
Cisco ASA 9.8(4)12 blocking outbound sip calls

Asked by jyoung1974, last modified 2020-02-15
I have been trying to get a Grandstream HT814 to communicate with Sonetel. It works fine when connected directly to the DSL line, but as soon as I put it behind the firewall it stops. It cannot make calls; when receiving a call it will ring, but with no sound.

I have tried with the SIP inspection on and off (in the config below it is disabled)

Cisco Config:

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(4)12
!

names
no mac-address auto

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
 no pim
 no igmp
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address xxxxx
 no pim
 no igmp
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name xxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list outside_access_in extended permit ip any host xxx
access-list inside_access_in extended permit ip any any

access-list global_mpc extended permit ip host xxx any inactive

pager lines 24
logging enable
logging asdm debugging

mtu outside 1500
mtu inside 1500
mtu Proxy 1500

arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384

nat (any,outside) source dynamic any interface

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map Sonetel
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect sip Sonetel
 parameters
  max-forwards-validation action drop log
policy-map global_policy
 class Sonetel
  inspect sip Sonetel
  set connection advanced-options tcp-state-bypass
 class inspection_default
  inspect ip-options
!
service-policy global_policy global

Attachments: Grandstream Config 1 to 5 (Capture6.JPG to Capture10.JPG)

CERTIFIED EXPERT

Commented:
Hi,
I'm just guessing, but it looks like you are using NAT. Probably you need to specify the "use NAT IP" address on the HT814 (last picture).
https://www.n2net.net/agent-blog/sip-nat
Hope this helps you.
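As an added illustration of the NAT problem this comment points at (example code written for this page, not from the original thread, the Grandstream firmware or Cisco): a short Python script that finds the private addresses an ATA advertises in a SIP INVITE (Via, Contact and the SDP o=/c= lines) and rewrites them to the NAT public address, which is what the HT814 "use NAT IP" setting does at the endpoint and what the ASA's SIP inspection does in transit. The INVITE, the extension, the number and the tags are constructed for the example; 203.0.113.5 is a placeholder for the firewall's public address.

```python
import ipaddress
import re

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an INVITE as an ATA on a private LAN would send it to a
# provider. Addresses, user, number and tags are made up for this example.
PRIVATE_IP = "192.168.1.20"
_SDP = (
    "v=0\r\n"
    f"o=- 12345 12345 IN IP4 {PRIVATE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 5004 RTP/AVP 0 8\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:+15551234567@sip.example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:1001@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:+15551234567@sip.example.net>\r\n"
    f"Call-ID: a84b4c76e66710@{PRIVATE_IP}\r\n"
    "CSeq: 314159 INVITE\r\n"
    f"Contact: <sip:1001@{PRIVATE_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP.encode())}\r\n"
    "\r\n" + _SDP
)


def is_rfc1918(ip):
    """True for addresses the far end cannot route back to (RFC 1918 space)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def split_message(raw):
    """Split a SIP message into its header lines and its body."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n"), body


def _header_name(line):
    return line.partition(":")[0].strip().lower()


def find_private_endpoints(raw):
    """Return (location, ip) pairs for every private address the message
    advertises as a place to reach the sender: Via and Contact headers and
    the SDP o= and c= lines. Call-ID is ignored: it is an opaque identifier."""
    headers, body = split_message(raw)
    found = []
    for line in headers[1:]:
        if _header_name(line) in ("via", "contact"):
            found += [(line.partition(":")[0].strip(), ip)
                      for ip in re.findall(IPV4, line) if is_rfc1918(ip)]
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            found += [(line[:2], ip) for ip in re.findall(IPV4, line) if is_rfc1918(ip)]
    return found


def apply_nat_ip(raw, public_ip):
    """Rewrite private addresses in Via/Contact and the SDP o=/c= lines to the
    NAT public address, then recompute Content-Length because the body may
    change size. Nothing else in the message is touched."""
    def swap(m):
        return public_ip if is_rfc1918(m.group()) else m.group()

    headers, body = split_message(raw)
    new_body = "\r\n".join(
        re.sub(IPV4, swap, line) if line.startswith(("o=", "c=")) else line
        for line in body.split("\r\n"))
    new_headers = []
    for line in headers:
        name = _header_name(line)
        if name in ("via", "contact"):
            line = re.sub(IPV4, swap, line)
        elif name == "content-length":
            line = f"Content-Length: {len(new_body.encode())}"
        new_headers.append(line)
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body


def content_length_consistent(raw):
    """Check that Content-Length matches the actual body size."""
    headers, body = split_message(raw)
    for line in headers:
        if _header_name(line) == "content-length":
            return int(line.partition(":")[2].strip()) == len(body.encode())
    return False


if __name__ == "__main__":
    print("advertised private endpoints:", find_private_endpoints(SAMPLE_INVITE))
    fixed = apply_nat_ip(SAMPLE_INVITE, "203.0.113.5")  # placeholder public IP
    print(fixed)
```

Rewriting the advertised address fixes what the provider sees, but not whether the provider's RTP toward 203.0.113.5:5004 is translated back to the ATA; with a dynamic PAT rule like the one posted, that return path exists only if something creates the translation (SIP inspection opening a media pinhole, or symmetric RTP on the provider side), which is why a NAT fault tends to show up as a call that rings with no audio. Call-ID is left untouched on purpose: it is an opaque dialog identifier, and changing it mid-dialog breaks the call.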

Author

Commented:
Thanks, but it didn't help. I think it has something to do with NAT as well, but it doesn't seem to want to work. I have also tried a different IOS on the firewall with no success. Below are the outgoing and incoming call logs (attachments: Outgoing call, Incoming call).

Author

Commented:
I also tried putting the LTE router in both Bridge and router mode, but it does not seem to affect it at all. It is currently in bridge mode with a public IP address assigned to the external interface of the firewall.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You have to use QoS to prioritize SIP/VoIP traffic.

You have to disable SIP inspection while also disabling SIP ALG.
Any delay in processing of packets will cause issues.
Provide reserved bandwidth for SIP/VoIP.

Author

Commented:
Do you have an example? I have not messed around with QoS on an ASA very much.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:

Author

Commented:
Thanks, I will be back on that site on Saturday and will try then.

Author

Commented:
I added the following, but it didn't help. My policies look like the following:

class-map inspection_default
 match default-inspection-traffic
class-map voip-inside-class
 description voip traffic
 match dscp ef
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ip-options
policy-map voip-inside-policy
 description voip on inside interface
 class voip-inside-class
  priority
!
service-policy global_policy global
I had to attach it to the inside interface; then the policy started working (and so did the phones):

service-policy voip-inside-policy interface inside
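One check worth running on the final configuration above, as an added example (Python written for this page, not Cisco tooling or the author's configuration): on the ASA the low-latency queue that the `priority` action feeds is enabled per interface with `priority-queue <interface>` (the first step in Cisco's ASA QoS configuration guide), and that command does not appear in the posted config. The script parses an ASA configuration excerpt, constructed here from the policy-map and service-policy lines posted above, and flags any policy-map containing `priority` that is applied to an interface without `priority-queue`, or applied globally.

```python
import re

# Constructed ASA configuration excerpt modelled on the one posted above
# (the same class-map / policy-map / service-policy lines, nothing else).
SAMPLE_CONFIG = """\
class-map voip-inside-class
 description voip traffic
 match dscp ef
!
policy-map global_policy
 class inspection_default
  inspect ip-options
policy-map voip-inside-policy
 description voip on inside interface
 class voip-inside-class
  priority
!
service-policy global_policy global
service-policy voip-inside-policy interface inside
"""


def parse_policy_maps(config):
    """Map each policy-map name to the set of keywords found under it
    (class, priority, police, inspect, ...). 'policy-map type inspect'
    blocks are skipped: they hold inspection parameters, not queuing."""
    maps, current = {}, None
    for line in config.splitlines():
        if line.startswith("policy-map "):
            parts = line.split()
            current = None if parts[1] == "type" else parts[1]
            if current is not None:
                maps.setdefault(current, set())
        elif line.startswith(" "):
            if current is not None and line.strip():
                maps[current].add(line.split()[0])
        else:
            current = None  # '!', class-map, service-policy, ... end the block
    return maps


def parse_service_policies(config):
    """Return (policy_map, scope) pairs; scope is 'global' or an interface name."""
    pattern = re.compile(r"^service-policy (\S+) (?:(global)|interface (\S+))\s*$", re.M)
    return [(m.group(1), m.group(2) or m.group(3)) for m in pattern.finditer(config)]


def priority_queue_interfaces(config):
    """Interfaces on which 'priority-queue <name>' has been enabled."""
    return set(re.findall(r"^priority-queue (\S+)", config, re.M))


def check_priority_queues(config):
    """Flag every service-policy whose policy-map uses 'priority' on an
    interface without priority-queue, or globally (where each interface
    that should carry the low-latency queue needs it enabled)."""
    maps = parse_policy_maps(config)
    enabled = priority_queue_interfaces(config)
    findings = []
    for pmap, scope in parse_service_policies(config):
        if "priority" not in maps.get(pmap, set()):
            continue
        if scope == "global":
            findings.append(f"{pmap}: 'priority' in a global policy; "
                            "enable priority-queue on each interface it should act on")
        elif scope not in enabled:
            findings.append(f"{pmap} on {scope}: 'priority' used but "
                            f"'priority-queue {scope}' is not configured")
    return findings


if __name__ == "__main__":
    for finding in check_priority_queues(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
    # Adding the missing command clears the finding.
    print(check_priority_queues(SAMPLE_CONFIG + "priority-queue inside\n"))
```

The same check works on `show running-config` output because the parser relies only on the ASA's indentation convention: top-level commands at column 0, class and action lines indented. If the check is clean and audio still breaks, the next thing to confirm is that the RTP packets reach the ASA already marked, since `match dscp ef` only catches traffic the ATA has marked as EF; that is a setting on the HT814, not on the firewall.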