Cisco ASA SIP - one way audio on external phone

Posted on 2011-05-05
Medium Priority
Last Modified: 2012-05-11

I have a Cisco ASA 5505 with an Asterisk server on the inside of the network (most phone on the LAN side as well) using an Internet-based SIP Trunk provider. All works well.

We are trying to connect an EXTERNAL phone (on the Internet) to the Asterisk server now as well. SIP protocol is opened through the ASA, and the phone is able to register. The phone is able to dial an internal extension on the PBX which reads the extension number -- the audio is received by the phone fine.

We are NOT able to SEND audio from the phone to the PBX however, and appears to be blocked by the ASA.

The (hopefully) relevant portions of the ASA config are in the attached file. Another interesting point is that "show service-policy" doesn't show any SIP-related packets:

r-baker# sh service-policy  inspect  sip

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Interface outside:
  Service-policy: QOS
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0


Question by: hassler

Expert Comment

ID: 35700298
I think you may need to force RTP through the Asterisk server for this external phone. Once the call signalling is complete and the call is established, Asterisk drops out of it and RTP is sent phone to phone. The internal phone can send outbound of course, but the external phone can't send RTP inbound since the static that it used to initiate the call still points to the Asterisk host. Thus the inbound RTP will fail.

You need to use in sip.conf:

That way RTP goes through the Asterisk host.


Author Comment

ID: 35700330
We already have canreinvite=no on all extensions. The problem is that the RTP traffic isn't getting through the ASA (as far as we can tell). I do agree with your comment about canreinvite, if it had been turned on, but it's not applicable here.

Accepted Solution

MikeKane earned 750 total points
ID: 35700575
OK then, let's see if the ASA is blocking the traffic with the logs. Turn up the logging to Informational in either your syslog server, ASDM, or console logging, whatever you are using. Try a call, then let's look at the log. If the ASA is dropping any packets due to an ACL (or whatever), the logs will show us what's happening there.

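The check the accepted answer describes, turning logging up to Informational and looking for ACL drops during a test call, produces a lot of lines on a busy ASA. The following script is an added example (not from the original thread or any Cisco tool) that reads ASA syslog lines and pulls out the %ASA-4-106023 interface-ACL denies whose destination port falls in the PBX's RTP range, so a missing SIP-inspection pinhole shows up as repeated UDP denies towards the Asterisk media ports while the SIP signalling itself is "Built" normally. The log lines are constructed for illustration (documentation-range addresses, made-up connection IDs and ACL name), and the RTP range defaults to Asterisk's stock rtp.conf 10000-20000, which is an assumption you should adjust to your own rtp.conf:

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Assumed default RTP port range from Asterisk's stock rtp.conf; change to match yours.
ASTERISK_RTP_RANGE: Tuple[int, int] = (10000, 20000)

# Constructed sample syslog lines (not from the original post). Documentation-range
# addresses, made-up connection IDs and ACL name. Lines 3 and 4 are the symptom:
# inbound UDP from the external phone to an Asterisk RTP port denied by the
# outside ACL, while the SIP signalling on 5060 was built without trouble.
SAMPLE_LOG = """\
May  5 09:12:01 r-baker %ASA-6-302015: Built inbound UDP connection 8812 for outside:203.0.113.25/5060 (203.0.113.25/5060) to inside:192.168.1.10/5060 (198.51.100.2/5060)
May  5 09:12:03 r-baker %ASA-6-302015: Built outbound UDP connection 8813 for inside:192.168.1.10/14020 (198.51.100.2/14020) to outside:203.0.113.25/30004 (203.0.113.25/30004)
May  5 09:12:03 r-baker %ASA-4-106023: Deny udp src outside:203.0.113.25/30004 dst inside:192.168.1.10/14020 by access-group "outside_access_in" [0x0, 0x0]
May  5 09:12:04 r-baker %ASA-4-106023: Deny udp src outside:203.0.113.25/30004 dst inside:192.168.1.10/14020 by access-group "outside_access_in" [0x0, 0x0]
May  5 09:12:09 r-baker %ASA-4-106023: Deny tcp src outside:198.51.100.77/51234 dst inside:192.168.1.10/22 by access-group "outside_access_in" [0x0, 0x0]
"""

# %ASA-4-106023 is the ASA's interface-ACL deny message; capture the 5-tuple and ACL.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)
# %ASA-6-302015 is "Built inbound/outbound UDP connection"; we only count these.
BUILT_RE = re.compile(r'%ASA-\d-302015: Built (inbound|outbound) UDP connection')


class Deny(NamedTuple):
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str


def parse_denies(lines: Iterable[str]) -> List[Deny]:
    """Extract every 106023 ACL deny from the log lines, in order of appearance."""
    out: List[Deny] = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            out.append(Deny(m['proto'].lower(), m['src_if'], m['src_ip'], int(m['src_port']),
                            m['dst_if'], m['dst_ip'], int(m['dst_port']), m['acl']))
    return out


def is_rtp(d: Deny, rtp_range: Tuple[int, int] = ASTERISK_RTP_RANGE) -> bool:
    """UDP denied towards a port in the PBX's RTP range is almost certainly call media."""
    lo, hi = rtp_range
    return d.proto == 'udp' and lo <= d.dst_port <= hi


def rtp_denies(lines: Iterable[str], rtp_range: Tuple[int, int] = ASTERISK_RTP_RANGE) -> List[Deny]:
    """Only the denies that look like blocked RTP (the one-way-audio symptom)."""
    return [d for d in parse_denies(lines) if is_rtp(d, rtp_range)]


def summarize(lines: Iterable[str], rtp_range: Tuple[int, int] = ASTERISK_RTP_RANGE) -> Dict[str, object]:
    """Counts of built UDP connections, RTP denies and other denies, plus the
    denied RTP flows aggregated as (src_ip, dst_ip, dst_port, acl) -> count."""
    lines = list(lines)
    denies = parse_denies(lines)
    rtp = [d for d in denies if is_rtp(d, rtp_range)]
    flows = Counter((d.src_ip, d.dst_ip, d.dst_port, d.acl) for d in rtp)
    return {
        'built': sum(1 for line in lines if BUILT_RE.search(line)),
        'rtp_denied': len(rtp),
        'other_denied': len(denies) - len(rtp),
        'rtp_flows': dict(flows),
    }


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"built UDP: {s['built']}, RTP denied: {s['rtp_denied']}, other denied: {s['other_denied']}")
    for (src, dst, port, acl), n in s['rtp_flows'].items():
        print(f"{n}x RTP {src} -> {dst}:{port} denied by ACL {acl}: no SIP-inspection pinhole")
```

Feed it the output of your syslog server (or `show logging` after a test call); if the RTP flows show up as denies by the outside interface ACL while the 5060 signalling is built, SIP inspection is not opening the media pinhole, which is exactly what a misnamed policy-map would cause. If instead nothing is denied and the media is still missing, the problem is more likely NAT in the SDP, which is where a tcpdump on the outside of the ASA (as the asker did later) is the next check.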

Author Comment

ID: 35706592
Mike, thanks for your assistance. It is working now.... magically...

There were several things I changed yesterday (before entering this question here), including adding "inspect sip" to the global_policy (it had been in "global-policy" (dash versus underscore) previously, so was definitely not in place properly). At that time, "show sip" didn't show ANYTHING, and the inspection packet counts showed all zeros (as above).

In the meantime, in order to complete the test I needed to accomplish, I added a VPN tunnel from the client's PBX directly back to my firewall so I could configure a LAN-based connection and bypass the ASA, and was able to get calls through fine.

This morning, I knocked the VPN tunnel down, reconfigured my phone to the Internet address, and voilà! Everything is working. The ASA is now reporting packet counts on "show sip", and I have confirmed via tcpdump on an intermediate router that the SIP protocol is showing NAT'd addresses for RTP, where it had not been yesterday.

Oh well, chalk one up for letting the ASA simmer on the configuration overnight...

Author Closing Comment

ID: 35706608
Not really a "solution", but it led me down the right path as per comments.
