Anees_Atef
asked on
Microsoft Lync 2010 With ASA 5510
Hello Experts,
I have a problem with Lync 2010: I can't make voice or video calls with external users. After a lot of troubleshooting I found the problem is with the ASA, after opening the required ports on the ASA. So does anyone have a clue which configuration is best to make Lync work with external users?
FYI: I have only two interfaces on the ASA, internal and external.
Sorry guys for my bad English.
Thanks
ASKER
Yes, I know. I didn't change them, and these ports are already opened on the ASA.
Hi,
Did you enable SIP inspection?
ASKER
I found some forums on the internet that say I have to disable SIP inspection,
so I used this command:
(no inspect sip)
but voice and video are still not working.
What does the log show?
Let's eliminate the ASA from the picture. With Lync, there can be many other issues in the Lync world that can prevent connections.
Hop on that host, open a browser, go to www.canyouseeme.org. From here you can test the connectivity on those 2 ports. Let us know what it finds. If connections are successful, then the ASA has nothing to do with it and we need to concentrate on the Lync services.
If the tests fail, then you can do a SHOW LOGGING on the ASA and look for dropped packets. Post the log here so we can look.
ASKER
Kindly find attached the log and the conf:
LOG-1.jpg
LOG-2.jpg
Drexel-ASA# sh conf
: Saved
: Written by enable_15 at 22:49:40.047 EEST Fri Oct 28 2011
!
ASA Version 8.4(1)
!
hostname Drexel-ASA
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 62.240.124.165 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Fri Apr 0:00 last Fri Sep 0:00
object network Inside-Net
subnet 10.0.0.0 255.255.255.0
object network FTP-Private
host 10.0.0.16
object network FTP-Real
host 62.240.124.163
description FTP-Real
object network Inside-ISA
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.96_27
subnet 10.0.0.96 255.255.255.224
object network Barracuda
host 10.0.0.8
object service Mail-Scan
service tcp source eq 8000
object network FTP-NAT
host 10.0.0.16
object network Test-Nat
host 10.10.10.100
object network NAT-1
host 10.10.10.100
object service HTTP
service tcp source eq www
object service HTTPS
service tcp source eq https
object network Mail-Redirect
host 10.0.0.13
object service SMTP
service tcp source eq smtp
object network Mail-Real
host 62.240.124.162
description Mail-Real
object service IMAP-4
service tcp source eq imap4
object network ISA-Server
host 10.0.0.2
object service ISAKMP
service udp source eq isakmp
object network ISA-Real
host 62.240.124.162
description ISA-Real
object service PPTP
service tcp source eq pptp
object network MS-LYNC-Real
host 62.240.124.164
object network MS-Lync-Private
host 10.0.0.3
object service Port_5061
service tcp destination eq 5061
object network MS-Lync-NAT
host 10.0.0.3
object network Test
host 10.0.0.29
object service RTP-TCP
service tcp destination range 50000 59999
object service RTP-UDP
service udp destination range 50000 59999
object service STUN
service udp destination eq 3478
object-group service FTP tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object object Inside-ISA
network-object object Inside-Net
object-group service DM_INLINE_TCP_1 tcp
port-object eq smtp
port-object eq 8000
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq imap4
object-group service DM_INLINE_TCP_3 tcp
port-object eq https
port-object eq pptp
object-group service DM_INLINE_SERVICE_1
service-object object Port_5061
service-object tcp destination eq www
service-object tcp destination eq https
service-object object RTP-TCP
object-group service DM_INLINE_SERVICE_2
service-object object RTP-UDP
service-object object STUN
access-list outside_access_in extended permit ip any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object MS-Lync-Private
access-list outside_access_in extended permit gre any object ISA-Real
access-list outside_access_in extended permit gre any object ISA-Server
access-list outside_access_in extended permit tcp any object FTP-Private object-group FTP
access-list outside_access_in extended permit tcp any object Mail-Redirect object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip any object Test
access-list outside_access_in extended permit tcp any object Barracuda object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit udp any object ISA-Server eq isakmp
access-list outside_access_in extended permit tcp any object ISA-Server object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq sip
access-list outside_access_in extended permit udp any host 62.240.124.164 eq sip
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq h323
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 2000
access-list outside_access_in extended permit udp any host 62.240.124.164 eq 5061
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061
access-list Inside-access standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging monitor warnings
logging asdm informational
logging mail emergencies
mtu outside 1500
mtu inside 1500
ip local pool VPN-Pool 10.0.0.101-10.0.0.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
nat (inside,outside) source static Barracuda Mail-Real service any SMTP
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTP
nat (inside,outside) source static Barracuda Mail-Real service any Mail-Scan
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTPS
nat (inside,outside) source static Mail-Redirect Mail-Real service any IMAP-4
nat (inside,outside) source static ISA-Server ISA-Real
!
object network FTP-NAT
nat (inside,outside) static FTP-Real dns
object network Test
nat (inside,outside) static 62.240.124.167
!
nat (inside,outside) after-auto source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.0.0.96_27 NETWORK_OBJ_10.0.0.96_27
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.240.124.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Drx-LDAP protocol ldap
aaa-server Drx-LDAP (inside) host 192.168.1.12
timeout 5
server-type auto-detect
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.0.22 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.22 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Drexel-VPN internal
group-policy Drexel-VPN attributes
dns-server value 192.168.1.11 192.168.1.12
vpn-tunnel-protocol ikev1
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Inside-access
default-domain value drexelegypt.lcl
vpn-group-policy Drexel-VPN
service-type remote-access
vpn-group-policy Drexel-VPN
vpn-group-policy Drexel-VPN
tunnel-group Drexel-VPN type remote-access
tunnel-group Drexel-VPN general-attributes
address-pool VPN-Pool
default-group-policy Drexel-VPN
tunnel-group Drexel-VPN ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
!
service-policy global_policy global
smtp-server 192.168.1.13
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Drexel-ASA#
Conf.jpg
LOG-1.jpg
LOG-2.jpg
ASKER
Any update, Experts?
Those log snippets are only showing the buildups and teardowns for traffic to the host on high-numbered ports. Your conf.jpg image shows the hit count on the outside ACL on line 1 with 820 hits matching that ACE. So, to me, it looks like the ASA is allowing the traffic in.
Did you try the canyouseeme.org site to verify the ports are open?
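An added example (not part of the thread) that audits the posted outside_access_in list for two things relevant to the hit-count observation above: ACEs that can never match because an earlier `permit ip any` to the same host wins first, and ACEs written against a NAT mapped address, which ASA 8.3 and later do not match because interface ACLs are evaluated against the real address. The config text is a constructed subset of the posted configuration, the parser handles only the ACE forms that appear in it, and the function names are assumptions.

```python
import re

# Constructed subset of the configuration posted above (objects, ACEs, one NAT rule).
CONFIG = """\
object network MS-LYNC-Real
 host 62.240.124.164
object network MS-Lync-Private
 host 10.0.0.3
access-list outside_access_in extended permit ip any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object MS-Lync-Private
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq sip
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
"""


def parse_ace(number, action, tokens, objects):
    """Parse '<proto | object-group G> any <object N | host IP> [ports]'."""
    if tokens[0] == "object-group":
        proto, tokens = "group:" + tokens[1], tokens[2:]
    else:
        proto, tokens = tokens[0], tokens[1:]
    if tokens[0] != "any":
        raise ValueError("ACE %d: only 'any' sources are handled" % number)
    kind, value = tokens[1], tokens[2]
    if kind == "object":
        dst = objects[value]          # resolve the object name to its host address
    elif kind == "host":
        dst = value
    else:
        raise ValueError("ACE %d: unsupported destination %r" % (number, kind))
    return {"n": number, "action": action, "proto": proto,
            "dst": dst, "ports": " ".join(tokens[3:])}


def parse_config(config):
    """Return (objects, nat, aces); nat maps mapped address -> real address."""
    objects, nat, aces = {}, {}, []
    current = None
    for raw in config.splitlines():
        line = raw.strip()            # the posted config lost its indentation
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"host (\S+)$", line)
        if m and current:
            objects[current] = m.group(1)
            continue
        m = re.match(r"nat \(\S+\) source static (\S+) (\S+)$", line)
        if m:
            real, mapped = m.groups()
            if real in objects and mapped in objects:
                nat[objects[mapped]] = objects[real]
            continue
        m = re.match(r"access-list \S+ extended (permit|deny) (.+)$", line)
        if m:
            aces.append(parse_ace(len(aces) + 1, m.group(1),
                                  m.group(2).split(), objects))
    return objects, nat, aces


def audit(config):
    """Return findings as (ace_number, kind, detail) tuples, in ACL order."""
    _, nat, aces = parse_config(config)
    findings = []
    for ace in aces:
        # Destination is a mapped (public) address: on 8.3+ the ACL sees the real one.
        if ace["dst"] in nat:
            findings.append((ace["n"], "mapped-address", nat[ace["dst"]]))
        # First match wins: an earlier 'permit ip any <host>' covers every later
        # ACE to that host, so the port-specific entries are never evaluated.
        for earlier in aces[:ace["n"] - 1]:
            if (earlier["action"] == "permit" and earlier["proto"] == "ip"
                    and not earlier["ports"] and earlier["dst"] == ace["dst"]):
                findings.append((ace["n"], "shadowed", earlier["n"]))
                break
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

A `shadowed` finding against ACE 1 also means the host is reachable on every protocol and port from outside, whatever the narrower entries below it say.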
ASKER
Yes, I'm trying to use it but I have a problem: I can't select my real IP address. This site selects one automatically from my real IP pool.
If you are getting an incorrect IP, then you might have a bad static NAT. Do a SHOW XLATE on the ASA to see the current NAT. Also, you could post a sanitized configuration for me to see.
ASKER
I get it. I will open this site from the Edge and give you feedback.
ASKER
443 Open
5061 Close
50000 Close
any advice
The edge servers would need 5061 open, so it looks like either the ASA is blocking or your host is not listening on that port. If you post a sanitized configuration of the ASA I can look there. You can list out your host's ports with netstat -a
ASKER
Sorry for the delay.
Kindly find the netstat result:
PS C:\Users\Administrator> netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:135 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:445 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:3389 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:4443 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:47001 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:49152 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:49153 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:49154 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:49155 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:49157 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:49158 Drx-EDG-01:0 LISTENING
TCP 0.0.0.0:49168 Drx-EDG-01:0 LISTENING
TCP 172.16.16.10:139 Drx-EDG-01:0 LISTENING
TCP 172.16.16.11:443 Drx-EDG-01:0 LISTENING
TCP 172.16.16.11:5061 Drx-EDG-01:0 LISTENING
TCP 172.16.16.12:443 Drx-EDG-01:0 LISTENING
TCP 172.16.16.13:443 Drx-EDG-01:0 LISTENING
TCP 192.168.1.9:139 Drx-EDG-01:0 LISTENING
TCP 192.168.1.9:443 Drx-EDG-01:0 LISTENING
TCP 192.168.1.9:3389 Drx-Host:55412 ESTABLISHED
TCP 192.168.1.9:5061 Drx-EDG-01:0 LISTENING
TCP 192.168.1.9:5061 Drx-Lync-01:55325 ESTABLISHED
TCP 192.168.1.9:5062 Drx-EDG-01:0 LISTENING
TCP 192.168.1.9:5062 Drx-Lync-01:55324 ESTABLISHED
TCP 192.168.1.9:8057 Drx-EDG-01:0 LISTENING
TCP 192.168.1.9:8057 Drx-Lync-01:63678 ESTABLISHED
TCP 192.168.1.9:8057 Drx-Lync-01:63679 ESTABLISHED
TCP 192.168.1.9:8057 Drx-Lync-01:63680 ESTABLISHED
TCP 192.168.1.9:8057 Drx-Lync-01:63681 ESTABLISHED
TCP 192.168.1.9:8057 Drx-Lync-01:63691 ESTABLISHED
TCP 192.168.1.9:8057 Drx-Lync-01:63692 ESTABLISHED
TCP 192.168.1.9:8057 Drx-Lync-01:63693 ESTABLISHED
TCP 192.168.1.9:8057 Drx-Lync-01:63694 ESTABLISHED
TCP 192.168.1.9:49204 Drx-Lync-01:5061 ESTABLISHED
TCP [::]:80 Drx-EDG-01:0 LISTENING
TCP [::]:135 Drx-EDG-01:0 LISTENING
TCP [::]:445 Drx-EDG-01:0 LISTENING
TCP [::]:3389 Drx-EDG-01:0 LISTENING
TCP [::]:4443 Drx-EDG-01:0 LISTENING
TCP [::]:47001 Drx-EDG-01:0 LISTENING
TCP [::]:49152 Drx-EDG-01:0 LISTENING
TCP [::]:49153 Drx-EDG-01:0 LISTENING
TCP [::]:49154 Drx-EDG-01:0 LISTENING
TCP [::]:49155 Drx-EDG-01:0 LISTENING
TCP [::]:49157 Drx-EDG-01:0 LISTENING
TCP [::]:49158 Drx-EDG-01:0 LISTENING
TCP [::]:49168 Drx-EDG-01:0 LISTENING
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1434 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5355 *:*
UDP 127.0.0.1:49912 *:*
UDP 127.0.0.1:52948 *:*
UDP 127.0.0.1:56413 *:*
UDP 172.16.16.10:137 *:*
UDP 172.16.16.10:138 *:*
UDP 172.16.16.13:3478 *:*
UDP 172.16.16.13:50018 *:*
UDP 172.16.16.13:50030 *:*
UDP 172.16.16.13:50040 *:*
UDP 172.16.16.13:50042 *:*
UDP 172.16.16.13:50043 *:*
UDP 172.16.16.13:50061 *:*
UDP 172.16.16.13:50075 *:*
UDP 172.16.16.13:50154 *:*
UDP 172.16.16.13:50157 *:*
UDP 172.16.16.13:50170 *:*
UDP 172.16.16.13:50174 *:*
UDP 172.16.16.13:50182 *:*
UDP 172.16.16.13:50186 *:*
UDP 172.16.16.13:50205 *:*
UDP 172.16.16.13:50248 *:*
UDP 172.16.16.13:50274 *:*
UDP 172.16.16.13:50281 *:*
UDP 172.16.16.13:50390 *:*
UDP 172.16.16.13:50454 *:*
UDP 172.16.16.13:50498 *:*
UDP 172.16.16.13:50541 *:*
UDP 172.16.16.13:50544 *:*
UDP 172.16.16.13:50545 *:*
UDP 172.16.16.13:50551 *:*
UDP 172.16.16.13:50579 *:*
UDP 172.16.16.13:50591 *:*
UDP 172.16.16.13:50643 *:*
UDP 172.16.16.13:50647 *:*
UDP 172.16.16.13:50654 *:*
UDP 172.16.16.13:50676 *:*
UDP 172.16.16.13:50714 *:*
UDP 172.16.16.13:50748 *:*
UDP 172.16.16.13:50760 *:*
UDP 172.16.16.13:50782 *:*
UDP 172.16.16.13:50785 *:*
UDP 172.16.16.13:50790 *:*
UDP 172.16.16.13:50800 *:*
UDP 172.16.16.13:50809 *:*
UDP 172.16.16.13:50826 *:*
UDP 172.16.16.13:50844 *:*
UDP 172.16.16.13:50852 *:*
UDP 172.16.16.13:50865 *:*
UDP 172.16.16.13:50872 *:*
UDP 172.16.16.13:50897 *:*
UDP 172.16.16.13:50907 *:*
UDP 172.16.16.13:50913 *:*
UDP 172.16.16.13:50924 *:*
UDP 172.16.16.13:50955 *:*
UDP 172.16.16.13:50960 *:*
UDP 172.16.16.13:50998 *:*
UDP 172.16.16.13:51002 *:*
UDP 172.16.16.13:51025 *:*
UDP 172.16.16.13:51037 *:*
UDP 172.16.16.13:51048 *:*
UDP 172.16.16.13:51076 *:*
UDP 172.16.16.13:51081 *:*
UDP 172.16.16.13:51085 *:*
UDP 172.16.16.13:51087 *:*
UDP 172.16.16.13:51088 *:*
UDP 172.16.16.13:51089 *:*
UDP 172.16.16.13:51090 *:*
UDP 172.16.16.13:51104 *:*
UDP 172.16.16.13:51127 *:*
UDP 172.16.16.13:51163 *:*
UDP 172.16.16.13:51191 *:*
UDP 172.16.16.13:51199 *:*
UDP 172.16.16.13:51223 *:*
UDP 172.16.16.13:51234 *:*
UDP 172.16.16.13:51237 *:*
UDP 172.16.16.13:51296 *:*
UDP 172.16.16.13:51298 *:*
UDP 172.16.16.13:51315 *:*
UDP 172.16.16.13:51321 *:*
UDP 172.16.16.13:51322 *:*
UDP 172.16.16.13:51357 *:*
UDP 172.16.16.13:51366 *:*
UDP 172.16.16.13:51384 *:*
UDP 172.16.16.13:51386 *:*
UDP 172.16.16.13:51408 *:*
UDP 172.16.16.13:51418 *:*
UDP 172.16.16.13:51423 *:*
UDP 172.16.16.13:51447 *:*
UDP 172.16.16.13:51452 *:*
UDP 172.16.16.13:51456 *:*
UDP 172.16.16.13:51538 *:*
UDP 172.16.16.13:51539 *:*
UDP 172.16.16.13:51562 *:*
UDP 172.16.16.13:51568 *:*
UDP 172.16.16.13:51593 *:*
UDP 172.16.16.13:51616 *:*
UDP 172.16.16.13:51648 *:*
UDP 172.16.16.13:51695 *:*
UDP 172.16.16.13:51701 *:*
UDP 172.16.16.13:51716 *:*
UDP 172.16.16.13:51755 *:*
UDP 172.16.16.13:51767 *:*
UDP 172.16.16.13:51781 *:*
UDP 172.16.16.13:51824 *:*
UDP 172.16.16.13:51825 *:*
UDP 172.16.16.13:51832 *:*
UDP 172.16.16.13:51839 *:*
UDP 172.16.16.13:51849 *:*
UDP 172.16.16.13:51857 *:*
UDP 172.16.16.13:51885 *:*
UDP 172.16.16.13:51892 *:*
UDP 172.16.16.13:51903 *:*
UDP 172.16.16.13:51959 *:*
UDP 172.16.16.13:51967 *:*
UDP 172.16.16.13:52038 *:*
UDP 172.16.16.13:52048 *:*
UDP 172.16.16.13:52117 *:*
UDP 172.16.16.13:52132 *:*
UDP 172.16.16.13:52138 *:*
UDP 172.16.16.13:52155 *:*
UDP 172.16.16.13:52176 *:*
UDP 172.16.16.13:52200 *:*
UDP 172.16.16.13:52215 *:*
UDP 172.16.16.13:52217 *:*
UDP 172.16.16.13:52276 *:*
UDP 172.16.16.13:52300 *:*
UDP 172.16.16.13:52320 *:*
UDP 172.16.16.13:52341 *:*
UDP 172.16.16.13:52353 *:*
UDP 172.16.16.13:52363 *:*
UDP 172.16.16.13:52409 *:*
UDP 172.16.16.13:52453 *:*
UDP 172.16.16.13:52480 *:*
UDP 172.16.16.13:52501 *:*
UDP 172.16.16.13:52503 *:*
UDP 172.16.16.13:52506 *:*
UDP 172.16.16.13:52542 *:*
UDP 172.16.16.13:52554 *:*
UDP 172.16.16.13:52555 *:*
UDP 172.16.16.13:52561 *:*
UDP 172.16.16.13:52583 *:*
UDP 172.16.16.13:52614 *:*
UDP 172.16.16.13:52617 *:*
UDP 172.16.16.13:52632 *:*
UDP 172.16.16.13:52688 *:*
UDP 172.16.16.13:52721 *:*
UDP 172.16.16.13:52735 *:*
UDP 172.16.16.13:52736 *:*
UDP 172.16.16.13:52739 *:*
UDP 172.16.16.13:52740 *:*
UDP 172.16.16.13:52780 *:*
UDP 172.16.16.13:52790 *:*
UDP 172.16.16.13:52810 *:*
UDP 172.16.16.13:52823 *:*
UDP 172.16.16.13:52886 *:*
UDP 172.16.16.13:52915 *:*
UDP 172.16.16.13:52961 *:*
UDP 172.16.16.13:52985 *:*
UDP 172.16.16.13:53016 *:*
UDP 172.16.16.13:53020 *:*
UDP 172.16.16.13:53066 *:*
UDP 172.16.16.13:53082 *:*
UDP 172.16.16.13:53091 *:*
UDP 172.16.16.13:53093 *:*
UDP 172.16.16.13:53096 *:*
UDP 172.16.16.13:53107 *:*
UDP 172.16.16.13:53117 *:*
UDP 172.16.16.13:53121 *:*
UDP 172.16.16.13:53158 *:*
UDP 172.16.16.13:53183 *:*
UDP 172.16.16.13:53223 *:*
UDP 172.16.16.13:53239 *:*
UDP 172.16.16.13:53243 *:*
UDP 172.16.16.13:53244 *:*
UDP 172.16.16.13:53245 *:*
UDP 172.16.16.13:53256 *:*
UDP 172.16.16.13:53257 *:*
UDP 172.16.16.13:53266 *:*
UDP 172.16.16.13:53290 *:*
UDP 172.16.16.13:53294 *:*
UDP 172.16.16.13:53378 *:*
UDP 172.16.16.13:53412 *:*
UDP 172.16.16.13:53424 *:*
UDP 172.16.16.13:53431 *:*
UDP 172.16.16.13:53475 *:*
UDP 172.16.16.13:53479 *:*
UDP 172.16.16.13:53480 *:*
UDP 172.16.16.13:53506 *:*
UDP 172.16.16.13:53517 *:*
UDP 172.16.16.13:53540 *:*
UDP 172.16.16.13:53566 *:*
UDP 172.16.16.13:53572 *:*
UDP 172.16.16.13:53623 *:*
UDP 172.16.16.13:53629 *:*
UDP 172.16.16.13:53666 *:*
UDP 172.16.16.13:53675 *:*
UDP 172.16.16.13:53715 *:*
UDP 172.16.16.13:53724 *:*
UDP 172.16.16.13:53749 *:*
UDP 172.16.16.13:53756 *:*
UDP 172.16.16.13:53758 *:*
UDP 172.16.16.13:53759 *:*
UDP 172.16.16.13:53764 *:*
UDP 172.16.16.13:53831 *:*
UDP 172.16.16.13:53859 *:*
UDP 172.16.16.13:53864 *:*
UDP 172.16.16.13:53882 *:*
UDP 172.16.16.13:53910 *:*
UDP 172.16.16.13:53923 *:*
UDP 172.16.16.13:53941 *:*
UDP 172.16.16.13:53970 *:*
UDP 172.16.16.13:53972 *:*
UDP 172.16.16.13:53977 *:*
UDP 172.16.16.13:53994 *:*
UDP 172.16.16.13:54127 *:*
UDP 172.16.16.13:54130 *:*
UDP 172.16.16.13:54138 *:*
UDP 172.16.16.13:54152 *:*
UDP 172.16.16.13:54177 *:*
UDP 172.16.16.13:54180 *:*
UDP 172.16.16.13:54192 *:*
UDP 172.16.16.13:54204 *:*
UDP 172.16.16.13:54213 *:*
UDP 172.16.16.13:54252 *:*
UDP 172.16.16.13:54301 *:*
UDP 172.16.16.13:54309 *:*
UDP 172.16.16.13:54313 *:*
UDP 172.16.16.13:54342 *:*
UDP 172.16.16.13:54353 *:*
UDP 172.16.16.13:54362 *:*
UDP 172.16.16.13:54406 *:*
UDP 172.16.16.13:54499 *:*
UDP 172.16.16.13:54505 *:*
UDP 172.16.16.13:54516 *:*
UDP 172.16.16.13:54564 *:*
UDP 172.16.16.13:54569 *:*
UDP 172.16.16.13:54655 *:*
UDP 172.16.16.13:54657 *:*
UDP 172.16.16.13:54659 *:*
UDP 172.16.16.13:54682 *:*
UDP 172.16.16.13:54686 *:*
UDP 172.16.16.13:54691 *:*
UDP 172.16.16.13:54700 *:*
UDP 172.16.16.13:54713 *:*
UDP 172.16.16.13:54719 *:*
UDP 172.16.16.13:54756 *:*
UDP 172.16.16.13:54770 *:*
UDP 172.16.16.13:54811 *:*
UDP 172.16.16.13:54821 *:*
UDP 172.16.16.13:54822 *:*
UDP 172.16.16.13:54834 *:*
UDP 172.16.16.13:54839 *:*
UDP 172.16.16.13:54879 *:*
UDP 172.16.16.13:54906 *:*
UDP 172.16.16.13:54913 *:*
UDP 172.16.16.13:54922 *:*
UDP 172.16.16.13:54935 *:*
UDP 172.16.16.13:54954 *:*
UDP 172.16.16.13:54958 *:*
UDP 172.16.16.13:55018 *:*
UDP 172.16.16.13:55022 *:*
UDP 172.16.16.13:55023 *:*
UDP 172.16.16.13:55052 *:*
UDP 172.16.16.13:55080 *:*
UDP 172.16.16.13:55108 *:*
UDP 172.16.16.13:55142 *:*
UDP 172.16.16.13:55146 *:*
UDP 172.16.16.13:55149 *:*
UDP 172.16.16.13:55182 *:*
UDP 172.16.16.13:55253 *:*
UDP 172.16.16.13:55254 *:*
UDP 172.16.16.13:55255 *:*
UDP 172.16.16.13:55310 *:*
UDP 172.16.16.13:55311 *:*
UDP 172.16.16.13:55345 *:*
UDP 172.16.16.13:55373 *:*
UDP 172.16.16.13:55479 *:*
UDP 172.16.16.13:55622 *:*
UDP 172.16.16.13:55632 *:*
UDP 172.16.16.13:55635 *:*
UDP 172.16.16.13:55636 *:*
UDP 172.16.16.13:55646 *:*
UDP 172.16.16.13:55649 *:*
UDP 172.16.16.13:55655 *:*
UDP 172.16.16.13:55660 *:*
UDP 172.16.16.13:55675 *:*
UDP 172.16.16.13:55696 *:*
UDP 172.16.16.13:55740 *:*
UDP 172.16.16.13:55748 *:*
UDP 172.16.16.13:55760 *:*
UDP 172.16.16.13:55767 *:*
UDP 172.16.16.13:55778 *:*
UDP 172.16.16.13:55806 *:*
UDP 172.16.16.13:55815 *:*
UDP 172.16.16.13:55872 *:*
UDP 172.16.16.13:55885 *:*
UDP 172.16.16.13:55889 *:*
UDP 172.16.16.13:55920 *:*
UDP 172.16.16.13:55930 *:*
UDP 172.16.16.13:55932 *:*
UDP 172.16.16.13:55951 *:*
UDP 172.16.16.13:55959 *:*
UDP 172.16.16.13:55960 *:*
UDP 172.16.16.13:55981 *:*
UDP 172.16.16.13:55985 *:*
UDP 172.16.16.13:55986 *:*
UDP 172.16.16.13:56005 *:*
UDP 172.16.16.13:56006 *:*
UDP 172.16.16.13:56009 *:*
UDP 172.16.16.13:56051 *:*
UDP 172.16.16.13:56082 *:*
UDP 172.16.16.13:56106 *:*
UDP 172.16.16.13:56122 *:*
UDP 172.16.16.13:56138 *:*
UDP 172.16.16.13:56144 *:*
UDP 172.16.16.13:56157 *:*
UDP 172.16.16.13:56169 *:*
UDP 172.16.16.13:56210 *:*
UDP 172.16.16.13:56238 *:*
UDP 172.16.16.13:56251 *:*
UDP 172.16.16.13:56261 *:*
UDP 172.16.16.13:56291 *:*
UDP 172.16.16.13:56293 *:*
UDP 172.16.16.13:56305 *:*
UDP 172.16.16.13:56306 *:*
UDP 172.16.16.13:56317 *:*
UDP 172.16.16.13:56337 *:*
UDP 172.16.16.13:56358 *:*
UDP 172.16.16.13:56366 *:*
UDP 172.16.16.13:56436 *:*
UDP 172.16.16.13:56467 *:*
UDP 172.16.16.13:56594 *:*
UDP 172.16.16.13:56627 *:*
UDP 172.16.16.13:56651 *:*
UDP 172.16.16.13:56689 *:*
UDP 172.16.16.13:56721 *:*
UDP 172.16.16.13:56752 *:*
UDP 172.16.16.13:56775 *:*
UDP 172.16.16.13:56803 *:*
UDP 172.16.16.13:56820 *:*
UDP 172.16.16.13:56847 *:*
UDP 172.16.16.13:56855 *:*
UDP 172.16.16.13:56877 *:*
UDP 172.16.16.13:56884 *:*
UDP 172.16.16.13:56899 *:*
UDP 172.16.16.13:56919 *:*
UDP 172.16.16.13:56980 *:*
UDP 172.16.16.13:56982 *:*
UDP 172.16.16.13:56985 *:*
UDP 172.16.16.13:56986 *:*
UDP 172.16.16.13:56988 *:*
UDP 172.16.16.13:56991 *:*
UDP 172.16.16.13:57005 *:*
UDP 172.16.16.13:57030 *:*
UDP 172.16.16.13:57031 *:*
UDP 172.16.16.13:57124 *:*
UDP 172.16.16.13:57143 *:*
UDP 172.16.16.13:57166 *:*
UDP 172.16.16.13:57208 *:*
UDP 172.16.16.13:57213 *:*
UDP 172.16.16.13:57232 *:*
UDP 172.16.16.13:57332 *:*
UDP 172.16.16.13:57345 *:*
UDP 172.16.16.13:57363 *:*
UDP 172.16.16.13:57380 *:*
UDP 172.16.16.13:57388 *:*
UDP 172.16.16.13:57400 *:*
UDP 172.16.16.13:57441 *:*
UDP 172.16.16.13:57442 *:*
UDP 172.16.16.13:57449 *:*
UDP 172.16.16.13:57481 *:*
UDP 172.16.16.13:57499 *:*
UDP 172.16.16.13:57502 *:*
UDP 172.16.16.13:57517 *:*
UDP 172.16.16.13:57525 *:*
UDP 172.16.16.13:57527 *:*
UDP 172.16.16.13:57544 *:*
UDP 172.16.16.13:57548 *:*
UDP 172.16.16.13:57549 *:*
UDP 172.16.16.13:57570 *:*
UDP 172.16.16.13:57581 *:*
UDP 172.16.16.13:57587 *:*
UDP 172.16.16.13:57589 *:*
UDP 172.16.16.13:57612 *:*
UDP 172.16.16.13:57614 *:*
UDP 172.16.16.13:57625 *:*
UDP 172.16.16.13:57642 *:*
UDP 172.16.16.13:57673 *:*
UDP 172.16.16.13:57685 *:*
UDP 172.16.16.13:57727 *:*
UDP 172.16.16.13:57789 *:*
UDP 172.16.16.13:57805 *:*
UDP 172.16.16.13:57845 *:*
UDP 172.16.16.13:57870 *:*
UDP 172.16.16.13:57871 *:*
UDP 172.16.16.13:57919 *:*
UDP 172.16.16.13:57925 *:*
UDP 172.16.16.13:57938 *:*
UDP 172.16.16.13:57960 *:*
UDP 172.16.16.13:57966 *:*
UDP 172.16.16.13:57970 *:*
UDP 172.16.16.13:57992 *:*
UDP 172.16.16.13:58009 *:*
UDP 172.16.16.13:58017 *:*
UDP 172.16.16.13:58024 *:*
UDP 172.16.16.13:58062 *:*
UDP 172.16.16.13:58065 *:*
UDP 172.16.16.13:58126 *:*
UDP 172.16.16.13:58153 *:*
UDP 172.16.16.13:58155 *:*
UDP 172.16.16.13:58174 *:*
UDP 172.16.16.13:58178 *:*
UDP 172.16.16.13:58200 *:*
UDP 172.16.16.13:58211 *:*
UDP 172.16.16.13:58220 *:*
UDP 172.16.16.13:58226 *:*
UDP 172.16.16.13:58230 *:*
UDP 172.16.16.13:58245 *:*
UDP 172.16.16.13:58274 *:*
UDP 172.16.16.13:58277 *:*
UDP 172.16.16.13:58297 *:*
UDP 172.16.16.13:58338 *:*
UDP 172.16.16.13:58360 *:*
UDP 172.16.16.13:58417 *:*
UDP 172.16.16.13:58434 *:*
UDP 172.16.16.13:58436 *:*
UDP 172.16.16.13:58437 *:*
UDP 172.16.16.13:58460 *:*
UDP 172.16.16.13:58467 *:*
UDP 172.16.16.13:58470 *:*
UDP 172.16.16.13:58471 *:*
UDP 172.16.16.13:58483 *:*
UDP 172.16.16.13:58492 *:*
UDP 172.16.16.13:58513 *:*
UDP 172.16.16.13:58514 *:*
UDP 172.16.16.13:58543 *:*
UDP 172.16.16.13:58547 *:*
UDP 172.16.16.13:58553 *:*
UDP 172.16.16.13:58569 *:*
UDP 172.16.16.13:58576 *:*
UDP 172.16.16.13:58582 *:*
UDP 172.16.16.13:58613 *:*
UDP 172.16.16.13:58702 *:*
UDP 172.16.16.13:58715 *:*
UDP 172.16.16.13:58728 *:*
UDP 172.16.16.13:58747 *:*
UDP 172.16.16.13:58748 *:*
UDP 172.16.16.13:58770 *:*
UDP 172.16.16.13:58817 *:*
UDP 172.16.16.13:58826 *:*
UDP 172.16.16.13:58873 *:*
UDP 172.16.16.13:58888 *:*
UDP 172.16.16.13:58889 *:*
UDP 172.16.16.13:58893 *:*
UDP 172.16.16.13:58928 *:*
UDP 172.16.16.13:58965 *:*
UDP 172.16.16.13:58996 *:*
UDP 172.16.16.13:59011 *:*
UDP 172.16.16.13:59020 *:*
UDP 172.16.16.13:59101 *:*
UDP 172.16.16.13:59120 *:*
UDP 172.16.16.13:59121 *:*
UDP 172.16.16.13:59132 *:*
UDP 172.16.16.13:59144 *:*
UDP 172.16.16.13:59178 *:*
UDP 172.16.16.13:59192 *:*
UDP 172.16.16.13:59206 *:*
UDP 172.16.16.13:59207 *:*
UDP 172.16.16.13:59230 *:*
UDP 172.16.16.13:59244 *:*
UDP 172.16.16.13:59267 *:*
UDP 172.16.16.13:59272 *:*
UDP 172.16.16.13:59293 *:*
UDP 172.16.16.13:59308 *:*
UDP 172.16.16.13:59342 *:*
UDP 172.16.16.13:59368 *:*
UDP 172.16.16.13:59375 *:*
UDP 172.16.16.13:59387 *:*
UDP 172.16.16.13:59400 *:*
UDP 172.16.16.13:59427 *:*
UDP 172.16.16.13:59428 *:*
UDP 172.16.16.13:59439 *:*
UDP 172.16.16.13:59476 *:*
UDP 172.16.16.13:59496 *:*
UDP 172.16.16.13:59497 *:*
UDP 172.16.16.13:59596 *:*
UDP 172.16.16.13:59677 *:*
UDP 172.16.16.13:59680 *:*
UDP 172.16.16.13:59691 *:*
UDP 172.16.16.13:59692 *:*
UDP 172.16.16.13:59709 *:*
UDP 172.16.16.13:59744 *:*
UDP 172.16.16.13:59748 *:*
UDP 172.16.16.13:59754 *:*
UDP 172.16.16.13:59794 *:*
UDP 172.16.16.13:59800 *:*
UDP 172.16.16.13:59813 *:*
UDP 172.16.16.13:59815 *:*
UDP 172.16.16.13:59816 *:*
UDP 172.16.16.13:59829 *:*
UDP 172.16.16.13:59848 *:*
UDP 172.16.16.13:59865 *:*
UDP 172.16.16.13:59882 *:*
UDP 172.16.16.13:59957 *:*
UDP 172.16.16.13:59974 *:*
UDP 172.16.16.13:59999 *:*
UDP 192.168.1.9:137 *:*
UDP 192.168.1.9:138 *:*
UDP 192.168.1.9:3478 *:*
UDP [::]:500 *:*
UDP [::]:1434 *:*
UDP [::]:4500 *:*
PS C:\Users\Administrator>
So the server seems to be listening on 5061. Now we just need to have a look at the ASA. Can you post a sanitized config?
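A closer reading of the netstat output discussed above, as an added example that is not part of the thread: it reports which local addresses a port is bound to, since a socket bound to one specific address is not reached by a NAT rule that forwards to a different address. The sample lines are a constructed subset of the posted output; treating 10.0.0.3 (the MS-Lync-Private object in the posted config) as the forwarded-to address for this host, and the function names, are assumptions.

```python
# Constructed subset of the `netstat -a` output posted above.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:4443           Drx-EDG-01:0           LISTENING
  TCP    172.16.16.11:443       Drx-EDG-01:0           LISTENING
  TCP    172.16.16.11:5061      Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:5061       Drx-EDG-01:0           LISTENING
  TCP    192.168.1.9:5061       Drx-Lync-01:55325      ESTABLISHED
  TCP    [::]:4443              Drx-EDG-01:0           LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    172.16.16.13:3478      *:*
  UDP    192.168.1.9:3478       *:*
"""


def listeners(netstat_text):
    """Map (proto, port) -> set of local addresses with a listening/bound socket."""
    result = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                      # header, blank or unrelated line
        if fields[0] == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue                      # established sessions are not listeners
        addr, _, port = fields[1].rpartition(":")
        key = (fields[0].lower(), int(port))
        result.setdefault(key, set()).add(addr.strip("[]"))
    return result


def reachable_via(netstat_text, proto, port, target_ip):
    """Classify whether traffic delivered to target_ip:port finds a socket.

    'listening'       bound to target_ip or to the wildcard address
    'bound-elsewhere' the port is open, but only on other local addresses
    'not-listening'   nothing is bound to the port at all
    """
    addrs = listeners(netstat_text).get((proto, port), set())
    if not addrs:
        return "not-listening"
    wildcard = "::" if ":" in target_ip else "0.0.0.0"
    if target_ip in addrs or wildcard in addrs:
        return "listening"
    return "bound-elsewhere"


if __name__ == "__main__":
    nat_real = "10.0.0.3"                 # assumption: NAT real address for this host
    for proto, port in (("tcp", 443), ("tcp", 5061), ("udp", 3478), ("tcp", 4443)):
        bound = sorted(listeners(NETSTAT).get((proto, port), ()))
        print(proto, port, reachable_via(NETSTAT, proto, port, nat_real), bound)
```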
ASKER
OK, this is my ASA config:
Drexel-ASA# sh conf
: Saved
: Written by enable_15 at 22:49:40.047 EEST Fri Oct 28 2011
!
ASA Version 8.4(1)
!
hostname Drexel-ASA
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 62.240.124.165 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Fri Apr 0:00 last Fri Sep 0:00
object network Inside-Net
subnet 10.0.0.0 255.255.255.0
object network FTP-Private
host 10.0.0.16
object network FTP-Real
host 62.240.124.163
description FTP-Real
object network Inside-ISA
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.96_27
subnet 10.0.0.96 255.255.255.224
object network Barracuda
host 10.0.0.8
object service Mail-Scan
service tcp source eq 8000
object network FTP-NAT
host 10.0.0.16
object network Test-Nat
host 10.10.10.100
object network NAT-1
host 10.10.10.100
object service HTTP
service tcp source eq www
object service HTTPS
service tcp source eq https
object network Mail-Redirect
host 10.0.0.13
object service SMTP
service tcp source eq smtp
object network Mail-Real
host 62.240.124.162
description Mail-Real
object service IMAP-4
service tcp source eq imap4
object network ISA-Server
host 10.0.0.2
object service ISAKMP
service udp source eq isakmp
object network ISA-Real
host 62.240.124.162
description ISA-Real
object service PPTP
service tcp source eq pptp
object network MS-LYNC-Real
host 62.240.124.164
object network MS-Lync-Private
host 10.0.0.3
object service Port_5061
service tcp destination eq 5061
object network MS-Lync-NAT
host 10.0.0.3
object network Test
host 10.0.0.29
object service RTP-TCP
service tcp destination range 50000 59999
object service RTP-UDP
service udp destination range 50000 59999
object service STUN
service udp destination eq 3478
object-group service FTP tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object object Inside-ISA
network-object object Inside-Net
object-group service DM_INLINE_TCP_1 tcp
port-object eq smtp
port-object eq 8000
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq imap4
object-group service DM_INLINE_TCP_3 tcp
port-object eq https
port-object eq pptp
object-group service DM_INLINE_SERVICE_1
service-object object Port_5061
service-object tcp destination eq www
service-object tcp destination eq https
service-object object RTP-TCP
object-group service DM_INLINE_SERVICE_2
service-object object RTP-UDP
service-object object STUN
access-list outside_access_in extended permit ip any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object MS-Lync-Private
access-list outside_access_in extended permit gre any object ISA-Real
access-list outside_access_in extended permit gre any object ISA-Server
access-list outside_access_in extended permit tcp any object FTP-Private object-group FTP
access-list outside_access_in extended permit tcp any object Mail-Redirect object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip any object Test
access-list outside_access_in extended permit tcp any object Barracuda object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit udp any object ISA-Server eq isakmp
access-list outside_access_in extended permit tcp any object ISA-Server object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq sip
access-list outside_access_in extended permit udp any host 62.240.124.164 eq sip
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq h323
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 2000
access-list outside_access_in extended permit udp any host 62.240.124.164 eq 5061
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061
access-list Inside-access standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging monitor warnings
logging asdm informational
logging mail emergencies
mtu outside 1500
mtu inside 1500
ip local pool VPN-Pool 10.0.0.101-10.0.0.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
nat (inside,outside) source static Barracuda Mail-Real service any SMTP
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTP
nat (inside,outside) source static Barracuda Mail-Real service any Mail-Scan
nat (inside,outside) source static Mail-Redirect Mail-Real service any HTTPS
nat (inside,outside) source static Mail-Redirect Mail-Real service any IMAP-4
nat (inside,outside) source static ISA-Server ISA-Real
!
object network FTP-NAT
nat (inside,outside) static FTP-Real dns
object network Test
nat (inside,outside) static 62.240.124.167
!
nat (inside,outside) after-auto source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.0.0.96_27 NETWORK_OBJ_10.0.0.96_27
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.240.124.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Drx-LDAP protocol ldap
aaa-server Drx-LDAP (inside) host 192.168.1.12
timeout 5
server-type auto-detect
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.0.22 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.22 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Drexel-VPN internal
group-policy Drexel-VPN attributes
dns-server value 192.168.1.11 192.168.1.12
vpn-tunnel-protocol ikev1
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Inside-access
default-domain value drexelegypt.lcl
vpn-group-policy Drexel-VPN
service-type remote-access
vpn-group-policy Drexel-VPN
vpn-group-policy Drexel-VPN
tunnel-group Drexel-VPN type remote-access
tunnel-group Drexel-VPN general-attributes
address-pool VPN-Pool
default-group-policy Drexel-VPN
tunnel-group Drexel-VPN ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
!
service-policy global_policy global
smtp-server 192.168.1.13
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Drexel-ASA#
This seems to be your NAT to the Lync Server (I am assuming the labels are right, correct me if I am mistaken).
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
MS LYNC Real is set to be
object network MS-LYNC-Real
host 62.240.124.164
So let's have you try the "textbook" way of assigning a static NAT in post 8.3 code. Take a backup of the code before we start changing.
no nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
object network MS-Lync-Private
nat (inside,outside) static MS-LYNC-Real
After this, do a "CLEAR XLATE" on the ASA to remove all current NAT. Give it a few seconds then do a 'SHOW XLATE' to display the NATs and the 10.0.0.3 should have a static NAT to 62.240.124.164 address.
Then from that server, go to canyouseeme.org and make sure you have the correct IP. Then try testing the ports again.
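As an added example (not code from this thread or from Cisco), the Python sketch below parses a subset of the posted configuration and checks that the manual NAT line and the object-NAT form from the reply both resolve to the same 10.0.0.3 to 62.240.124.164 translation. It also lists the ACL entries written against the mapped address; on ASA 8.3 and later, interface ACLs are matched against the real (pre-NAT) address. The function names are hypothetical and the parser handles only the line forms shown.

```python
import re

# Subset of the configuration posted in this thread (indentation restored).
CONFIG = """\
object network MS-LYNC-Real
 host 62.240.124.164
object network MS-Lync-Private
 host 10.0.0.3
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object MS-Lync-Private
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq sip
access-list outside_access_in extended permit tcp any host 62.240.124.164 eq 5061
nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real
"""

# Same config with the manual NAT line swapped for the object-NAT form from the reply.
OBJECT_NAT = CONFIG.replace(
    "nat (inside,outside) source static MS-Lync-Private MS-LYNC-Real\n",
    "object network MS-Lync-Private\n nat (inside,outside) static MS-LYNC-Real\n")

def parse_hosts(cfg):
    """Map each 'object network' name to its 'host' address."""
    hosts, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s*host (\S+)", line)) and current:
            hosts[current] = m.group(1)
    return hosts

def static_nats(cfg):
    """Return {real_ip: mapped_ip} for host-level manual and object static NAT."""
    hosts, nats, current = parse_hosts(cfg), {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"nat \(\S+?,\s*\S+?\) source static (\S+) (\S+)$", line):
            nats[hosts[m.group(1)]] = hosts[m.group(2)]
        elif (m := re.match(r"\s+nat \(\S+?,\s*\S+?\) static (\S+)", line)) and current:
            nats[hosts[current]] = hosts.get(m.group(1), m.group(1))
    return nats

def acl_on_mapped_ip(cfg):
    """ACL lines whose 'host' destination is a mapped (public) NAT address."""
    mapped = set(static_nats(cfg).values())
    return [line for line in cfg.splitlines() if line.startswith("access-list")
            and any(f"host {ip} " in line + " " for ip in mapped)]

if __name__ == "__main__":
    print(static_nats(CONFIG), static_nats(OBJECT_NAT), acl_on_mapped_ip(CONFIG), sep="\n")
```
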
ASKER
You're right,
MS LYNC Real is set to be
object network MS-LYNC-Real
host 62.240.124.164
--------------------------
So sorry
After these steps, I can see the correct IP but still can't open ports
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Sorry if this issue is taking a long time, but after adding the last config from you I found something in monitoring on TMG 2010.
I think this is my problem.
Kindly find the attachments:
TMG-2010.jpg
TMG-2010-FP.jpg
I see the error. I've never used Forefront before. But it seems to me, from looking at those images, that you just need to edit the ALLOW Rule #2 to include TCP 5061 along with the HTTPS, STUNin, and STUNout.
ASKER
I did it without any success; it is still blocking, but I found some articles saying TMG does not allow SIPS protocols.
If you can't help with this I will give you my acceptance because of your efforts.
I can't really help with Forefront.... Not my forte.
However, some quick searching leads me to believe that TMG has a VOIP Filter that allows SIP because there is reporting on the SIP stats.
http://technet.microsoft.com/en-us/library/ff849747.aspx
These are the default ports, so if you changed the defaults, the ASA opened ports must match.