03-23-2011 08:08 AM - edited 03-11-2019 01:11 PM
Hi,
I wonder whether you can help me. I need to add the following to our firewall configuration (we are changing our WatchGuard firewall to Cisco and it was necessary to be configured this way).
1) I need to create 1-1 NAT for our VoIP system and video conferencing unit, and to do it as below:
VOIP-SIP : from 85.90.225.100 to 217.207.96.121 on port tcp/udp 5060
VC-SIP : from any_external to 217.207.96.120 on port tcp/udp 5060
VC-Video : from any_external to 217.207.96.120 on port tcp/udp 60000 to 64999
VOIP-RTP : from 85.90.225.100 to 217.207.96.121 on port tcp/udp 10000 - 20000
2) I need to enable PPTP traffic to pass from outside to inside and vice versa.
many thanks
Patrick
current config:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
names
name 10.10.1.19 barracuda
name 192.168.1.2 ctxdmz
name 10.10.1.39 ftp1
name 10.10.1.38 ftp2
name 10.10.1.37 ftp3
name 10.10.1.192 mailsvr
name 217.207.96.114 outside_114
name 217.207.96.115 outside_115
name 217.207.96.116 outside_116
name 217.207.96.117 outside_117
name 217.207.96.118 outside_118
name 217.207.96.119 outside_119
name 217.207.96.120 outside_120
name 10.10.1.8 transfer_server
name 10.10.1.10 backupsvr
name 10.10.1.4 citrixsvr1
name 85.90.225.100 voip_sip
name 10.10.1.9 minimac1
name 82.111.186.146 sdt_rdp
name 217.207.96.121 outside_121
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Vlan12
nameif outside
security-level 0
ip address outside_114 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group network obj_any
object-group service rdp tcp
port-object eq 3389
object-group network DM_INLINE_NETWORK_1
network-object host mailsvr
network-object host transfer_server
network-object host minimac1
object-group network DM_INLINE_NETWORK_2
network-object host mailsvr
network-object host barracuda
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service session_reliability tcp
port-object eq 2598
object-group service vc tcp-udp
port-object range 60000 64999
object-group service voip tcp-udp
port-object range 10000 20000
access-list outside_access_in extended permit tcp host sdt_rdp any object-group rdp
access-list outside_access_in extended permit tcp any host ctxdmz eq https
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in extended permit tcp any host mailsvr eq smtp
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit object-group TCPUDP any any eq sip
access-list outside_access_in extended permit object-group TCPUDP any any object-group vc
access-list outside_access_in extended permit object-group TCPUDP any any object-group voip
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip 10.10.1.0 255.255.255.0 host ctxdmz
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.10.1.0 255.255.255.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.10.1.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.10.1.0 255.255.255.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.10.1.0 255.255.255.0 object-group session_reliability
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.10.1.0 255.255.255.0 eq domain
pager lines 24
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface https ctxdmz https netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface www mailsvr www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 backupsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp ftp1 ftp netmask 255.255.255.255
static (inside,outside) tcp outside_115 ftp ftp2 ftp netmask 255.255.255.255
static (inside,outside) tcp outside_117 ftp ftp3 ftp netmask 255.255.255.255
static (inside,outside) tcp outside_119 www minimac1 www netmask 255.255.255.255
static (inside,outside) tcp outside_115 www transfer_server www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 mailsvr pop3 netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica citrixsvr1 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
: end
03-23-2011 05:45 PM
You have left out very important information.
1) Please advise what the inside IP address is that you want to NAT from, for both 217.207.96.121 and 217.207.96.120.
2) Please advise what the PPTP server IP address is, as well as what you would like to NAT it to.
03-24-2011 06:25 AM
Hi,
Sorry, the details are as follows.
1) 217.207.96.120 to 10.10.1.89
217.207.96.121 to 10.10.1.3
2) The PPTP has no internal server; what I am trying to achieve is to enable third-party users who come to our network with their laptops to connect to their companies with a PPTP VPN connection.
thanks
Patrick
03-24-2011 11:20 PM
For the voice part, here is what needs to be configured:
static (inside,outside) 217.207.96.120 10.10.1.89 netmask 255.255.255.255
static (inside,outside) 217.207.96.121 10.10.1.3 netmask 255.255.255.255
For the ACL, is your SIP protocol using the default ports for its RTP and video connections? If it is, then all you need to allow is SIP signalling, i.e. port 5060, because "inspect sip" is already enabled and it will inspect the SIP signalling and open pinholes for the RTP and video connections.
Here is "inspect sip" description for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1724082
For PPTP, you would need to enable "inspect pptp", and here is the command for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721656
Hope this helps.
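Putting the accepted answer together with the names already defined in the posted running-config, as an added illustration (this is not configuration from the thread's author, the responder, or Cisco). It assumes ASA 8.2 (pre-8.3) syntax, where ACLs on the outside interface match the translated public address; the internal hosts 10.10.1.89 and 10.10.1.3 are the ones given in Patrick's follow-up, and the restriction of the VoIP rules to 85.90.225.100 (already named voip_sip) comes from the original question.

```cisco
! Added example: ASA 8.2 (pre-8.3) syntax, built from the names in the posted config.
! Not the configuration from the thread; verify against your own running-config.
!
! 1) One-to-one static NAT for the video conferencing unit and the VoIP system.
!    outside_120 / outside_121 are names already defined in the posted config;
!    10.10.1.89 and 10.10.1.3 are the internal hosts given in the follow-up.
static (inside,outside) outside_120 10.10.1.89 netmask 255.255.255.255
static (inside,outside) outside_121 10.10.1.3 netmask 255.255.255.255
!
! 2) Scope the inbound ACEs to the hosts and ports that were actually requested.
!    Pre-8.3 ACLs match on the translated (public) address, so the destination
!    is the outside_12x address, not the 10.10.1.x host.
!    The existing "any any" SIP/VoIP/VC entries are removed first; otherwise the
!    broader entries, which sit earlier in the list, keep matching and the
!    scoped entries below never take effect (ACLs are first-match, top down,
!    and new ACEs are appended at the end).
no access-list outside_access_in extended permit object-group TCPUDP any any eq sip
no access-list outside_access_in extended permit object-group TCPUDP any any object-group vc
no access-list outside_access_in extended permit object-group TCPUDP any any object-group voip
! VC-SIP and VC-Video: any external source to the video unit
access-list outside_access_in extended permit object-group TCPUDP any host outside_120 eq sip
access-list outside_access_in extended permit object-group TCPUDP any host outside_120 object-group vc
! VOIP-SIP and VOIP-RTP: only the provider (voip_sip = 85.90.225.100) to the VoIP system
access-list outside_access_in extended permit object-group TCPUDP host voip_sip host outside_121 eq sip
access-list outside_access_in extended permit object-group TCPUDP host voip_sip host outside_121 object-group voip
!
! With "inspect sip" left enabled, the RTP/video ranges are opened dynamically
! from the SIP signalling and the two "object-group vc/voip" ACEs are only a
! fallback. If SIP inspection has to be disabled for the phone system, those
! explicit media-range ACEs are what keeps the calls working:
!   policy-map global_policy
!    class inspection_default
!     no inspect sip
!
! 3) PPTP for visiting laptops connecting outbound to their own company VPNs.
!    "inspect pptp" tracks the TCP/1723 control channel and opens the GRE
!    return path through the interface PAT (nat/global 101). No inbound ACE is
!    needed because nothing on the inside terminates PPTP; the existing
!    "permit tcp any any eq pptp" on outside_access_in has no matching static
!    and can be removed.
policy-map global_policy
 class inspection_default
  inspect pptp
no access-list outside_access_in extended permit tcp any any eq pptp
!
! Verify:
!   show xlate                           -> the two static translations
!   show access-list outside_access_in   -> hit counts on the scoped entries
!   show service-policy inspect pptp     -> PPTP inspection counters
```

The order matters on a pre-8.3 ASA: remove the broad "any any" entries before adding the scoped ones, or the new ACEs will never be hit; check with the hit counts in `show access-list outside_access_in` after a test call.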
03-25-2011 04:02 AM
Hi,
Thanks, I will test it next weekend and will get back to you.
I am sure that it is going to work.
thanks
Patrick
03-30-2011 07:01 AM
Hi,
Just to let you know that the SIP filtering must be turned off to work correctly with our phone system; otherwise, all worked well as planned.
I have also upgraded the version of ASA to 6.3, but with this I lost some small functionality. Would you be able to advise me on the following points?