topic Configuring PAT for VoIP got a Turn Up today!!! in Network Security

Configuring PAT for VoIP got a Turn Up today!!!

khayes1984 — Tue, 12 Mar 2019 01:16:18 GMT

Good Morning all,

I have a question, I've researched around the internet to find the CLI commands to open ports TCP 5060/5061 and UDP ports 1024 to 65535 to my SIP provider. I'm a voice guy so i'm VERY new to Security and I would like some assistance.

I'm using a ASA 5505, and below is my Show Run:

------------------ show running-config ------------------

: Saved

ASA Version 8.3(2)

hostname ECSASA-5505

domain-name hostedatandvoice.local

enable password <removed>

passwd <removed>

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

interface Ethernet0/0

description COMCAST

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

banner exec EnterCloud Solutions ASA

banner login AAA is enabled, Local access has been restricted to local Administrators and Engineers of ECS, LLC.

banner motd EnterCloud Solutions ASA Applicance. Unauthorized users will be logged and flagged for unauthorized access. IP's are tracked and logged and will be reported to local State and Federal agencies.

banner motd Contact security@hostedatandvoice.com for additional help or support.

banner asdm WELCOME TO ECS ASA 5505 SECURITY APPLICANCE!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name hostedatandvoice.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network Internet

subnet 0.0.0.0 0.0.0.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

object service NTP

service tcp source eq 123 destination eq 123

description Time Clock

object network STATIC-PAT

subnet 192.168.1.0 255.255.255.0

object network VPN-Pool

subnet 190.168.10.0 255.255.255.240

description VPN IP Address

object network SSL-VPN-POOL

description SSL-VPN-POOL

object network SSL-VPN-POOL1

object network SSL-VPN-NET1

subnet 192.168.10.0 255.255.255.240

object network outside_to_inside_VoIP

host 192.168.1.8

object-group network PRIVATE-LAN

network-object 192.168.1.0 255.255.255.0

object-group network SSL-VPN-NETWORKS

description SSL VPN NETWORKS

object-group network VPN-NETWORK

network-object object SSL-VPN-NET1

access-list OUTSIDE-IN extended permit udp any object STATIC-PAT eq ntp

access-list ECSSLVPN remark Allow VPN Access to LAN

access-list ECSSLVPN standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffer-size 1000000

logging buffered debugging

logging asdm debugging

mtu inside 1500

mtu outside 1500

ip local pool VPN-Pool 192.168.10.1-192.168.10.12 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static PRIVATE-LAN PRIVATE-LAN destination static VPN-NETWORK VPN-NETWORK

object network STATIC-PAT

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 x.x.x.x1

route inside 192.168.10.0 255.255.255.255 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

email security@hostedatandvoice.com

subject-name CN=ESCASA-5505

ip-address x.x.x.x

keypair ECS-KP

proxy-ldc-issuer

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 59203f51

308202a8 30820211 a0030201 02020459 203f5130 0d06092a 864886f7 0d010105

05003066 31143012 06035504 03130b45 53434153 412d3535 3035314e 301b0609

2a864886 f70d0109 08130e35 302e3139 342e3234 352e3138 35302f06 092a8648

86f70d01 09021622 45534341 53412d35 3530352e 686f7374 65646174 616e6476

6f696365 2e6c6f63 616c301e 170d3133 30333132 31333233 34375a17 0d323330

33313031 33323334 375a3066 31143012 06035504 03130b45 53434153 412d3535

3035314e 301b0609 2a864886 f70d0109 08130e35 302e3139 342e3234 352e3138

35302f06 092a8648 86f70d01 09021622 45534341 53412d35 3530352e 686f7374

65646174 616e6476 6f696365 2e6c6f63 616c3081 9f300d06 092a8648 86f70d01

01010500 03818d00 30818902 818100dd 432f3bbc 24f0329f 81f0faea 27555dd6

972dfcc0 697dd74b 8ebdfe7a b7adb611 a97b3881 baef9373 d6442571 7da6d0b1

f74e9ff9 6602d832 6a092719 2460ecb1 0088a4f0 fbf0c2b0 13586c87 c23d69b2

08525422 f66e735c 46f3b3c8 d3f41c21 5a204fea cd798c7b e15c018a 6f6d344d

de24ac87 12cc69a7 b07023a4 302a0702 03010001 a3633061 300f0603 551d1301

01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23

04183016 80149724 66a81b45 e402da6f f9e47a87 6c01af08 5476301d 0603551d

0e041604 14972466 a81b45e4 02da6ff9 e47a876c 01af0854 76300d06 092a8648

86f70d01 01050500 03818100 517b691a 285b035e 5e4ffaba 02467a5a 45d1d4fd

0e39838d caf77bf1 4cc2f5a6 2fefb926 d0a2fdc4 ebabc75a 28380c06 60df23ee

8be72ddc b3587956 1eb1df89 d7b4293a ad0db500 bf651885 0a44ba2c 4b94f8ce

e27b8242 4abead6b a1af0468 5ed4a8ef 013f2d08 59df2f2e e6afcc21 2df6bbd0

a1f15a01 4ba8960a ec9771bb

quit

crypto isakmp enable outside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd dns 4.2.2.2 8.8.1.1

dhcpd domain hostedatandvoice.local

dhcpd address 192.168.1.12-192.168.1.130 inside

dhcpd dns 4.2.2.2 8.8.1.1 interface inside

dhcpd domain hostedatandvoice.com interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 199.249.224.123 source outside prefer

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

svc image disk0:/anyconnect-win-3.0.11042-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2

svc enable

group-policy DfltGrpPolicy attributes

dns-server value 4.2.2.2

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ECSSLVPN

default-domain value hostedatandvoice.local

split-dns value hostedatandvoice.com

address-pools value VPN-Pool

webvpn

svc ask enable default webvpn

username khayes password <removed> privilege 15

username mharrell password <removed> privilege 15

username bdillard password <removed> privilege 15

username skonti password <removed> privilege 15

tunnel-group ECSSLVPN type remote-access

tunnel-group ECSSLVPN general-attributes

address-pool VPN-Pool

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:977f2a92875a8c744753124c94adbb09

: end

Configuring PAT for VoIP got a Turn Up today!!!

khayes1984 — Tue, 19 Mar 2013 16:56:59 GMT

Anyone?

Configuring PAT for VoIP got a Turn Up today!!!

julomban — Tue, 19 Mar 2013 17:17:23 GMT

Hey Kenneth,

Please include more details such as where is your SIP provider, what is the traffic flow.

By default, there is an implicit permit from a higher security interface (100) to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface.

From lower to higher you need access list and NAT (which in that case you need ACL opening SIP port and range).

Regards,

Juan Lombana

Please rate helpful posts.

Configuring PAT for VoIP got a Turn Up today!!!

khayes1984 — Tue, 19 Mar 2013 17:20:12 GMT

Traffic Flow as follows:

ITSP->Comcast->ASA 5505->CUBE->CUCM

Configuring PAT for VoIP got a Turn Up today!!!

julomban — Tue, 19 Mar 2013 17:35:06 GMT

Kenneth,

You need to allow inbound traffic through the ASA. For this since you are coming from the Internet (lower to higher) you need a NAT one to one and access list:

object network

host x.x.x.x

nat (inside,outside) static y.y.y.y

access-list outside_access_in permit tcp any host y.y.y.y eq 5060

access-list outside_access_in permit tcp any host y.y.y.y eq 5061

access-list outside_access_in permit tcp any host y.y.y.y range 1024 65535

Replace the x.x.x.x with the CUCM manager IP address and the y.y.y.y with a public IP on your outside interface.

Please be aware that you need a public IP but not your outside interface, it must be another on the same range of the outside.

Regards,

Juan Lombana

Configuring PAT for VoIP got a Turn Up today!!!

khayes1984 — Tue, 19 Mar 2013 17:36:43 GMT

I have one public IP.

Configuring PAT for VoIP got a Turn Up today!!!

khayes1984 — Tue, 19 Mar 2013 17:45:00 GMT

The public IP of the carrier or my static IP?

Configuring PAT for VoIP got a Turn Up today!!!

julomban — Tue, 19 Mar 2013 18:31:24 GMT

Kenneth,

If that's the case you can use a range of port and create a NAT using your outside interface IP.

object network CUCM_Private

host 10.10.10.10

object service Range_1024_65535

service udp source range 1024 65535

object service SIP_range

service tcp source range 5060 5061

nat (inside,outside) source static CUCM_Private interface service Range_1024_65535 Range_1024_65535

nat (inside,outside) source static CUCM_Private interface service SIP_range SIP_range

access-list outside_access_in permit tcp any object CUCM_Private eq 5060

access-list outside_access_in permit tcp any object CUCM_Private eq 5061

access-list outside_access_in permit tcp any object CUCM_Private range 1024 65535

Take in consideration that I am using different IP address, please use the correponding IP's.

Hope it helps,

Juan Lombana

Configuring PAT for VoIP got a Turn Up today!!!

khayes1984 — Tue, 19 Mar 2013 22:17:45 GMT

ERROR: NAT unable to reserve ports.

that's what I got.