Solved

SIP inspection Cisco asa 5505

Posted on 2011-03-24
11
2,597 Views
Last Modified: 2012-05-11
The problem with the incoming voice to sip phone behind cisco asa 5505. Network diagram is as follows:the asterisk is it in the DMZ for cisco asa 5505  in city A. Included static nat 5060 and included inspect SIP. Everything works. cisco asa 5505 have put in city B too, included  inspect SIP. But SIP phone did not work correctly (no incoming voice). SIP phone is in the inside network. If SIP phone get without cisco asa 5505, then everything works.
0
Comment
Question by:RuslanMith
11 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35205015
Anything showing in the logs of the ASA?
0
 

Author Comment

by:RuslanMith
ID: 35205611

Teardown UDP connection 13274 for outside:vakazanova-primary/0 to inside:rdp_host/5060
Teardown UDP connection 13273 for outside:vakazanova-primary/0 to inside:rdp_host/5060
Teardown UDP connection 13272 for outside:vakazanova-primary/0 to inside:rdp_host/5060
Teardown UDP connection 13271 for outside:vakazanova-primary/0 to inside:rdp_host/5060
Teardown UDP connection 13270 for outside:vakazanova-primary/0 to inside:rdp_host/5060
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35205624
So in city B the asterisk is in the DMZ as well?
I ask because I see the connections going from the outside to the inside (?)
0
 

Author Comment

by:RuslanMith
ID: 35205647
No, asterisk is only city A in dmz behind ciscoasa1 and work perfect. Sip phone is city B in inside behind ciscoasa2 and not incoming voice. If SIP phone get without ciscoasa2 in city B, then everything works
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35205657
Looks like something is being blocked. In city B you also allowed the correct ports from the outside to the inside (the phone)?
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 35208030
exclude SIP Inspection from the new firewall...
0
 

Author Comment

by:RuslanMith
ID: 35229337
If disable inspect in the city B, then SIP phone didn't register to asterisk in the city A. But SIP phone register on any SIP ISP. If enable inspect SIP in the city B,  then I see strange logs in the city A.Instead 192.168.1.8  must Public IP. When problem? Logs
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35229806
Just remembered:
Check the sip.conf on the asterisk server to see if externip and localnet are defined you need to set those otherwise you get those strange logs.

So externip should be the public address of the sip server
externip = 80.80.80.80
and localnet the internal ip range the server is in:
localnet = 192.168.1.0/24

Let's see if that helps.
0
 

Accepted Solution

by:
RuslanMith earned 0 total points
ID: 35230536
Solved the problem. Should be included on cisco asa Inspect RTSP.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35481687
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Sometimes, you want your microsoft VPN to route all the traffic to the remote network. Usually your employer network. This makes it possible to access all the nodes inside this remote LAN, even if they have no "public DNS" entries. To do so, you wo…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now