Solved

Problem registering SIP phone from outside the network

Posted on 2016-08-09
14
72 Views
Last Modified: 2016-10-04
We moved our Asterisk server version 1.4.31 from one network to another.  When my phones are on the new LAN, they register to the server just as I would expect.  When I try to connect from outside the network, the phones will not register.  I am using x-lite to test my connectivity.
The firewall in the new LAN is a Cisco 5505 and these are the settings are as follows.  I believe this to be a firewall issue because everything was working perfectly in the old LAN.

Firewall settings

object-group service VoIP_SIP udp
 description All ports pertaining to VoIP using SIP
 port-object eq sip
 port-object range 10000 20000
 port-object eq 4569

access-list outside_acl remark Web access to VoIP server to provide XML services to phones outside the LAN
access-list outside_acl extended permit tcp any host (public IP Address) eq www
access-list outside_acl remark VoIP SIP Mapping for SIP-based phones
access-list outside_acl extended permit udp any host (public IP Address) eq sip
access-list outside_acl remark VoIP TFTP Server for phone configurations.
access-list outside_acl extended permit udp any host (public IP Address) eq tftp
access-list outside_acl remark VoIP media port mapping.
access-list outside_acl extended permit udp any host (public IP Address) object-group VoIP_SIP


static (outsideif,insideif) 10.1.30.20 (public IP Address) netmask 255.255.255.255
static (insideif,outsideif) (public IP Address) 10.1.30.20 netmask 255.255.255.255

route outsideif 0.0.0.0 0.0.0.0 (public IP Address) 1


policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
  inspect sip

Open in new window

0
Comment
Question by:morther
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
14 Comments
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 41750042
SIP is normally port 5060 and up, I don't see that?
Did you have a firewall in the old setup?  If so, do you have a copy of that config?
0
 

Author Comment

by:morther
ID: 41750470
we are using IAX2 traffic over the default port (4569).
The settings above are the same as my previous firewall.
Port 5060 in not configured in any of my other sites, only port 4569.
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 41750544
sorry, not familiar with IAX2
Aren't your NAT statements the wrong way round? ASA is normally source first, then destination
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 41750545
By which I mean the outsideif  NAT lists the legal IP frst, then actual
Insideif nAT lists actual first, then legal NAT
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 41750549
0
 

Author Comment

by:morther
ID: 41750704
you can see when I create this static route in asdm how it shows from the command line.  If I change this then nothing works, including phone registration from inside the network.  When I change it back then I can register phone from inside but still nothing outside.
asdm.JPG
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 41750724
What is the voiceif network? Is this where the internal phones sit?
0
 

Author Comment

by:morther
ID: 41750742
voiceif is a different phone system.  Those phone reside on the 10.1.35.x network.
0
 

Author Comment

by:morther
ID: 41750768
My phones are registering from inside the network without issue.  It is from outside the network that is the problem.
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 41752693
This is a silly question, but what license do you have on the ASA 5505? I seem to recall you have to have the SEC-PLUS license to use 3 interfaces, and escape the license restrictions.
0
 

Author Comment

by:morther
ID: 41752728
Hi Gareth.  We must have an open license on this FW because we have been using 4 of the 7 ports for years.  Way before my time, hahaha.
0
 

Author Comment

by:morther
ID: 41763079
Garith, do you think it would help if I changed the public IP Address to something different?  The one I am using seems to be routing to 0.0.0.0
0
 
LVL 5

Accepted Solution

by:
Gareth Tomlinson CISSP earned 500 total points
ID: 41763138
The route to 0.0.0.0 is the default route for the firewall, i.e. the internet.
Can I clarify - you have 2 different phone systems in your network?>
0
 

Author Closing Comment

by:morther
ID: 41828574
Thank you for you help Gareth, you were super helpful
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Client lost connection to AP controlled by Cisco WLC2504 3 62
VLAN Question 7 43
Listening device 21 75
ASA 5506 Port Forward 4 41
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question