topic Re: asa916 Non-Interface PAT with Port Forwarding Problem in Network Security

asa916 Non-Interface PAT with Port Forwarding Problem

Dean Romanelli — Fri, 21 Feb 2020 14:46:04 GMT

Hi Guys,

I have an ASA 5505, 3 internal PBX servers, and one dedicated available public IP that is NOT the IP of the outside interface.

host 172.16.142.5
host 172.16.142.6
host 172.16.142.7
host 138.xxx.xx.154

I need all of the internal PBX servers to NAT to the public IP shown above (138.xxx.xx.154), be reachable from the outside, and depending on what ports are being used to connect to them from the outside, port forward to one of the three internal PBX servers in the following logic:

If inbound traffic from internet has destination port of 138.xxx.xx.154 @ TCP 35300, 15560 or UDP 15560, port-forward to PBX server 172.16.142.5

If inbound traffic from internet has destination port of 138.xxx.xx.154 @ UDP range 16000-16511, port-forward to PBX server 172.16.142.6

If inbound traffic from internet has destination port of 138.xxx.xx.154 @ UDP range 16512-17023, port-forward to PBX server 172.16.142.7

I have configured this the way I see it working, but it is not. My config is attached. What am I doing wrong?

Re: asa916 Non-Interface PAT with Port Forwarding Problem

Flavio Miranda — Thu, 16 Nov 2017 23:20:24 GMT

Hi @Dean Romanelli

Do you have sip inspection on your firewall?

Did you applied those ACL to a interface?

Does your ISP has the network 139.x.x.x.x on theirs routing table?

-If I helped you somehow, please, rate it as useful.-

Re: asa916 Non-Interface PAT with Port Forwarding Problem

Dean Romanelli — Fri, 17 Nov 2017 16:19:02 GMT

Hi Flavio,

Thanks for replying. I do not have SIP inspection configured as it has caused problems for us in the past. Below are the inspections I have configured presently:

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect pptp
inspect icmp error
inspect icmp
inspect ipsec-pass-thru
inspect tftp
policy-map type inspect ftp FTP-strict
parameters
mask-banner
mask-syst-reply
!
service-policy global_policy global

The ACL's are applied in the following:

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ

The public IP address that I need to NAT those 3 PBX servers to is just an available address on my ISP's /29 that they gave me, so there is automatically a route because the outside interface of my ASA has another IP on that same subnet.

Are the NAT statements correct?

Re: asa916 Non-Interface PAT with Port Forwarding Problem

Flavio Miranda — Sat, 18 Nov 2017 01:24:49 GMT

NAT looks ok in terms of syntax. However, your approach looks not good. I'd recommend you to take a look in Opensips, which is a SIP load balancing.

Voice and NAT historically is very complicate and try to avoid it is always the best solution. If impossible, at least try to make it simple.

Hope that helps.

-If I helped you somehow, please, rate it as useful.-