topic The mistake that stands out in Network Security

NAT Port Forwarding with multiple public IP Addresses

Amjad Shakeel — Tue, 12 Mar 2019 08:54:14 GMT

I am new to the Cisco ASA. We have a Cisco ASA 5510 and I am trying to open some NAT ports for a phone system server. I cannot figure out where I am going wrong.

I have a phone server whose inside IP Address is 10.2.50.170. The public IP Address on the external Interface given to me from my ISP is 185.67.116.17/28. I have been given a block of 16 addresses from my ISP.

I wish to do the following:

Open ports udp/5060 and udp/9000-9500 to port forward to the phone server. I want the phone server to only be accessible using public IP Address 185.67.116.18 which is one of the addresses given to me by my ISP from the block of 16.

I have added following CLI commands but cannot get the port forwarding to work:

object network Outside_to_Inside_Phone_System

host 10.2.50.170
nat (inside,outside) static 185.67.116.18 service udp 5060 5060
access-list inbound extended permit tcp any host 10.2.50.70 eq 5060
access-group inbound in interface outside

object service Phone_RTP_Ports
service udp destination range 9000 9500
exit
nat (inside,outside) source static any any destination static interface Outside_to_Inside_Phone_System service Phone_RTP_Range Phone_RTP_Range
access-list inbound extended permit udp any object Outside_to_Inside_Phone_System range 9000 9500
access-group Phone_TO_INSIDE in interface External

Any help would be really appreciated.

Kind Regards

Amjad

The mistake that stands out

Marius Gunnerud — Wed, 08 Feb 2017 19:36:16 GMT

The mistake that stands out is the ACL for port UDP 5060.

nat (inside,outside) static 185.67.116.18 service udp 5060 5060
access-list inbound extended permit tcp any host 10.2.50.70 eq 5060

in the NAT you are matching UDP while in the ACL you are matching TCP

Please remember to select a correct answer and rate helpful posts

TO add to that, the second

Ajay Saini — Wed, 08 Feb 2017 19:48:36 GMT

TO add to that, the second NAT seems to be incorrect as well(IMO):

nat (inside,outside) source static any any destination static interface Outside_to_Inside_Phone_System service Phone_RTP_Range Phone_RTP_Range

This needs to be like below (order matters):

nat (outside,inside) source static any any destination static interface Outside_to_Inside_Phone_System service Phone_RTP_Range Phone_RTP_Range

also, the interface name is confusing. Is 'outside' the interface name or is it 'external' because access-list is applied on interface named External . Just correct that access-list, apply on correct interface and it should work.

If you still face issues, please post output of NAT and access-list.

Sorry I have re added re

Amjad Shakeel — Wed, 08 Feb 2017 20:52:08 GMT

Sorry I have re added re added the commands but still not working:

object network Outside_to_Inside_Phone_System

host 10.2.50.170
nat (inside,outside) static 185.67.116.18 service udp 5060 5060
access-list inbound extended permit udp any host 10.2.50.70 eq 5060
access-group inbound in interface outside

object service Phone_RTP_Ports
service udp destination range 9000 9500
exit
nat (inside,outside) source static any any destination static interface Outside_to_Inside_Phone_System service Phone_RTP_Ports Phone_RTP_Ports
access-list inbound extended permit udp any object Outside_to_Inside_Phone_System range 9000 9500
access-group inbound in interface outside

Not sure where I am going wrong.

Thanks for the help so far.

you have not corrected the

Ajay Saini — Wed, 08 Feb 2017 20:55:30 GMT

you have not corrected the NAT statement as I suggested. It needs to be outside,inside) because of the way you have defined the other parameters.

Can you please change it and see if that helps. If not, please attach packet-tracer outputs and also syslogs when attempting the traffic.

This is the statement you

Marius Gunnerud — Wed, 08 Feb 2017 21:31:27 GMT

This is the statement you should change to the following NAT statement if you decide to keep the parameters the way they are.

nat (outside,inside) source static any any destination static interface Outside_to_Inside_Phone_System service Phone_RTP_Ports Phone_RTP_Ports

Personally I prefer to try to keep all my NAT statements source from the inside to outside, as follows:

nat (inside,outside) source static Outside_to_Inside_Phone_System interface destination static any any service Phone_RTP_Ports Phone_RTP_Ports

Please remember to select a correct answer and rate helpful posts

Thanks I managed to get the

Amjad Shakeel — Thu, 09 Feb 2017 19:15:38 GMT

Thanks I managed to get the single port forwarding working with the following:

object network Outside_to_Inside_Phone_System

host 10.2.50.170
nat (inside,outside) static 185.67.116.18 service udp 5060 5060
access-list inbound extended permit udp any host 10.2.50.170 eq 5060
access-group inbound in interface outside

For the range of ports I have done the following, but it does not seem to work:

object network Phone_SERVER
host 10.2.50.70
exit

object network Phone_outsideIP
185.67.116.21
exit

object service Phone_RTP_Range
service udp destination range 9000 9500

nat (outside,inside) source static any any destination static Phone_outsideIP Phone_SERVER service Phone_RTP_Range Phone_RTP_Range

access-list inbound extended permit udp any object Phone_SERVER range 9000 9500

Any help appreciated.