Configure Cisco ASA 5505 to work with 3CX

ckh

Hi everyone,

I am having trouble configuring our ASA 5505 to allow communication with the 3CX server.
We have tried numerous things, but the 3CX firewall checker keeps throwing errors about PORT TRANSLATION:

UDP SIP Port is set to 5060. Response received WITH TRANSLATION 7073::5060. Phase 2a check passed with WARNINGS. Some functionality will be LIMITED.

Has anyone successfully configured an ASA 5505, and would be willing to share the relevant parts of their running config?

Thank you in advance :)
 
Yes we are going via an ASA 5505. Is this to allow the 3CX to use a SIP trunk? Or for remote access/remote extensions?

Millsey
 
Hi Millsey.

Yes, 3CX is to connect to a sip trunk (provider).
Also, I'd like the ASA 5505 to allow phones to be placed outside the company network (i.e. tunnel).
 
First thing to check (whilst I look for the export command) is that your SIP trunk provider is not delivering you the audio streams on a different port (edit: I meant: on a different IP ADDRESS). We had to allow the whole /24 range of the SIP provider since they send the SIP signalling on one IP address and the RTP packets from a different IP address.

We have static NAT set for translating the packets between the internal and external IP addresses. We also have the default Service Policy Rules for SIP which by default translates the VIA header to be the external address (probably why we need static NAT).

Who is your SIP trunk provider out of interest? We are on NODE4 (UK)

Back in a bit.

Millsey
 
I have had to butcher this a bit to ensure our public data is removed:

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password XXXXXXXX encrypted
passwd XXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 89.0.1.254 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.224
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network i89.0.3.1-chatterbox
host 89.0.3.1
object network oA.A.A.A-chatterbox
host 86.188.246.34
object network oNODE4SIP
subnet B.B.B.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object i89.0.3.1-chatterbox
network-object object oA.A.A.A-chatterbox
object-group network DM_INLINE_NETWORK_2
network-object host SIP.SIP.SIP.SIP
network-object object oNODE4SIP
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip object i89.0.3.1-chatterbox any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static i89.0.3.1-chatterbox oA.A.A.A-chatterbox
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 (ourdefaultgateway) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 89.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 89.0.2.2-89.0.2.33 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect sip
inspect skinny
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:XXXXXXXXXX:
: end
no asdm history enable
 
Hello,

I have an ASA 5505 and the phone is working, BUT when I run the firewall checker I still get:

Testing SIP Port 5060 using STUN server: stun0.weepee.org:3478
Resolving STUN server stun0.weepee.org ... Resolved to: [91.208.12.88]
[Test1] Reachability test ... Resolved Public IP: 91.183.197.109:64385
STUN server stun0.weepee.org has second address 91.208.12.90:3479
[Test2] One on One Port Forwarding ... FAILED.
No response received or port mapping is closed. Firewall check failed. This configuration is not supported

And I get this on all ports?

SIP inspection is turned off. In ACCESS rules I have source: any, destination: outside (and even the IP of the 3CX server), service: 5060 (and the same for 5090, 5062, 9000-9049) TCP and UDP. In NAT rules I have source: IP of the 3CX server, service: 5062; 5060; 5090, interface: outside, address: outside.

Can anyone help me out with why it is not working?
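The "WITH TRANSLATION" and "port mapping is closed" verdicts in the two firewall checker outputs above come from a STUN Binding test: the checker sends from the local SIP port, asks the STUN server which public address and port it saw, and compares the port with the one it bound. The Python below is an added example, not 3CX's checker code and not from any post in this thread. It builds and parses RFC 5389 Binding messages, constructs a sample response offline (using the public address 91.183.197.109 that the post above reports, with a constructed port), and makes the same comparison; query_stun() does the live version. That the 3CX checker implements its test exactly this way is an assumption.

```python
"""Detect SIP port translation the way a STUN-based firewall check does.
Added example, not part of the forum thread; STUN framing follows RFC 5389."""
import ipaddress
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER = "!HHI12s"  # type, length, magic cookie, 12-byte transaction id


def build_binding_request(txid: bytes) -> bytes:
    """An empty Binding request is just the 20-byte header."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Binding response carrying XOR-MAPPED-ADDRESS. Used here only to
    construct an offline sample of what a STUN server would send back."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)  # reserved, family=IPv4
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_RESPONSE, len(attr), MAGIC_COOKIE, txid) + attr


def parse_mapped_address(response: bytes, txid: bytes):
    """Return (public_ip, public_port) from a Binding response.
    XOR-MAPPED-ADDRESS is preferred; plain MAPPED-ADDRESS is the fallback,
    because some NAT devices rewrite the plain form in transit (the reason
    the XOR form exists)."""
    if len(response) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie, rx_txid = struct.unpack(HEADER, response[:20])
    if cookie != MAGIC_COOKIE or rx_txid != txid:
        raise ValueError("not a STUN response to our request")
    if msg_type != BINDING_RESPONSE or len(response) != 20 + length:
        raise ValueError("unexpected message type or length")
    body, off, fallback = response[20:], 0, None
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        off += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_len < 8 or value[1] != 0x01:  # IPv4 only in this example
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            return str(ipaddress.IPv4Address(addr ^ MAGIC_COOKIE)), port ^ (MAGIC_COOKIE >> 16)
        if attr_type == ATTR_MAPPED_ADDRESS and fallback is None:
            fallback = (str(ipaddress.IPv4Address(addr)), port)
    if fallback is None:
        raise ValueError("no mapped address in response")
    return fallback


def translation_verdict(local_port: int, public_port: int) -> str:
    """The decision behind the checker's warning: the socket was bound to
    local_port, so a different public port means the edge device is doing
    port address translation rather than a one-to-one forward."""
    if public_port == local_port:
        return "no port translation"
    return f"port translation: public {public_port} -> local {local_port}"


def query_stun(server: str, server_port: int = 3478, local_port: int = 5060,
               timeout: float = 3.0):
    """Live check (needs network, not used by the offline sample): bind the
    real SIP port so the mapping reflects how SIP traffic itself is translated."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", local_port))
        sock.sendto(build_binding_request(txid), (server, server_port))
        data, _ = sock.recvfrom(2048)
    ip, port = parse_mapped_address(data, txid)
    return ip, port, translation_verdict(local_port, port)


if __name__ == "__main__":
    # Offline sample: a constructed response that maps local 5060 to a high port.
    sample_txid = os.urandom(12)
    sample = build_binding_response(sample_txid, "91.183.197.109", 64385)
    ip, port = parse_mapped_address(sample, sample_txid)
    print(ip, port, translation_verdict(5060, port))
```

A "no port translation" verdict from this test is exactly what a one-to-one static NAT such as the `nat (inside,outside) source static` line in the config above produces; a dynamic PAT rule (the `dynamic interface` entry) gives the translated verdict, and a timeout with no response at all is the "port mapping is closed" case, where either the inbound rule or the NAT entry for that port is missing.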
 
Hi

Currently I also get firewall test failure but not with that error. Because I have SIP inspect on, the firewall test is likely to fail.

You say that you have the access and NAT rules in place, but they sound like they are outgoing only. You need to have a rule to translate the address back from the outside address to the inside - note that on the ASA, software version 8.3 and above allows you to specify that a NAT rule is both ways; otherwise you will need a separate rule translating inbound packets.

For the access rules you need a rule saying traffic arriving at the inside interface going to (either anywhere or your provider's SIP address) is allowed, and if your SIP inspect is off, you need to allow the ports back in from the outside interface.

Not sure if I am wasting our time saying that!

Millsey
 
Hi,

So I should leave the SIP inspect enabled as it was?

And just make sure traffic from Weepee to my 3CX server is open?

You don't happen to have the correct command-line codes with you now, do you?
 
Sorry I don't, I am at home.

I allowed all IP traffic arriving on the outside interface from our SIP provider's IP range in, to the outside address of our 3CX. I also allowed all IP traffic arriving on the inside interface from the 3CX, to the SIP provider's IP range. Then I had a NAT rule to translate BOTH WAYS between the 3CX internal and outside IP addresses. I have the SIP inspect turned on because our particular provider does not like that 3CX writes its SIP "VIA" header with the INTERNAL address. The SIP inspect will rewrite all the internal addresses in the SIP packet to be the external address, which gets it working for that particular provider. There was quite some discussion about sending the internal IP in the VIA header.

Good luck,
Millsey
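What "inspect sip" does to the VIA header, as described in the post above, and what the provider sees when it is off, can be shown on a sample message. The Python below is an added example, not from Millsey or from Cisco's implementation: it rewrites the Via, Contact and SDP c=/o= lines of an INVITE from a private address to the public one and corrects Content-Length, and it separately scans a message for private addresses, which is the check to run on a capture when a provider answers 403 Forbidden. The INVITE, the addresses 192.168.10.5 and 203.0.113.10 and the domain sip.provider.example are constructed; the ASA rewrites more than these fields in some cases, so this is a simplified model of the ALG.

```python
"""Model of what a SIP ALG ('inspect sip') does to an outbound INVITE, plus a
detector for private addresses that leak when the ALG is off.
Added example, not part of the forum thread; message and addresses are constructed."""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Headers an ALG rewrites (long and compact names). From/To are left alone:
# they are identities, not routing addresses.
ALG_HEADERS = {"via", "v", "contact", "m"}
SDP_LINES = ("c=", "o=")  # connection and origin addresses in the SDP body


def is_private(text: str) -> bool:
    """True for RFC 1918 space only (ipaddress.is_private is broader)."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def private_addresses(sip_msg: str) -> set:
    """Every RFC 1918 address anywhere in the message. One of these in a
    message that leaves toward the provider is the symptom behind the
    403 Forbidden described in the thread."""
    return {m.group(1) for m in IPV4_RE.finditer(sip_msg) if is_private(m.group(1))}


def _swap_private(line: str, public_ip: str) -> str:
    return IPV4_RE.sub(lambda m: public_ip if is_private(m.group(1)) else m.group(0), line)


def alg_rewrite(sip_msg: str, public_ip: str) -> str:
    """Rewrite Via, Contact and SDP c=/o= from private to public_ip and
    recompute Content-Length (the body length changes when the address
    strings differ in length). IPv4 and one public address only."""
    head, sep, body = sip_msg.partition("\r\n\r\n")
    new_body = "\r\n".join(
        _swap_private(line, public_ip) if line.startswith(SDP_LINES) else line
        for line in body.split("\r\n"))
    new_head = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ALG_HEADERS:
            line = _swap_private(line, public_ip)
        elif name in ("content-length", "l"):
            line = f"Content-Length: {len(new_body.encode())}"
        new_head.append(line)
    return "\r\n".join(new_head) + sep + new_body


def content_length_ok(sip_msg: str) -> bool:
    """Cross-check the header against the actual body length."""
    head, _, body = sip_msg.partition("\r\n\r\n")
    m = re.search(r"^(?:Content-Length|l):\s*(\d+)\s*$", head, re.M | re.I)
    return bool(m) and int(m.group(1)) == len(body.encode())


# Constructed INVITE as a PBX on 192.168.10.5 would send it with no ALG in the path.
_SDP = "\r\n".join([
    "v=0",
    "o=3cx 53655765 2353687637 IN IP4 192.168.10.5",
    "s=-",
    "c=IN IP4 192.168.10.5",
    "t=0 0",
    "m=audio 9000 RTP/AVP 8 0",
    "",
])
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:441234567890@sip.provider.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.10.5:5060;branch=z9hG4bK-7f3a9c",
    "Max-Forwards: 70",
    'From: "3CX" <sip:100@sip.provider.example>;tag=1928301774',
    "To: <sip:441234567890@sip.provider.example>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:100@192.168.10.5:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(_SDP.encode())}",
    "",
    _SDP,
])

if __name__ == "__main__":
    print("leaked private addresses:", private_addresses(SAMPLE_INVITE))
    print(alg_rewrite(SAMPLE_INVITE, "203.0.113.10"))
```

Running private_addresses() over the SIP messages in a capture taken on the outside interface answers the question the thread circles around: with the ALG off, the provider receives 192.168.10.5 in Via, Contact and the SDP and either rejects the call or sends its RTP to an unroutable address; with it on, the same scan of the outbound copy comes back empty.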
 
You may want to disable SIP ALG. NAT translation is no good in the world of VoIP.
 
Cisco routers and Cisco ASA are probably the only devices implementing SIP ALG correctly.

3CX generally recommends switching off SIP ALG functionality, which I also recommend for most NAT devices, simply because they are not doing it correctly (there is a Cisco CLI command to disable SIP ALG; if you want to do this, check the Cisco manual).

The case with ASA 5505 or 8xx or other routers is different, you may rely on Cisco's SIP ALG for correctly handling NAT for SIP/SDP packets. Normally you should configure in 3CX server a static public IP and disable STUN. Firewall checker should pass (at least we have several installations where this is working) and one interesting installation with 2 WAN and 1 LAN interfaces of ASA 5505 (reverse usage of ASA Ethernet ports). This setup is especially valuable for configurations, where you have providers insisting on their IP addresses for SIP/SDP packets, and the 3CX server and IP phones reside in local network (note there are providers where you can't use standard NAT, as it is not manipulating the SIP/SDP packets, in such cases you either need second LAN interface or correctly implemented SIP ALG).

Regards
 
millsey said:
....
I have the SIP inspect turned on because our particular provider does not like that 3CX writes its SIP "VIA" header with the INTERNAL address.
....

Could you please specify the name of VoIP provider?

Thanks
 
Hi

The provider is Node4 in the UK. If we dial out without SIP inspect, we get forbidden on the phones. The log in 3CX says the same.

Node4 do not require us to use their IP addresses, but they do require us to state the static IP address we will use. They also send RTP packets from a different address than their SIP gateway, but that is fine as long as we know to allow data from their other IP address.

We have been running ok for 12 months but recently have had stuttering audio which appears to be a fault upstream from them.

I would prefer to run without SIP Inspect as per the advice. But it does not work at all without it, because they don't like the local address in the Via header.
 
In my opinion you simply have to turn off STUN in 3CX, specify your static public IP in the network settings, and use your internal address in the SIP/SDP setting for the provider. This is the correct setting for using SIP ALG.

Otherwise you need to disable the SIP ALG in ASA.

In all cases you still need to have ports forwarded to internal address of the 3CX.
 
I'd do both: disable SIP ALG and the STUN server. We mainly use Cisco SA5xxx and RVXXX series routers; by default we always do both as a rule of thumb.
 
Hi,

We have configured many Cisco ASAs and PIXes to work successfully with VoIP systems, but they can be tricky. Firstly, we would like to clarify what your actual problem is. There are numerous discussions here about the firewall checker etc., but we need to know what problems you are having with your 5505 specifically, for example one-way audio? No SIP registration to the ITSP? Remote SIP phone registration problems? When replying, could you let us know if you are using a public IP address and whether you are running any VPNs into your ASA, particularly if you are hairpinning out again.

If you could share this information with us we will try to help you further.
 