Configure Cisco ASA 5505 to work with 3CX

Discussion in '3CX Phone System - General' started by ckh, Mar 16, 2012.

Thread Status:
Not open for further replies.
  1. ckh

    ckh

    Joined:
    Mar 16, 2012
    Messages:
    2
    Likes Received:
    0
    Hi everyone,

    I am having trouble configuring our ASA 5505, to allow communication with the 3CX server.
    We have tried numerous things, but the 3CX firewall checker keeps throwing errors about PORT TRANSLATION:

    Has anyone successfully configured an ASA 5505, and would be willing to share the relevant parts of their running config?

    Thank you in advance :)
     
  2. millsey

    millsey New Member

    Joined:
    Dec 21, 2011
    Messages:
    190
    Likes Received:
    0
    Yes we are going via an ASA 5505. Is this to allow the 3CX to use a SIP trunk? Or for remote access/remote extensions?

    Millsey
     
  3. ckh

    ckh

    Joined:
    Mar 16, 2012
    Messages:
    2
    Likes Received:
    0
    Hi Millsey.

    Yes, 3CX is to connect to a sip trunk (provider).
    Also, I'd like the ASA 5505 to allow phones to be placed outside the company network (i.e. tunnel).
     
  4. millsey

    millsey New Member

    Joined:
    Dec 21, 2011
    Messages:
    190
    Likes Received:
    0
    First thing to check (whilst I look for the export command) is that your SIP trunk provider is not delivering you the audio streams on a different port (edit: I meant: on a different IP ADDRESS). We had to allow the whole /24 range of the SIP provider since they send the SIP signalling from one IP address and the RTP packets from a different IP address.

    We have static NAT set for translating the packets between the internal and external IP addresses. We also have the default Service Policy Rules for SIP which by default translates the VIA header to be the external address (probably why we need static NAT).

    Who is your SIP trunk provider out of interest? We are on NODE4 (UK)

    Back in a bit.

    Millsey
     
  5. millsey

    millsey New Member

    Joined:
    Dec 21, 2011
    Messages:
    190
    Likes Received:
    0
    I have had to butcher this a bit to ensure our public data is removed:



    : Saved
    :
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password XXXXXXXX encrypted
    passwd XXXXXXXX encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 89.0.1.254 255.255.0.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address A.A.A.A 255.255.255.224
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network i89.0.3.1-chatterbox
     host 89.0.3.1
    object network oA.A.A.A-chatterbox
     host 86.188.246.34
    object network oNODE4SIP
     subnet B.B.B.0 255.255.255.0
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group network DM_INLINE_NETWORK_1
     network-object object i89.0.3.1-chatterbox
     network-object object oA.A.A.A-chatterbox
    object-group network DM_INLINE_NETWORK_2
     network-object host SIP.SIP.SIP.SIP
     network-object object oNODE4SIP
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit ip object i89.0.3.1-chatterbox any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static i89.0.3.1-chatterbox oA.A.A.A-chatterbox
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 (ourdefaultgateway) 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 89.0.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 89.0.2.2-89.0.2.33 inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect sip
      inspect skinny
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:XXXXXXXXXX:
    : end
    no asdm history enable
     
  6. Nick@Troosters

    Joined:
    Nov 12, 2012
    Messages:
    22
    Likes Received:
    0
    Hello,

    I have an ASA 5505 and the phone is working, BUT when I run the firewall checker I still get:

    Testing SIP Port 5060 using STUN server: stun0.weepee.org:3478
    Resolving STUN server stun0.weepee.org ... Resolved to: [91.208.12.88]
    [Test1] Reachability test ... Resolved Public IP: 91.183.197.109:64385
    STUN server stun0.weepee.org has second address 91.208.12.90:3479
    [Test2] One on One Port Forwarding ... FAILED.
    No response received or port mapping is closed. Firewall check failed. This configuration is not supported

    And I get this on all ports?

    SIP inspection is turned off. In ACCESS rules I have source: any, destination: outside (and even the IP of the 3CX server), service: 5060 (and on for 5090, 5062, 9000-9049) TCP and UDP. In NAT rules I have source: IP of the 3CX server, service: 5062; 5060 5090), interface: outside, address: outside.

    Can anyone help me out why it is not working ?
     
  7. millsey

    millsey New Member

    Joined:
    Dec 21, 2011
    Messages:
    190
    Likes Received:
    0
    Hi

    Currently I also get firewall test failure but not with that error. Because I have SIP inspect on, the firewall test is likely to fail.

    You say that you have the access and NAT rules in place, but they sound like they are outgoing only. You need to have a rule to translate the address back from the outside address to the inside. Note that on the ASA, software version 8.3 and above allow you to specify that a NAT rule is both ways; otherwise you will need a separate rule translating inbound packets.

    For the access rules you need a rule saying traffic arriving at the inside interface going to (either anywhere or your provider's SIP address) is allowed, and if your SIP inspect is off, you need to allow the ports back in from the outside interface.

    Not sure if I am wasting our time saying that!

    Millsey
     
  8. Nick@Troosters

    Joined:
    Nov 12, 2012
    Messages:
    22
    Likes Received:
    0
    Hi,

    so I should leave the SIP inspect enabled as was ?

    and just make sure traffic from weepee to my 3cxserver is open ?

    You don't happen to have the correct commandline codes with you now , do you ?
     
  9. millsey

    millsey New Member

    Joined:
    Dec 21, 2011
    Messages:
    190
    Likes Received:
    0
    Sorry I don't, I am at home.

    I allowed all IP traffic arriving on the outside interface from our SIP provider's IP range in, to the outside address of our 3CX. I also allowed all IP traffic arriving on the inside interface from the 3CX, to the SIP provider's IP range. Then I had a NAT rule to translate BOTH WAYS between the 3CX internal and outside IP addresses. I have the SIP inspect turned on because our particular provider does not like that 3CX writes its SIP "VIA" header to be the INTERNAL address. The SIP inspect will rewrite all the internal addresses in the SIP packet to be the external address, which makes it work for that particular provider. There was quite some discussion about sending the internal IP in the VIA header.

    Good luck,
    Millsey
     
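The posts above (millsey's description of the VIA header problem, and the SIP ALG discussion that follows) turn on one mechanism: a PBX behind NAT writes its internal address into Via, Contact and the SDP connection lines, and either the ALG rewrites them or the provider rejects the call. The following Python script is an added example, not code from this thread, from 3CX or from Cisco. It builds a constructed INVITE (the provider hostname, the extension, the internal address 192.168.1.10 and the public address 203.0.113.5 are all made up), reports which NAT-sensitive fields carry an RFC 1918 address, and emulates the rewrite an ALG such as the ASA's `inspect sip` performs, including the Content-Length fix-up that a naive search-and-replace would miss.

```python
import ipaddress
import re

# Constructed sample values for this example only.
PROVIDER = "sip.example-provider.net"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Fields a remote SIP peer uses to route signalling and media back to us;
# these are the ones a SIP ALG rewrites. Call-ID is deliberately excluded.
NAT_SENSITIVE_HEADERS = {"via", "contact"}
NAT_SENSITIVE_SDP_PREFIXES = ("c=", "o=")


def build_invite(pbx_ip, rtp_port=9000):
    """Constructed INVITE with SDP, as a PBX at pbx_ip would emit it."""
    sdp = ("v=0\r\n"
           f"o=pbx 12345 12345 IN IP4 {pbx_ip}\r\n"
           "s=call\r\n"
           f"c=IN IP4 {pbx_ip}\r\n"
           "t=0 0\r\n"
           f"m=audio {rtp_port} RTP/AVP 0 8 101\r\n")
    headers = (f"INVITE sip:442079460000@{PROVIDER} SIP/2.0\r\n"
               f"Via: SIP/2.0/UDP {pbx_ip}:5060;branch=z9hG4bK776asdhds;rport\r\n"
               f"From: <sip:1001@{PROVIDER}>;tag=1928301774\r\n"
               f"To: <sip:442079460000@{PROVIDER}>\r\n"
               f"Call-ID: a84b4c76e66710@{pbx_ip}\r\n"
               "CSeq: 314159 INVITE\r\n"
               f"Contact: <sip:1001@{pbx_ip}:5060>\r\n"
               "Content-Type: application/sdp\r\n"
               f"Content-Length: {len(sdp.encode())}\r\n")
    return headers + "\r\n" + sdp


def split_message(msg):
    """Split a SIP message into its header lines and its body."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def _nat_sensitive(line, in_body):
    if in_body:
        return line.startswith(NAT_SENSITIVE_SDP_PREFIXES)
    return line.split(":", 1)[0].strip().lower() in NAT_SENSITIVE_HEADERS


def _rfc1918_ips(line):
    found = []
    for candidate in IPV4_RE.findall(line):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue  # dotted number that is not a valid address
        if any(addr in net for net in RFC1918):
            found.append(candidate)
    return found


def find_private_addresses(msg):
    """(label, ip) for each internal address a remote peer would try to reach."""
    headers, body = split_message(msg)
    findings = []
    for line in headers:
        if _nat_sensitive(line, in_body=False):
            label = line.split(":", 1)[0]
            findings.extend((label, ip) for ip in _rfc1918_ips(line))
    for line in body.split("\r\n"):
        if _nat_sensitive(line, in_body=True):
            findings.extend((line[:2], ip) for ip in _rfc1918_ips(line))
    return findings


def alg_rewrite(msg, internal_ip, public_ip):
    """Emulate an outbound SIP ALG: swap internal for public in Via/Contact
    and SDP c=/o=, then recompute Content-Length for the changed body."""
    pattern = re.compile(rf"\b{re.escape(internal_ip)}\b")
    headers, body = split_message(msg)
    new_headers = [pattern.sub(public_ip, h) if _nat_sensitive(h, False) else h
                   for h in headers]
    new_body = "\r\n".join(pattern.sub(public_ip, l) if _nat_sensitive(l, True) else l
                           for l in body.split("\r\n"))
    new_headers = [f"Content-Length: {len(new_body.encode())}"
                   if h.lower().startswith("content-length:") else h
                   for h in new_headers]
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body


def content_length_consistent(msg):
    """True when the Content-Length header matches the actual body length."""
    headers, body = split_message(msg)
    for h in headers:
        if h.lower().startswith("content-length:"):
            return int(h.split(":", 1)[1]) == len(body.encode())
    return len(body) == 0


if __name__ == "__main__":
    invite = build_invite("192.168.1.10")
    print("internal addresses exposed:", find_private_addresses(invite))
    print(alg_rewrite(invite, "192.168.1.10", "203.0.113.5"))
```

Running the script against the constructed INVITE lists the Via, Contact, o= and c= fields as carrying 192.168.1.10, which is exactly what a provider that "does not like the local address in the via header" sees. After `alg_rewrite` those fields carry the public address, Call-ID is left alone, and Content-Length still matches the body; the last point is why an ALG (or 3CX's own static public IP setting) has to be used rather than any blind substitution.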
  10. jpillow

    jpillow Well-Known Member

    Joined:
    Jun 20, 2011
    Messages:
    1,342
    Likes Received:
    0
    You may want to disable SIP ALG. NAT translation is no good in the world of VoIP.
     
  11. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Cisco routers and Cisco ASA are probably the only devices correctly implementing SIP ALG.

    3CX generally recommends switching off SIP ALG functionality, which I also recommend for most NAT devices, simply because they are not doing it correctly (there is a Cisco CLI command to disable SIP ALG; if you want to do this, check the Cisco manual).

    The case with ASA 5505 or 8xx or other routers is different, you may rely on Cisco's SIP ALG for correctly handling NAT for SIP/SDP packets. Normally you should configure in 3CX server a static public IP and disable STUN. Firewall checker should pass (at least we have several installations where this is working) and one interesting installation with 2 WAN and 1 LAN interfaces of ASA 5505 (reverse usage of ASA Ethernet ports). This setup is especially valuable for configurations, where you have providers insisting on their IP addresses for SIP/SDP packets, and the 3CX server and IP phones reside in local network (note there are providers where you can't use standard NAT, as it is not manipulating the SIP/SDP packets, in such cases you either need second LAN interface or correctly implemented SIP ALG).

    Regards
     
  12. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    Could you please specify the name of VoIP provider?

    Thanks
     
  13. millsey

    millsey New Member

    Joined:
    Dec 21, 2011
    Messages:
    190
    Likes Received:
    0
    Hi

    The provider is Node4 in the UK. If we dial out without SIP inspect, we get forbidden on the phones. The log in 3CX says the same.

    Node4 do not require us to use their IP addresses but they do require us to state the static IP address we will use. They also send RTP packets from a different address to their SIP gateway, but that is fine as long as we know to allow data from their other IP address.

    We have been running ok for 12 months but recently have had stuttering audio which appears to be a fault upstream from them.

    I would prefer to run without SIP Inspect as per advice. But it does not work at all without it because they don't like the local address in the via header.
     
  14. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    My opinion is you simply have to turn off STUN in 3CX, specify your static public IP in the network settings, and use your internal address in the SIP/SDP settings for the provider. This is the correct setting for using SIP ALG.

    Otherwise you need to disable the SIP ALG in ASA.

    In all cases you still need to have ports forwarded to internal address of the 3CX.
     
  15. jpillow

    jpillow Well-Known Member

    Joined:
    Jun 20, 2011
    Messages:
    1,342
    Likes Received:
    0
    I'd do both: disable SIP ALG and the STUN server. We mainly use Cisco SA5xxx and RVXXX series routers; by default we always do both as a rule of thumb.
     
  16. black6

    Joined:
    Nov 26, 2012
    Messages:
    9
    Likes Received:
    0
    Hi,

    We have configured many Cisco ASAs and PIXes to work successfully with VoIP systems, but they can be tricky. Firstly, we would like to clarify what your actual problem is. There are numerous discussions here about the firewall checker etc., but we need to know what problems you are having with your 5505 specifically, for example one-way audio? No SIP registration to the ITSP? Remote SIP phone registration problems? When replying, could you let us know if you are using a public IP address and whether you are running any VPNs into your ASA, particularly if you are hairpinning out again.

    If you could share this information with us we will try to help you further.
     