asked on
Cisco ASA 9.8(4)12 blocking outbound sip calls
I have been trying to get a Grandstream HT814 to communicate with Sonetel. It works fine when connected directly to the DSL line, but as soon as I put it behind the firewall it stops. It cannot make calls, when receiving a call it will ring, but with no sound.
I have tried with the SIP inspection on and off (in the config below it is disabled)
Cisco Config:
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(4)12
!
names
no mac-address auto
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
no pim
no igmp
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address xxxxx
no pim
no igmp
!
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name xxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any host xxx
access-list inside_access_in extended permit ip any any
access-list global_mpc extended permit ip host xxx any inactive
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu Proxy 1500
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (any,outside) source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map Sonetel
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect sip Sonetel
parameters
max-forwards-validation action drop log
policy-map global_policy
class Sonetel
inspect sip Sonetel
set connection advanced-options tcp-state-bypass
class inspection_default
inspect ip-options
!
service-policy global_policy global
![Grandstream Config 1]()
![Grandstream Config 2]()
![Grandstream Config 3]()
![Grandstream Config 4]()
![Grandstream Config 5]()
Capture7.JPG
Capture8.JPG
Capture9.JPG
Capture10.JPG
I have tried with the SIP inspection on and off (in the config below it is disabled)
Cisco Config:
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(4)12
!
names
no mac-address auto
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
no pim
no igmp
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address xxxxx
no pim
no igmp
!
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name xxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any host xxx
access-list inside_access_in extended permit ip any any
access-list global_mpc extended permit ip host xxx any inactive
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu Proxy 1500
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (any,outside) source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map Sonetel
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect sip Sonetel
parameters
max-forwards-validation action drop log
policy-map global_policy
class Sonetel
inspect sip Sonetel
set connection advanced-options tcp-state-bypass
class inspection_default
inspect ip-options
!
service-policy global_policy global
[embed=file 1443137][embed=file 1443138][embed=file 1443139][embed=file 1443140][embed=file 1443141]
Capture7.JPG
Capture8.JPG
Capture9.JPG
Capture10.JPG
Cisco* sipVoice Over IP
Last Comment
jyoung1974
ASKER
thanks but it didn't help, I think it has something to do with NAT as well, but doesn't seem to want to work. I have also tried a different IOS on the firewall with no success. Below are outgoing and incoming call logs ![Outgoing call]()
![In coming call]()
ASKER
I also tried putting the LTE router in both Bridge and router mode, but it does not seem to affect it at all. It is currently in bridge mode with a public IP address assigned to the external interface of the firewall.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
You have to use qos to prioritize dip, VoIP traffic.
You gave to disable sip inspection while also disabling sip-alg
Any delay in processing of packets will cause issues.
Provide a reserved bandwidth for dip/VoIP.
You gave to disable sip inspection while also disabling sip-alg
Any delay in processing of packets will cause issues.
Provide a reserved bandwidth for dip/VoIP.
ASKER
do you have an example? I have not messed around with QOS on an ASA very much
No inspect sip
Disable sip alg
Re qos https://community.cisco.com/t5/firewalls/prioritize-voip-on-asa/td-p/2513526
Disable sip alg
Re qos https://community.cisco.com/t5/firewalls/prioritize-voip-on-asa/td-p/2513526
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Thanks, I will be back on that site on saturday and will try then.
ASKER
I added the following, but it didn't help. My policies look like the following:
class-map inspection_default
match default-inspection-traffic
class-map voip-inside-class
description voip traffic
match dscp ef
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
policy-map voip-inside-policy
description voip on inside interface
class voip-inside-class
priority
!
service-policy global_policy global
class-map inspection_default
match default-inspection-traffic
class-map voip-inside-class
description voip traffic
match dscp ef
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
policy-map voip-inside-policy
description voip on inside interface
class voip-inside-class
priority
!
service-policy global_policy global
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
I'm just guessing, but it looks that you are using NAT. Probably you need to specify "use NAT IP" address on HT814 (last picture)
https://www.n2net.net/agent-blog/sip-nat
Hope this helps you.