• Status: Solved

Microsoft Lync 2010 With ASA 5510

Hello Experts,

I have a problem with Lync 2010: I can't make voice or video calls with external users. After a lot of troubleshooting I found the problem is with the ASA, after opening the required ports on the ASA. So, does anyone have a clue which configuration is best to make Lync work with external users?

FYI: I have only two interfaces on the ASA, internal and external.

Sorry, guys, for my bad English.

Thanks
Asked by: Anees_Atef
 
MikeKane Commented:
When you deploy a Lync Edge Server, you need to have ports 5061 and 443 allowed into the edge server.

These are the default ports, so if you changed the defaults, the ports opened on the ASA must match.
 
Anees_Atef (Author) Commented:
Yes, I know. I didn't change them, and these ports are already open on the ASA.
 
Istvan Kalmar (Head of IT Security Division) Commented:
Hi,

Did you enable SIP inspection?

 
Anees_Atef (Author) Commented:
I found some forums on the internet that say I have to disable SIP inspection,

so I used this command:

(no inspect sip)

but voice and video are still not working.
 
Istvan Kalmar (Head of IT Security Division) Commented:
What does the log show?
 
MikeKane Commented:
Let's eliminate the ASA from the picture. With Lync, there can be many other issues in the Lync world that can prevent connections.

Hop on that host, open a browser, go to www.canyouseeme.org. From here you can test the connectivity on those 2 ports. Let us know what it finds. If connections are successful, then the ASA has nothing to do with it and we need to concentrate on the Lync services.

If the tests fail, then you can do a SHOW LOGGING on the ASA and look for dropped packets. Post the log here so we can look.
 
Anees_Atef (Author) Commented:
Kindly find attached the log and the conf:
Drexel-ASA# sh conf
: Saved
: Written by enable_15 at 22:49:40.047 EEST Fri Oct 28 2011
!
ASA Version 8.4(1) 
!
hostname Drexel-ASA
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 62.240.124.165 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!             
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Fri Apr 0:00 last Fri Sep 0:00
object network Inside-Net 
 subnet 10.0.0.0 255.255.255.0
object network FTP-Private 
 host 10.0.0.16
object network FTP-Real 
 host 62.240.124.163
 description FTP-Real     
object network Inside-ISA 
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.96_27 
 subnet 10.0.0.96 255.255.255.224
object network Barracuda 
 host 10.0.0.8
object service Mail-Scan 
 service tcp source eq 8000 
object network FTP-NAT 
 host 10.0.0.16
object network Test-Nat 
 host 10.10.10.100
object network NAT-1 
 host 10.10.10.100
object service HTTP 
 service tcp source eq www 
object service HTTPS 
 service tcp source eq https 
object network Mail-Redirect 
 host 10.0.0.13
object service SMTP 
 service tcp source eq smtp 
object network Mail-Real 
 host 62.240.124.162
 description Mail-Real     
object service IMAP-4 
 service tcp source eq imap4 
object network ISA-Server 
 host 10.0.0.2
object service ISAKMP 
 service udp source eq isakmp 
object network ISA-Real 
 host 62.240.124.162
 description ISA-Real     
object service PPTP 
 service tcp source eq pptp 
object network MS-LYNC-Real 
 host 62.240.124.164
object network MS-Lync-Private 
 host 10.0.0.3
object service Port_5061 
 service tcp destination eq 5061 
object network MS-Lync-NAT 
 host 10.0.0.3
object network Test 
 host 10.0.0.29
object service RTP-TCP 
 service tcp destination range 50000 59999 
object service RTP-UDP 
 service udp destination range 50000 59999 
object service STUN 
 service udp destination eq 3478 
object-group service FTP tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object object Inside-ISA
 network-object object Inside-Net
object-group service DM_INLINE_TCP_1 tcp
 port-object eq smtp
 port-object eq 8000
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
object-group service DM_INLINE_TCP_3 tcp
 port-object eq https
 port-object eq pptp
object-group service DM_INLINE_SERVICE_1
 service-object object Port_5061 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object object RTP-TCP 
object-group service DM_INLINE_SERVICE_2
 service-object object RTP-UDP 
 service-object object STUN 
access-list outside_access_in extended permit ip any object MS-Lync-Private 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object MS-Lync-Private 
access-list outside_access_in extended permit gre any object ISA-Real 
access-list outside_access_in extended permit gre any object ISA-Server 
access-list outside_access_in extended permit tcp any object FTP-Private object-group FTP 
access-list outside_access_in extended permit tcp any object Mail-Redirect object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit ip any object Test 
access-list outside_access_in extended permit tcp any object Barracuda object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit udp any object ISA-Server eq isakmp 
access-list outside_access_in extended permit tcp any object ISA-Server object-group DM_INLINE_TCP_3 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq sip 
access-list outside_access_in extended permit udp any host 62.240.124.164 eq sip 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq h323 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 2000 
access-list outside_access_in extended permit udp any host 62.240.124.164 eq 5061 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061 
access-list Inside-access standard permit 10.0.0.0 255.255.255.0 
pager lines 24
logging enable
logging monitor warnings
logging asdm informational
logging mail emergencies
mtu outside 1500
mtu inside 1500
ip local pool VPN-Pool 10.0.0.101-10.0.0.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
nat (inside,outside) source static Barracuda Mail-Real service any SMTP
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTP
nat (inside,outside) source static Barracuda Mail-Real service any Mail-Scan
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTPS
nat (inside,outside) source static Mail-Redirect Mail-Real service any IMAP-4
nat (inside,outside) source static ISA-Server ISA-Real
!
object network FTP-NAT
 nat (inside,outside) static FTP-Real dns
object network Test
 nat (inside,outside) static 62.240.124.167
!
nat (inside,outside) after-auto source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.0.0.96_27 NETWORK_OBJ_10.0.0.96_27
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.240.124.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Drx-LDAP protocol ldap
aaa-server Drx-LDAP (inside) host 192.168.1.12
 timeout 5
 server-type auto-detect
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.0.22 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.22 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Drexel-VPN internal
group-policy Drexel-VPN attributes
 dns-server value 192.168.1.11 192.168.1.12
 vpn-tunnel-protocol ikev1 
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside-access
 default-domain value drexelegypt.lcl
 vpn-group-policy Drexel-VPN
 service-type remote-access
 vpn-group-policy Drexel-VPN
 vpn-group-policy Drexel-VPN
tunnel-group Drexel-VPN type remote-access
tunnel-group Drexel-VPN general-attributes
 address-pool VPN-Pool
 default-group-policy Drexel-VPN
tunnel-group Drexel-VPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 192.168.1.13
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Drexel-ASA#

Attachments: Conf.jpg, LOG-1.jpg, LOG-2.jpg
 
Anees_Atef (Author) Commented:
Any update, Experts?
 
MikeKane Commented:
Those log snippets are only showing the buildups and teardowns for traffic to the host on high-numbered ports. Your Conf.jpg image shows the hit count on the outside ACL on line 1 with 820 hits matching that ACE. So, to me, it looks like the ASA is allowing the traffic in.

Did you try the canyouseeme.org site to verify the ports are open?
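
Added example, not part of the original thread: the first entry of the posted `outside_access_in` ACL is `permit ip any object MS-Lync-Private`, which matches any traffic to that host before the port-specific entries below it are evaluated. The script flags such entries and lists the services of the later entries they shadow. `SAMPLE_CONFIG` is a constructed excerpt in the posted config's syntax, and the function names are hypothetical.

```python
# Added example. SAMPLE_CONFIG is a constructed excerpt in the syntax of the posted config.
SAMPLE_CONFIG = """\
object service Port_5061
 service tcp destination eq 5061
object service STUN
 service udp destination eq 3478
object-group service DM_INLINE_SERVICE_1
 service-object object Port_5061
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
 service-object object STUN
access-list outside_access_in extended permit ip any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object MS-Lync-Private
access-list outside_access_in extended permit tcp any object Mail-Redirect eq smtp
access-list outside_access_in extended permit ip any object Test
"""


def parse_services(config):
    """Map each service object-group name to the 'proto direction port' entries it holds."""
    objects, groups, current = {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object", "service"] and len(t) > 2:
            current = ("object", t[2])
        elif t[:2] == ["object-group", "service"] and len(t) > 2:
            current = ("group", t[2])
            groups[t[2]] = []
        elif line[0] == " " and current and len(t) > 1:
            kind, name = current
            if kind == "object" and t[0] == "service":
                objects[name] = " ".join(t[1:])
            elif kind == "group" and t[:2] == ["service-object", "object"] and len(t) > 2:
                groups[name].append(objects.get(t[2], "object " + t[2]))
            elif kind == "group" and t[0] == "service-object":
                groups[name].append(" ".join(t[1:]))
        elif line[0] != " ":
            current = None  # any other top-level command ends the current object
    return groups


def take_spec(tokens, i):
    """Consume one protocol or address spec; host/object/object-group take an argument.
    Network/mask pairs are not handled; the posted extended ACL does not use them."""
    if tokens[i] in ("host", "object", "object-group"):
        return " ".join(tokens[i:i + 2]), i + 2
    return tokens[i], i + 1


def parse_aces(config):
    """Return the extended ACEs, each with its position among the entries of its ACL."""
    aces, counters = [], {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "extended":
            continue
        counters[t[1]] = counters.get(t[1], 0) + 1
        try:
            proto, i = take_spec(t, 4)
            src, i = take_spec(t, i)
            dst, i = take_spec(t, i)
        except IndexError:
            continue  # truncated entry
        aces.append({"acl": t[1], "line": counters[t[1]], "action": t[3],
                     "proto": proto, "src": src, "dst": dst, "ports": " ".join(t[i:])})
    return aces


def audit(config):
    """Flag 'permit ip any <dst>' entries and the later permits to the same <dst> they shadow.
    Simplification: deny entries are ignored, which is exact for an ACL of permits only."""
    groups = parse_services(config)
    broad, findings = {}, []
    for ace in parse_aces(config):
        if ace["action"] != "permit":
            continue
        key = (ace["acl"], ace["dst"])
        if key in broad:
            if ace["proto"].startswith("object-group "):
                services = groups.get(ace["proto"].split()[1], [])
            else:
                ports = ace["ports"]
                services = [ace["proto"] + " destination " + ports if ports else ace["proto"]]
            findings.append({"kind": "shadowed", "line": ace["line"], "by": broad[key],
                             "dst": ace["dst"], "services": services})
        elif ace["proto"] == "ip" and ace["src"] == "any":
            broad[key] = ace["line"]
            findings.append({"kind": "any-ip", "line": ace["line"], "by": None,
                             "dst": ace["dst"], "services": ["ip"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

The `services` lists of the shadowed entries are the ports that would remain open to that destination if the `any-ip` entry were removed.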
 
Anees_Atef (Author) Commented:
Yes, I'm trying to use it, but I have a problem: I can't select my real IP address; the site automatically selects one from my real IP pool.
 
MikeKane Commented:
If you are getting an incorrect IP, then you might have a bad static NAT. Do a SHOW XLATE on the ASA to see the current NAT. Also, you could post a sanitized configuration for me to see.
 
Anees_Atef (Author) Commented:
I get it. I will open this site from the EDGE and give you feedback.
 
Anees_Atef (Author) Commented:
443: Open

5061: Closed

50000: Closed

Any advice?
 
MikeKane Commented:
The edge servers would need 5061 open, so it looks like either the ASA is blocking or your host is not listening on that port. If you post a sanitized configuration of the ASA I can look there. You can list out your host's ports with netstat -a
 
Anees_Atef (Author) Commented:
Sorry for the delay.

Kindly find the netstat result:
PS C:\Users\Administrator> netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:135            Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:445            Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:3389           Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:4443           Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:47001          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49152          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49153          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49154          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49155          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49157          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49158          Drx-EDG-01:0           LISTENING
  TCP    0.0.0.0:49168          Drx-EDG-01:0           LISTENING
  TCP    172.16.16.10:139       Drx-EDG-01:0           LISTENING
  TCP    172.16.16.11:443       Drx-EDG-01:0           LISTENING
  TCP    172.16.16.11:5061      Drx-EDG-01:0           LISTENING
  TCP    172.16.16.12:443       Drx-EDG-01:0           LISTENING
  TCP    172.16.16.13:443       Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:139        Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:443        Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:3389       Drx-Host:55412         ESTABLISHED
  TCP    192.168.1.9:5061       Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:5061       Drx-Lync-01:55325      ESTABLISHED
  TCP    192.168.1.9:5062       Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:5062       Drx-Lync-01:55324      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:8057       Drx-Lync-01:63678      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63679      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63680      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63681      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63691      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63692      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63693      ESTABLISHED
  TCP    192.168.1.9:8057       Drx-Lync-01:63694      ESTABLISHED
  TCP    192.168.1.9:49204      Drx-Lync-01:5061       ESTABLISHED
  TCP    [::]:80                Drx-EDG-01:0           LISTENING
  TCP    [::]:135               Drx-EDG-01:0           LISTENING
  TCP    [::]:445               Drx-EDG-01:0           LISTENING
  TCP    [::]:3389              Drx-EDG-01:0           LISTENING
  TCP    [::]:4443              Drx-EDG-01:0           LISTENING
  TCP    [::]:47001             Drx-EDG-01:0           LISTENING
  TCP    [::]:49152             Drx-EDG-01:0           LISTENING
  TCP    [::]:49153             Drx-EDG-01:0           LISTENING
  TCP    [::]:49154             Drx-EDG-01:0           LISTENING
  TCP    [::]:49155             Drx-EDG-01:0           LISTENING
  TCP    [::]:49157             Drx-EDG-01:0           LISTENING
  TCP    [::]:49158             Drx-EDG-01:0           LISTENING
  TCP    [::]:49168             Drx-EDG-01:0           LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1434           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    127.0.0.1:49912        *:*
  UDP    127.0.0.1:52948        *:*
  UDP    127.0.0.1:56413        *:*
  UDP    172.16.16.10:137       *:*
  UDP    172.16.16.10:138       *:*
  UDP    172.16.16.13:3478      *:*
  UDP    172.16.16.13:59497     *:*
  UDP    172.16.16.13:59596     *:*
  UDP    172.16.16.13:59677     *:*
  UDP    172.16.16.13:59680     *:*
  UDP    172.16.16.13:59691     *:*
  UDP    172.16.16.13:59692     *:*
  UDP    172.16.16.13:59709     *:*
  UDP    172.16.16.13:59744     *:*
  UDP    172.16.16.13:59748     *:*
  UDP    172.16.16.13:59754     *:*
  UDP    172.16.16.13:59794     *:*
  UDP    172.16.16.13:59800     *:*
  UDP    172.16.16.13:59813     *:*
  UDP    172.16.16.13:59815     *:*
  UDP    172.16.16.13:59816     *:*
  UDP    172.16.16.13:59829     *:*
  UDP    172.16.16.13:59848     *:*
  UDP    172.16.16.13:59865     *:*
  UDP    172.16.16.13:59882     *:*
  UDP    172.16.16.13:59957     *:*
  UDP    172.16.16.13:59974     *:*
  UDP    172.16.16.13:59999     *:*
  UDP    192.168.1.9:137        *:*
  UDP    192.168.1.9:138        *:*
  UDP    192.168.1.9:3478       *:*
  UDP    [::]:500               *:*
  UDP    [::]:1434              *:*
  UDP    [::]:4500              *:*
PS C:\Users\Administrator>

0
 
MikeKaneCommented:
So the server seems to be listening on 5061. Now we just need to have a look at the ASA. Can you post a sanitized config?
0
 
Anees_AtefAuthor Commented:
OK, this is my ASA config:
Drexel-ASA# sh conf
: Saved
: Written by enable_15 at 22:49:40.047 EEST Fri Oct 28 2011
!
ASA Version 8.4(1) 
!
hostname Drexel-ASA
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 62.240.124.165 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!             
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Fri Apr 0:00 last Fri Sep 0:00
object network Inside-Net 
 subnet 10.0.0.0 255.255.255.0
object network FTP-Private 
 host 10.0.0.16
object network FTP-Real 
 host 62.240.124.163
 description FTP-Real     
object network Inside-ISA 
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.96_27 
 subnet 10.0.0.96 255.255.255.224
object network Barracuda 
 host 10.0.0.8
object service Mail-Scan 
 service tcp source eq 8000 
object network FTP-NAT 
 host 10.0.0.16
object network Test-Nat 
 host 10.10.10.100
object network NAT-1 
 host 10.10.10.100
object service HTTP 
 service tcp source eq www 
object service HTTPS 
 service tcp source eq https 
object network Mail-Redirect 
 host 10.0.0.13
object service SMTP 
 service tcp source eq smtp 
object network Mail-Real 
 host 62.240.124.162
 description Mail-Real     
object service IMAP-4 
 service tcp source eq imap4 
object network ISA-Server 
 host 10.0.0.2
object service ISAKMP 
 service udp source eq isakmp 
object network ISA-Real 
 host 62.240.124.162
 description ISA-Real     
object service PPTP 
 service tcp source eq pptp 
object network MS-LYNC-Real 
 host 62.240.124.164
object network MS-Lync-Private 
 host 10.0.0.3
object service Port_5061 
 service tcp destination eq 5061 
object network MS-Lync-NAT 
 host 10.0.0.3
object network Test 
 host 10.0.0.29
object service RTP-TCP 
 service tcp destination range 50000 59999 
object service RTP-UDP 
 service udp destination range 50000 59999 
object service STUN 
 service udp destination eq 3478 
object-group service FTP tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object object Inside-ISA
 network-object object Inside-Net
object-group service DM_INLINE_TCP_1 tcp
 port-object eq smtp
 port-object eq 8000
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
object-group service DM_INLINE_TCP_3 tcp
 port-object eq https
 port-object eq pptp
object-group service DM_INLINE_SERVICE_1
 service-object object Port_5061 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object object RTP-TCP 
object-group service DM_INLINE_SERVICE_2
 service-object object RTP-UDP 
 service-object object STUN 
access-list outside_access_in extended permit ip any object MS-Lync-Private 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object MS-Lync-Private 
access-list outside_access_in extended permit gre any object ISA-Real 
access-list outside_access_in extended permit gre any object ISA-Server 
access-list outside_access_in extended permit tcp any object FTP-Private object-group FTP 
access-list outside_access_in extended permit tcp any object Mail-Redirect object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit ip any object Test 
access-list outside_access_in extended permit tcp any object Barracuda object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit udp any object ISA-Server eq isakmp 
access-list outside_access_in extended permit tcp any object ISA-Server object-group DM_INLINE_TCP_3 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq sip 
access-list outside_access_in extended permit udp any host 62.240.124.164 eq sip 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq h323 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 2000 
access-list outside_access_in extended permit udp any host 62.240.124.164 eq 5061 
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061 
access-list Inside-access standard permit 10.0.0.0 255.255.255.0 
pager lines 24
logging enable
logging monitor warnings
logging asdm informational
logging mail emergencies
mtu outside 1500
mtu inside 1500
ip local pool VPN-Pool 10.0.0.101-10.0.0.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
nat (inside,outside) source static Barracuda Mail-Real service any SMTP
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTP
nat (inside,outside) source static Barracuda Mail-Real service any Mail-Scan
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTPS
nat (inside,outside) source static Mail-Redirect Mail-Real service any IMAP-4
nat (inside,outside) source static ISA-Server ISA-Real
!
object network FTP-NAT
 nat (inside,outside) static FTP-Real dns
object network Test
 nat (inside,outside) static 62.240.124.167
!
nat (inside,outside) after-auto source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.0.0.96_27 NETWORK_OBJ_10.0.0.96_27
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.240.124.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Drx-LDAP protocol ldap
aaa-server Drx-LDAP (inside) host 192.168.1.12
 timeout 5
 server-type auto-detect
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.0.22 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.22 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Drexel-VPN internal
group-policy Drexel-VPN attributes
 dns-server value 192.168.1.11 192.168.1.12
 vpn-tunnel-protocol ikev1 
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside-access
 default-domain value drexelegypt.lcl
 vpn-group-policy Drexel-VPN
 service-type remote-access
 vpn-group-policy Drexel-VPN
 vpn-group-policy Drexel-VPN
tunnel-group Drexel-VPN type remote-access
tunnel-group Drexel-VPN general-attributes
 address-pool VPN-Pool
 default-group-policy Drexel-VPN
tunnel-group Drexel-VPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 192.168.1.13
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Drexel-ASA#

0
 
MikeKaneCommented:
This seems to be your NAT to the Lync Server (I am assuming the labels are right, correct me if I am mistaken).
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real

MS LYNC Real is set to be
object network MS-LYNC-Real
 host 62.240.124.164



So let's have you try the "textbook" way of assigning a static NAT in post 8.3 code. Take a backup of the code before we start changing.
no nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real

object network MS-Lync-Private
 nat (inside,outside) static MS-LYNC-Real

After this, do a "CLEAR XLATE" on the ASA to remove all current NAT. Give it a few seconds then do a 'SHOW XLATE' to display the NATs and the 10.0.0.3 should have a static NAT to 62.240.124.164 address.

Then from that server, go to canyouseeme.org and make sure you have the correct IP. Then try testing the ports again.
0
 
Anees_AtefAuthor Commented:
You're right,

MS LYNC Real is set to be
object network MS-LYNC-Real
 host 62.240.124.164
--------------------------------------------------------------------------------

So sorry.
After these steps, I can see the correct IP but still can't open the ports.
0
 
MikeKaneCommented:
That should be it since you already have the ACL configured with:

object service Port_5061
 service tcp destination eq 5061


object-group service DM_INLINE_SERVICE_1
 service-object object Port_5061
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object object RTP-TCP

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private



If this is failing, open up the ASDM and look at the home page as it scrolls syslog messages.   From the edge server hit canyouseeme.org and test port 5061 again.   If the ASA is blocking anything, an error will show in the log.
0
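
An added example (not part of the thread and not the posters' own code): a small Python audit run over an excerpt of the configuration posted above. It flags `outside_access_in` entries that permit all IP to a host, later entries made redundant by them, and entries written against the mapped address, which ASA 8.3 and later do not match because interface ACLs are evaluated against the real address. The function name `audit` and the shortened excerpt are assumptions of this example.

```python
import re

# Excerpt copied from the ASA 8.4 configuration posted in the thread.
CONFIG = """\
object network MS-LYNC-Real
 host 62.240.124.164
object network MS-Lync-Private
 host 10.0.0.3
object network Test
 host 10.0.0.29
access-list outside_access_in extended permit ip any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object MS-Lync-Private
access-list outside_access_in extended permit ip any object Test
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq sip
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
"""

def audit(config, acl="outside_access_in"):
    """Return (line_number, finding) pairs for one ACL. Hypothetical helper."""
    lines = config.splitlines()
    objects, mapped, current = {}, set(), None
    for line in lines:  # pass 1: host objects and static NAT mapped addresses
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+host (\S+)", line):
            if current:
                objects[current] = m.group(1)
        else:
            current = None
            if m := re.match(r"nat \(\S+\) source static \S+ (\S+)", line):
                mapped.add(objects.get(m.group(1), m.group(1)))

    rule = re.compile(rf"access-list {re.escape(acl)} extended permit (.+?) any "
                      r"(?:object (\S+)|host (\S+))")
    findings, wide_open = [], {}
    for n, line in enumerate(lines, 1):  # pass 2: first match wins, so order matters
        if not (m := rule.match(line)):
            continue
        service, obj, host = m.groups()
        dest = objects.get(obj, obj) if obj else host
        if dest in mapped:
            findings.append((n, f"{dest} is a mapped NAT address; 8.3+ ACLs match the real address"))
        elif dest in wide_open:
            findings.append((n, f"redundant: line {wide_open[dest]} already permits all IP to {dest}"))
        elif service == "ip":
            wide_open[dest] = n
            findings.append((n, f"permits every protocol and port from any source to {dest}"))
    return findings

if __name__ == "__main__":
    for number, finding in audit(CONFIG):
        print(f"line {number}: {finding}")
```

Line numbers in the findings refer to the embedded excerpt, not to the full configuration in the thread.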
 
Anees_AtefAuthor Commented:
Sorry if this issue is taking a long time, but after adding the last config from you I found something in the monitoring on TMG 2010.

I think this is my problem.

Kindly find the attachments:
TMG-2010.jpg
TMG-2010-FP.jpg
0
 
MikeKaneCommented:
I see the error. I've never used Forefront before. But it seems to me, from looking at those images, that you just need to edit the ALLOW Rule #2 to include TCP 5061 along with the HTTPS, STUNin, and STUNout.
0
 
Anees_AtefAuthor Commented:
I did it without any help, still blocking, but I found some articles saying TMG does not allow SIPS protocols.

If you can't help with this, I will give you my acceptance because of your efforts.
0
 
MikeKaneCommented:
I can't really help with Forefront... Not my forte.

However, some quick searching leads me to believe that TMG has a VOIP Filter that allows SIP because there is reporting on the SIP stats.
http://technet.microsoft.com/en-us/library/ff849747.aspx
0
Question has a verified solution.
