Brian797

@sbcglobal.net

[Config] Cisco ACL help for VOIP

I am starting to work from home and my company has given me an IP phone that connects back to them via H.323. I had opened ports on my firewall on the return path for H.323 and the ports they have open on their ASA. The phone connects and I can dial, people hear me but I can't hear them. I have recently changed my ACL to allow the source IP to be the public IP of the phone system but that did not help either. Are there any ports or ideas to get this working?

I have a Cisco 3725 router.

HELLFIRE
Premium
join:2009-11-25
kudos:20
Any possibility of getting the configs on both the 3745 and the ASA for review?

Without knowing the configs and further troubleshooting, one-way audio generally
indicates a routing issue. Check for asymmetric routing between you and your
company from both ends.

Regards


Brian797

@sbcglobal.net
Here you go, the 3725. The phone works fine when it's plugged directly into the DSL modem, which makes me think the ACL is doing something, or it can't open its random UDP port for traffic.

I removed the passwords and such, could CME be the cause of the issues?


Building configuration...

Current configuration : 33492 bytes
!
! Last configuration change at 23:27:52 CDT Wed Jun 22 2011 by brian
! NVRAM config last updated at 23:31:53 CDT Wed Jun 22 2011 by brian
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HNGATEWAY
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
no logging console
enable secret 5
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.1.60 auth-port 1645 acct-port 1646
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-1 local
aaa authentication login sdm_vpn_xauth_ml_3 group radius
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 group radius local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
no network-clock-participate slot 1
!
crypto pki trustpoint HNSGateway
enrollment terminal
serial-number none
fqdn

ip-address FastEthernet0/1
password 7
subject-name O=HawkNET Solutions, OU=VPN Services, CN=HawkNET Solutions, C=US, ST=MO
revocation-check crl
rsakeypair TP-self-signed-688604220
!
crypto pki trustpoint TP-self-signed-688604220
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-688604220
revocation-check none
rsakeypair TP-self-signed-688604220
!
!
crypto pki certificate chain HNSGateway
crypto pki certificate chain TP-self-signed-688604220

no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool MainPool
import all
network 192.168.1.0 255.255.255.0
domain-name HAWKNET.LOCAL
default-router 192.168.1.1
netbios-name-server 192.168.1.60
dns-server 192.168.1.60 208.67.220.220
option 150 ip 192.168.1.1
!
ip dhcp pool KevinPool
host 192.168.1.102 255.255.255.0
client-identifier 0100.045a.5a71.af
client-name beowulf
!
ip dhcp pool MAINPOOL
option 150 ip 192.168.1.1
!
ip dhcp pool XboxLive
host 192.168.1.52 255.255.255.0
client-identifier 0100.2248.9570.6d
client-name xbox360
dns-server 192.168.1.60 4.4.2.2
default-router 192.168.1.1
!
ip dhcp pool KyleXbox
host 192.168.1.50 255.255.255.0
client-identifier 0100.1dd8.3170.3b
client-name kylex
dns-server 192.168.1.60 4.4.2.2
default-router 192.168.1.1
!
ip dhcp pool phone
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.1.1
!
ip dhcp pool SlingBox
host 192.168.1.237 255.255.255.0
client-identifier 0100.13b6.0352.20
client-name SlingBox
!
ip dhcp pool Vlan2
import all
network 10.0.0.0 255.255.255.0
domain-name PHONE.LOCAL
dns-server 192.168.1.60
default-router 192.168.1.1
netbios-name-server 192.168.1.60
!
ip dhcp pool IPPHONE
host 192.168.1.201 255.255.255.0
hardware-address 0040.5a18.7b4d
!
!
no ip bootp server
ip domain name hawknetsolutions.net
ip name-server 192.168.1.60
ip inspect name SDM_LOW appfw SDM_LOW
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ipv6 unicast-routing
!
appfw policy-name SDM_LOW
application http
port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
!
!
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
sip
registrar server expires max 36000 min 600
!
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
!
!
!
!
!
!
!
!
!
!
!
voice register global
mode cme
source-address 192.168.1.1 port 5060
max-dn 5
max-pool 5
timezone 8
hold-alert
tftp-path flash:
create profile sync 0292232405075586
!
voice register dn 1
number 104
call-forward b2bua noan 105 timeout 25
name Analog Phones
no-reg
label Analog Phones - 104
!
voice register dn 2
number 66
no-reg
!
voice register pool 1
id mac 0016.B65E.A65D
number 1 dn 1
dtmf-relay rtp-nte sip-notify
voice-class codec 1
username 104 password 104
!
!
voice translation-rule 1
rule 1 /^.*/ /17772339930/
!
voice translation-rule 2
rule 1 /17772339930/ /100/
!
voice translation-rule 3
rule 1 /^777(.*)/ /\1/
rule 2 /\(..........\)/ /1\1/
!
voice translation-rule 4
rule 1 /91+/ /1/
!
voice translation-rule 7
rule 1 /^.*/ /17772339930/
!
!
voice translation-profile Callcentric_in
translate calling 3
translate called 2
!
voice translation-profile Callcentric_out
translate calling 1
!
voice translation-profile LD
translate calling 7
translate called 4
!
!
!
application
service load alarm.tcl
!
service camp-on flash:/IVR/alarm.tcl
paramspace english index 1
paramspace english language en
paramspace english location flash:/IVR/
!
!
!
!
username brian privilege 15 secret 5
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
!
crypto isakmp client configuration group HNS_VPN
key
wins 192.168.1.60
pool SDM_POOL_2
acl 107
max-users 20
banner ^CBy logging in to this connection you agree to the conditions of this connection. And have authorization to be connected here.
If you have any questions about the policies disconnect and contact the helpdesk.
To change your password visit: »192.168.1.60/changepw ^C
crypto isakmp profile sdm-ike-profile-1
match identity group HNS_VPN
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
hidekeys
!
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
!
!
policy-map sdmappfwp2p_SDM_LOW
class sdm_p2p_edonkey
drop
class sdm_p2p_gnutella
drop
class sdm_p2p_kazaa
drop
!
!
translation-rule 2
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Secured Inside Zone$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FastEthernet 0/0$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
ipv6 enable
no mop enabled
!
interface FastEthernet0/1
description Internet Zone$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id FastEthernet0/1 hostname HNGTWY
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
ipv6 enable
no mop enabled
!
interface FastEthernet1/0
description $ETH-WAN$
ip address 10.0.0.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
shutdown
duplex auto
speed auto
ipv6 enable
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/1
no ip redirects
no ip unreachables
no ip proxy-arp
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 192.168.1.200 192.168.1.225
ip local pool SDM_POOL_2 10.10.10.1 10.10.10.25
ip forward-protocol nd
!
ip flow-cache timeout active 1
ip flow-export version 5
ip flow-export destination 192.168.1.60 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip http path flash:
ip nat translation timeout 60
ip nat inside source static tcp 192.168.1.237 5001 interface FastEthernet0/1 5001
ip nat inside source static tcp 192.168.1.66 8443 interface FastEthernet0/1 8443
ip nat inside source static tcp 192.168.1.60 23050 interface FastEthernet0/1 23050
ip nat inside source static tcp 192.168.1.66 25 interface FastEthernet0/1 25
ip nat inside source static udp 192.168.1.50 3074 interface FastEthernet0/1 3074
ip nat inside source static udp 192.168.1.50 88 interface FastEthernet0/1 88
ip nat inside source static tcp 192.168.1.60 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.60 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.201 1720 interface FastEthernet0/1 1720
ip nat inside source static tcp 192.168.1.201 1718 interface FastEthernet0/1 1718
ip nat inside source static tcp 192.168.1.201 1719 interface FastEthernet0/1 1719
ip nat inside source static udp 192.168.1.201 5588 interface FastEthernet0/1 5588
ip nat inside source static udp 192.168.1.201 2048 interface FastEthernet0/1 2048
ip nat inside source static udp 192.168.1.201 60353 interface FastEthernet0/1 60353
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
ip radius source-interface FastEthernet0/0
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.1.60 eq 1645 host 192.168.1.1
access-list 100 permit udp host 192.168.1.60 eq 1646 host 192.168.1.1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) 129.6.15.25
access-list 101 permit udp host 129.6.15.25 eq ntp any eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 99.150.184.201
access-list 101 permit udp host 99.150.184.201 eq ntp any eq ntp
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip any host 192.168.1.1
access-list 103 remark wii
access-list 103 permit tcp host 192.168.1.51 any
access-list 103 remark wii
access-list 103 permit udp host 192.168.1.51 any
access-list 103 permit udp host 192.168.1.60 eq 1645 any
access-list 103 permit udp host 192.168.1.60 eq 1646 any
access-list 103 permit udp host 192.168.1.60 eq 1645 host 192.168.1.1
access-list 103 permit udp host 192.168.1.60 eq 1646 host 192.168.1.1
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 remark Auto generated by SDM for NTP (123) 1.pool.ntp.org
access-list 104 permit udp host 208.53.158.34 eq ntp any eq ntp
access-list 104 remark Auto generated by SDM for NTP (123) 0.pool.ntp.org
access-list 104 permit udp host 128.113.28.67 eq ntp any eq ntp
access-list 104 remark Phone
access-list 104 permit tcp any host 192.168.1.201
access-list 104 remark Phone
access-list 104 permit udp any host 192.168.1.201
access-list 104 remark Phone
access-list 104 permit tcp any any eq 1720
access-list 104 permit tcp any any eq 1731
access-list 104 permit tcp any any eq 1719
access-list 104 permit tcp any any eq 1718
access-list 104 permit udp any any eq 60353
access-list 104 permit udp any any eq 2048
access-list 104 permit udp any any eq 5588
access-list 104 permit tcp host 66.119.11.181 any
access-list 104 permit udp host 66.119.11.181 any
access-list 104 permit tcp any host 173.30.96.134 eq 443
access-list 104 permit tcp any host 173.30.96.134 eq 1025
access-list 104 permit udp any any eq 23050
access-list 104 remark kev az
access-list 104 permit tcp any any eq 11105
access-list 104 remark VPN
access-list 104 permit gre any any
access-list 104 permit udp any any eq 62446
access-list 104 permit tcp any any eq 62446
access-list 104 remark PPP
access-list 104 permit tcp any any eq 1723
access-list 104 permit tcp any any eq 1025
access-list 104 remark DNS
access-list 104 permit tcp any eq domain any
access-list 104 permit ip host 10.10.10.1 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.2 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.3 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.4 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.5 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.6 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.7 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.8 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.9 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.10 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.11 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.12 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.13 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.14 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.15 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.16 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.17 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.18 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.19 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.20 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.21 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.22 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.23 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.24 192.168.1.0 0.0.0.255
access-list 104 permit ip host 10.10.10.25 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.201 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.202 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.203 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.204 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.205 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.206 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.207 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.208 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.209 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.210 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.211 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.212 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.213 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.214 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.215 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.216 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.217 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.218 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.219 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.220 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.221 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.222 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.223 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.224 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.225 192.168.1.0 0.0.0.255
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq isakmp
access-list 104 permit esp any any
access-list 104 permit ahp any any
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 remark wii
access-list 104 permit tcp any any eq 29920
access-list 104 remark wii
access-list 104 permit tcp any any eq 29901
access-list 104 remark Wii
access-list 104 permit tcp any any eq 28910
access-list 104 remark Wii
access-list 104 permit tcp any any eq 29900
access-list 104 remark Xbox Live
access-list 104 permit udp any any eq 88
access-list 104 remark Xbox Live
access-list 104 permit udp any any eq 3074
access-list 104 remark Xbox Live
access-list 104 permit tcp any any eq 3074
access-list 104 remark sling
access-list 104 permit tcp any any eq 5001
access-list 104 remark HNDC60 - Web 80
access-list 104 permit tcp any any eq www
access-list 104 remark HNDC60 - Web 443
access-list 104 permit tcp any any eq 443
access-list 104 remark HNDC60 - Email 25
access-list 104 permit tcp any any eq smtp
access-list 104 remark SIP Trunk
access-list 104 permit tcp any eq 5060 any
access-list 104 remark SIP Trunk
access-list 104 permit udp any eq 5060 any
access-list 104 remark SIP Trunk
access-list 104 permit tcp any eq 5070 any
access-list 104 remark SIP Trunk
access-list 104 permit udp any eq 5070 any
access-list 104 remark SIP Trunk
access-list 104 permit tcp any eq 5080 any
access-list 104 remark SIP Trunk
access-list 104 permit udp any eq 5080 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any log
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=2
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.1
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.2
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.3
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.4
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.5
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.6
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.7
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.8
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.9
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.10
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.11
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.12
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.13
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.14
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.15
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.16
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.17
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.18
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.19
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.20
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.21
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.22
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.23
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.24
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.25
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.200
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.201
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.202
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.203
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.204
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.205
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.206
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.207
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.208
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.209
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.210
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.211
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.212
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.213
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.214
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.215
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.216
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.217
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.218
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.219
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.220
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.221
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.222
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.223
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.224
access-list 106 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.225
access-list 106 permit ip 192.168.1.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=4
access-list 107 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community public1 RO
snmp-server community hawknet1 RW
snmp-server ifindex persist
snmp-server location Server Rack 1 Row 5
snmp-server contact Brian Hawkins
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 106
!
!
!
tftp-server flash:/CCME/Analog1.raw alias Analog1.raw
tftp-server flash:/CCME/Analog2.raw alias Analog2.raw
tftp-server flash:/CCME/AreYouThere.raw alias AreYouThere.raw
tftp-server flash:/CCME/Bass.raw alias Bass.raw
tftp-server flash:/CCME/CallBack.raw alias CallBack.raw
tftp-server flash:/CCME/Chime.raw alias Chime.raw
tftp-server flash:/CCME/Classic1.raw alias Classic1.raw
tftp-server flash:/CCME/Classic2.raw alias Classic2.raw
tftp-server flash:/CCME/ClockShop.raw alias ClockShop.raw
tftp-server flash:/CCME/DistinctiveRingList.xml alias DistinctiveRingList.xml
tftp-server flash:/CCME/Drums1.raw alias Drums1.raw
tftp-server flash:/CCME/Drums2.raw alias Drums2.raw
tftp-server flash:/CCME/FilmScore.raw alias FilmScore.raw
tftp-server flash:/CCME/HarpSynth.raw alias HarpSynth.raw
tftp-server flash:/CCME/Jamaica.raw alias Jamaica.raw
tftp-server flash:/CCME/KotoEffect.raw alias KotoEffect.raw
tftp-server flash:/CCME/MusicBox.raw alias MusicBox.raw
tftp-server flash:/CCME/Piano1.raw alias Piano1.raw
tftp-server flash:/CCME/Piano2.raw alias Piano2.raw
tftp-server flash:/CCME/Pop.raw alias Pop.raw
tftp-server flash:/CCME/Pulse1.raw alias Pulse1.raw
tftp-server flash:/CCME/Ring1.raw alias Ring1.raw
tftp-server flash:/CCME/Ring2.raw alias Ring2.raw
tftp-server flash:/CCME/Ring3.raw alias Ring3.raw
tftp-server flash:/CCME/Ring4.raw alias Ring4.raw
tftp-server flash:/CCME/Ring5.raw alias Ring5.raw
tftp-server flash:/CCME/Ring6.raw alias Ring6.raw
tftp-server flash:/CCME/Ring7.raw alias Ring7.raw
tftp-server flash:/CCME/RingList.xml alias RingList.xml
tftp-server flash:/CCME/Sax1.raw alias Sax1.raw
tftp-server flash:/CCME/Sax2.raw alias Sax2.raw
tftp-server flash:/CCME/Vibe.raw alias Vibe.raw
tftp-server flash:phone_image/apps70.8-2-2ES1.sbn alias apps70.8-2-2ES1.sbn
tftp-server flash:phone_image/cnu70.8-2-2ES1.sbn alias cnu70.8-2-2ES1.sbn
tftp-server flash:phone_image/cvm70sccp.8-2-2ES1.sbn alias cvm70sccp.8-2-2ES1.sbn
tftp-server flash:phone_image/dsp70.8-2-2ES1.sbn alias dsp70.8-2-2ES1.sbn
tftp-server flash:phone_image/jar70sccp.8-2-2ES1.sbn alias jar70sccp.8-2-2ES1.sbn
tftp-server flash:phone_image/SCCP70.8-2-2SR1S.loads alias SCCP70.8-2-2SR1S.loads
tftp-server flash:phone_image/term70.default.loads alias term70.default.loads
tftp-server flash:phone_image/term71.default.loads alias term71.default.loads
tftp-server flash:/CCME/CTU24Int.raw alias CTU24Int.raw
tftp-server flash:/CCME/CTU24Ext.raw alias CTU24Ext.raw
tftp-server flash:/CCME/CTU.raw alias CTU.raw
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x212x12/TN-hnslogo.png
tftp-server flash:Desktops/320x212x12/hnslogo.png
radius-server host 192.168.1.60 auth-port 1645 acct-port 1646 key 7
!
control-plane
!
!
!
!
!
!
!
dial-peer voice 66 voip
description Alarm script
service camp-on
destination-pattern 199
session protocol sipv2
session target ipv4:192.168.1.1
incoming called-number 199
dtmf-relay rtp-nte
codec g711ulaw
no vad
!
dial-peer voice 1 voip
description "Outgoing calls to voip"
translation-profile outgoing Callcentric_out
destination-pattern 1777.......
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
codec g711ulaw
clid network-number 17772339930
no vad
!
dial-peer voice 100 voip
description "Incoming Callcentric"
translation-profile incoming Callcentric_in
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
incoming called-number 17772339930
dtmf-relay rtp-nte
no vad
!
dial-peer voice 911 voip
!
dial-peer voice 200 voip
description "Callcentic NXX Out"
translation-profile outgoing LD
destination-pattern 91[2-9]..[2-9]......
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
no vad
!
!
sip-ua
credentials username password realm callcentric.com
authentication username password 7 realm callcentric.com
no remote-party-id
retry options 2
mwi-server dns:callcentric.com expires 1800 port 5060 transport udp unsolicited
registrar dns:callcentric.com expires 1800
sip-server dns:callcentric.com
!
!
!
telephony-service
video
maximum bit-rate 512
load 7921 CP7921G-1.0.1
load 7971 SCCP70.8-2-2SR1S
load 7970 SCCP70.8-2-2SR1S
max-ephones 10
max-dn 100
ip source-address 192.168.1.1 port 2000
auto assign 1 to 5
service phone backlightIdleTimeout 00:05
service phone displayOnWhenIncomingCall 1
service phone daysBacklightNotActive 1,7
service phone backlightOnTime 09:00
service phone backlightOnDuration 03:00
service phone displayOnDuration 00:05
service phone daysDisplayNotActive 1,7
service phone displayOnTime 09:00
service phone displayIdleTimeout 00:05
service phone videoCapability 1
service phone thumbButton1 PTTH
timeouts interdigit 120
timeouts busy 30
system message HawkNET Solutions
url information »192.168.1.60:82/dialer.aspx
url services »192.168.1.60:82/dialer.aspx
cnf-file perphone
time-zone 8
max-conferences 8 gain -6
moh flash:CCME/music-on-hold.au
web admin system name brian password 9685bph
dn-webedit
time-webedit
transfer-system full-consult
log password 1234
xmltest
create cnf-files version-stamp 7960 Apr 10 2011 17:46:23
!
!
ephone-dn 2
number 101
label Brian Wireless
name Brian Wireless
!
ephone 1
device-security-mode none
video
mac-address 001B.D52D.0DB4
after-hour exempt
username "100" password 1234
paging-dn 99
type 7971
button 1:6 2m2
!
!
!
ephone 2
device-security-mode none
mac-address 001D.A231.ADF2
paging-dn 99
type 7921
button 1:2 2:6
!
!
banner login ^CAuthorized Access Only! If you do not belong here disconnect NOW!!!
This Router and Network is Property of HawkNET Solutions.
For Service Contact support@hawknetsolutions.net before contacting CISCO.
^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 4000 1000
ntp clock-period 17180569
ntp server 208.53.158.34 source FastEthernet0/1
ntp server 128.113.28.67 source FastEthernet0/1 prefer
!
!
end


ladino

join:2001-02-24
USA
kudos:1
reply to Brian797
Can we assume that even without ACL 103 and/or 104 you still have the same problem?

Since you have 1-way audio we know the issue is from the ASA towards your phone. Based on the type of phone you have, it 'may' show phone stats showing incoming and outgoing packets. If it does, you should see fewer incoming packets since you cannot hear the remote party: no incoming RTP stream.


Brian797

@sbcglobal.net
said by ladino:

Can we assume that even without ACL 103 and/or 104 you still have the same problem?

Since you have 1-way audio we know the issue is from the ASA towards your phone. Based on the type of phone you have, it 'may' show phone stats showing incoming and outgoing packets. If it does, you should see fewer incoming packets since you cannot hear the remote party: no incoming RTP stream.

Yes, even with the ACL and the inspect turned off it does not work.
I can see the translation of the phone:


HNGATEWAY#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
udp 99.122.80.xx:88 192.168.1.50:88 --- ---
udp 99.122.80.xx:3074 192.168.1.50:3074 --- ---
tcp 99.122.80.xx:80 192.168.1.60:80 --- ---
tcp 99.122.80.xx:443 192.168.1.60:443 --- ---
tcp 99.122.80.xx:23050 192.168.1.60:23050 --- ---
tcp 99.122.80.xx:25 192.168.1.66:25 --- ---
tcp 99.122.80.xx:8443 192.168.1.66:8443 --- ---
udp 99.122.80.xx:1026 192.168.1.201:5588 66.119.11x.xx:5588 66.119.11x.xx:5588
udp 99.122.80.xx:8002 192.168.1.201:8002 66.119.11x.xx:2048 66.119.11x.xx:2048


With the IT guy we watched the ASA and saw that for my phone and the other IP phone that another employee has, the only logs in the firewall trace were on ports 8002 and 8003 UDP, as well as 5588.

I opened them in my ACL and no luck. I have seen online that H.225 and Cisco NAT are not friends, and I have used the command "no ip nat service h225".

The phone system is a Vodavi XTS-IP.


Brian797

@66.119.11.x
Another thing that the Net Admin saw was that either my phone or my router was pinging the public IP. He drops pings at the ASA so there is less of a chance of a DDoS on any public addresses. The other phone did not ping it. Are there any commands I can use to see if some RTP packet is being dropped by the ACLs?

HELLFIRE
Premium
join:2009-11-25
kudos:20
reply to Brian797
If you think it's an ACL issue, do a show ip access list to check.

If I have this right, FA0/0 is where the phone is connected, right? So the ACLs applied are


Should be able to do it on ACL 103 and 104 and see if any counters are incrementing. I'd
also do a 'show ip inspect' and see if the RTP stream is hitting the router or not.

Regards
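As an added example (not from the thread or from the router itself), here is a small first-match simulator for IOS numbered extended ACLs, fed an excerpt of ACL 104 from the posted config and a few constructed return packets, to show which entry a returning RTP stream would hit, the way the 'show ip access-lists' counters would on the router. It assumes IOS evaluates the inbound ACL on FastEthernet0/1 before NAT un-translates the destination, so the packet still carries the public address at that point; 99.122.80.10 stands in for the masked 99.122.80.xx public IP and 66.119.110.5 is a constructed PBX address.

```python
"""First-match simulator for IOS numbered extended ACLs (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names IOS prints in place of numbers in 'show run'.
PORT_NAMES = {"ntp": 123, "domain": 53, "www": 80, "smtp": 25, "bootps": 67,
              "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500}


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: bool
    text: str
    hits: int = 0          # mirrors the "(N matches)" counter of 'show ip access-lists'


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_and_port(tokens: List[str], i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD' and an optional 'eq PORT' that follows it."""
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:
        # The wildcard masks in this config are contiguous, so they parse as hostmasks.
        net, i = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        i += 2
    return net, port, i


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' lines; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, sport, i = _addr_and_port(tok, 4)
        dst, dport, i = _addr_and_port(tok, i)
        # Trailing tokens (icmp types, 'log') are only checked for the 'log' keyword.
        entries.append(Entry(tok[2], tok[3], src, sport, dst, dport, "log" in tok[i:], line.strip()))
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[Entry]]:
    """First matching entry wins and takes the hit; no match is the implicit deny."""
    for e in acl:
        if _matches(e, p):
            e.hits += 1
            return e.action, e
    return "deny", None


# Excerpt of ACL 104 from the posted config, in its original order (unrelated lines omitted).
ACL_104_EXCERPT = """
access-list 104 remark Phone
access-list 104 permit tcp any host 192.168.1.201
access-list 104 permit udp any host 192.168.1.201
access-list 104 permit tcp any any eq 1720
access-list 104 permit udp any any eq 2048
access-list 104 permit udp any any eq 5588
access-list 104 permit tcp host 66.119.11.181 any
access-list 104 permit udp host 66.119.11.181 any
access-list 104 remark SIP Trunk
access-list 104 permit udp any eq 5060 any
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip any any log
"""

# Constructed packets: 99.122.80.10 stands in for the masked public address 99.122.80.xx,
# 66.119.110.5 is a constructed PBX address that is NOT the 66.119.11.181 host the ACL names.
# Ports are taken from the posted 'sh ip nat tr' output (RTP 2048 -> 8002, 5588 -> PAT port 1026).
RETURN_RTP_FROM_LISTED_HOST = Packet("udp", "66.119.11.181", 2048, "99.122.80.10", 8002)
RETURN_RTP_FROM_OTHER_HOST = Packet("udp", "66.119.110.5", 2048, "99.122.80.10", 8002)
# 'eq 5588' in the ACL is a destination-port test, so a reply *from* 5588 to PAT port 1026 misses it.
RETURN_5588_TO_PAT_PORT = Packet("udp", "66.119.110.5", 5588, "99.122.80.10", 1026)


def run_demo() -> dict:
    """Return (action, matched entry text, logged?) for each constructed packet."""
    acl = parse_acl(ACL_104_EXCERPT)
    results = {}
    for name, pkt in [("rtp_listed_host", RETURN_RTP_FROM_LISTED_HOST),
                      ("rtp_other_host", RETURN_RTP_FROM_OTHER_HOST),
                      ("reply_to_pat_port", RETURN_5588_TO_PAT_PORT)]:
        action, entry = evaluate(acl, pkt)
        results[name] = (action, entry.text if entry else "implicit deny", bool(entry and entry.log))
    return results


if __name__ == "__main__":
    for name, (action, text, logged) in run_demo().items():
        print(f"{name:18} {action:6} <- {text}{'  (logged)' if logged else ''}")
```

Hits on the final "deny ip any any log" entry are reported at severity 6 (informational), and the posted config has "no logging console" with "logging buffered 51200 warnings", so on this router they would show in neither place; the per-entry counters from 'show ip access-lists' do not depend on logging.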


Brian797

@sbcglobal.net
Yeah, I am seeing a half-open session when I attempt to communicate back. I am not seeing any ACLs blocking anything since nothing is logging to console.

Session 6719FD90 (192.168.1.201:8002)=>(66.119.11x.xxx:2048) udp SIS_OPENING

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to Brian797
I've seen the same thing when NAT is getting "confused"... one side sends a private address and the other sends a public address. In Asterisk, I had to make it ignore NAT -- use the damned address you were given. A few debugs should show if that's the case.

I didn't see anything in your configuration to indicate H.323 inspection. That will most likely be required.

HELLFIRE
Premium
join:2009-11-25
kudos:20
reply to Brian797
Time to check on the ASA side -- if you have access to it or not -- and see what it's seeing,
not that I'm ready to point fingers at anyone / thing yet. Nice thing about the ASA is it
does have an inbuilt packet capture tool to see what's going on.

said by Brian797:

Session 6719FD90 (192.168.1.201:8002)=>(66.119.11x.xxx:2048) udp SIS_OPENING

Question: is this you initiating the VoIP traffic to the ASA, or the ASA initiating to you?

Regards


Brian797

@sbcglobal.net
It was me calling the office voicemail system. We noticed a ton of pings from my IP; they are blocking them. Could that be causing the issue of the phone not opening the port? He was willing to let my IP ping the phone system if it needed it.

HELLFIRE
Premium
join:2009-11-25
kudos:20
reply to Brian797
Ping only proves layer 3 connectivity, nothing else. The fact that the ASA drops ICMP by
default doesn't tell you much at this point. If you can work with the ASA guy on this
live, I'd make the call and see if he sees your traffic from your PUB IP coming into the
ASA on UDP port 2048 or not.

Regards