looking to see what else I can find. Have you tried removing the inspection to see if that gets you what you need? Removing that inspection puts more responsibility on the Trixbox to be able to handle possible bad packets because the ASA isn't inspecting those packets, but it should also make it so the ASA doesn't rewrite the packet. Out of curiosity (while I typed this something else came to me), how are you handling your NAT and/or your static for this Trixbox? That could make a difference too.

static (inside,outside)

or

static (outside,inside)
0
 
LVL 1

Author Comment

by:digital0g1c
ID: 34962879
Well, I had to remove the inspection of SIP to get it working.  I did not want to do this but needed to get it up.  I will revisit this in a test lab when I have some time.
0
 
LVL 1

Author Closing Comment

by:digital0g1c
ID: 34962891
This worked, however it is not the proper solution, just a temporary fix.
0
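Added example, not part of the thread: a Python sketch of the SIP digest calculation (RFC 2617 form without qop) showing why a response stops verifying when an address inside the Authorization header is rewritten in transit, and how to tell from a capture which URI the phone actually hashed. The user, realm, secret, nonce and addresses are constructed sample values, and the helper names are hypothetical.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # the digest-uri is part of the hash input
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_authorization(header):
    # Split 'Digest k="v", k2=v2' into a dict of lower-cased keys
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def verify(header, method, password):
    # Recompute the response from the header fields as received
    p = parse_authorization(header)
    expected = digest_response(p["username"], p["realm"], password,
                               method, p["uri"], p["nonce"])
    return hmac.compare_digest(expected, p["response"])

def hashed_uri(header, method, password, candidates):
    # Return the candidate URI the sender must have hashed, or None
    p = parse_authorization(header)
    for uri in candidates:
        r = digest_response(p["username"], p["realm"], password,
                            method, uri, p["nonce"])
        if hmac.compare_digest(r, p["response"]):
            return uri
    return None

# Constructed sample values (documentation and private address ranges)
USER, REALM, SECRET, NONCE = "201", "asterisk", "constructed-secret", "4f2a9c1e"
EXTERNAL, INTERNAL = "sip:203.0.113.5", "sip:192.168.1.10"

def sample_headers():
    # Header as the phone sends it, and the same header after the uri is rewritten
    resp = digest_response(USER, REALM, SECRET, "REGISTER", EXTERNAL, NONCE)
    sent = (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{EXTERNAL}", response="{resp}", algorithm=MD5')
    return sent, sent.replace(EXTERNAL, INTERNAL)

if __name__ == "__main__":
    sent, rewritten = sample_headers()
    print(verify(sent, "REGISTER", SECRET), verify(rewritten, "REGISTER", SECRET))
    print(hashed_uri(rewritten, "REGISTER", SECRET, [INTERNAL, EXTERNAL]))
```

Running `hashed_uri` against the Authorization header captured on each side of the firewall shows whether the digest-uri was changed between the phone and the PBX.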
