topic Hi, Notice that the in Network Security

Cisco ASA, skipping real source port number with PAT.

EvaldasOu — Tue, 12 Mar 2019 04:29:36 GMT

Hi Experts,

Cisco ASA configuration guide says:

"PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. "

Is it possible to skip this ? I do not want to use real source port number. The issue is, when I have a PAT entry with real source port (port 5060), - SIP session doesn't work. With all the other ports numbers,- everything works.

It seems you are using

turbo_engine26 — Sun, 20 Jul 2014 23:21:45 GMT

It seems you are using dynamic PAT for SIP. Consider using static PAT instead.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cups/8_0/english/integration_notes/Federation/Federation/ASAConfig_chapter.html

Thanks for your response

EvaldasOu — Sun, 27 Jul 2014 09:55:58 GMT

Thanks for your response.

Sorry, but are you referring to configure 100 PAT rules for 100 VoIP phones?

Is there are command to specify port range for PAT without using native 5060 port?

Hi,Can you try like the below

nkarthikeyan — Sun, 27 Jul 2014 13:19:52 GMT

Hi,

Can you try like the below for your scenario?

object network test
subnet 10.0.0.0 255.255.255.0
object service testing
service tcp source range 1100 1200

nat (in,out) source dynamic test interface service testing testing

Regards

Karthik

Hi, I tried this:object

EvaldasOu — Sun, 27 Jul 2014 13:45:22 GMT

Hi,

I tried this:

object service SIP_TEST
service udp source eq sip destination range 6000 65535

nat (VoIP,outside) source dynamic VoIP interface service SIP_TEST SIP_TEST

but it looks like it doesn't work at all...

Hi, Notice that the

Jouni Forss — Mon, 28 Jul 2014 07:18:05 GMT

Hi,

Notice that the configuration you try does not modify the real source port at all.

Since you are using the same "object" for the real/mapped service then the configuration above matches traffic where the connections destination is "any" and the destination is "udp 6000 65535" and only when the source is "udp sip" and in that event it keeps the exact same "udp sip" source port as you are using the same "object".

I am not sure if its a software or configuration related issue but I have not gotten this to work reliably on my ASA. I might have to try some other software level.

I guess you would want to match the SIP source port in the Dynamic PAT and avoid using the SIP port as the mapped port?. With that in mind I was thinking something like this

object service UDP-SIP
service udp source eq sip

object service UDP-SIP-MAPPED
service udp source range 30000 31000

nat (VoiP,outside) source dynamic <source network object> interface service UDP-SIP UDP-SIP-MAPPED

Though it seems the above configuration seems to be bypassed by the ASA completely and it seems to use the identical source port as the mapped port even though it matches the configuration.

If I were to change the above configuration from "dynamic" to "static" then the configuration matches but it uses only the first mapped "source" port of "30000". I guess it would only use a different mapped port if you used multiple real source ports also instead of the current single source port "sip".

nat (VoiP,outside) source static <source network object> interface service UDP-SIP UDP-SIP-MAPPED unidirectional

Example from my own ASA.

DYNAMIC

- Matches the configuration but doesnt map the port at all

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic LAN-NETWORK interface service SIP SIP-MAPPED
Additional Information:
Dynamic translate 10.0.0.123/5060 to <my pat ip>/5060

STATIC

- Matches the configuration and maps the source port but only uses the first mapped port from the range

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static LAN-NETWORK interface service SIP SIP-MAPPED unidirectional
Additional Information:
Static translate 10.0.0.123/5060 to <my pat ip>/30000

I am not really sure if this configuration is reliable at all but its the only thing I can think of at the moment.

Hope this helps 🙂

- Jouni

Thanks for your help Jouni

EvaldasOu — Mon, 28 Jul 2014 12:24:16 GMT

Thanks for your help Jouni!

Yes, you are correct about the problem. To be more clear the situation looks like this.Phones uses SIP, xlate output:

ASA1# sh xlate | i VoIP
UDP PAT from VoIP:10.0.20.1/5060 to outside:10.10.10.40/36197 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.2/5060 to outside:10.10.10.40/28564 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.3/5060 to outside:10.10.10.40/15617 flags ri idle 20:25:11 timeout 0:00:30

The problem happens with a phone, which gets this translation:

ASA1# sh xlate | i 40/5060
UDP PAT from VoIP:10.0.20.10/5060 to outside:10.10.10.40/5060 flags ri idle 20:25:11 timeout 0:00:30

This phone can't do anything, but nothing is blocked here. I'm not sure why the problem exists, so thought it's possible to skip this translation.

Everything is okay with other apps, real source port PAT mapping works well...

I'm running ASA5512X with ASA 9.2(1) software.

Thanks a lot for your time!