Configure ASA and SIP


  • Configure ASA and SIP

    Dear Team,


    I have the following issue,

    We need to configure our Cisco Call Manager Express (CME) and our Cisco ASA in order to allow connections for SIP clients outside the company.

    Below is the configuration of our ASA and CME:



    ASA config
    -----------
    hostname FW
    domain-name mycompany.net
    enable password iqz6QVfd1vedgoadHbdy encrypted
    names


    dns-guard
    !
    interface Ethernet0/0
    speed 10
    nameif outside
    security-level 0
    ip address 1.1.1.2 255.255.255.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    !
    interface Ethernet0/2
    nameif DMZVoice
    security-level 90
    ip address 192.168.2.1 255.255.255.0


    access-list idm extended permit ip any host 192.168.2.10

    access-list Outside_IN extended permit tcp any host 1.1.1.10
    access-list Outside_IN extended permit udp any host 1.1.1.10
    access-list Outside_IN extended permit ip any host 1.1.1.10

    access-list DMZVoice_access_in extended permit ip host 192.168.2.10 any

    mtu outside 1500
    mtu inside 1500
    mtu DMZVoice 1500

    global (outside) 1 1.1.1.254
    global (DMZVoice) 1 192.168.2.2
    nat (inside) 0 access-list 90
    nat (inside) 1 192.168.0.0 255.255.255.0
    nat (DMZVoice) 1 192.168.2.0 255.255.255.0

    static (DMZVoice,outside) 1.1.1.10 192.168.2.10 netmask 255.255.255.255

    access-group Outside_IN in interface outside
    access-group idm in interface inside
    access-group DMZVoice_access_in in interface DMZVoice

    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect netbios
    inspect tftp
    inspect icmp
    inspect mgcp
    inspect sip
    !
    service-policy global_policy global
    Cryptochecksum:1f1eacc9b3e66a8ddc8f3f6fddc699b9
    : end






    CME Config
    ----------


    telephony-service
    no auto-reg-ephone
    fxo hook-flash
    max-ephones 58
    max-dn 300
    ip source-address 192.168.2.10 port 2000
    timeouts interdigit 5
    system message My Company
    url authentication xxxxxxxxxxxxxxxxxxxxx extmob psswrd
    load 7915-24 B015-1-0-3
    load 7916-24 B016-1-0-3
    load 7911 SCCP11.8-5-4S
    load 7942 SCCP42.8-5-4S
    load 7945 SCCP45.8-5-4S
    load 7962 SCCP42.8-5-4S
    load 7965 SCCP45.8-5-4S
    time-zone 26
    date-format dd-mm-yy
    voicemail 800
    max-conferences 8 gain -6
    call-forward pattern .T
    moh music-on-hold.au
    multicast moh 239.1.1.1 port 2000s
    web admin system name cisco secret 5 $1$Sii$wdhL0yfBaVhV%fePYB3FY.LK1
    dn-webedit
    time-webedit
    transfer-system full-consult
    transfer-pattern .T
    secondary-dialtone 9
    create cnf-files version-stamp Jan 01 2002 00:00:00


    interface GigabitEthernet0/0
    description ---- CCME connection to Core switch
    ip address 192.168.2.10 255.255.255.0
    duplex auto
    speed auto
    h323-gateway voip interface
    h323-gateway voip bind srcaddr 192.168.2.10
    !
    interface ISM0/0
    ip unnumbered GigabitEthernet0/0
    !Application: CUE Running on ISM

    ----------------------------------


    We are able to telnet to the CME interface 1.1.1.10 on port 5060 from both inside and outside the company.
    The SIP client registers successfully from the inside, but with no success when trying from the outside.
    This is a debug from the SIP client:


    ------------------------
    Attemping to connect to 1.1.1.10
    Phone got as local port 57128
    Jabra not connected
    RTP engine ok
    SIP engine ok
    Sending STUN request
    Phone connection failed, PBX not responding
    --------------------------


    I am getting the request on my ASA and below is the debug from the ASA:


    -------------------------


    SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060
    Found port 5060
    Found port 56400
    Via Port 56400
    Found port 33891
    Found port 5060
    Found port 5060
    SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)
    SIP::Found To addr "sip:[email protected]:5060" (27)
    SIP::Found From addr "sip:[email protected]:5060" (27)
    SIP::Found From addr tag "14726e1d" (
    SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)
    SIP::Found CSeq 1 REGISTER
    SIP::Found expires, 120 seconds
    SIP::Updating xlate timeout for 80.79.159.89/33891 to 0:02:00
    SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060
    Found port 5060
    Found port 56400
    Via Port 56400
    Found port 33891
    Found port 5060
    Found port 5060
    SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)
    SIP::Found To addr "sip:[email protected]:5060" (27)
    SIP::Found From addr "sip:[email protected]:5060" (27)
    SIP::Found From addr tag "14726e1d" (
    SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)
    SIP::Found CSeq 1 REGISTER
    SIP::Found expires, 120 seconds
    SIP::Updating xlate timeout for 80.79.159.89/33891 to 0:02:00
    SIP::REGISTER received from outside:80.79.159.89/1690 to DMZVoice:192.168.2.10/5060
    Found port 5060
    Found port 56400
    Via Port 56400
    Found port 33891
    Found port 5060
    Found port 5060
    SIP::Found Via branch "z9hG4bK-d8754z-137e0a134514a94e-1---d8754z-" (43)
    SIP::Found To addr "sip:[email protected]:5060" (27)
    SIP::Found From addr "sip:[email protected]:5060" (27)
    SIP::Found From addr tag "14726e1d" (
    SIP::Found Call-ID NzllMmY2NDRjMzE4ZjA3MDM0MjUwNmVlODAzMTIxNTU. (44)
    SIP::Found CSeq 1 REGISTER
    SIP::Found expires, 120 seconds
    SIP::Updating xlate timeout for 80.79.159.89/33891 to 0:02:00


    ----------------------------------------


    Can someone please advise me what should be done to make this work?

    Is there any config that should be done on the CME (telephony-service)?

    Thanks for the help.
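
Added example (not part of the original post): a small triage script for ASA SIP debug output in the format shown above. In SIP, a request that reappears with the same Via branch, Call-ID and CSeq is a retransmission of one transaction, which a client typically sends when no response has reached it. The sample log is constructed; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the same line format as the ASA debug in the post
# (documentation addresses and made-up identifiers, not the poster's data).
SAMPLE = """\
SIP::REGISTER received from outside:203.0.113.5/1690 to DMZVoice:192.168.2.10/5060
SIP::Found Via branch "z9hG4bK-aaaa-1" (14)
SIP::Found Call-ID call-0001 (9)
SIP::Found CSeq 1 REGISTER
SIP::REGISTER received from outside:203.0.113.5/1690 to DMZVoice:192.168.2.10/5060
SIP::Found Via branch "z9hG4bK-aaaa-1" (14)
SIP::Found Call-ID call-0001 (9)
SIP::Found CSeq 1 REGISTER
SIP::REGISTER received from outside:203.0.113.5/1690 to DMZVoice:192.168.2.10/5060
SIP::Found Via branch "z9hG4bK-bbbb-2" (14)
SIP::Found Call-ID call-0002 (9)
SIP::Found CSeq 1 REGISTER
"""

RECEIVED = re.compile(r"SIP::(\w+) received from (\S+) to (\S+)")
FIELDS = {
    "branch": re.compile(r'SIP::Found Via branch "([^"]*)"'),
    "call_id": re.compile(r"SIP::Found Call-ID (\S+)"),
    "cseq": re.compile(r"SIP::Found CSeq (\d+ \w+)"),
}

def parse_messages(text):
    """Return one dict per 'received' line, filled with its following Found fields."""
    messages = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = RECEIVED.match(line)
        if m:
            messages.append({"method": m.group(1), "src": m.group(2), "dst": m.group(3)})
            continue
        if not messages:
            continue  # field line before any request header: ignore
        for key, pattern in FIELDS.items():
            f = pattern.match(line)
            if f:
                messages[-1][key] = f.group(1)
    return messages

def retransmitted(text):
    """Return {(src, branch, call_id, cseq): count} for requests seen more than once."""
    seen = Counter(
        (m["src"], m.get("branch"), m.get("call_id"), m.get("cseq"))
        for m in parse_messages(text)
    )
    return {key: n for key, n in seen.items() if n > 1}
```

In the capture posted above, the three REGISTER blocks carry identical source, Via branch, Call-ID and CSeq values, so they would be reported as a single transaction seen three times.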