Cisco ASA SIP - one way audio on external phone


I have a Cisco ASA 5505 with an Asterisk server on the inside of the network (most phones on the LAN side as well) using an Internet-based SIP Trunk provider. All works well.

We are trying to connect an EXTERNAL phone (on the Internet) to the Asterisk server now as well. SIP protocol is opened through the ASA, and the phone is able to register. The phone is able to dial an internal extension on the PBX which reads the extension number -- the audio is received by the phone fine.

We are NOT able to SEND audio from the phone to the PBX, however, and it appears to be blocked by the ASA.

The (hopefully) relevant portions of the ASA config are in the attached file. Another interesting point is that "show service-policy" doesn't show any SIP-related packets:

r-baker# sh service-policy  inspect  sip

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Interface outside:
  Service-policy: QOS
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

MikeKane Commented:
OK then, let's see if the ASA is blocking the traffic with the logs. Turn up the logging to Informational in either your syslog server, ASDM, or console logging... whatever you are using. Try a call, then let's look at the log. If the ASA is dropping any packets due to ACL (or whatever), the logs will show us what's happening there.

I think you may need to force RTP through the Asterisk server for this external phone. Once the call signalling is complete and the call is established, the Asterisk drops out of it and RTP is sent phone to phone. The internal phone can send outbound of course, but the external phone can't send RTP inbound since the static that it used to initiate the call still points to the Asterisk host. Thus the inbound RTP will fail.

You need to use in sip.conf:

That way RTP goes through the asterisk host.

hassler (Author) Commented:
We already have canreinvite=no on all extensions. The problem is that the RTP traffic isn't getting through the ASA (as far as we can tell). I do agree with your comment about canreinvite, if it had been turned on, but it's not applicable here.

hassler (Author) Commented:
Mike, thanks for your assistance. It is working now.... magically...

There were several things I changed yesterday (before entering this question here), including adding "inspect sip" to the global_policy (it had been in the "global-policy" (dash, versus underscore) previously, so was definitely not in place properly). At that time, "show sip" didn't show ANYTHING, and the inspection packet counts showed all zeros (as above).

In the meantime, in order to complete the test I needed to accomplish, I added a VPN tunnel from the client's PBX directly back to my firewall so I could configure a LAN-based connection and bypass the ASA and was able to get calls through fine.

This morning, I knocked the VPN tunnel down, reconfigured my phone to the Internet address, and VOILA! everything is working. The ASA is now reporting packet counts on "show sip", and I have confirmed via tcpdump on an intermediate router that the SIP protocol is showing NAT'd addresses for RTP, where it had not been yesterday.

Oh well, chalk one up for letting the ASA simmer on the configuration overnight......

hassler (Author) Commented:
Not really a "solution", but it led me down the right path as per comments.
Question has a verified solution.
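
The misconfiguration described in the thread ("inspect sip" sitting in a policy-map whose name differs from the one a service-policy applies) can be checked offline against a saved running-config. The following is an added example, not part of the original thread: the sample config is constructed and the function names are hypothetical.

```python
import re

# Constructed sample, not the poster's config: "inspect sip" lives in a
# policy-map named "global-policy" (dash) that no service-policy applies.
SAMPLE_BROKEN = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
policy-map global-policy
 class inspection_default
  inspect sip
service-policy global_policy global
"""

def parse_policy_maps(config):
    """Return {policy-map name: set of protocols it inspects}."""
    maps, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):      # any top-level command ends a block
            # skip "policy-map type inspect ..." (inspection parameter maps)
            m = re.match(r"policy-map (?!type )(\S+)", line)
            current = m.group(1) if m else None
            if current:
                maps.setdefault(current, set())
        elif current:
            m = re.match(r"\s+inspect (\S+)", line)
            if m:
                maps[current].add(m.group(1))
    return maps

def parse_bindings(config):
    """Return {policy-map name: list of places it is applied}."""
    pat = r"^service-policy (\S+) (global|interface \S+)\s*$"
    bound = {}
    for name, where in re.findall(pat, config, re.M):
        bound.setdefault(name, []).append(where)
    return bound

def audit_inspect(config, proto="sip"):
    """Split policy-maps that inspect `proto` into applied and orphaned."""
    maps, bound = parse_policy_maps(config), parse_bindings(config)
    having = [n for n, protos in maps.items() if proto in protos]
    applied = {n: bound[n] for n in having if n in bound}
    orphaned = sorted(n for n in having if n not in bound)
    return applied, orphaned

if __name__ == "__main__":
    print(audit_inspect(SAMPLE_BROKEN))
```

An empty `applied` result together with a non-empty `orphaned` list corresponds to the state where the SIP inspection counters stay at zero and the SDP addresses for RTP are not rewritten.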
