hassler

Cisco ASA SIP - one way audio on external phone

Hi,

I have a Cisco ASA 5505 with an Asterisk server on the inside of the network (most phones on the LAN side as well) using an Internet-based SIP Trunk provider. All works well.

We are trying to connect an EXTERNAL phone (on the Internet) to the Asterisk server now as well. SIP protocol is opened through the ASA, and the phone is able to register. The phone is able to dial an internal extension on the PBX which reads the extension number -- the audio is received by the phone fine.

We are NOT able to SEND audio from the phone to the PBX, however, and it appears to be blocked by the ASA.

The (hopefully) relevant portions of the ASA config are in the attached file. Another interesting point is that "show service-policy" doesn't show any SIP-related packets:

r-baker# sh service-policy  inspect  sip

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Interface outside:
  Service-policy: QOS
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

bkasa.txt
MikeKane

I think you may need to force RTP through the Asterisk server for this external phone. Once the call signalling is complete and the call is established, the Asterisk drops out of it and RTP is sent phone to phone. The internal phone can send outbound of course, but the external phone can't send RTP inbound since the static that it used to initiate the call still points to the Asterisk host. Thus the inbound RTP will fail.

You need to use in sip.conf:
canreinvite=no


That way RTP goes through the asterisk host.


hassler

ASKER

We already have canreinvite=no on all extensions. The problem is that the RTP traffic isn't getting through the ASA (as far as we can tell). I do agree with your comment about canreinvite, if it had been turned on, but it's not applicable here.
ASKER CERTIFIED SOLUTION
MikeKane
hassler

ASKER

Mike, thanks for your assistance. It is working now.... magically...

There were several things I changed yesterday (before entering this question here), including adding "inspect sip" to the global_policy (it had been in the "global-policy" (dash, versus underscore) previously, so was definitely not in place properly). At that time, "show sip" didn't show ANYTHING, and the inspection packet counts showed all zeros (as above).

In the meantime, in order to complete the test I needed to accomplish, I added a VPN tunnel from the client's PBX directly back to my firewall so I could configure a LAN-based connection and bypass the ASA, and was able to get calls through fine.

This morning, I knocked the VPN tunnel down, reconfigured my phone to the Internet address, and VOILA! everything is working. The ASA is now reporting packet counts on "show sip", and I have confirmed via tcpdump on an intermediate router that the SIP protocol is showing NAT'd addresses for RTP, where it had not been yesterday.

Oh well, chalk one up for letting the ASA simmer on the configuration overnight......
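
The misconfiguration described in the post above, "inspect sip" sitting in a policy-map named global-policy while the applied one is global_policy, can be caught by checking that every policy-map carrying the inspection is actually bound by a service-policy line. The following is an added example, not part of the original thread; the config text is constructed (the attached bkasa.txt is not reproduced on the page) and the function names are hypothetical.

```python
import re

def parse_policy_maps(config):
    """Map each layer 3/4 policy-map name to the protocols it inspects."""
    maps, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):  # any top-level command closes the block
            # "policy-map type inspect ..." maps are skipped on purpose
            m = re.match(r"policy-map\s+(?!type\b)(\S+)", line)
            current = m.group(1) if m else None
            if current:
                maps.setdefault(current, set())
        elif current and (m := re.match(r"\s+inspect\s+(\S+)", line)):
            maps[current].add(m.group(1))
    return maps

def applied_policies(config):
    """Map each policy-map named on a service-policy line to where it is bound."""
    applied = {}
    pattern = r"^service-policy\s+(\S+)\s+(global|interface\s+\S+)"
    for m in re.finditer(pattern, config, re.M):
        applied.setdefault(m.group(1), []).append(m.group(2))
    return applied

def audit_inspect(config, proto="sip"):
    """Classify policy-maps by whether `inspect <proto>` is actually in effect."""
    maps, bound = parse_policy_maps(config), set(applied_policies(config))
    has = {name for name, protos in maps.items() if proto in protos}
    return {
        "active": sorted(has & bound),         # inspected and applied
        "orphaned": sorted(has - bound),       # inspected but never applied
        "applied_without": sorted(n for n in bound if n in maps and n not in has),
    }

# Constructed sample, not the poster's bkasa.txt: inspection in the wrong map.
BEFORE = """\
policy-map global_policy
 class inspection_default
  inspect ftp
policy-map global-policy
 class inspection_default
  inspect sip
service-policy global_policy global
"""
AFTER = BEFORE.replace("  inspect ftp\n", "  inspect ftp\n  inspect sip\n", 1)

if __name__ == "__main__":
    print("before:", audit_inspect(BEFORE))
    print("after: ", audit_inspect(AFTER))
```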
hassler

ASKER

Not really a "solution", but it led me down the right path as per comments.