This guide details the necessary changes for Cisco ASA firewalls.

Weave phones work well with Cisco ASA firewalls. Verify the following settings to confirm that the ASA is configured correctly:

  1. The ASA is NOT inspecting for SIP, RTSP, IP-options, or DNS.
  2. The ASA is receiving an internet routable (public) IP address on its WAN interface.
  3. Traffic can flow freely to and from Weave's servers.

 Follow the guide below to configure the ASA to allow Weave traffic to flow correctly.

  1. Log in to the ASA via SSH or telnet and execute the following commands:
    • Enter: sho conf (this will list the current ASA config)
    • In the config, look for a section labeled "policy-map global-policy"
      • In this section, look for an indented sub-section entitled "class inspection-default," or "class global-class"
        • In this subsection, look for lines reading "inspect [object]" (example: "inspect sip")
          We will need to disable a few protocols that the ASA may be inspecting. To disable these protocols, enter the following into your ASA:
          • Enter: conf t (to enter configuration terminal mode)
          • Enter: policy-map global-policy (this line may differ. It should be copied EXACTLY from your configuration)
          • Enter: class inspection-default (again, this line may differ and should be copied EXACTLY from your configuration)
          • Enter: no inspect sip
          • Enter: no inspect rtsp
          • Enter: no inspect ip-options
          • Enter: no inspect dns (your configuration may differ and should be copied for this line - example: no inspect dns preset_dns_map)
          • Enter: exit (to exit the class config section)
          • Enter: exit (to exit the policy-map config section)
          • Enter: no threat-detection basic-threat
          • Enter: wr mem
          • Enter: exit (to exit configuration mode)
             
  2. In order to ensure that no additional firewalls will be interfering with phone traffic, it is necessary to verify that the ASA firewall is receiving an internet routable (public) IP address on its WAN interface.
  3. In its default configuration, the ASA will allow traffic to flow freely to and from Weave's servers. If outbound traffic on the network is being restricted, you will need to approve Weave's domain and IP blocks in the ASA configuration.
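
Step 1 requires copying the policy-map, class, and inspect lines exactly as they appear in your configuration. The following Python sketch is an added example, not part of the original guide or any Weave or Cisco tooling: it reads saved "sho conf" output and builds the policy-map portion of step 1 from the names actually present. The sample configuration is constructed, and the function names are hypothetical.

```python
# Protocols this guide says the ASA must not inspect.
TARGETS = {"sip", "rtsp", "ip-options", "dns"}

# Constructed sample of "sho conf" output (not from a real device).
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
  inspect rtsp
  inspect sip
  inspect esmtp
!
service-policy global_policy global
"""

def find_inspections(running_config):
    """Map (policy-map line, class line) to the targeted inspect lines, verbatim."""
    found, policy, klass = {}, None, None
    for raw in running_config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # A top-level line ends the previous block. Skip "policy-map type ..."
            # blocks: they define inspection parameters, not what is inspected.
            is_policy = line.startswith("policy-map ") and not line.startswith("policy-map type ")
            policy, klass = (line if is_policy else None), None
        elif policy and line.startswith("class "):
            klass = line
        elif policy and klass and line.startswith("inspect ") and line.split()[1] in TARGETS:
            found.setdefault((policy, klass), []).append(line)
    return found

def disable_commands(running_config):
    """Build the policy-map part of step 1 from the names actually configured."""
    commands = []
    for (policy, klass), inspects in find_inspections(running_config).items():
        commands += [policy, klass] + ["no " + i for i in inspects] + ["exit", "exit"]
    return commands

if __name__ == "__main__":
    print("\n".join(disable_commands(SAMPLE_CONFIG)))
```

Running it again on the configuration saved after the change should return an empty list, which confirms that none of the four inspections remain.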