Convert ASA NAT to IOS/IOS-XE NAT Config

mloraditch
Level 7

I had to create a rather complex series of NATs on an ASA for a PBX that has 2 IPs (one for RTP and one for control) but must appear to the ITSP on the internet as one public IP. The client now wants to route some of this traffic via some ISRs where we have ZBF firewalls set up.

I have pasted the relevant sections of the ASA config (8.3+ NAT version). Will this actually translate to IOS/IOS-XE (we have a mix of G2s and 4Ks)? If so, how? I've done plenty of 1-to-1 NATs and some port NATing, but am unsure about the final masking NAT and making it all work together.

Thanks in advance for any assistance! The 1.1.1.x addresses would be internal and the 2.2.2.x addresses would be external.

object service SIPRangeUDP
 service udp source range sip 5090
object service SIPRangeTCP
 service tcp source range sip 5090
object service RTPRange
 service udp source range 10020 10531
object network SITENAMEPBX1SIPUDP
 host 1.1.1.235
object network SITENAMEPBX1SIPUDPOut
 host 2.2.2.187
object network SITENAMEPBX1SIPTCP
 host 1.1.1.235
object network SITENAMEPBX1SIPTCPOut
 host 2.2.2.187
object network SITENAMEPBX1RTP
 host 1.1.1.236
object network SITENAMEPBX1RTPOut
 host 2.2.2.187
object network SITENAMEPBXMask
 host 2.2.2.187
object network SITENAMEPBXMask1
 host 1.1.1.235
object network SITENAMEPBXMask2
 host 1.1.1.236
object-group network SITENAMEPBXMasking
 network-object object SITENAMEPBXMask1
 network-object object SITENAMEPBXMask2
nat (inside,outside) source static SITENAMEPBX1SIPUDP SITENAMEPBX1SIPUDPOut service SIPRangeUDP SIPRangeUDP
nat (inside,outside) source static SITENAMEPBX1SIPTCP SITENAMEPBX1SIPTCPOut service SIPRangeTCP SIPRangeTCP
nat (inside,outside) source static SITENAMEPBX1RTP SITENAMEPBX1RTPOut service RTPRange RTPRange
nat (inside,outside) source dynamic SITENAMEPBXMasking SITENAMEPBXMask
Accepted Solution

Francesco Molino
VIP Alumni

Hi

NAT on a router doesn't work the same way as on an ASA.

In your design, you need to do port forwarding for a UDP port range. You don't have a lot of solutions. There is only one I know of: using an ACL and a route-map, like:

! Object-groups are only accepted in named extended ACLs, not numbered ones.
! Match on the PBX source port range only, as the ASA service object does.
ip access-list extended FORWARD-2-ACL
 permit udp object-group SITENAMEPBX1RTP range 10020 10531 any
!
route-map FORWARD-2 permit 10
 match ip address FORWARD-2-ACL
!
ip nat inside source static 1.1.1.236 2.2.2.187 route-map FORWARD-2

The issue is that you also need to forward other ports with the same public address but a different private address. At this point, the router won't allow you to do that configuration.

To accomplish what you're trying to do with IOS, you have 2 solutions:

- do NAT port by port (even for ranges). It will take too long as you have a lot of ports

- use 2 public IPs: 1 for 1.1.1.235 and 1 for 1.1.1.236

In case you use 2 public IP addresses, the config would look like this (check it before pasting into your environment, I've done it quickly from my iPhone):


! Network object-groups need the "network" keyword on IOS
object-group network SITENAMEPBX1SIPUDP
 host 1.1.1.235
!
object-group network SITENAMEPBX1SIPTCP
 host 1.1.1.235
!
object-group network SITENAMEPBX1RTP
 host 1.1.1.236
!
object-group network SITENAMEPBXMask1
 host 1.1.1.235
!
object-group network SITENAMEPBXMask2
 host 1.1.1.236
!
object-group network SITENAMEPBXMasking
 group-object SITENAMEPBXMask1
 group-object SITENAMEPBXMask2
!
! Catch-all from each PBX address, used by the dynamic (overload) rules
ip access-list extended NAT
 permit ip object-group SITENAMEPBXMask1 any
!
ip access-list extended NAT2
 permit ip object-group SITENAMEPBXMask2 any
!
! Object-groups are only accepted in named extended ACLs, not numbered ones.
! SIP signalling: source ports 5060-5090, matching the ASA "range sip 5090" service
ip access-list extended FORWARD-1-ACL
 permit udp object-group SITENAMEPBX1SIPUDP range 5060 5090 any
 permit tcp object-group SITENAMEPBX1SIPTCP range 5060 5090 any
!
! RTP media: source ports 10020-10531
ip access-list extended FORWARD-2-ACL
 permit udp object-group SITENAMEPBX1RTP range 10020 10531 any
!
route-map FORWARD-1 permit 10
 match ip address FORWARD-1-ACL
!
route-map FORWARD-2 permit 10
 match ip address FORWARD-2-ACL
!
! One single-address pool per public IP
ip nat pool NATPOOL 2.2.2.187 2.2.2.187 netmask 255.255.255.0
ip nat pool NATPOOL2 2.2.2.188 2.2.2.188 netmask 255.255.255.0
! Everything else from each PBX host is PAT'ed behind that host's own public IP
ip nat inside source list NAT pool NATPOOL2 overload
ip nat inside source list NAT2 pool NATPOOL overload
! Static 1:1 for the SIP and RTP port ranges, limited by the route-maps
ip nat inside source static 1.1.1.235 2.2.2.188 route-map FORWARD-1
ip nat inside source static 1.1.1.236 2.2.2.187 route-map FORWARD-2

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

3 Replies


I was afraid of what you are saying. We are not port-by-port NATing; 500+ lines of NAT would be impossible to manage.

Well, we recommended against the PBX design they have; now I have even more justification for that.

Yes, you're right. As I said, manual port-by-port will be a nightmare. The solution with the router would be 2 public addresses.

Thanks
Francesco

PS: Please don't forget to rate and select as validated answer if this answered your question