Solved

Microsoft Lync 2010 With ASA 5510

Posted on 2011-10-27
Last Modified: 2012-05-12
Hello Experts,

I have a problem with Lync 2010: I can't make voice or video calls with external users. After a lot of troubleshooting I found the problem is with the ASA, after opening the required ports on the ASA. So if anyone has a clue, which configuration is best to make Lync work with external users?

FYI: I have only two interfaces on the ASA, internal and external.

Sorry guys for my bad English.

Thanks
Question by:Anees_Atef
24 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 37042804
When you deploy a Lync Edge Server, you need to have ports 5061 and 443 allowed into the edge server.

These are the default ports, so if you changed the defaults, the ASA opened ports must match.
0
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37043752
Yes I know, I didn't change them, and these ports are already open on the ASA.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37044310
Hi,

Did you enable SIP inspection?
0
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37044330
I found some forums on the internet that say I have to disable SIP inspection,

so I used this command:

(no inspect sip)

but voice and video are still not working.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37044463
What does the log show?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 37045050
Let's eliminate the ASA from the picture. With Lync, there can be many other issues in the Lync world that can prevent connections.

Hop on that host, open a browser, go to www.canyouseeme.org. From here you can test the connectivity on those 2 ports. Let us know what it finds. If connections are successful, then the ASA has nothing to do with it and we need to concentrate on the Lync services.

If the tests fail, then you can do a SHOW LOGGING on the ASA and look for dropped packets. Post the log here so we can look.

 
0
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37048108
Kindly find attached the log and the conf:
Drexel-ASA# sh conf
: Saved
: Written by enable_15 at 22:49:40.047 EEST Fri Oct 28 2011
!
ASA Version 8.4(1) 
!
hostname Drexel-ASA
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 62.240.124.165 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!             
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Fri Apr 0:00 last Fri Sep 0:00
object network Inside-Net 
 subnet 10.0.0.0 255.255.255.0
object network FTP-Private 
 host 10.0.0.16
object network FTP-Real 
 host 62.240.124.163
 description FTP-Real     
object network Inside-ISA 
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.96_27 
 subnet 10.0.0.96 255.255.255.224
object network Barracuda 
 host 10.0.0.8
object service Mail-Scan 
 service tcp source eq 8000 
object network FTP-NAT 
 host 10.0.0.16
object network Test-Nat 
 host 10.10.10.100
object network NAT-1 
 host 10.10.10.100
object service HTTP 
 service tcp source eq www 
object service HTTPS 
 service tcp source eq https 
object network Mail-Redirect 
 host 10.0.0.13
object service SMTP 
 service tcp source eq smtp 
object network Mail-Real 
 host 62.240.124.162
 description Mail-Real     
object service IMAP-4 
 service tcp source eq imap4 
object network ISA-Server 
 host 10.0.0.2
object service ISAKMP 
 service udp source eq isakmp 
object network ISA-Real 
 host 62.240.124.162
 description ISA-Real     
object service PPTP 
 service tcp source eq pptp 
object network MS-LYNC-Real 
 host 62.240.124.164
object network MS-Lync-Private 
 host 10.0.0.3
object service Port_5061 
 service tcp destination eq 5061 
object network MS-Lync-NAT 
 host 10.0.0.3
object network Test 
 host 10.0.0.29
object service RTP-TCP 
 service tcp destination range 50000 59999 
object service RTP-UDP 
 service udp destination range 50000 59999 
object service STUN 
 service udp destination eq 3478 
object-group service FTP tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object object Inside-ISA
 network-object object Inside-Net
object-group service DM_INLINE_TCP_1 tcp
 port-object eq smtp
 port-object eq 8000
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
object-group service DM_INLINE_TCP_3 tcp
 port-object eq https
 port-object eq pptp
object-group service DM_INLINE_SERVICE_1
 service-object object Port_5061 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object object RTP-TCP 
object-group service DM_INLINE_SERVICE_2
 service-object object RTP-UDP 
 service-object object STUN 
access-list outside_access_in extended permit ip any object MS-Lync-Private 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object MS-Lync-Private 
access-list outside_access_in extended permit gre any object ISA-Real 
access-list outside_access_in extended permit gre any object ISA-Server 
access-list outside_access_in extended permit tcp any object FTP-Private object-group FTP 
access-list outside_access_in extended permit tcp any object Mail-Redirect object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit ip any object Test 
access-list outside_access_in extended permit tcp any object Barracuda object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit udp any object ISA-Server eq isakmp 
access-list outside_access_in extended permit tcp any object ISA-Server object-group DM_INLINE_TCP_3 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq sip 
access-list outside_access_in extended permit udp any host 62.240.124.164 eq sip 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq h323 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 2000 
access-list outside_access_in extended permit udp any host 62.240.124.164 eq 5061 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061 
access-list Inside-access standard permit 10.0.0.0 255.255.255.0 
pager lines 24
logging enable
logging monitor warnings
logging asdm informational
logging mail emergencies
mtu outside 1500
mtu inside 1500
ip local pool VPN-Pool 10.0.0.101-10.0.0.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
nat (inside,outside) source static Barracuda Mail-Real service any SMTP
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTP
nat (inside,outside) source static Barracuda Mail-Real service any Mail-Scan
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTPS
nat (inside,outside) source static Mail-Redirect Mail-Real service any IMAP-4
nat (inside,outside) source static ISA-Server ISA-Real
!
object network FTP-NAT
 nat (inside,outside) static FTP-Real dns
object network Test
 nat (inside,outside) static 62.240.124.167
!
nat (inside,outside) after-auto source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.0.0.96_27 NETWORK_OBJ_10.0.0.96_27
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.240.124.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Drx-LDAP protocol ldap
aaa-server Drx-LDAP (inside) host 192.168.1.12
 timeout 5
 server-type auto-detect
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.0.22 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.22 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Drexel-VPN internal
group-policy Drexel-VPN attributes
 dns-server value 192.168.1.11 192.168.1.12
 vpn-tunnel-protocol ikev1 
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside-access
 default-domain value drexelegypt.lcl
 vpn-group-policy Drexel-VPN
 service-type remote-access
 vpn-group-policy Drexel-VPN
 vpn-group-policy Drexel-VPN
tunnel-group Drexel-VPN type remote-access
tunnel-group Drexel-VPN general-attributes
 address-pool VPN-Pool
 default-group-policy Drexel-VPN
tunnel-group Drexel-VPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 192.168.1.13
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Drexel-ASA#


Conf.jpg
LOG-1.jpg
LOG-2.jpg
0
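An added example, not part of the thread or of any participant's post: a small Python audit of the configuration posted above. It flags ACEs whose destination is a NAT mapped address (from ASA 8.3 onward interface ACLs are matched against the real address, so those entries do not match the translated host) and ACEs that sit behind a broader `permit ip any` entry for the same host. The function names are hypothetical, and the embedded text is an excerpt of the posted `sh conf` output.

```python
import re

# Excerpt of the ASA 8.4(1) configuration posted above (only the lines the audit needs).
CONFIG = """\
object network ISA-Server
 host 10.0.0.2
object network ISA-Real
 host 62.240.124.162
object network MS-LYNC-Real
 host 62.240.124.164
object network MS-Lync-Private
 host 10.0.0.3
access-list outside_access_in extended permit ip any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object MS-Lync-Private
access-list outside_access_in extended permit gre any object ISA-Real
access-list outside_access_in extended permit gre any object ISA-Server
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq sip
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
nat (inside,outside) source static ISA-Server ISA-Real
"""

# permit <proto | object-group NAME> any <object NAME | host IP> [port spec]
ACE = re.compile(
    r"^access-list (\S+) extended permit (object-group \S+|\S+) any "
    r"(?:object (\S+)|host (\S+))(?: (.*))?$",
    re.M,
)


def parse_objects(text):
    """Return {object_name: host_ip} for 'object network' host objects."""
    objects, current = {}, None
    for line in text.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objects[current] = m.group(1)
        if not line.startswith(" "):
            current = None
    return objects


def parse_static_nat(text, objects):
    """Return {mapped_ip: real_ip} for 'nat (...) source static REAL MAPPED'."""
    pairs = {}
    for m in re.finditer(r"^nat \(\S+\) source static (\S+) (\S+)", text, re.M):
        real, mapped = m.group(1), m.group(2)
        if real in objects and mapped in objects:
            pairs[objects[mapped]] = objects[real]
    return pairs


def parse_aces(text, objects):
    """Return the permit ACEs in order, with object names resolved to IPs."""
    aces = []
    for n, m in enumerate(ACE.finditer(text), start=1):
        dest = objects.get(m.group(3), m.group(3)) if m.group(3) else m.group(4)
        aces.append({"line": n, "proto": m.group(2), "dest": dest,
                     "ports": m.group(5) or ""})
    return aces


def audit(text):
    """Return (ace_line, kind, detail) findings in ACL order."""
    objects = parse_objects(text)
    mapped_to_real = parse_static_nat(text, objects)
    wide_open, findings = {}, []
    for ace in parse_aces(text, objects):
        dest = ace["dest"]
        if dest in mapped_to_real:
            # 8.3+ un-translates before the ACL check, so this never matches.
            findings.append((ace["line"], "mapped-address",
                             f"{dest} is the mapped address of {mapped_to_real[dest]}"))
        elif dest in wide_open:
            findings.append((ace["line"], "shadowed",
                             f"already covered by ACE {wide_open[dest]}"))
        elif ace["proto"] == "ip" and not ace["ports"]:
            wide_open[dest] = ace["line"]
            findings.append((ace["line"], "permit-ip-any",
                             f"every protocol and port to {dest} is allowed from any source"))
    return findings


if __name__ == "__main__":
    for line, kind, detail in audit(CONFIG):
        print(f"ACE {line}: {kind}: {detail}")
```

Once the required ports are confirmed, replacing the `permit ip any` entry with the port-specific entries narrows what the outside interface exposes on that host.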
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37053680
Any update, Experts?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 37057795
Those log snippets are only showing the buildup and teardowns for traffic to the host on high numbered ports. Your conf.jpg image shows the hit count on the outside ACL on line 1 with 820 hits matching that ACE. So, to me, looks like the ASA is allowing the traffic in.

Did you try the canyouseeme.org site to verify the ports are open?
0
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37059725
Yes, I'm trying to use it but I have a problem: I can't select my real IP address... this site selects automatically from my real IP pool.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 37059848
If you are getting an incorrect IP, then you might have a bad static NAT. Do a SHOW XLATE on the ASA to see the current NAT. Also you could post a sanitized configuration for me to see.
0
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37059859
I get it... I will open this site from the Edge and give you feedback.
0
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37066768
443 Open

5061 Close

50000 Close

Any advice?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 37067247

The edge servers would need 5061 open so it looks like either the ASA is blocking or your host is not listening on that port. If you post a sanitized configuration of the ASA I can look there. You can list out your host's ports with netstat -a
0
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37072569
Sorry for the delay.

Kindly find the netstat result:
PS C:\Users\Administrator> netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:135            Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:445            Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:3389           Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:4443           Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:47001          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49152          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49153          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49154          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49155          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49157          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49158          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49168          Drx-EDG-01:0           LISTENING
  TCP    172.16.16.10:139       Drx-EDG-01:0           LISTENING
  TCP    172.16.16.11:443       Drx-EDG-01:0           LISTENING
  TCP    172.16.16.11:5061      Drx-EDG-01:0           LISTENING
  TCP    172.16.16.12:443       Drx-EDG-01:0           LISTENING
  TCP    172.16.16.13:443       Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:139        Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:443        Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:3389       Drx-Host:55412         ESTABLISHED
  TCP    192.168.1.9:5061       Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:5061       Drx-Lync-01:55325      ESTABLISHED
  TCP    192.168.1.9:5062       Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:5062       Drx-Lync-01:55324      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:8057       Drx-Lync-01:63678      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63679      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63680      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63681      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63691      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63692      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63693      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63694      ESTABLISHED
  TCP    192.168.1.9:49204      Drx-Lync-01:5061       ESTABLISHED
  TCP    [::]:80                Drx-EDG-01:0           LISTENING
  TCP    [::]:135               Drx-EDG-01:0           LISTENING
  TCP    [::]:445               Drx-EDG-01:0           LISTENING
  TCP    [::]:3389              Drx-EDG-01:0           LISTENING
  TCP    [::]:4443              Drx-EDG-01:0           LISTENING
  TCP    [::]:47001             Drx-EDG-01:0           LISTENING
  TCP    [::]:49152             Drx-EDG-01:0           LISTENING
  TCP    [::]:49153             Drx-EDG-01:0           LISTENING
  TCP    [::]:49154             Drx-EDG-01:0           LISTENING
  TCP    [::]:49155             Drx-EDG-01:0           LISTENING
  TCP    [::]:49157             Drx-EDG-01:0           LISTENING
  TCP    [::]:49158             Drx-EDG-01:0           LISTENING
  TCP    [::]:49168             Drx-EDG-01:0           LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1434           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    127.0.0.1:49912        *:*
  UDP    127.0.0.1:52948        *:*
  UDP    127.0.0.1:56413        *:*
  UDP    172.16.16.10:137       *:*
  UDP    172.16.16.10:138       *:*
  UDP    172.16.16.13:3478      *:*
  UDP    172.16.16.13:50018     *:*
  UDP    172.16.16.13:50030     *:*
  UDP    172.16.16.13:50040     *:*
  UDP    172.16.16.13:50042     *:*
  UDP    172.16.16.13:50043     *:*
  UDP    172.16.16.13:50061     *:*
  UDP    172.16.16.13:50075     *:*
  UDP    172.16.16.13:50154     *:*
  UDP    172.16.16.13:50157     *:*
  UDP    172.16.16.13:50170     *:*
  UDP    172.16.16.13:50174     *:*
  UDP    172.16.16.13:50182     *:*
  UDP    172.16.16.13:50186     *:*
  UDP    172.16.16.13:50205     *:*
  UDP    172.16.16.13:50248     *:*
  UDP    172.16.16.13:50274     *:*
  UDP    172.16.16.13:50281     *:*
  UDP    172.16.16.13:50390     *:*
  UDP    172.16.16.13:50454     *:*
  UDP    172.16.16.13:50498     *:*
  UDP    172.16.16.13:50541     *:*
  UDP    172.16.16.13:50544     *:*
  UDP    172.16.16.13:50545     *:*
  UDP    172.16.16.13:50551     *:*
  UDP    172.16.16.13:50579     *:*
  UDP    172.16.16.13:50591     *:*
  UDP    172.16.16.13:50643     *:*
  UDP    172.16.16.13:50647     *:*
  UDP    172.16.16.13:50654     *:*
  UDP    172.16.16.13:50676     *:*
  UDP    172.16.16.13:50714     *:*
  UDP    172.16.16.13:50748     *:*
  UDP    172.16.16.13:50760     *:*
  UDP    172.16.16.13:50782     *:*
  UDP    172.16.16.13:50785     *:*
  UDP    172.16.16.13:50790     *:*
  UDP    172.16.16.13:50800     *:*
  UDP    172.16.16.13:50809     *:*
  UDP    172.16.16.13:50826     *:*
  UDP    172.16.16.13:50844     *:*
  UDP    172.16.16.13:50852     *:*
  UDP    172.16.16.13:50865     *:*
  UDP    172.16.16.13:50872     *:*
  UDP    172.16.16.13:50897     *:*
  UDP    172.16.16.13:50907     *:*
  UDP    172.16.16.13:50913     *:*
  UDP    172.16.16.13:50924     *:*
  UDP    172.16.16.13:50955     *:*
  UDP    172.16.16.13:50960     *:*
  UDP    172.16.16.13:50998     *:*
  UDP    172.16.16.13:51002     *:*
  UDP    172.16.16.13:51025     *:*
  UDP    172.16.16.13:51037     *:*
  UDP    172.16.16.13:51048     *:*
  UDP    172.16.16.13:51076     *:*
  UDP    172.16.16.13:51081     *:*
  UDP    172.16.16.13:51085     *:*
  UDP    172.16.16.13:51087     *:*
  UDP    172.16.16.13:51088     *:*
  UDP    172.16.16.13:51089     *:*
  UDP    172.16.16.13:51090     *:*
  UDP    172.16.16.13:51104     *:*
  UDP    172.16.16.13:51127     *:*
  UDP    172.16.16.13:51163     *:*
  UDP    172.16.16.13:51191     *:*
  UDP    172.16.16.13:51199     *:*
  UDP    172.16.16.13:51223     *:*
  UDP    172.16.16.13:51234     *:*
  UDP    172.16.16.13:51237     *:*
  UDP    172.16.16.13:51296     *:*
  UDP    172.16.16.13:51298     *:*
  UDP    172.16.16.13:51315     *:*
  UDP    172.16.16.13:51321     *:*
  UDP    172.16.16.13:51322     *:*
  UDP    172.16.16.13:51357     *:*
  UDP    172.16.16.13:51366     *:*
  UDP    172.16.16.13:51384     *:*
  UDP    172.16.16.13:51386     *:*
  UDP    172.16.16.13:51408     *:*
  UDP    172.16.16.13:51418     *:*
  UDP    172.16.16.13:51423     *:*
  UDP    172.16.16.13:51447     *:*
  UDP    172.16.16.13:51452     *:*
  UDP    172.16.16.13:51456     *:*
  UDP    172.16.16.13:51538     *:*
  UDP    172.16.16.13:51539     *:*
  UDP    172.16.16.13:51562     *:*
  UDP    172.16.16.13:51568     *:*
  UDP    172.16.16.13:51593     *:*
  UDP    172.16.16.13:51616     *:*
  UDP    172.16.16.13:51648     *:*
  UDP    172.16.16.13:51695     *:*
  UDP    172.16.16.13:51701     *:*
  UDP    172.16.16.13:51716     *:*
  UDP    172.16.16.13:51755     *:*
  UDP    172.16.16.13:51767     *:*
  UDP    172.16.16.13:51781     *:*
  UDP    172.16.16.13:51824     *:*
  UDP    172.16.16.13:51825     *:*
  UDP    172.16.16.13:51832     *:*
  UDP    172.16.16.13:51839     *:*
  UDP    172.16.16.13:51849     *:*
  UDP    172.16.16.13:51857     *:*
  UDP    172.16.16.13:51885     *:*
  UDP    172.16.16.13:51892     *:*
  UDP    172.16.16.13:51903     *:*
  UDP    172.16.16.13:51959     *:*
  UDP    172.16.16.13:51967     *:*
  UDP    172.16.16.13:52038     *:*
  UDP    172.16.16.13:52048     *:*
  UDP    172.16.16.13:52117     *:*
  UDP    172.16.16.13:52132     *:*
  UDP    172.16.16.13:52138     *:*
  UDP    172.16.16.13:52155     *:*
  UDP    172.16.16.13:52176     *:*
  UDP    172.16.16.13:52200     *:*
  UDP    172.16.16.13:52215     *:*
  UDP    172.16.16.13:52217     *:*
  UDP    172.16.16.13:52276     *:*
  UDP    172.16.16.13:52300     *:*
  UDP    172.16.16.13:52320     *:*
  UDP    172.16.16.13:52341     *:*
  UDP    172.16.16.13:52353     *:*
  UDP    172.16.16.13:52363     *:*
  UDP    172.16.16.13:52409     *:*
  UDP    172.16.16.13:52453     *:*
  UDP    172.16.16.13:52480     *:*
  UDP    172.16.16.13:52501     *:*
  UDP    172.16.16.13:52503     *:*
  UDP    172.16.16.13:52506     *:*
  UDP    172.16.16.13:52542     *:*
  UDP    172.16.16.13:52554     *:*
  UDP    172.16.16.13:52555     *:*
  UDP    172.16.16.13:52561     *:*
  UDP    172.16.16.13:52583     *:*
  UDP    172.16.16.13:52614     *:*
  UDP    172.16.16.13:52617     *:*
  UDP    172.16.16.13:52632     *:*
  UDP    172.16.16.13:52688     *:*
  UDP    172.16.16.13:52721     *:*
  UDP    172.16.16.13:52735     *:*
  UDP    172.16.16.13:52736     *:*
  UDP    172.16.16.13:52739     *:*
  UDP    172.16.16.13:52740     *:*
  UDP    172.16.16.13:52780     *:*
  UDP    172.16.16.13:52790     *:*
  UDP    172.16.16.13:52810     *:*
  UDP    172.16.16.13:52823     *:*
  UDP    172.16.16.13:52886     *:*
  UDP    172.16.16.13:52915     *:*
  UDP    172.16.16.13:52961     *:*
  UDP    172.16.16.13:52985     *:*
  UDP    172.16.16.13:53016     *:*
  UDP    172.16.16.13:53020     *:*
  UDP    172.16.16.13:53066     *:*
  UDP    172.16.16.13:53082     *:*
  UDP    172.16.16.13:53091     *:*
  UDP    172.16.16.13:53093     *:*
  UDP    172.16.16.13:53096     *:*
  UDP    172.16.16.13:53107     *:*
  UDP    172.16.16.13:53117     *:*
  UDP    172.16.16.13:53121     *:*
  UDP    172.16.16.13:53158     *:*
  UDP    172.16.16.13:53183     *:*
  UDP    172.16.16.13:53223     *:*
  UDP    172.16.16.13:53239     *:*
  UDP    172.16.16.13:53243     *:*
  UDP    172.16.16.13:53244     *:*
  UDP    172.16.16.13:53245     *:*
  UDP    172.16.16.13:53256     *:*
  UDP    172.16.16.13:53257     *:*
  UDP    172.16.16.13:53266     *:*
  UDP    172.16.16.13:53290     *:*
  UDP    172.16.16.13:53294     *:*
  UDP    172.16.16.13:53378     *:*
  UDP    172.16.16.13:53412     *:*
  UDP    172.16.16.13:53424     *:*
  UDP    172.16.16.13:53431     *:*
  UDP    172.16.16.13:53475     *:*
  UDP    172.16.16.13:53479     *:*
  UDP    172.16.16.13:53480     *:*
  UDP    172.16.16.13:53506     *:*
  UDP    172.16.16.13:53517     *:*
  UDP    172.16.16.13:53540     *:*
  UDP    172.16.16.13:53566     *:*
  UDP    172.16.16.13:53572     *:*
  UDP    172.16.16.13:53623     *:*
  UDP    172.16.16.13:53629     *:*
  UDP    172.16.16.13:53666     *:*
  UDP    172.16.16.13:53675     *:*
  UDP    172.16.16.13:53715     *:*
  UDP    172.16.16.13:53724     *:*
  UDP    172.16.16.13:53749     *:*
  UDP    172.16.16.13:53756     *:*
  UDP    172.16.16.13:53758     *:*
  UDP    172.16.16.13:53759     *:*
  UDP    172.16.16.13:53764     *:*
  UDP    172.16.16.13:53831     *:*
  UDP    172.16.16.13:53859     *:*
  UDP    172.16.16.13:53864     *:*
  UDP    172.16.16.13:53882     *:*
  UDP    172.16.16.13:53910     *:*
  UDP    172.16.16.13:53923     *:*
  UDP    172.16.16.13:53941     *:*
  UDP    172.16.16.13:53970     *:*
  UDP    172.16.16.13:53972     *:*
  UDP    172.16.16.13:53977     *:*
  UDP    172.16.16.13:53994     *:*
  UDP    172.16.16.13:54127     *:*
  UDP    172.16.16.13:54130     *:*
  UDP    172.16.16.13:54138     *:*
  UDP    172.16.16.13:54152     *:*
  UDP    172.16.16.13:54177     *:*
  UDP    172.16.16.13:54180     *:*
  UDP    172.16.16.13:54192     *:*
  UDP    172.16.16.13:54204     *:*
  UDP    172.16.16.13:54213     *:*
  UDP    172.16.16.13:54252     *:*
  UDP    172.16.16.13:54301     *:*
  UDP    172.16.16.13:54309     *:*
  UDP    172.16.16.13:54313     *:*
  UDP    172.16.16.13:54342     *:*
  UDP    172.16.16.13:54353     *:*
  UDP    172.16.16.13:54362     *:*
  UDP    172.16.16.13:54406     *:*
  UDP    172.16.16.13:54499     *:*
  UDP    172.16.16.13:54505     *:*
  UDP    172.16.16.13:54516     *:*
  UDP    172.16.16.13:54564     *:*
  UDP    172.16.16.13:54569     *:*
  UDP    172.16.16.13:54655     *:*
  UDP    172.16.16.13:54657     *:*
  UDP    172.16.16.13:54659     *:*
  UDP    172.16.16.13:54682     *:*
  UDP    172.16.16.13:54686     *:*
  UDP    172.16.16.13:54691     *:*
  UDP    172.16.16.13:54700     *:*
  UDP    172.16.16.13:54713     *:*
  UDP    172.16.16.13:54719     *:*
  UDP    172.16.16.13:54756     *:*
  UDP    172.16.16.13:54770     *:*
  UDP    172.16.16.13:54811     *:*
  UDP    172.16.16.13:54821     *:*
  UDP    172.16.16.13:54822     *:*
  UDP    172.16.16.13:54834     *:*
  UDP    172.16.16.13:54839     *:*
  UDP    172.16.16.13:54879     *:*
  UDP    172.16.16.13:54906     *:*
  UDP    172.16.16.13:54913     *:*
  UDP    172.16.16.13:54922     *:*
  UDP    172.16.16.13:54935     *:*
  UDP    172.16.16.13:54954     *:*
  UDP    172.16.16.13:54958     *:*
  UDP    172.16.16.13:55018     *:*
  UDP    172.16.16.13:55022     *:*
  UDP    172.16.16.13:55023     *:*
  UDP    172.16.16.13:55052     *:*
  UDP    172.16.16.13:55080     *:*
  UDP    172.16.16.13:55108     *:*
  UDP    172.16.16.13:55142     *:*
  UDP    172.16.16.13:55146     *:*
  UDP    172.16.16.13:55149     *:*
  UDP    172.16.16.13:55182     *:*
  UDP    172.16.16.13:55253     *:*
  UDP    172.16.16.13:55254     *:*
  UDP    172.16.16.13:55255     *:*
  UDP    172.16.16.13:55310     *:*
  UDP    172.16.16.13:55311     *:*
  UDP    172.16.16.13:55345     *:*
  UDP    172.16.16.13:55373     *:*
  UDP    172.16.16.13:55479     *:*
  UDP    172.16.16.13:55622     *:*
  UDP    172.16.16.13:55632     *:*
  UDP    172.16.16.13:55635     *:*
  UDP    172.16.16.13:55636     *:*
  UDP    172.16.16.13:55646     *:*
  UDP    172.16.16.13:55649     *:*
  UDP    172.16.16.13:55655     *:*
  UDP    172.16.16.13:55660     *:*
  UDP    172.16.16.13:55675     *:*
  UDP    172.16.16.13:55696     *:*
  UDP    172.16.16.13:55740     *:*
  UDP    172.16.16.13:55748     *:*
  UDP    172.16.16.13:55760     *:*
  UDP    172.16.16.13:55767     *:*
  UDP    172.16.16.13:55778     *:*
  UDP    172.16.16.13:55806     *:*
  UDP    172.16.16.13:55815     *:*
  UDP    172.16.16.13:55872     *:*
  UDP    172.16.16.13:55885     *:*
  UDP    172.16.16.13:55889     *:*
  UDP    172.16.16.13:55920     *:*
  UDP    172.16.16.13:55930     *:*
  UDP    172.16.16.13:55932     *:*
  UDP    172.16.16.13:55951     *:*
  UDP    172.16.16.13:55959     *:*
  UDP    172.16.16.13:55960     *:*
  UDP    172.16.16.13:55981     *:*
  UDP    172.16.16.13:55985     *:*
  UDP    172.16.16.13:55986     *:*
  UDP    172.16.16.13:56005     *:*
  UDP    172.16.16.13:56006     *:*
  UDP    172.16.16.13:56009     *:*
  UDP    172.16.16.13:56051     *:*
  UDP    172.16.16.13:56082     *:*
  UDP    172.16.16.13:56106     *:*
  UDP    172.16.16.13:56122     *:*
  UDP    172.16.16.13:56138     *:*
  UDP    172.16.16.13:56144     *:*
  UDP    172.16.16.13:56157     *:*
  UDP    172.16.16.13:56169     *:*
  UDP    172.16.16.13:56210     *:*
  UDP    172.16.16.13:56238     *:*
  UDP    172.16.16.13:56251     *:*
  UDP    172.16.16.13:56261     *:*
  UDP    172.16.16.13:56291     *:*
  UDP    172.16.16.13:56293     *:*
  UDP    172.16.16.13:56305     *:*
  UDP    172.16.16.13:56306     *:*
  UDP    172.16.16.13:56317     *:*
  UDP    172.16.16.13:56337     *:*
  UDP    172.16.16.13:56358     *:*
  UDP    172.16.16.13:56366     *:*
  UDP    172.16.16.13:56436     *:*
  UDP    172.16.16.13:56467     *:*
  UDP    172.16.16.13:56594     *:*
  UDP    172.16.16.13:56627     *:*
  UDP    172.16.16.13:56651     *:*
  UDP    172.16.16.13:56689     *:*
  UDP    172.16.16.13:56721     *:*
  UDP    172.16.16.13:56752     *:*
  UDP    172.16.16.13:56775     *:*
  UDP    172.16.16.13:56803     *:*
  UDP    172.16.16.13:56820     *:*
  UDP    172.16.16.13:56847     *:*
  UDP    172.16.16.13:56855     *:*
  UDP    172.16.16.13:56877     *:*
  UDP    172.16.16.13:56884     *:*
  UDP    172.16.16.13:56899     *:*
  UDP    172.16.16.13:56919     *:*
  UDP    172.16.16.13:56980     *:*
  UDP    172.16.16.13:56982     *:*
  UDP    172.16.16.13:56985     *:*
  UDP    172.16.16.13:56986     *:*
  UDP    172.16.16.13:56988     *:*
  UDP    172.16.16.13:56991     *:*
  UDP    172.16.16.13:57005     *:*
  UDP    172.16.16.13:57030     *:*
  UDP    172.16.16.13:57031     *:*
  UDP    172.16.16.13:57124     *:*
  UDP    172.16.16.13:57143     *:*
  UDP    172.16.16.13:57166     *:*
  UDP    172.16.16.13:57208     *:*
  UDP    172.16.16.13:57213     *:*
  UDP    172.16.16.13:57232     *:*
  UDP    192.168.1.9:137        *:*
  UDP    192.168.1.9:138        *:*
  UDP    192.168.1.9:3478       *:*
  UDP    [::]:500               *:*
  UDP    [::]:1434              *:*
  UDP    [::]:4500              *:*
PS C:\Users\Administrator>


0
 
LVL 33

Expert Comment

by:MikeKane
ID: 37072621
So the server seems to be listening on 5061. Now we just need to have a look at the ASA. Can you post a sanitized config?
0
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37072639
OK, this is my ASA config:
Drexel-ASA# sh conf
: Saved
: Written by enable_15 at 22:49:40.047 EEST Fri Oct 28 2011
!
ASA Version 8.4(1) 
!
hostname Drexel-ASA
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 62.240.124.165 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!             
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Fri Apr 0:00 last Fri Sep 0:00
object network Inside-Net 
 subnet 10.0.0.0 255.255.255.0
object network FTP-Private 
 host 10.0.0.16
object network FTP-Real 
 host 62.240.124.163
 description FTP-Real     
object network Inside-ISA 
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.96_27 
 subnet 10.0.0.96 255.255.255.224
object network Barracuda 
 host 10.0.0.8
object service Mail-Scan 
 service tcp source eq 8000 
object network FTP-NAT 
 host 10.0.0.16
object network Test-Nat 
 host 10.10.10.100
object network NAT-1 
 host 10.10.10.100
object service HTTP 
 service tcp source eq www 
object service HTTPS 
 service tcp source eq https 
object network Mail-Redirect 
 host 10.0.0.13
object service SMTP 
 service tcp source eq smtp 
object network Mail-Real 
 host 62.240.124.162
 description Mail-Real     
object service IMAP-4 
 service tcp source eq imap4 
object network ISA-Server 
 host 10.0.0.2
object service ISAKMP 
 service udp source eq isakmp 
object network ISA-Real 
 host 62.240.124.162
 description ISA-Real     
object service PPTP 
 service tcp source eq pptp 
object network MS-LYNC-Real 
 host 62.240.124.164
object network MS-Lync-Private 
 host 10.0.0.3
object service Port_5061 
 service tcp destination eq 5061 
object network MS-Lync-NAT 
 host 10.0.0.3
object network Test 
 host 10.0.0.29
object service RTP-TCP 
 service tcp destination range 50000 59999 
object service RTP-UDP 
 service udp destination range 50000 59999 
object service STUN 
 service udp destination eq 3478 
object-group service FTP tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object object Inside-ISA
 network-object object Inside-Net
object-group service DM_INLINE_TCP_1 tcp
 port-object eq smtp
 port-object eq 8000
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
object-group service DM_INLINE_TCP_3 tcp
 port-object eq https
 port-object eq pptp
object-group service DM_INLINE_SERVICE_1
 service-object object Port_5061 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object object RTP-TCP 
object-group service DM_INLINE_SERVICE_2
 service-object object RTP-UDP 
 service-object object STUN 
access-list outside_access_in extended permit ip any object MS-Lync-Private 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object MS-Lync-Private 
access-list outside_access_in extended permit gre any object ISA-Real 
access-list outside_access_in extended permit gre any object ISA-Server 
access-list outside_access_in extended permit tcp any object FTP-Private object-group FTP 
access-list outside_access_in extended permit tcp any object Mail-Redirect object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit ip any object Test 
access-list outside_access_in extended permit tcp any object Barracuda object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit udp any object ISA-Server eq isakmp 
access-list outside_access_in extended permit tcp any object ISA-Server object-group DM_INLINE_TCP_3 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq sip 
access-list outside_access_in extended permit udp any host 62.240.124.164 eq sip 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq h323 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 2000 
access-list outside_access_in extended permit udp any host 62.240.124.164 eq 5061 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061 
access-list Inside-access standard permit 10.0.0.0 255.255.255.0 
pager lines 24
logging enable
logging monitor warnings
logging asdm informational
logging mail emergencies
mtu outside 1500
mtu inside 1500
ip local pool VPN-Pool 10.0.0.101-10.0.0.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
nat (inside,outside) source static Barracuda Mail-Real service any SMTP
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTP
nat (inside,outside) source static Barracuda Mail-Real service any Mail-Scan
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTPS
nat (inside,outside) source static Mail-Redirect Mail-Real service any IMAP-4
nat (inside,outside) source static ISA-Server ISA-Real
!
object network FTP-NAT
 nat (inside,outside) static FTP-Real dns
object network Test
 nat (inside,outside) static 62.240.124.167
!
nat (inside,outside) after-auto source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.0.0.96_27 NETWORK_OBJ_10.0.0.96_27
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.240.124.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Drx-LDAP protocol ldap
aaa-server Drx-LDAP (inside) host 192.168.1.12
 timeout 5
 server-type auto-detect
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.0.22 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.22 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Drexel-VPN internal
group-policy Drexel-VPN attributes
 dns-server value 192.168.1.11 192.168.1.12
 vpn-tunnel-protocol ikev1 
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside-access
 default-domain value drexelegypt.lcl
 vpn-group-policy Drexel-VPN
 service-type remote-access
 vpn-group-policy Drexel-VPN
 vpn-group-policy Drexel-VPN
tunnel-group Drexel-VPN type remote-access
tunnel-group Drexel-VPN general-attributes
 address-pool VPN-Pool
 default-group-policy Drexel-VPN
tunnel-group Drexel-VPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 192.168.1.13
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Drexel-ASA#


0
 
LVL 33

Expert Comment

by:MikeKane
ID: 37076286
This seems to be your NAT to the Lync Server (I am assuming the labels are right, correct me if I am mistaken).
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real

MS LYNC Real is set to be
object network MS-LYNC-Real
 host 62.240.124.164



So let's have you try the "textbook" way of assigning a static NAT in post-8.3 code. Take a backup of the config before we start changing it.
no nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real

object network MS-Lync-Private
 nat (inside,outside) static MS-LYNC-Real



After this, do a "CLEAR XLATE" on the ASA to remove all current NAT.   Give it a few seconds then do a 'SHOW XLATE' to display the NATs and the 10.0.0.3 should have a static NAT to 62.240.124.164 address.  

Then from that server, go to canyouseeme.org and make sure you have the correct IP.   Then try testing the ports again.  
0
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37078689
You're right,

MS LYNC Real is set to be
object network MS-LYNC-Real
 host 62.240.124.164
--------------------------------------------------------------------------------

So sorry.
After these steps, I can see the correct IP but still can't open the ports.


0
 
LVL 33

Accepted Solution

by:
MikeKane earned 2000 total points
ID: 37079726
That should be it since you already have the ACL configured with:

object service Port_5061
 service tcp destination eq 5061


object-group service DM_INLINE_SERVICE_1
 service-object object Port_5061
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object object RTP-TCP

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private



If this is failing, open up the ASDM and look at the home page as it scrolls syslog messages.   From the edge server hit canyouseeme.org and test port 5061 again.   If the ASA is blocking anything, an error will show in the log.
0
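An added example (not part of the original thread, and not Cisco tooling): a small Python audit of the access-list and NAT lines quoted in the answer above. It flags a `permit ip any` entry to a single host, later entries to the same host that it makes redundant, and entries aimed at a translated address, which ASA 8.3 and later does not match because ACLs there are evaluated against the real address. The function names and finding labels are assumptions made for this example; the sample lines are excerpted from the configuration posted in the thread.

```python
import re

# Excerpt of the configuration posted in this thread (trimmed for the example).
SAMPLE_CONFIG = """\
object network MS-LYNC-Real
 host 62.240.124.164
object network MS-Lync-Private
 host 10.0.0.3
access-list outside_access_in extended permit ip any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
"""

def host_objects(config):
    """Map each 'object network NAME' to the 'host' address on its next line."""
    return dict(re.findall(r"^object network (\S+)[ \t]*\n host (\S+)", config, re.M))

def mapped_to_real(config, objs):
    """Translated address -> real address for 'source static REAL MAPPED' rules."""
    pairs = {}
    for m in re.finditer(r"^nat \(\S+\) source static (\S+) (\S+)", config, re.M):
        real, mapped = m.groups()
        if real in objs and mapped in objs:
            pairs[objs[mapped]] = objs[real]
    return pairs

def take_addr(tokens):
    """Consume 'any', 'host IP' or 'object NAME' (the only forms handled here)."""
    if tokens[0] in ("host", "object"):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], None), tokens[1:]

def audit_acl(config):
    """Return (finding, acl_line) pairs for extended permit entries."""
    objs = host_objects(config)
    mapped = mapped_to_real(config, objs)
    findings, wide_open = [], set()
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit (.+)", line)
        if not m:
            continue
        acl, tokens = m.group(1), m.group(2).split()
        skip = 2 if tokens[0] == "object-group" else 1  # service group or protocol
        proto, tokens = tokens[0], tokens[skip:]
        src, tokens = take_addr(tokens)
        (kind, value), _ = take_addr(tokens)
        dst_ip = objs.get(value) if kind == "object" else value
        if dst_ip in mapped:  # 8.3+ ACLs are checked against the real address
            findings.append(("mapped-address", line))
        elif (acl, dst_ip) in wide_open:  # an earlier 'permit ip any' covers it
            findings.append(("redundant", line))
        elif proto == "ip" and src == ("any", None) and dst_ip:
            wide_open.add((acl, dst_ip))
            findings.append(("permit-ip-any", line))
    return findings
```

On the posted rules, the first entry already exposes every port on 10.0.0.3 to the outside, so the port-specific groups after it add nothing until that entry is removed.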
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37082726
Sorry if this issue is taking a long time, but after adding the last config from you I found something in the monitoring on TMG 2010.

I think this is my problem.

Kindly find the attachments:
TMG-2010.jpg
TMG-2010-FP.jpg
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 37084807
I see the error. I've never used Forefront before. But it seems to me, from looking at those images, that you just need to edit the ALLOW Rule #2 to include TCP 5061 along with the HTTPS, STUNin, and STUNout.


0
 
LVL 2

Author Comment

by:Anees_Atef
ID: 37085059
I did it without any help; it is still blocking, but I found some articles saying TMG does not allow SIPS protocols.


If you can't help with this, I will give you my acceptance because of your efforts.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 37085170
I can't really help with Forefront....     Not my forte.      

However, some quick searching leads me to believe that TMG has a VOIP Filter that allows SIP, because there is reporting on the SIP stats.
http://technet.microsoft.com/en-us/library/ff849747.aspx
0
