topic Re: ASA5505 - NAT in Network Security

ASA5505 - NAT

allenelson — Tue, 26 Mar 2019 00:40:30 GMT

This is a somewhat broad question, but i am going post it anyway and see if anyone can comment, as i feel it may relate to an incorrect NAT statement. I have a telephone system sitting behind the ASA, which i've NAT'd inbound and outbound to an internet address.

static (inside,outside) 209.92.46.156 10.0.0.7 netmask 255.255.255.255

nat (inside) 1 10.0.0.7 255.255.255.255

global (outside) 1 209.92.46.156

This is the way I normally do the NAT to make the traffic match the same IP both inbound and outbound. I am now unsure if this is the correct way to go about things. Here is the problem i am running into.

A (remote) telephone boots up, grabs an IP, and registers with the phone system. All is well, except for when a call is made and there is no audio. All of the necessary ports are open (on both ends, here it is a 2800 ISR with the firewall enabled) and for testing purposes an ip any any statement was added. So here is the problem..

The phone registers, and in a capture you can see the local address of the phone communicating with the internet routeable address of the phone system. All is well.. However, once the RTP stream initiates the local telephone is now communicating with the inside address of the phone system and i feel that is the bottleneck.

Does anyone see anything wrong with the NAT config ? I am assuming the media stream should be between each end point and not the system, but im not quite sure if the protocol is proprietary (more than likely is) and may work differently.

Re: ASA5505 - NAT

allenelson — Fri, 11 Jul 2008 17:50:13 GMT

sorry, i forgot to include remarks about the inspection table.

on the ASA, there is an access-list applied to the inside interface with a permit ip any any statement.

Re: ASA5505 - NAT

a.alekseev — Fri, 11 Jul 2008 18:10:28 GMT

use only one variant

(if you need access to the telephone system from outside, STATIC NAT)

static (inside,outside) 209.92.46.156 10.0.0.7 netmask 255.255.255.255

(PAT)

nat (inside) 1 10.0.0.7 255.255.255.255

global (outside) 1 209.92.46.156

could you show the topology?

Re: ASA5505 - NAT

allenelson — Fri, 11 Jul 2008 18:19:31 GMT

when you say use one variant, is that best practice or a fact because .... ?

the reason i ask, i've noticed that if you have a global NAT setup for an entire network but also have a webserver, a static NAT would only provide 1 way translation.

lets say all hosts on the 10.0.0.0/24 subnet use the outside interface for internet access. the outside interface is set to 207.99.0.1. A webserver, 10.0.0.254 is binded to 207.99.0.2 through a static NAT.

I can communicate with the server just fine, however, if i am on the webserver and make a request to go out the internet it will be from the 207.99.0.1 address.

just an FYI, one of the telephone guys called and said he had the IP in the wrong field, so the remote phone is now communicating. but i am still interested in the topic of the 1 way NATing.

Re: ASA5505 - NAT

a.alekseev — Fri, 11 Jul 2008 18:39:04 GMT

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html

Re: ASA5505 - NAT

a.alekseev — Fri, 11 Jul 2008 19:05:13 GMT

I can communicate with the server just fine, however, if i am on the webserver and make a request to go out the internet it will be from the 207.99.0.1 address.

yes, correct

if you also add access-list, you will be able to access the server from the outside (internet)

access-list OUTSIDE-IN permit tcp any host 207.99.0.1 www

but if you want just only have internet aceess from the server, you can use PAT