SIP Station with Cisco ASA firewall


(United States) #1

Greetings,
I am trying to determine requirements to configure our Cisco ASA for success with our future PBXAct60 (192.168.115.30) and SIP Station trunking. The Sangoma Wiki and other docs are all over the place concerning support access, SIP/RTP access, and SIP Station access. I would appreciate a sanity review of my current understanding of the internal/external network paths below. (All of our auto provisioning nodes are on our internal network).

Any constructive comments and references to authoritative documents welcomed.

Best Regards,
Bob Confino - Volunteer Tech Team - New Life Bible Fellowship Church

?Sangoma Support access requirements?

*Port forward traffic (NAT) from Sangoma support to the VoIP PBX

Remote console access (ssh) for Sangoma Support
object network on-PBXAct-tcp-22
host 192.168.115.30
nat (inside2,outside) static interface service tcp 22 22

Remote OpenVPN access for Sangoma Support
object network on-PBXAct-udp-1194
host 192.168.115.30
nat (inside2,outside) static interface service udp 1194 1194

Remote OpenVPN access for Sangoma Support
object network on-PBXAct-tcp-1194
host 192.168.115.30
nat (inside2,outside) static interface service tcp 1194 1194

?Sangoma SIP traffic requirements?

*Port forward traffic (NAT) from the telephony ISP to the VoIP PBX

SIP traffic from Sangoma SIP Station Service (Telephony ISP) (SIP Trunking)
object network on-PBXAct-udp-5060
host 192.168.115.30
nat (inside2,outside) static interface service udp 5060 5060

SIP traffic from Sangoma SIP Station Service (Telephony ISP) (SIP Trunking)
object network on-PBXAct-udp-5061
host 192.168.115.30
nat (inside2,outside) static interface service udp 5061 5061

*ACLs for support traffic and SIP Station traffic
<Note: must remove ‘any’ from ACEs with ITSP IP address>
access-list outside_in permit tcp any host 192.168.115.30 eq 22 (enable/disable as needed)
access-list outside_in permit tcp any host 192.168.115.30 eq 1194 (enable/disable as needed)
access-list outside_in permit udp any host 192.168.115.30 eq 1194 (enable/disable as needed)
<Note: must remove ‘any’ from ACEs with ITSP IP address>
access-list outside_in permit udp any host 192.168.115.30 eq 5060
access-list outside_in permit udp any host 192.168.115.30 eq 5061

?Sangoma RTP traffic requirements?

**Port forward range of ports for RTP traffic from telephony ISP to the VoIP PBX

object network on-PBXAct60
host 192.168.115.30

object service os-udp-RTP-Ports-Range
service udp destination range 10000 11000

nat (inside2,outside) static interface service os-udp-RTP-Ports-Range os-udp-RTP-Ports-Range

**ACLs for RTP traffic
access-list outside_in extended permit udp any host 192.168.115.30 range 10000 11000
<must remove ‘any’ from above ACL with ITSP IP address>

Sangoma Node List
trunk1.freepbx.com 192.159.66.3
trunk2.freepbx.com 162.253.134.142
trunktrial1.freepbx.com 162.253.134.135
trunktrial2.freepbx.com 192.159.66.4
push2.schmoozecom.com 199.102.239.11
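As an added illustration (not part of Bob's post or of Sangoma's documentation) of the "remove 'any'" notes above, here is the same ASA configuration with the SIP and RTP ACEs restricted to the Sangoma node list quoted in the post. Assumptions: interface names inside2/outside and the PBX address 192.168.115.30 are taken from the post; the object-group name og-sangoma-nodes is my own; the RTP range uses the 10000-20000 span recommended later in the thread.

```cisco
! Added example, not from the original post: ACEs with the 'any' source
! replaced by the Sangoma node list; og-sangoma-nodes is an assumed name.
object network on-PBXAct60
 host 192.168.115.30

object service os-udp-RTP-Ports-Range
 service udp destination range 10000 20000

object-group network og-sangoma-nodes
 description Sangoma SIP Station nodes (trunk1/trunk2/trunktrial1/trunktrial2/push2)
 network-object host 192.159.66.3
 network-object host 162.253.134.142
 network-object host 162.253.134.135
 network-object host 192.159.66.4
 network-object host 199.102.239.11

! Static PAT on the outside interface address (one NAT statement per object)
object network on-PBXAct-udp-5060
 host 192.168.115.30
 nat (inside2,outside) static interface service udp 5060 5060
object network on-PBXAct-udp-5061
 host 192.168.115.30
 nat (inside2,outside) static interface service udp 5061 5061
object network on-PBXAct-RTP
 host 192.168.115.30
 nat (inside2,outside) static interface service os-udp-RTP-Ports-Range os-udp-RTP-Ports-Range

! Before (as posted): any Internet host may reach the PBX SIP/RTP ports
!   access-list outside_in extended permit udp any host 192.168.115.30 eq 5060
! After: only the Sangoma nodes may send SIP signalling and RTP media
! (post-8.3 ASA ACLs reference the real, untranslated address)
access-list outside_in extended permit udp object-group og-sangoma-nodes host 192.168.115.30 eq 5060
access-list outside_in extended permit udp object-group og-sangoma-nodes host 192.168.115.30 eq 5061
access-list outside_in extended permit udp object-group og-sangoma-nodes host 192.168.115.30 range 10000 20000

! Support ACEs keep 'any' because no Sangoma support source addresses are
! given in the thread; they are created inactive and enabled only for a session
access-list outside_in extended permit tcp any host 192.168.115.30 eq 22 inactive
access-list outside_in extended permit tcp any host 192.168.115.30 eq 1194 inactive
access-list outside_in extended permit udp any host 192.168.115.30 eq 1194 inactive

access-group outside_in in interface outside
```

The hostnames in the node list resolve to addresses that an ITSP may change, so the object-group should be re-checked against DNS whenever trunk registration starts failing.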


(Dave Burgess) #2

Increasing the range on this enhances security, since it makes the port range harder to guess and connect to. The standard range is 10000-20000 and I’d recommend sticking with that in all of your connection strings.


(United States) #3

Dave, Thanks for looking this over. I will increase the RTP port range to 10000-20000.
Do I have the Sangoma remote support access requirements correct at ssh (tcp22) and OpenVPN (1194,tcp,udp)?

Thanks again,
Bob Confino


(Dave Burgess) #4

I wouldn’t build any of these into my config, but I would print them out and stick them on the wall by my control console. You almost never need those ports - honestly, we do more support within the community than any of our corporate overlords’ minions… :)

