
Panasonic UDP ports:

A) 1719 and 1720.

B) 5004 through 5006.

C) 5060.

D) 5061.

E) 8000 through 8034.

F) 16384 through 16482.

1.) Log into the Cisco ASDM.

2.) First, we need to ensure a NAT policy exists that maps a public IP to the internal IP of the
VoIP system / server. Click on Configuration at the top, then click on Firewall down on the
bottom menu. Once in the firewall section, highlight NAT Rules.

3.) Click on the Add option on the right side to add a new static NAT rule and choose add
new static NAT rule.

4.) Original Interface is inside with a source that is the internal IP of the VoIP System. The
translated Interface is the outside interface. Select the Use IP Address option and specify an
available static public IP from your ISP that you have not used in a NAT policy yet. Then click
Ok. Essentially, this tells the ASA to statically (always) translate traffic that arrives on the
inside interface from the internal IP of the VoIP system and is destined for the outside interface,
so that it leaves with the static public IP you specified. In turn, the ASA will automatically
translate inbound traffic that arrives on the outside interface for that static public IP to the
internal IP you specified on the inside interface.

5.) Now that this has been done, click the Apply button at the bottom.

6.) Now, we need to add port forwarding rules for VoIP traffic. Click on Configuration at the
top again and then click on Firewall down on the bottom menu again. Highlight the Access
Rules option.

7.) Click on the Add option on the right side to add a new access rule and choose add new
access rule.

8.) Choose Interface Outside because this is going to be a rule that applies to outside traffic
traveling to the inside of the network. Action is to permit. Source is anything out on the Internet
(alternatively, you can create a network object or group with specific IP addresses or ranges).
Destination is going to be the public NATed IP address for the phone system. Service is
tcp-udp/sip (sometimes you may have to create separate rules, one for UDP-specific and one for
TCP-specific SIP; the SIP port is 5060 by default).

9.) Repeat step 4 to create any other port forwarding rules you need, based on the ports the
VoIP provider specifies as needing to be open. Once done, external remote users
should be able to configure their VoIP phones to point to the public IP of your phone system and
connect to that phone system to make calls!

10.) Save the running config of the ASA.

BONUS STEPS!

11.) You may notice VoIP traffic isn't fully working in some cases, or sometimes a phone
provider may tell you to disable SIP / ALG options in the firewall, so what the heck does that
mean? Well, they are talking about an ASA's default config to inspect SIP packets via its global
policy map. By default, the ASA will inspect SIP packets and handle them its own way
before NATing the packets to the right place. This can sometimes cause loss of audio, call quality
issues, etc. if a VoIP system is not meant to have SIP inspection turned on in the firewall. To
disable SIP inspection in the ASA, you need to navigate back to Configuration then Firewall
then highlight Policy Rules.

12.) Once in Policy Rules, highlight the default inspection policy by left clicking on it and
then choose the Edit button at the top. This will open a new window. At the top, click on the
Rule Actions tab. Scroll down until you see the SIP option, then UNCHECK the option and
hit Ok, then click the Apply button at the bottom. This essentially sends the following
command to the ASA:

policy-map global_policy
 class inspection_default
  no inspect sip

13.) That's it! Remote VoIP users on the Internet should be able to configure their VoIP phones
to point to the public IP of your phone system and connect to that phone system to make calls!
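
An offline check for the two settings this procedure changes, as an added example that is not part of the original guide: it reads saved ASA configuration text and reports permit rules that open the VoIP ports listed above to any source (step 8), and whether SIP inspection is still enabled (steps 11 and 12). The sample config, its addresses and object names are constructed, and the parser assumes simple rules without source-port qualifiers.

```python
import re

# UDP port ranges listed at the top of this page.
VOIP_PORTS = [(1719, 1720), (5004, 5006), (5060, 5060), (5061, 5061),
              (8000, 8034), (16384, 16482)]
PORT_NAMES = {"sip": 5060, "h323": 1720}  # ports the ASA prints by name

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _take_addr(toks):
    """Consume one address spec: any | host X | object X | net mask."""
    if toks[0] in ("any", "any4"):
        return "any", toks[1:]
    return " ".join(toks[:2]), toks[2:]

def audit(config):
    """Return (any-source VoIP permits, True if SIP inspection is on)."""
    findings, in_pm, in_cls, sip_inspect = [], False, False, False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) extended permit (tcp|udp) (.+)", line)
        if m:
            src, rest = _take_addr(m.group(3).split())
            _dst, rest = _take_addr(rest)
            if rest[:1] == ["eq"]:
                lo = hi = _port(rest[1])
            elif rest[:1] == ["range"]:
                lo, hi = _port(rest[1]), _port(rest[2])
            else:
                lo, hi = 1, 65535  # no port qualifier means all ports
            if src == "any" and any(lo <= b and a <= hi for a, b in VOIP_PORTS):
                findings.append((m.group(1), m.group(2), lo, hi))
        elif not raw.startswith(" "):  # any other top-level line resets context
            in_pm, in_cls = line == "policy-map global_policy", False
        elif in_pm and line.startswith("class "):
            in_cls = line == "class inspection_default"
        elif in_pm and in_cls and line == "inspect sip":
            sip_inspect = True
    return findings, sip_inspect

# Constructed sample config (documentation addresses, hypothetical names).
SAMPLE = """\
access-list outside_access_in extended permit udp any host 203.0.113.10 eq sip
access-list outside_access_in extended permit udp object-group SIP-PEERS host 203.0.113.10 range 16384 16482
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443
policy-map global_policy
 class inspection_default
  inspect sip
"""
```

Each finding is a tuple of ACL name, protocol, and the low and high port of the rule; rules whose source is a host, object or object-group are not reported.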
