Cisco ASA SIP - one way audio on external phone

Posted on 2011-05-05
Last Modified: 2012-05-11

I have a Cisco ASA 5505 with an Asterisk server on the inside of the network (most phones on the LAN side as well) using an Internet-based SIP Trunk provider. All works well.

We are trying to connect an EXTERNAL phone (on the Internet) to the Asterisk server now as well. SIP protocol is opened through the ASA, and the phone is able to register. The phone is able to dial an internal extension on the PBX which reads the extension number -- the audio is received by the phone fine.

We are NOT able to SEND audio from the phone to the PBX however, and it appears to be blocked by the ASA.

The (hopefully) relevant portions of the ASA config are in the attached file. Another interesting point is that "show service-policy" doesn't show any SIP-related packets:

r-baker# sh service-policy  inspect  sip

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Interface outside:
  Service-policy: QOS
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0


Question by: hassler

    Expert Comment

    I think you may need to force RTP through the asterisk server for this external phone. Once the call signalling is complete and the call is established, the asterisk drops out of it and RTP is sent phone to phone. The internal phone can send outbound of course, but the external phone can't send RTP inbound since the static that it used to initiate the call still points to the asterisk host. Thus the inbound RTP will fail.

    You need to use in sip.conf:

    That way RTP goes through the asterisk host.


    Author Comment

    We already have canreinvite=no on all extensions. The problem is that the RTP traffic isn't getting through the ASA (as far as we can tell). I do agree with your comment about canreinvite, if it had been turned on, but it's not applicable here.

    Accepted Solution

    Ok then, let's see if the ASA is blocking the traffic with the logs. Turn up the logging to Informational in either your syslog server, ASDM, or console logging... whatever you are using. Try a call then let's look at the log. If the ASA is dropping any packets due to ACL (or whatever), the logs will show us what's happening there.


    Author Comment

    Mike, thanks for your assistance. It is working now.... magically...

    There were several things I changed yesterday (before entering this question here), including adding "inspect sip" to the global_policy (it had been in the "global-policy" (dash, versus underscore) previously, so was definitely not in place properly). At that time, "show sip" didn't show ANYTHING, and the inspection packet counts showed all zeros (as above).

    In the meantime, in order to complete the test I needed to accomplish, I added a VPN tunnel from the client's PBX directly back to my firewall so I could configure a LAN-based connection and bypass the ASA, and was able to get calls through fine.

    This morning, I knocked the VPN tunnel down, reconfigured my phone to the Internet address, and VOILA! everything is working. The ASA is now reporting packet counts on "show sip", and I have confirmed via tcpdump on an intermediate router that the SIP protocol is showing NAT'd addresses for RTP, where it had not been yesterday.

    Oh well, chalk one up for letting the ASA simmer on the configuration overnight......

    Author Closing Comment

    Not really a "solution", but it led me down the right path as per comments.
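The two things the thread ends up checking, the zero packet counters under "show service-policy inspect sip" and whether the SDP in the SIP signalling carries NAT'd (public) or private addresses for RTP, can both be verified from captured text. The following added example (not from the original thread or from Cisco/Asterisk) parses the ASA counter output shown above and inspects the SDP body of a SIP INVITE for RFC 1918 media addresses, which is exactly the condition that produces one-way audio across a NAT boundary. The SIP message and the "active" counter output are constructed for illustration.

```python
"""Checks for the one-way-audio symptom discussed in the thread.

1. parse_sip_inspect_counters(): reads `show service-policy inspect sip`
   output and reports per-policy SIP inspect counters; all zeros means the
   inspection never saw the SIP traffic (policy name typo, wrong interface).
2. private_media_endpoints(): inspects the SDP body of a captured SIP
   message and flags media streams whose c= address is private, i.e. the
   RTP destination was not rewritten for the NAT boundary.
"""
import ipaddress
import re

INSPECT_RE = re.compile(
    r"Inspect:\s*sip\s*,\s*packet\s+(\d+),\s*drop\s+(\d+),\s*reset-drop\s+(\d+)"
)
POLICY_RE = re.compile(r"Service-policy:\s*(\S+)")

# RFC 1918 plus link-local; checked explicitly rather than via
# ipaddress.is_private, which also flags documentation ranges such as 203.0.113.0/24.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_private_v4(addr):
    """True if addr falls inside an RFC 1918 or link-local range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_sip_inspect_counters(text):
    """Map each service-policy name to its SIP inspect counters."""
    counters, policy = {}, None
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            policy = m.group(1)
            continue
        m = INSPECT_RE.search(line)
        if m and policy:
            counters[policy] = {"packet": int(m.group(1)),
                                "drop": int(m.group(2)),
                                "reset-drop": int(m.group(3))}
    return counters


def sip_inspection_active(counters):
    """True if any policy has inspected at least one SIP packet."""
    return any(c["packet"] > 0 for c in counters.values())


def private_media_endpoints(sip_message):
    """Return (media_type, address, port) for every SDP media stream whose
    connection address is private and therefore unreachable across the NAT."""
    # Headers and SDP body are separated by a blank line.
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr, media = None, []          # media entries: [type, port, addr]
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if media:
                media[-1][2] = addr         # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m="):
            parts = line.split()
            media.append([parts[0][2:], int(parts[1]), session_addr])
    return [(t, a, p) for t, p, a in media if a and is_private_v4(a)]


# Constructed INVITE as an external phone behind NAT would send it before
# the ASA's SIP inspection rewrote the SDP (private address in c=).
BROKEN_INVITE = (
    "INVITE sip:201@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:extphone@pbx.example.com>;tag=1\r\n"
    "To: <sip:201@pbx.example.com>\r\n"
    "Call-ID: constructed-1\r\nCSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 192.168.1.50\r\ns=-\r\n"
    "c=IN IP4 192.168.1.50\r\nt=0 0\r\nm=audio 16384 RTP/AVP 0 8\r\n"
)
# Same call after the NAT rewrote the media address (203.0.113.10 is constructed).
FIXED_INVITE = BROKEN_INVITE.replace("c=IN IP4 192.168.1.50", "c=IN IP4 203.0.113.10")

if __name__ == "__main__":
    print("private RTP endpoints:", private_media_endpoints(BROKEN_INVITE))
    print("after NAT rewrite:", private_media_endpoints(FIXED_INVITE))
```

Run against a tcpdump/tshark text export of the INVITE and 200 OK in both directions: a stream reported by private_media_endpoints() on the Internet side of the ASA is the RTP that will never arrive, and an all-zero result from parse_sip_inspect_counters() says the inspect sip policy is not attached where the call is actually crossing.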
