Hello,
I'm wondering is there any way to get this working over NAT on asa 5525-x (asa941-smp-k8.bin)?
Inspect UDP SIP is on, I see it trying to reach ISP server and it even does successfully, ISP sends the reply (200 OK) back and it never gets there. No matter what I do, I get 408 in monitoring. If I turn inspect off, situation changes vice versa: I see my trunks are UP, ISP says he gets 408. Show sip on asa gives a bunch of:
call-id [email protected]
CSeq: OPTIONS
From: sip:172.16.63.207;0677691546696435_local.146780781 3015_8945_8944
To: sip:10.155.1.219;SDtf7u099-ytisyszs
state Call init, timeout 0:03:00 idle 0:01:30
Transaction State Timeout Idle
Cseq 2 OPTIONS Transaction Proceeding0:03:00 0:01:30
I tried static NATing, dynamic PAT, one-to-one - same result. I can't configure it without NAT cause ISP is accepting SIP traffic only from a /30 address he gave me, so I have to NAT source to this address to reach their gateway, I can't straight put this inside my network for obvious reasons.
I've read a lot and it seems the problem is SIP incapsulating reg interface IP inside user data in the protocol and ASA has problem analising the payload dynamically in certain cases, seems I've got that one case
(
I've also tried to use adaptations to rewrite sip:172.16.63.207 to .206, I was told that could help, but no success, can't get those adaptation to work properly. I'm reading ahead this now, but wondering if there is a better way of accomplishing this.
I understand SBC will solve my problem but the goal now is to present a working environment WITHOUT SBC, there are reasons for this...
If anyone can direct me to how solve this without SBC, SIP proxiing, asterisk's-in-the-middle etc. - that would be totally GREAT.
Thank You very much in advance.
I'm wondering is there any way to get this working over NAT on asa 5525-x (asa941-smp-k8.bin)?
Inspect UDP SIP is on, I see it trying to reach ISP server and it even does successfully, ISP sends the reply (200 OK) back and it never gets there. No matter what I do, I get 408 in monitoring. If I turn inspect off, situation changes vice versa: I see my trunks are UP, ISP says he gets 408. Show sip on asa gives a bunch of:
call-id [email protected]
CSeq: OPTIONS
From: sip:172.16.63.207;0677691546696435_local.146780781 3015_8945_8944
To: sip:10.155.1.219;SDtf7u099-ytisyszs
state Call init, timeout 0:03:00 idle 0:01:30
Transaction State Timeout Idle
Cseq 2 OPTIONS Transaction Proceeding0:03:00 0:01:30
I tried static NATing, dynamic PAT, one-to-one - same result. I can't configure it without NAT cause ISP is accepting SIP traffic only from a /30 address he gave me, so I have to NAT source to this address to reach their gateway, I can't straight put this inside my network for obvious reasons.
I've read a lot and it seems the problem is SIP incapsulating reg interface IP inside user data in the protocol and ASA has problem analising the payload dynamically in certain cases, seems I've got that one case
(I've also tried to use adaptations to rewrite sip:172.16.63.207 to .206, I was told that could help, but no success, can't get those adaptation to work properly. I'm reading ahead this now, but wondering if there is a better way of accomplishing this.
I understand SBC will solve my problem but the goal now is to present a working environment WITHOUT SBC, there are reasons for this...
If anyone can direct me to how solve this without SBC, SIP proxiing, asterisk's-in-the-middle etc. - that would be totally GREAT.
Thank You very much in advance.
Comment