ASA Version 8.4(4)1
!
hostname ciscoasa
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 103
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan100
nameif outside
security-level 0
ip address dhcp
!
interface Vlan103
nameif inside
security-level 100
ip address 192.xx.xx.xx 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server xx.xx.xx.250
name-server xx.xx.xx.250
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network obj_sip
host 192.xx.xx.200
!
object service objg_sip_tcp2_4050
service tcp source eq 4050
object service objg_sip_tcp2_4054
service tcp source eq 4054
!
object service objg_sip_udp2_4003
service udp source range 4003 4005
object service objg_sip_udp2_5060
service udp source eq sip
object service objg_sip_udp2_9000
service udp source range 9000 19000
!
object-group service objg_sip_tcp tcp
port-object eq 4050
port-object eq 4054
!
object-group service objg_sip_udp udp
port-object range 4003 4005
port-object eq sip
port-object range 9000 19000
!
access-list i-to-o extended permit tcp 192.xx.xx.0 255.255.255.0 any
access-list i-to-o extended permit icmp 192.xx.xx.0 255.255.255.0 any
access-list i-to-o extended permit udp 192.xx.xx.0 255.255.255.0 any
!
access-list o-to-i extended permit tcp any object obj_sip object-group objg_sip_tcp
access-list o-to-i extended permit udp any object obj_sip object-group objg_sip_udp
!
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) source static obj_sip interface service objg_sip_tcp2_4050 objg_sip_tcp2_4050
nat (inside,outside) source static obj_sip interface service objg_sip_tcp2_4054 objg_sip_tcp2_4054
nat (inside,outside) source static obj_sip interface service objg_sip_udp2_4003 objg_sip_udp2_4003
!
object network obj_any
nat (inside,outside) dynamic interface
!
access-group o-to-i in interface outside
access-group i-to-o in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
!
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.xx.xx.xx 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username igor password xxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ec0d658a23cfaa327a78ca2847a57c07
: end

Ошибка: "NAT unable to reserve ports" для этих строк
nat (inside,outside) source static obj_sip interface service objg_sip_udp2_5060 objg_sip_udp2_5060
и
nat (inside,outside) source static obj_sip interface service objg_sip_udp2_9000 objg_sip_udp2_900
Но почему? порты свободны!!!

вообще в версии 8.4 настраивается по другому NAT. А чего вы inspect sip не включили?

inspect sip наоборот убрал, думал он порты резервирует!
но с ним таже беда!