Solved

SIP inspection Cisco asa 5505

Posted on 2011-03-24
11
2,650 Views
Last Modified: 2012-05-11
The problem with the incoming voice to sip phone behind cisco asa 5505. Network diagram is as follows:the asterisk is it in the DMZ for cisco asa 5505  in city A. Included static nat 5060 and included inspect SIP. Everything works. cisco asa 5505 have put in city B too, included  inspect SIP. But SIP phone did not work correctly (no incoming voice). SIP phone is in the inside network. If SIP phone get without cisco asa 5505, then everything works.
0
Comment
Question by:RuslanMith
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35205015
Anything showing in the logs of the ASA?
0
 

Author Comment

by:RuslanMith
ID: 35205611

Teardown UDP connection 13274 for outside:vakazanova-primary/0 to inside:rdp_host/5060
Teardown UDP connection 13273 for outside:vakazanova-primary/0 to inside:rdp_host/5060
Teardown UDP connection 13272 for outside:vakazanova-primary/0 to inside:rdp_host/5060
Teardown UDP connection 13271 for outside:vakazanova-primary/0 to inside:rdp_host/5060
Teardown UDP connection 13270 for outside:vakazanova-primary/0 to inside:rdp_host/5060
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35205624
So in city B the asterisk is in the DMZ as well?
I ask because I see the connections going from the outside to the inside (?)
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 

Author Comment

by:RuslanMith
ID: 35205647
No, asterisk is only city A in dmz behind ciscoasa1 and work perfect. Sip phone is city B in inside behind ciscoasa2 and not incoming voice. If SIP phone get without ciscoasa2 in city B, then everything works
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35205657
Looks like something is being blocked. In city B you also allowed the correct ports from the outside to the inside (the phone)?
0
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 35208030
exclude SIP Inspection from the new firewall...
0
 

Author Comment

by:RuslanMith
ID: 35229337
If disable inspect in the city B, then SIP phone didn't register to asterisk in the city A. But SIP phone register on any SIP ISP. If enable inspect SIP in the city B,  then I see strange logs in the city A.Instead 192.168.1.8  must Public IP. When problem? Logs
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35229806
Just remembered:
Check the sip.conf on the asterisk server to see if externip and localnet are defined you need to set those otherwise you get those strange logs.

So externip should be the public address of the sip server
externip = 80.80.80.80
and localnet the internal ip range the server is in:
localnet = 192.168.1.0/24

Let's see if that helps.
0
 

Accepted Solution

by:
RuslanMith earned 0 total points
ID: 35230536
Solved the problem. Should be included on cisco asa Inspect RTSP.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35481687
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Enroll in June's Course of the Month

June’s Course of the Month is now available! Experts Exchange’s Premium Members, Team Accounts, and Qualified Experts have access to a complimentary course each month as part of their membership—an extra way to sharpen your skills and increase training.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question