Cisco ASA 5505 Allow SIP Through

Posted on 2011-10-19
Last Modified: 2012-06-21
I'm having issues with my VoIP phones, where I'm getting one-way audio.  I set up Wireshark and tracked packets and can see my firewall is blocking some of the packets.

I want to allow all SIP and RTP traffic from a specific IP range through my firewall.  What are the correct commands to do this?
Question by:Railroad
    LVL 28

    Expert Comment

    We need network topology.

    Is this all internal traffic?  (i.e., the ASA is blocking traffic that should be routed internally)

    Or is this SIP traffic that's supposed to be traversing the firewall?

    (Lots of folks try to use the ASA as a router, when it is really a firewall.  It blocks traffic that a router would pass, because it only sees one side of the conversation, and so it blocks the traffic.)

    If this is all internal traffic, try adding a static route for that particular destination.
    LVL 36

    Expert Comment

    Do you have any other sip phones behind the firewall?
    Do you have sip inspection enabled on the ASA?
    Are your phones configured to enable ICE?
    Are your phones configured to use a STUN server?

    Author Comment

    We are using a hosted VoIP system, so yes all the traffic has to pass through the firewall.

    I have in the firewall:

    object-group network SIP_SERVERS
     network-object x.x.x.96 255.255.255.224
    object-group service SIP_PORTS
     service-object udp range 10000 20000
     service-object udp eq sip

    And then for testing:

    access-list outside_access_in extended permit udp any object-group SIP_SERVERS
    access-list outside_access_in extended permit tcp any object-group SIP_SERVERS

    The ASA is still blocking/dropping traffic from the servers, however, although it's not reporting that it's doing so in any of the debug logging.

    No, SIP inspect is not turned on; I was told by the VoIP provider to turn this off.

    There are 21 phones behind the firewall.

    Unsure about ICE and STUN, don't know what they are.  The phones were pre-configured by the vendor.

    Author Comment

    I removed the two testing commands and added:

    access-list outside_access_in extended permit object-group SIP_PORTS object-group SIP_SERVERS any
    LVL 36

    Expert Comment

    Your two access lists are allowing completely different traffic. Are x.x.x.96 your IP addresses or those of the VoIP provider?

    Normally what would happen when your phone makes a call is it will advertise the ip address the audio should be sent to. This will normally be your internal ip address so if the pbx tries to send traffic to this internal address it won't go anywhere.
    You can have detection built into the pbx, have stun or ice support enabled on the phones or have sip inspection enabled on the firewall. Normally any of these will fix the problem (but some methods can have issues with call transfers) but trying to use more than one method at a time can stop it from working.

    There's nothing you have to do on the firewall to make it work, as incoming audio should be treated as a reply, but some config can make things work better. I would suggest increasing the UDP connection timeout to at least a couple of minutes though.

    I would contact the people who supplied the pbx and ask what nat detection method they are using.
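    The NAT problem described in the comment above, shown as an added Python example that is not from this thread: it parses a constructed SIP INVITE and reports every advertised address the provider could never send audio back to. Every address in it is made up; 203.0.113.96 stands in for the provider's x.x.x.96, 192.168.10.25 for the phone's LAN address and 198.51.100.7 for the site's public NAT address.

```python
import ipaddress
import re

# Constructed sample: an INVITE as it leaves a phone behind NAT, before any ALG
# (ASA "inspect sip") or STUN/ICE has rewritten it. Every address is made up:
# 203.0.113.96 stands in for the provider, 192.168.10.25 is the phone's LAN address.
SAMPLE_INVITE = (
    "INVITE sip:2001@203.0.113.96 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.25:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:1001@192.168.10.25:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.10.25\r\n"
    "c=IN IP4 192.168.10.25\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)

_VIA = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)(?::(\d+))?", re.M | re.I)
_CONTACT = re.compile(r"^Contact:.*?sip:(?:[^@\s>]+@)?([\d.]+)(?::(\d+))?", re.M | re.I)
_SDP_C = re.compile(r"^c=IN IP4 ([\d.]+)", re.M)
_SDP_M = re.compile(r"^m=audio (\d+)", re.M)
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def advertised_endpoints(msg):
    """Every place the phone tells the far end where to send signalling or audio."""
    headers, _, body = msg.partition("\r\n\r\n")
    found = {}
    if m := _VIA.search(headers):
        found["via"] = (m.group(1), int(m.group(2) or 5060))
    if m := _CONTACT.search(headers):
        found["contact"] = (m.group(1), int(m.group(2) or 5060))
    c, mline = _SDP_C.search(body), _SDP_M.search(body)
    if c and mline:  # c= gives the RTP address, m=audio the RTP port
        found["sdp_audio"] = (c.group(1), int(mline.group(1)))
    return found


def nat_problems(msg, public_ip):
    """Advertised endpoints the provider cannot reach. RTP sent to one of these
    never arrives, which shows up as one-way audio."""
    problems = []
    for name, (ip, port) in advertised_endpoints(msg).items():
        if any(ipaddress.ip_address(ip) in net for net in _RFC1918):
            problems.append(f"{name}: {ip}:{port} is RFC1918, unroutable from the provider")
        elif ip != public_ip:
            problems.append(f"{name}: {ip}:{port} is not the NAT public address {public_ip}")
    return problems
```

    Run it over the INVITEs in a Wireshark capture taken on the inside interface: a clean call from a phone using STUN/ICE, or passing through a SIP ALG, reports no problems because every advertised address is the public one.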

    Author Comment

    The x.x.x.96/27 are the VoIP Servers from the provider.

    FYI, this all worked well (For 2 months), without any special statements in the firewall until Monday.  Then Monday morning we started getting one-way audio.  It's always, that the person being called can not hear the caller.

    Nothing was changed on my ASA and supposedly nothing changed on the provider's end.  It's happening at four different sites, three with Cisco ASA 5505 and one with m0n0wall.

    In sniffing the traffic on the ASA, I can see the packets hitting the outside interface of the ASA, but then are not transmitted on the inside interface.  And debug logging shows no dropped packets.

    FYI, upgrading the ASA to 8.2(5) and the reboot didn't correct the issue.
    LVL 36

    Expert Comment

    Always the person being called? Regardless of outgoing or incoming call?
    Or is it always you don't hear the audio?
    Who is calling? From one location to another?
    Does it work ok with calls out to general destinations where the call has to go over regular telephone system?

    Author Comment

    Yes, it is always the person being called that cannot hear the caller when the one-way audio issue arises; it doesn't always.

    There is a fifth site, which is connected to the local network of the VoIP provider; this site has no issues.  If an "off-site" phone calls an extension at this "on-site", there are no issues with the call.

    If the off-site locations call another off-site location, local to that site or not, this is where the issue arises.  But it doesn't always happen, I haven't figured out any pattern to it.

    If an off-site phone calls a POTS line, there are no issues.  If a POTS line calls an off-site phone, there is an issue.

    Boggles my mind, can not figure it out.
    LVL 36

    Expert Comment

    It does sound like a firewall/NAT issue and you did say you can see the traffic coming back in and hitting the firewall.

    For the traffic going out does the source port and IP address match the destination port and IP address for the incoming traffic?
    This would be required for the firewall to think they are replies to the already established outbound connection and therefore permit the traffic back in and also know which internal IP address and port the traffic should be forwarded to.

    Accepted Solution

    Cisco TAC installed upgraded firmware on the ASA and rebuilt the inspect rule.  Solved the issue.

    Author Closing Comment

    It's what solved the issue.
