Cisco ASA

Hi,
I am trying to get voip working on my asa5505 and below is an error message I see on the firewall logs when I attempt to make the connection from an app on my Android phone to the phone system:

Deny TCP (no connection) from external_ip/54032 to outside_int_ip/8444 flags RST on interface outside.

Anyone seen this error before?

Cheers
minniejpAsked:
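An added example, not part of the original thread: a small Python parser for the "Deny TCP (no connection)" message quoted in the question. It groups drops by interface, destination, port and TCP flags so repeated resets to one port stand out. Apart from the first sample line, the log lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Message text as shown in the question; any syslog prefix before it is ignored.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?)\s+on interface (?P<ifc>\S+?)\.?\s*$"
)

def parse_deny(line):
    """Return the fields of one 'no connection' deny line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = tuple(rec["flags"].split())
    return rec

def summarize(lines):
    """Count drops per (interface, destination, destination port, flags)."""
    counts = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec:
            counts[(rec["ifc"], rec["dst"], rec["dport"], rec["flags"])] += 1
    return counts

# Constructed sample: the first line is the one from the question, the rest are
# made up (documentation addresses) to show the grouping.
SAMPLE = [
    "Deny TCP (no connection) from external_ip/54032 to outside_int_ip/8444 flags RST on interface outside.",
    "Deny TCP (no connection) from 203.0.113.7/54040 to 198.51.100.2/8444 flags RST on interface outside",
    "Deny TCP (no connection) from 203.0.113.7/54041 to 198.51.100.2/8444 flags RST on interface outside",
    "Deny TCP (no connection) from 203.0.113.7/54050 to 198.51.100.2/8444 flags FIN ACK on interface outside",
    "Built inbound TCP connection 1201 for outside:203.0.113.7/54060 (203.0.113.7/54060) to inside:192.0.2.10/8444 (198.51.100.2/8444)",
]

if __name__ == "__main__":
    for (ifc, dst, dport, flags), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {ifc}  {dst}:{dport}  flags={' '.join(flags)}")
```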
James HIT DirectorCommented:
If you are NAT'ing a public IP to your VOIP server you will need to create an ACL allowing that traffic otherwise the firewall will deny the packet. Can you show a sanitized copy of your config?
minniejpAuthor Commented:
Hey Spartan,

See attached
Cheers
minniejpAuthor Commented:
Hi Spartan,

Have you had a chance to take a look?

Cheers
minniejpAuthor Commented:
Any ideas?
arnoldCommented:
You are seemingly using the same One-X-Portal as both an object for the IP.
A group-object.

That makes reading the configuration..........

I do not see a QoS on your ASA, nor that you are adding h323, sip to your inspect global policy.

You should consider adding Quality of Service for VOIP traffic to prioritize it over everything else coming and leaving your network.

EE post that refers you to Cisco links.

http://www.experts-exchange.com/Networking/Telecommunications/IP_Telephony/VoIP/Q_24719953.html

You can limit your data rate outside the VOIP/Voice traffic.
minniejpAuthor Commented:
Would QoS not being available cause the app to show "Voip only partially connected"? I have added h323 and sip and I am still getting this error.
arnoldCommented:
You are missing the inspect directive in the global policy.

  inspect h323 h225
  inspect h323 ras


Here is an example using ASA version 7:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82446-enable-voip-config.html
minniejpAuthor Commented:
Do you know what ports need to be forwarded to allow an Avaya app to work?
arnoldCommented:
You need to check with how your VoIP provider is, sip trunks, etc.
A QoS will make sure that if there is saturation of the connection, the packets dropped will not be the VoIP ones.

Avaya app to work with what?

You are providing limited information and limited detail on what your issue is.

I understand you provide only information you think is needed to resolve/answer your question, but just providing an error and the firewall config .........
minniejpAuthor Commented:
I upgraded the firmware on the firewall and that worked as expected.
minniejpAuthor Commented:
Upgrade of firewall resolved the problem