topic Re: Problem with NAT with video call on ASA5510 in Network Security

Problem with NAT with video call on ASA5510

kpoon — Mon, 11 Mar 2019 19:56:28 GMT

Hello all,

We have a video system at 10.4.86.199 trying to call another system at 172.30.1.102.

The System at 10.4.86.199 receive the video image and sound, but at 172.30.1.102 doesn't after the call is established.

10.4.86.199 actaully contacts 10.40.86.102 which NAT to 172.30.1.102, it cannot contact 172.30.1.102 directly. It is done by design.

I've tried to packettrace and it points to problem with NAT but I can't pinpoint it. Any help would be appreciated.

please see attached config.

Thank you in advance.

Re: Problem with NAT with video call on ASA5510

Federico Coto Fajardo — Thu, 24 Feb 2011 23:02:10 GMT

Hi,

If I understand correctly 10.4.86.199 should reach 10.40.86.102 to be able to get the service from 172.30.1.102

172.30.1.102 NATs to 10.40.86.102

In order to allow 10.4.86.199 to reach 10.40.86.102 you need a static NAT (which you have):
static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.

and also ACL:

access-list Endo-40_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list Endo-40_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

Should be permitting this traffic (all ports required to make this work).

Normally if Packet-Tracer reports a problem (a NAT problem in this case), should show you which NAT rule is causing
the conflict.
Can you include that information?

Federico.

Re: Problem with NAT with video call on ASA5510

kpoon — Thu, 24 Feb 2011 23:39:42 GMT

Hi Ferderico,

here's the result:

ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 172.30.1.102 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.30.1.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Entrust-40_access_in in interface E-40
access-list Entrust-40_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-out-acl out interface inside
access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_12 172.30.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object 10.4.86.0 255.255.255.0
network-object 10.40.86.0 255.255.255.0
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.255
nat-control
match ip inside host 172.30.1.102 E-40 any
static translation to 10.40.86.102
translate_hits = 15, untranslate_hits = 36
Additional Information:

Result:
input-interface: E-40
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Problem with NAT with video call on ASA5510

Federico Coto Fajardo — Fri, 25 Feb 2011 00:03:14 GMT

The test is incorrect.

You're attempting to reach 172.30.1.102 on port 80 from 10.4.86.199

From 10.4.86.199 you should reach 10.40.86.102 (and the ASA will statically NAT it to 172.30.1.102

Do the following test:

packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 80

Federico.

Re: Problem with NAT with video call on ASA5510

kpoon — Fri, 25 Feb 2011 01:47:41 GMT

Everything seems ok....

any exempt rule I'm missing? everything else works except the video on one end...

ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.4.86.0 255.255.255.0 E-40

Phase: 5
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group E-40_access_out out interface E-40
access-list E-40_access_out extended permit ip any any
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 56854583, packet dispatched to next module

Result:
input-interface: E-40
input-status: up
input-line-status: up
output-interface: E-40
output-status: up
output-line-status: up
Action: allow

Re: Problem with NAT with video call on ASA5510

Federico Coto Fajardo — Fri, 25 Feb 2011 02:04:41 GMT

Everything seems fine for the test you made on destination port 80:

packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 80

But are there any other ports needed? What kind of video/traffic/protocol you're using?

Maybe, we need to open other port besides 80?

Federico.

Re: Problem with NAT with video call on ASA5510

kpoon — Fri, 25 Feb 2011 03:23:17 GMT

I thought the ACLs are allowing everything already.

access-list Endo-40_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list Endo-40_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

I've also tested the ports necessary such as SIP, H323, etc. Is there anything in the conf might have prevented any kind of traffic going to 172.30.1.102? any NAT exempt needed or anything that could overlap any NAT or ACL?

ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 SIP

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.4.86.0 255.255.255.0 E-40

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group E-40_access_out out interface E-40
access-list E-40_access_out extended permit ip any any
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 56882019, packet dispatched to next module

Result:
input-interface: E-40
input-status: up
input-line-status: up
output-interface: E-40
output-status: up
output-line-status: up
Action: allow

ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 H323

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.4.86.0 255.255.255.0 E-40

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group E-40_access_out out interface E-40
access-list E-40_access_out extended permit ip any any
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 56882069, packet dispatched to next module

Result:
input-interface: E-40
input-status: up
input-line-status: up
output-interface: E-40
output-status: up
output-line-status: up
Action: allow

Re: Problem with NAT with video call on ASA5510

Federico Coto Fajardo — Fri, 25 Feb 2011 04:06:41 GMT

The access-lists seem to be permitting the entire IP stack to that IP, so you should be good.

Now, I think that we can look at the logs to see what's happening with that traffic.
I see there's a syslog server configured (or you can check the logs directly on the ASA).

sh log | i 10.40.86.102
sh log | i 172.30.1.102

Federico.

Re: Problem with NAT with video call on ASA5510

Kent Heide — Fri, 25 Feb 2011 05:29:51 GMT

Have you turned on inspect for h.323? It uses a certain port for control traffic and dynamic ports (if not configured otherwise) for data.

Also open 1720/1721 in your acls!

Sent from Cisco Technical Support iPhone App

Re: Problem with NAT with video call on ASA5510

kpoon — Fri, 25 Feb 2011 15:36:47 GMT

Hi gentlemen,

I've turned on inspect for h.323, added another ACL on top of the one for all IP traffic and the followings, now it seems to work fine but I will do more testing and followup.

object-group service DM_INLINE_SERVICE_1
service-object udp eq 1719

service-object tcp eq 1721

service-object tcp eq h323

service-object tcp eq sip

* orginally only had service-object ip

      policy-map E-40-policy
        class E-40-class
          inspect h323 h225

inspect h323 ras

inspect sip

access-list inside_nat0_outbound_1 line 1 extended permit ip 172.30.1.0 255.255.255.0 10.40.86.0 255.255.255.0

Re: Problem with NAT with video call on ASA5510

kpoon — Fri, 25 Feb 2011 17:08:08 GMT

I've found that only H323 calls work, SIP don't...

Any idea would be appreciated.

Re: Problem with NAT with video call on ASA5510

Federico Coto Fajardo — Fri, 25 Feb 2011 17:26:29 GMT

Just want to know....

Have you tried with SIP inspection disabled?

no inspect sip

Federico.

Re: Problem with NAT with video call on ASA5510

kpoon — Fri, 25 Feb 2011 20:30:54 GMT

I THOUGHT I solved the problem by putting inspect sip on the E-40 interface instead of the global.

service-policy E-40-policy interface E-40

      policy-map E-40-policy
        class E-40-class
          inspect sip

Re: Problem with NAT with video call on ASA5510

kpoon — Sat, 26 Feb 2011 16:26:09 GMT

actually, negative..... it actually broke all other traffic such as http, https, etc to/from 10.4.86.xx to/from/172.30.1.xx.

Any other suggestion?

I've also tried inspect sip on global without success...

Re: Problem with NAT with video call on ASA5510

kpoon — Mon, 28 Feb 2011 18:13:36 GMT

tried with no inspect sip and it still doesn't work...

Re: Problem with NAT with video call on ASA5510

lusandi — Thu, 14 Jul 2011 16:27:08 GMT

Hello,

Can you enable the sip inspection and provide the following outputs:

debug sip

debug sip ha

show logg

Regards,

Luis Sandi

.:|:.:|:.

P.S Please mark this question as answered if it has been resolved. Do rate helpful posts.

Re: Problem with NAT with video call on ASA5510

Sudeep Khuraijam — Mon, 18 Jul 2011 22:26:57 GMT

Couple of things:

You may need a Nat entry - Static preferably for

10.4.86.199 otherwise the media connection address goes unNATed.

Traffic from the 172 address takes the source static NAT defined hence gets to your endpoint. Having said that it seems either the symptoms described is reversed.

However as seen in your packet tracer you need Destination NAT for

10.4.86.102 when you try to use that address to translate to a 172 endpoint. Otherwise

it is not translated. ( as you see in your tracer, the packet isnt getting anywhere)

You do need global SIP inspect.

Unclear on the complete picture and symptoms but those may be some pointers to chase.