topic ASA 5505 Port forwarding UDP ranges to multiple internal IP addr in Network Security

ASA 5505 Port forwarding UDP ranges to multiple internal IP addresses

AaronCase3 — Tue, 12 Mar 2019 03:39:47 GMT

I'm setting up a 5505 to connect our phone system to SIP trunking. The phone system is the only thing that will be behind the 5505, however there are multiple IP's associated with the phone system and I need to port forward based on specific port ranges. The following is what I want/need to accomplish.

outside udp traffic on UDP5060-5061 and UPD 16384-17383 needs to be delivered to internal IP 192.168.1.26

outside udp traffic on UDP 17384-17639 needs to be delivered to internal IP 192.168.1.28

outside udp traffic on UDP 17640-17895 needs to be delivered to internal IP 192.168.1.27

Other than this i want traffic blocked except what is initiated internally.

I have created object groups for the host objects and for the port ranges. and set nat rules . am I missing anything?

Here is my running config

Any help/confirmation/critical analysis appreciated.

: Saved
:
ASA Version 8.4(6) 
!
hostname wavefc
domain-name center
enable password 8EBQPyIGHYB9jy6X encrypted
passwd 8EBQPyIGHYB9jy6X encrypted
names
name 192.168.1.28 MRMA description Wave MRMA IP
name 192.168.1.27 MRMB description Wave MRMB IP
name 192.168.1.26 vam description WAVE VAM IP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.30 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.174.110.110 255.255.255.0 
!
boot system disk0:/asa846-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name center
object network vam
 host 192.168.1.26
 description Created during name migration
object network MRMB_1
 host 192.168.1.27
 description Created during name migration
object network MRMA_1
 host 192.168.1.28
 description MRMB
object service VAM1
 service udp source range sip 5061 destination range sip 5061 
 description VAM Ports
object service VAM2
 service udp source range 16384 17383 destination range 16384 17383 
 description VAM SIP PORTS
object service MRMA
 service udp source range 17384 17639 destination range 17384 17639 
 description MRM A PORTS
object service MRMB
 service udp source range 17640 17895 destination range 17640 17895 
 description MRM B PORTS
object network Dynamic_NAT
 subnet 192.168.1.0 255.255.255.0
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.28
object network MRMBIP
 host 192.168.1.27
object service vamIP1
 service udp source range 16384 17383 
object service SIP
 service udp source range sip 5061 
object service mrmaUDP
 service udp source range 17384 17639 
object service mrmbUDP
 service udp source range 17640 17895 
object service vam5060
 service udp source range sip 5061 
object-group service VAM_PORTS
 service-object object VAM1 
 service-object object VAM2 
access-list outside_access_in extended permit object-group VAM_PORTS interface outside interface inside 
access-list outside_access_in extended permit object MRMA interface outside interface inside 
access-list outside_access_in extended permit object MRMB interface outside 192.168.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static vamIP interface service vamIP1 vamIP1
nat (inside,outside) source static MRMA_1 interface service mrmaUDP mrmaUDP
nat (inside,outside) source static MRMB_1 interface service mrmbUDP mrmbUDP
nat (inside,outside) source static vamIP interface service vam5060 vam5060
access-group outside_access_in in interface outside
route inside 0.0.0.0 255.255.255.255 108.174.110.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.99-192.168.1.100 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username wave password 7dzE8CxoLKj5NbvA encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:c8602fd7e5eca94f54c4ae20296b28bc
: end
asdm image disk0:/asdm-715-100.bin
no asdm history enable

Re: ASA 5505 Port forwarding UDP ranges to multiple internal IP

Jouni Forss — Mon, 03 Feb 2014 22:49:31 GMT

Hi,

The NAT configurations seem fine for the Static PAT (Port Forward) configurations. Notice though that you will probably want to configure Dynamic PAT for any internal host even if you only had the single host behind ASA

You can accomplish that with the following command for example

nat (inside,outside) after-auto source dynamic any interface

Also the ACL seems to be a bit off.

First thing you should confirm is that are the connections truly coming from the same source ports as their destination port will be? If not then I would suggest only using the "destination" port in the "object service". This is since usually the source port of the connection can be random and only the destination port is usually some known port or range of ports.

Also, since we are talking about the new ASA software and its NAT/ACL configuration you wont be allowing the traffic towards the "outside" interface public IP address. You always allow the traffic to the real IP address of the NATed host.

So it would seem to me that you would have to have these configurations for the ACL portion (part of it simply modified from the above configuration)

object service VAM1

service udp destination range sip 5061

description VAM Ports

object service VAM2

service udp destination range 16384 17383

description VAM SIP PORTS

object service MRMA

service udp destination range 17384 17639

description MRM A PORTS

object service MRMB

service udp destination range 17640 17895

description MRM B PORTS

object-group service VAM_PORTS

service-object object VAM1

service-object object VAM2

object network vamIP

host 192.168.1.26

object network MRMAIP

host 192.168.1.28

object network MRMBIP

host 192.168.1.27

access-list outside_access_in remark Allow ports for Phone System

access-list outside_access_in permit object-group VAM_PORTS any object vamIP

access-list outside_access_in permit object MRMA any object MRMAIP

access-list outside_access_in permit object MRMB any object MRMBIP

You can naturally limit the connections from certain source networks/IPs if you want/can.

Let me know how it works out.

Hope this helps

- Jouni

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

AaronCase3 — Tue, 04 Feb 2014 03:02:48 GMT

Thanks for the input. I'm a n00b with cisco. It all makes sense in my head but putting it into practicefor the first few times is always an experience. I'll be putting this live tomorrow, I'll let you know how it goes.

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

AaronCase3 — Tue, 04 Feb 2014 16:32:49 GMT

OK, I made the changes you suggested. I'll attach my running config. I'm not able to get to the internet from the phone system (its basically a server2003 box) I can ping from the asa successfully, but not from the phone system. I am resolving DNS.

: Saved
:
ASA Version 8.4(6) 
!
hostname wavefc
domain-name center
enable password 8EBQPyIGHYB9jy6X encrypted
passwd 8EBQPyIGHYB9jy6X encrypted
names
name 192.168.1.28 MRMA description Wave MRMA IP
name 192.168.1.27 MRMB description Wave MRMB IP
name 192.168.1.26 vam description WAVE VAM IP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.30 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.174.110.110 255.255.255.0 
!
boot system disk0:/asa846-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name center
object network vam
 host 192.168.1.26
 description Created during name migration
object network MRMB_1
 host 192.168.1.27
 description Created during name migration
object network MRMA_1
 host 192.168.1.28
 description MRMB
object service VAM1
 service udp destination range sip 5061 
 description VAM ports
object service VAM2
 service udp destination range 16384 17383 
 description VAM SIP PORTS
object service MRMA
 service udp destination range 17640 17895 
 description MRM A PORTS
object service MRMB
 service udp destination range 17640 17895 
 description MRM B PORTS
object network Dynamic_NAT
 subnet 192.168.1.0 255.255.255.0
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.27
object network MRMBIP
 host 192.168.1.27
object service vamIP1
 service udp source range 16384 17383 
object service SIP
 service udp source range sip 5061 
object service mrmaUDP
 service udp source range 17384 17639 
object service mrmbUDP
 service udp source range 17640 17895 
object service vam5060
 service udp source range sip 5061 
object-group service VAM_PORTS
 service-object object VAM1 
 service-object object VAM2 
access-list outside_access_in remark Allow ports for phone system
access-list outside_access_in extended permit object-group VAM_PORTS any object vamIP 
access-list outside_access_in extended permit object MRMA any object MRMAIP 
access-list outside_access_in extended permit object MRMB any object MRMBIP 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static vamIP interface service vamIP1 vamIP1
nat (inside,outside) source static MRMA_1 interface service mrmaUDP mrmaUDP
nat (inside,outside) source static MRMB_1 interface service mrmbUDP mrmbUDP
nat (inside,outside) source static vamIP interface service vam5060 vam5060
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 108.174.110.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.99-192.168.1.100 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username wave password 7dzE8CxoLKj5NbvA encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:f1c2682304b634248f80c2cbccf90928
: end
asdm image disk0:/asdm-715-100.bin
no asdm history enable

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

Jouni Forss — Tue, 04 Feb 2014 16:38:12 GMT

Hi,

Do you mean that you cannot ICMP/PING to the Internet from the server?

I can't see any problem with the ASA configurations for normal TCP/UDP connectivity towards Internet but for ICMP to work you must add these.

policy-map global_policy
 class inspection_default

inspect icmp

inspect icmp error

Let me know if that helps

- Jouni

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

AaronCase3 — Tue, 04 Feb 2014 16:55:05 GMT

i've put in a static route for the gateway. . . but when I run the sh route command it doesn't show up there?

wavefc(config)# route outside 0.0.0.0 0.0.0.0 108.174.110.1 1
wavefc(config)# sh rou

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.1.0 255.255.255.0 is directly connected, inside
wavefc(config)#

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

AaronCase3 — Tue, 04 Feb 2014 16:56:40 GMT

correct, I can't ping, but I also can't browse to websites, and my SIP trunk isn't connecting. I'll add in the policy map command and test it.

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

Jouni Forss — Tue, 04 Feb 2014 16:57:33 GMT

Hi,

That would usually indicate that the interface itself is down.

Have you confirmed that the ASA port Ethernet0/0 is connected to the external network?

- Jouni

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

AaronCase3 — Tue, 04 Feb 2014 17:20:34 GMT

e0/0 is physically connected to the external network

I am replacing a sonic wall with this ASA5505

I am moving the cable from the sonic wall wan port to the e0/0 interface on the ASA5505

I am moving the cable from the sonic wall lan0/1 port to the e0/1 interface on the ASA5505

on the sonicwall the settings are

lan IP 192.168.1.30

wan IP 108.174.110.110

gateway 108.174.110.1

the sonic wall is functional.

so on the cisco I set vlan2 to 108.174.110.110 and set e0/0 switchport access vlan 2

and I set vlan 1 ip to 192.168.1.30

and route 0.0.0.0 0.0.0.0 108.174.110.1 1 for the default route/gateway

I can ping my vlan2 ip but I can't ping the gateway IP from the cisco

am I missing the part that lets vlan 1 talk with vlan 2?

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

Jouni Forss — Tue, 04 Feb 2014 17:27:28 GMT

Hi,

The configuration itself seems good to me except that the ACL is not attached to the external interface yet

access-group outside_access_in in interface outside

Also, when you look at the routing table of the ASA with the command

show route

You should see both the "outside" interface network there and you should also see the default route.

Can you share the output of the following when the ASA is connected to the network.

show interface Ethernet0/0

show route

show arp

show run interface Vlan2

Notice also that when you are switching 2 different devices with the same public IP address (but different MAC address) your ISP gateway might not always update and therefore traffic might not work. This should not prevent the routes from showing on the ASA but would rather mean that traffic wouldnt flow unless the ISP gateway updated with the new MAC address. You also have the option to configure the SonicWall external interface MAC address on the ASA Vlan2 interface if ARP is part of the problem.

- Jouni

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

AaronCase3 — Tue, 04 Feb 2014 17:33:41 GMT

wavefc(config)# sh int e0/0

Interface Ethernet0/0 "", is up, line protocol is up

Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Input flow control is unsupported, output flow control is unsupported

Available but not configured via nameif

MAC address 885a.922c.59fc, MTU not set

IP address unassigned

4858 packets input, 1031732 bytes, 0 no buffer

Received 694 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

3972 switch ingress policy drops

26 packets output, 3014 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 rate limit drops

0 switch egress policy drops

0 input reset drops, 0 output reset drops

wavefc(config)#

wavefc(config)# sh rou

Gateway of last resort is 108.174.110.1 to network 0.0.0.0

C    108.174.110.0 255.255.255.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 108.174.110.1, outside
wavefc(config)#

wavefc(config)# sh arp

inside 192.168.1.108 842b.2ba9.7e36 0

inside 192.168.1.23 0021.9b8f.75de 3

inside vam 0060.e055.cd70 206

inside 192.168.1.11 009c.021f.0eac 2782

outside 108.174.110.1 0000.5e00.010a 5171

wavefc(config)#

wavefc(config)# sh run int vlan 2

interface Vlan2

nameif outside

security-level 0

ip address 108.174.110.110 255.255.255.0

wavefc(config)#

Thanks for all the assistance. Here is the info you wanted. I'll get with the ISP about the MAC Address. I was just thinking about that. how would I go about adding in the sonicwall MAC to vlan2?

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

Jouni Forss — Tue, 04 Feb 2014 17:38:25 GMT

Hi,

If you can check the SonicWall external interface MAC address then you can configure that MAC address to the ASA Vlan2 interface by using these commands

wavefc(config)# interface Vlan2

wavefc(config-if)# mac-address aaaa.bbbb.cccc

Where the aaaa.bbbb.cccc is naturally the MAC address from the SonicWall

- Jouni

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

AaronCase3 — Tue, 04 Feb 2014 17:41:49 GMT

the sonicwall mac comes in a xx:xx:xx:xx:xx:xx format, I've tried entering it in straight but it won't take it. how do I convert?

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

Jouni Forss — Tue, 04 Feb 2014 17:43:30 GMT

Hi,

You just write it in part of 4 like I mentioned.

xxxx.xxxx.xxxx

- Jouni

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

AaronCase3 — Tue, 04 Feb 2014 17:54:38 GMT

Great. I can now ping (from the ASA) to external internet IP's, as well as the default route IP. But I'm still unable to get to the internet from the host. I've applied the ACL aforementioned.

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

Jouni Forss — Tue, 04 Feb 2014 17:58:47 GMT

Hi,

So I imagine that you are trying from a host thats network settings are staticly configured and NOT DHCP?

If you have staticly configured the setting please confirm the IP address/network mask/gateway/DNS server so that they are correct.

If you are testing from a DHCP host then please add some DNS servers to your DHCP configuration on the ASA

dhcpd dns 8.8.8.8

For example or the DNS servers provided by your ISP

- Jouni

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

Jouni Forss — Tue, 04 Feb 2014 18:00:52 GMT

Hi,

Actually seems you have not even enabled the DHCP

dhcpd enable inside

That is if you want to enable it even.

- Jouni

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

AaronCase3 — Tue, 04 Feb 2014 18:07:42 GMT

Yes it is statically configured.

IP - 192.168.1.26 255.255.255.0

GW - 192.168.1.30

DNS 8.8.8.8

DNS will resolve. . .and

after a third reboot its working like a charm. Thanks a TON for your assistance! You're a lifesaver!

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

Jouni Forss — Tue, 04 Feb 2014 18:10:12 GMT

Great to hear its working now

I was starting to think I was missing something simple

- Jouni

ASA 5505 Port forwarding UDP ranges to multiple internal IP addr

AaronCase3 — Tue, 04 Feb 2014 20:58:20 GMT

Jouni,

I've got one more thing.

I've got some traffice coming in on the internal interface that is from the 192.168.2.0 range. This is coming in over a VPN. I need to send that traffic back via 192.168.1.254 (which is the gatewat controlling the point to point vpn). On my sonicwall I have a route set as follows

source = 192.168.1.0/24 destination=192.168.2.0/24 protocol=any gateway = 192.168.1.254

I'm thinking that on the ASA I need to put in something like

route inside 192.168.2.0 255.255.255.0 192.168.1.254 1

I've got that enterd in but I'm not establishing communication. am I on the right track?