hassler
asked on
Cisco ASA SIP - one way audio on external phone
Hi,
I have a Cisco ASA 5505 with an Asterisk server on the inside of the network (most phones on the LAN side as well) using an Internet-based SIP Trunk provider. All works well.
We are trying to connect an EXTERNAL phone (on the Internet) to the Asterisk server now as well. SIP protocol is opened through the ASA, and the phone is able to register. The phone is able to dial an internal extension on the PBX which reads the extension number -- the audio is received by the phone fine.
We are NOT able to SEND audio from the phone to the PBX, however, and it appears to be blocked by the ASA.
The (hopefully) relevant portions of the ASA config are in the attached file. Another interesting point is that "show service-policy" doesn't show any SIP-related packets:
r-baker# sh service-policy inspect sip

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Interface outside:
  Service-policy: QOS
    Class-map: inspection_default
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
bkasa.txt
ASKER
We already have canreinvite=no on all extensions. The problem is that the RTP traffic isn't getting through the ASA (as far as we can tell). I do agree with your comment about canreinvite, if it had been turned on, but it's not applicable here.
ASKER CERTIFIED SOLUTION
ASKER
Mike, thanks for your assistance. It is working now.... magically...
There were several things I changed yesterday (before entering this question here), including adding "inspect sip" to the global_policy (it had been in the "global-policy" (dash, versus underscore) previously, so was definitely not in place properly). At that time, "show sip" didn't show ANYTHING, and the inspection packet counts showed all zeros (as above).
In the meantime, in order to complete the test I needed to accomplish, I added a VPN tunnel from the client's PBX directly back to my firewall so I could configure a LAN-based connection and bypass the ASA, and was able to get calls through fine.
This morning, I knocked the VPN tunnel down, reconfigured my phone to the Internet address, and VOILA! everything is working. The ASA is now reporting packet counts on "show sip", and I have confirmed via tcpdump on an intermediate router that the SIP protocol is showing NAT'd addresses for RTP, where it had not been yesterday.
Oh well, chalk one up for letting the ASA simmer on the configuration overnight......
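The mismatch described in the comment above ("inspect sip" sitting in a policy-map that no service-policy applies) can be checked offline against a saved running-config. This is an added example, not part of the original thread; the function name audit_inspection and the sample config are constructed for illustration and are not taken from the poster's bkasa.txt.

```python
import re

# Constructed running-config excerpt: "inspect sip" sits in a policy-map named
# global-policy (dash), but global_policy (underscore) is the one applied.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
policy-map global-policy
 class inspection_default
  inspect sip
service-policy global_policy global
"""

def audit_inspection(config, protocol="sip"):
    """Return (applied, orphaned) policy-map names containing 'inspect <protocol>'."""
    inspecting, bound, current = set(), set(), None
    for line in config.splitlines():
        stripped = line.strip()
        if not line.startswith(" "):  # a top-level command ends any open block
            current = None
            # Skip "policy-map type inspect ..." maps; they only hold parameters.
            m = re.match(r"policy-map\s+(?!type\s)(\S+)", stripped)
            if m:
                current = m.group(1)
            m = re.match(r"service-policy\s+(\S+)\s+(global|interface\s+\S+)", stripped)
            if m:
                bound.add(m.group(1))
        elif current and re.fullmatch(
                rf"inspect\s+{re.escape(protocol)}(\s+\S+)?", stripped):
            inspecting.add(current)
    return sorted(inspecting & bound), sorted(inspecting - bound)

if __name__ == "__main__":
    applied, orphaned = audit_inspection(SAMPLE_CONFIG)
    print("inspect sip active in:", applied or "no applied policy-map")
    for name in orphaned:
        print(f"WARNING: policy-map {name} has 'inspect sip' "
              "but no service-policy applies it")
```

An orphaned policy-map reported here corresponds to the all-zero "Inspect: sip" packet counters shown in the question.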
ASKER
Not really a "solution", but it led me down the right path as per comments.
You need to use in sip.conf:
That way RTP goes through the asterisk host.