topic Re: ASA 5505 Port Forward Range in Network Security

ASA 5505 Port Forward Range

Scott Pickles — Mon, 11 Mar 2019 16:57:43 GMT

I have spent the last few days trying to get my VoIP box exposed to the internet using a static public IP and port forwarding. However, most of the posts I have read thus far only deal with forwarding one or two ports, usually a single IP on the outside, and mostly just traffic from outside to inside. In my scenario, I need to statically NAT traffic from the VoIP box inside at 192.168.9.9 to a public IP on the outside on the same subnet as the ASA outside interface (66.x.x.0 / 24) where .2 is the ASA, .3 is the VoIP server. I have created my static NAT, object-group for services and ACLs. I can connect to my outbound VoIP proxy (ITSP) and make a call, but I get no audio. The Allworx uses udp ports 15000-15511 for RTP, and this is exactly what I'm forwarding as a range. My config is posted below. Do I need a static NAT in both directions? Should I use a nat (inside) and global (outside) for outbound and static NAT for the return? Is port forwarding a range even possible? I have tried many different variations of my config to no avail. One other burning question is this:

Deny udp src inside:Allworx_Inside/15376 dst outside:199.173.81.34/50222 by access-group "inside_access_in" [0x0, 0x0]

Viewing the log during the setup the ASA indicates that my RTP traffic is denied by the inbound ACL on the inside interface. Is this still required if I'm using a static NAT and allowing that traffic to the outside interface? I thought that by using static NAT you're creating the bit pipe or hole through the firewall, and all that was necessary was an ACL permitting traffic to the pipe entry, and that it would then reach the inside device without the need for an ACL on the inside interface. What is more, the ASA wants me to permit traffic inbound to the inside interface when the source is inside and the destination is outside. Why on earth would I need an inbound ACL on the inside interface for traffic that needs to leave the inside interface?

: Saved
:
ASA Version 8.2(1)
!
hostname asa5505
domain-name vpnsystems.vpn
enable password 5Guh/zkcc.rD2nN1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.9.9 Allworx_Inside description Allworx Inside
name 66.x.x.3 Allworx_Outside description Allworx Outside
name 66.x.x.2 ASA5505_Outside description ASA5505 Outside

interface Vlan1
description Trust - 192.168.0.18/30
nameif inside
security-level 100
ip address 192.168.0.18 255.255.255.252
!
interface Vlan2
description Untrust - 66.x.x.2/24
nameif outside
security-level 0
ip address ASA5505_Outside 255.255.255.0
!
interface Ethernet0/0
description Untrust - 66.x.x.2/24
switchport access vlan 2
!
interface Ethernet0/1
description Trust - 192.168.0.18/30
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Allworx_TCP tcp
port-object eq 8081
port-object eq 8080
object-group service Allworx_UDP udp
port-object range 15000 15511
port-object eq 2088
port-object eq sip
access-list outside_access_in extended permit icmp any host Allworx_Outside
access-list outside_access_in extended permit udp any host Allworx_Outside object-group Allworx_UDP
access-list outside_access_in extended permit tcp any host Allworx_Outside object-group Allworx_TCP
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Allworx_Outside Allworx_Inside netmask 255.255.255.255
access-group outside_access_in in interface outside
!
router eigrp 100
no auto-summary
eigrp router-id 192.168.0.18
eigrp stub connected
network 192.168.0.16 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 ASA5505_Outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 60
http server session-timeout 60
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.236.56.250 source outside prefer
webvpn
username Administrator password QbzTukvNpIQksWih encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:41cebbde244c4496766306905d39002a
: end

Re: ASA 5505 Port Forward Range

Kureli Sankar — Thu, 14 Jan 2010 03:34:23 GMT

I do not see this access-list inside_access_in in the config. If this is SIP then, I don't see sip inspection either.

conf t

policy-map global_policy
class inspection_default

inspect sip

Give it a shot once done. You are correct there is no need for acl to be applied on the higher security interface by default high to low traffic is allowed on the ASA.

-KS

Re: ASA 5505 Port Forward Range

Scott Pickles — Thu, 14 Jan 2010 03:49:01 GMT

Sorry about the ACL inside_access_in. I removed it from the config b/c I didn't think I needed it. As for sip inspection, Allworx support told me I had to remove it in order for their product to work. The Allworx uses sip to register to the ITSP and that works. Call setup is fine. It's the RTP audio that doesn't work. I also didn't understand the need for the inside_access_in ACL governing traffic from and inside host to an outside host, that should be implicitly allowed. Look again closely at the log entry I posted. The ASA is blocking udp traffic coming into the inside interface, but states that the source is an inside host destined for an outside host. That is totally backwards and makes no sense to me. If the ASA is complaining about inbound traffic to the inside interface, I would expect the source to be outside, destination inside.

Re: ASA 5505 Port Forward Range

Kureli Sankar — Thu, 14 Jan 2010 04:07:36 GMT

inspection does two things.

1. fixes up address in the packets -

2. opens pin holes to allow flow on a diff. source port

Now, there was an acl applied on the inside interface and you do not have sip inspection enabled. There was no acl allowing the flow and there was no inspection to automatically allow the traffic from inside to outside.

With no acl applied on the inside interface now, try the flow again and see if it works.

I don't see anything wrong in the syslog. The ACL is blocking the voice traffic going from inside to outside - due the fact acl wasn't allowing because inspection wasn't there to automatically allow the flow when the acl wasn't specifically allowing.

The rule if you remove inspection then you need allow permission via access-list.

-KS

Re: ASA 5505 Port Forward Range

Scott Pickles — Thu, 14 Jan 2010 05:03:59 GMT

Ok, so the reason why the ACL is necessary is because it is the RETURN traffic in a flow?

I thought there was no need to permit with an ACL traffic flowing from a high to low zone? Is that only for traffic initiated by the inside interface?

The issue isn't with SIP (udp 5060), it's with the RTP traffic (udp 15000-15511). I need to NAT the traffic on the way out from 192.168.9.9 to 66.x.x.3 and on the way back in (66.x.x.3 to 192.168.9.9). Will the static command take care of this bi-directional flow? Or do I need a nat (inside) / global (outside) pairing for traffic leaving the firewall, and the static for return traffic? Should the port-object range work for this? Or will this not work without being able to inspect the RTP traffic?

-Scott