Weave phones work well with Cisco ASA firewalls. Verify the following settings to confirm that the ASA is configured correctly:

  1. The ASA is not inspecting for SIP, RTSP, IP-options, or DNS
  2. The ASA is receiving an internet routable (public) IP address on its WAN interface
  3. Traffic can flow freely to and from Weave's servers

To configure a Cisco ASA firewall so that Weave traffic flows correctly, log in to the ASA via ssh or telnet and execute the following commands:

    1. Enter: sho conf (this will list the current ASA config)
    2. In the config, look for a section labeled policy-map global-policy
    3. Now look for an indented sub-section entitled class inspection-default, or class global-class
    4. In this subsection, look for lines reading inspect [object] (example: inspect sip). The ASA may be inspecting a few protocols that need to be disabled. To disable these protocols, enter the following into your ASA:
    5. Enter: conf t (to enter configuration terminal mode)
    6. Enter: policy-map global-policy (this line may differ. It should be copied exactly from your configuration)
    7. Enter: class inspection-default (again, this line may differ and should be copied exactly from your configuration)
    8. Enter: no inspect sip
    9. Enter: no inspect rtsp
    10. Enter: no inspect ip-options
    11. Enter: no inspect dns (this line may differ and should be copied from your configuration, for example: no inspect dns preset_dns_map)
    12. Enter: exit (to exit the class config section)
    13. Enter: exit (to exit the policy-map config section)
    14. Enter: no threat-detection basic-threat
    15. Enter: wr mem
    16. Enter: exit (to exit configuration mode)
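
The check in steps 1 to 4 can be run against a saved copy of the sho conf output. The script below is an added example, not part of the original article or a Weave or Cisco tool; the function name `audit` and the sample config are constructed for illustration. It lists the commands from steps 6 to 14 that are still needed, with the policy-map, class and inspect lines copied exactly from the config:

```python
# Added example: audit saved `sho conf` output for the settings this article changes.
TARGETS = ("sip", "rtsp", "ip-options", "dns")  # inspections the article disables

# Constructed sample config, not taken from a real device.
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
  inspect ip-options
!
threat-detection basic-threat
"""

def audit(config):
    """Return the commands still needed, in the order the article enters them."""
    hits = {}              # (policy-map line, class line) -> inspect lines to negate
    policy = cls = None
    threat = False
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():      # a top-level line closes any open block
            policy = cls = None
            # "policy-map type inspect ..." blocks hold parameters, not inspections
            if line.startswith("policy-map ") and not line.startswith("policy-map type "):
                policy = line
            elif line == "threat-detection basic-threat":
                threat = True
        elif policy and line.startswith("class "):
            cls = line
        elif policy and cls and line.startswith("inspect "):
            if line.split()[1] in TARGETS:
                hits.setdefault((policy, cls), []).append(line)
    cmds = []
    for (pol, klass), lines in hits.items():
        # Names and arguments are copied exactly from the config, as the steps require.
        cmds += [pol, klass] + ["no " + l for l in lines] + ["exit", "exit"]
    if threat:
        cmds.append("no threat-detection basic-threat")
    return cmds

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "nothing to change")
```

An empty result means none of the four inspections and no threat-detection basic-threat line were found in the config that was checked.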

In order to ensure that no additional firewalls will be interfering with phone traffic, it is necessary to verify that the ASA firewall is receiving an internet routable (public) IP address on its WAN interface.

In its default configuration, the ASA will allow traffic to flow freely to and from Weave's servers. If outbound traffic on the network is being restricted, you will need to approve Weave's domain and IP blocks in the ASA configuration.
