ASA Problem -  Nat and UDP Packets

Posted on 2011-05-04
Medium Priority
Last Modified: 2013-11-12
Hey Guys,

Got a very weird problem here with our VOIP system which I believe is related to the NAT config on our ASA’s.

A call between two sites is able to be established however there is no audio present once the call is connected. From the syslog msg’s its receiving the internal IP address of our VOIP system rather than the NAT’d external address… the weird part is that TCP is used to establish the call but the audio packets are UDP. If there is a VPN Tunnel between the two sites then its fine. – Sadly this isn’t an option for us

Site 1

Syslog msg:  %ASA-6-302015: Built outbound UDP connection 66693 for WAN:192.168.3.x/6140 (192.168.3.x/6140) to LAN:192.168.4.x/6150 (196.41.yyy.xxx/6150)


object network obj-192.168.4.x
 nat (LAN,WAN) static 196.41.yyy.xxx

access-list WAN_access_in extended permit ip any host

Site 2

Syslog: %ASA-6-302015: Built outbound UDP connection 6624546 for WAN:192.168.4.x/6144 (192.168.4.x/6144) to LAN:192.168.3.x/6136 (203.29.yyy.xxx/6136)


object network obj-192.168.3.x
 nat (LAN,WAN) static 203.29.yyy.xxx

access-list WAN_access_in extended permit ip any host 192.168.3.x

The thing that baffles me is that fact that the ASA in site 1 is picking up the internal IP address of the VOIP system in Site 2 and not that Nat’d address

Any help or ideas on how to resolve this would be fantastic and much appreciated
Question by:supportemea
  • 3
  • 2
LVL 47

Expert Comment

by:Craig Beck
ID: 35690266
Depending on which VoIP system you use, you may have an option which specifies if the connection is behind NAT.

Also, check this...

LVL 33

Expert Comment

ID: 35690288
At both sites, make sure you have the enabled a class inspection for SIP.  

policy-map global_policy
 class inspection_default
   inspect sip


Author Comment

ID: 35690471
Its an old Intertel/Mitel System… we are not using SIP

The UDP Ports in use are UDP/6004-7039 is there a way to enter those into the inspection list ?
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

LVL 33

Expert Comment

ID: 35698376
I have no experience with that system....    

The problem you described sounds very close to the SIP issue I have in mind.   Where the outbound SIP requires either STUN Service on the outside, or have the ASA rewrite the SIP packets using that class inspection.  

If this isn't SIP but some kind of proprietary traffic, then I don't know what to suggest next.  

>> ASA in site 1 is picking up the internal IP address of the VOIP system in Site 2 and not that Nat’d address
This sounds exactly like the issue where the packets must be rewritten to use the external IP instead of the internal IP.  This is what sip inspection does on the ASA.  


Author Comment

ID: 35698573
Thanks Mike this makes alot of sense. so the question is becuase its not SIP, how to I go about using a class inspection for the traffic ? Addtionally why does TCP work fine but UDP doesnt ?

UDP in use are 6004-1713
LVL 33

Accepted Solution

MikeKane earned 2000 total points
ID: 35700624
Something else i just thought of.     You said that the call can be established, but no audio.   Sounds like signalling is handled ok but RTP is failing.     What if you forced RTP through the Call host instead of phone to phone.    In asterisk it would be "canreinvite=no" for sip conf.   Not sure you you would do that on your system though.    It might be worth a test.


Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question