Cisco Adaptive Security Appliance Software Version 9.4(4)16

All phone services on the Remote Access VPN are working as expected. When hairpin NAT is enabled for the Remote Access VPN subnet, SIP inspection starts rewriting the addresses embedded in the SIP headers with the firewall's outside interface IP. This causes phone calls for clients on the Remote Access VPN to start failing. Hairpin NAT has two components: enabling outside-to-outside NAT and permitting traffic between two hosts on the same interface (same-security-traffic permit intra-interface). The issue only appears once the NAT rule is enabled.

Assumption: The phone system, and all of its components, are located on the inside of the network and do not require Internet access for any services.

1. Packet capture on the client BEFORE the NAT rule is added.

      Request-URI: sip:d055bbb6-89aa-eb4f-d938-aaaa9ac99bb3@192.168.10.25:50521;transport=tcp

2. Add Object NAT

object network VPN_192.168.10.0
nat (outside,outside) dynamic interface

3. Packet capture on the client AFTER the NAT rule is added.

      Request-URI: sip:d055bbb6-89aa-eb4f-d938-aaaa9ac99bb3@12.12.12.12:50521;transport=tcp

The fix is just to disable SIP inspection, but why this happens only after hairpin NAT is enabled, I can't explain.

policy-map global_policy
class inspection_default
no inspect sip
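To confirm from a capture which SIP headers inspection has rewritten, here is an added Python check (not part of the original post or any Cisco tooling). It scans a SIP request for embedded IPv4 addresses and flags every header whose address is the firewall's outside IP rather than an address in the VPN client subnet; the two sample messages, the 192.168.10.0/24 subnet and the 12.12.12.12 outside address are constructed to match the captures above.

```python
import ipaddress
import re

# Constructed values modelled on the post: the VPN client subnet and the
# firewall's outside interface address (12.12.12.12 is a placeholder).
VPN_SUBNET = ipaddress.ip_network("192.168.10.0/24")
FW_OUTSIDE = ipaddress.ip_address("12.12.12.12")

# Constructed SIP INVITEs: before the hairpin NAT rule the client's own
# address appears in the headers, afterwards the outside interface IP does.
BEFORE = """INVITE sip:d055bbb6-89aa-eb4f-d938-aaaa9ac99bb3@192.168.10.25:50521;transport=tcp SIP/2.0
Via: SIP/2.0/TCP 192.168.10.25:50521;branch=z9hG4bK-example
Contact: <sip:1001@192.168.10.25:50521;transport=tcp>
"""
AFTER = """INVITE sip:d055bbb6-89aa-eb4f-d938-aaaa9ac99bb3@12.12.12.12:50521;transport=tcp SIP/2.0
Via: SIP/2.0/TCP 12.12.12.12:50521;branch=z9hG4bK-example
Contact: <sip:1001@12.12.12.12:50521;transport=tcp>
"""

# IPv4 host part of a SIP URI ("@10.0.0.1:5060") or of a Via sent-by
# field ("SIP/2.0/TCP 10.0.0.1:5060").
ADDR_RE = re.compile(r"(?:@|SIP/2\.0/\w+\s)(\d{1,3}(?:\.\d{1,3}){3})")


def rewritten_headers(msg: str, subnet=VPN_SUBNET, fw_ip=FW_OUTSIDE) -> list:
    """Return the names of headers (the request line is reported as
    'Request-URI') whose embedded address is the firewall's outside IP or
    otherwise lies outside the VPN client subnet, i.e. was rewritten."""
    flagged = []
    for line in msg.splitlines():
        if line.endswith(" SIP/2.0"):       # request line, e.g. INVITE ...
            name = "Request-URI"
        elif ":" in line:                   # ordinary "Header: value" line
            name = line.split(":", 1)[0]
        else:
            continue
        for raw in ADDR_RE.findall(line):
            addr = ipaddress.ip_address(raw)
            if addr == fw_ip or addr not in subnet:
                flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("before NAT rule:", rewritten_headers(BEFORE))   # []
    print("after NAT rule: ", rewritten_headers(AFTER))    # Request-URI, Via, Contact
```

Running the same check over INVITEs pulled from a capture after re-enabling SIP inspection (or after applying a per-class inspection policy instead of the global one) shows whether the rewriting is still happening without waiting for users to report failed calls.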