Mike Orther
asked on
Problem registering SIP phone from outside the network
We moved our Asterisk server version 1.4.31 from one network to another. When my phones are on the new LAN, they register to the server just as I would expect. When I try to connect from outside the network, the phones will not register. I am using x-lite to test my connectivity.
The firewall in the new LAN is a Cisco 5505 and the settings are as follows. I believe this to be a firewall issue because everything was working perfectly in the old LAN.
Firewall settings
object-group service VoIP_SIP udp
 description All ports pertaining to VoIP using SIP
 port-object eq sip
 port-object range 10000 20000
 port-object eq 4569
access-list outside_acl remark Web access to VoIP server to provide XML services to phones outside the LAN
access-list outside_acl extended permit tcp any host (public IP Address) eq www
access-list outside_acl remark VoIP SIP Mapping for SIP-based phones
access-list outside_acl extended permit udp any host (public IP Address) eq sip
access-list outside_acl remark VoIP TFTP Server for phone configurations.
access-list outside_acl extended permit udp any host (public IP Address) eq tftp
access-list outside_acl remark VoIP media port mapping.
access-list outside_acl extended permit udp any host (public IP Address) object-group VoIP_SIP
static (outsideif,insideif) 10.1.30.20 (public IP Address) netmask 255.255.255.255
static (insideif,outsideif) (public IP Address) 10.1.30.20 netmask 255.255.255.255
route outsideif 0.0.0.0 0.0.0.0 (public IP Address) 1
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
  inspect sip
ASKER
We are using IAX2 traffic over the default port (4569).
The settings above are the same as my previous firewall.
Port 5060 is not configured in any of my other sites, only port 4569.
Sorry, not familiar with IAX2.
Aren't your NAT statements the wrong way round? ASA is normally source first, then destination.
By which I mean the outsideif NAT lists the legal IP first, then actual.
Insideif NAT lists actual first, then legal NAT.
ASKER
What is the voiceif network? Is this where the internal phones sit?
ASKER
voiceif is a different phone system. Those phones reside on the 10.1.35.x network.
ASKER
My phones are registering from inside the network without issue. It is from outside the network that is the problem.
This is a silly question, but what license do you have on the ASA 5505? I seem to recall you have to have the SEC-PLUS license to use 3 interfaces, and escape the license restrictions.
ASKER
Hi Gareth. We must have an open license on this FW because we have been using 4 of the 7 ports for years. Way before my time, hahaha.
ASKER
Gareth, do you think it would help if I changed the public IP Address to something different? The one I am using seems to be routing to 0.0.0.0.
ASKER
Thank you for your help Gareth, you were super helpful.
Did you have a firewall in the old setup? If so, do you have a copy of that config?