1-1 NAT + PPTP configuration - cisco asa 5505

patrifick (Level 1)

Hi,

I wonder whether you can help me. I need to add the following to our firewall configuration (we are changing from a WatchGuard firewall to Cisco, and it was necessary to configure it this way).

1) I need to create 1-1 NAT for our VoIP system and video conferencing unit, as below:

VOIP-SIP : from 85.90.225.100 to 217.207.96.121 on port tcp/udp 5060

VC-SIP : from any_external to 217.207.96.120 on port tcp/udp 5060

VC-Video : from any_external to 217.207.96.120 on port tcp/udp 60000 to 64999

VOIP-RTP : from 85.90.225.100 to 217.207.96.121 on port tcp/udp 10000 - 20000

2) I need to enable PPTP traffic to pass from outside to inside and vice versa.

many thanks

Patrick

current config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa

names
name 10.10.1.19 barracuda
name 192.168.1.2 ctxdmz
name 10.10.1.39 ftp1
name 10.10.1.38 ftp2
name 10.10.1.37 ftp3
name 10.10.1.192 mailsvr
name 217.207.96.114 outside_114
name 217.207.96.115 outside_115
name 217.207.96.116 outside_116
name 217.207.96.117 outside_117
name 217.207.96.118 outside_118
name 217.207.96.119 outside_119
name 217.207.96.120 outside_120
name 10.10.1.8 transfer_server
name 10.10.1.10 backupsvr
name 10.10.1.4 citrixsvr1
name 85.90.225.100 voip_sip
name 10.10.1.9 minimac1
name 82.111.186.146 sdt_rdp
name 217.207.96.121 outside_121
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Vlan12
nameif outside
security-level 0
ip address outside_114 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group network obj_any
object-group service rdp tcp
port-object eq 3389
object-group network DM_INLINE_NETWORK_1
network-object host mailsvr
network-object host transfer_server
network-object host minimac1
object-group network DM_INLINE_NETWORK_2
network-object host mailsvr
network-object host barracuda
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service session_reliability tcp
port-object eq 2598
object-group service vc tcp-udp
port-object range 60000 64999
object-group service voip tcp-udp
port-object range 10000 20000
access-list outside_access_in extended permit tcp host sdt_rdp any object-group rdp
access-list outside_access_in extended permit tcp any host ctxdmz eq https
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in extended permit tcp any host mailsvr eq smtp
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit object-group TCPUDP any any eq sip
access-list outside_access_in extended permit object-group TCPUDP any any object-group vc
access-list outside_access_in extended permit object-group TCPUDP any any object-group voip
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip 10.10.1.0 255.255.255.0 host ctxdmz
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.10.1.0 255.255.255.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.10.1.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.10.1.0 255.255.255.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.10.1.0 255.255.255.0 object-group session_reliability
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.10.1.0 255.255.255.0 eq domain
pager lines 24
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface https ctxdmz https netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface www mailsvr www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 backupsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp ftp1 ftp netmask 255.255.255.255
static (inside,outside) tcp outside_115 ftp ftp2 ftp netmask 255.255.255.255
static (inside,outside) tcp outside_117 ftp ftp3 ftp netmask 255.255.255.255
static (inside,outside) tcp outside_119 www minimac1 www netmask 255.255.255.255
static (inside,outside) tcp outside_115 www transfer_server www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 mailsvr pop3 netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica citrixsvr1 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

: end


5 Replies

Jennifer Halim (Cisco Employee)

You have left out very important information:

1) Please advise what is the inside ip address that you want the NAT from, for both 217.207.96.121 and 217.207.96.120.

2) Please advise what is the PPTP server ip address as well as what you would like to NAT it to.

Hi,

Sorry, the details are as follows.

1) 217.207.96.120 to 10.10.1.89

   217.207.96.121 to 10.10.1.3

2) The PPTP has no internal server; what I am trying to achieve is to enable 3rd-party users who come to our network with their laptops to connect to their companies with a PPTP VPN connection.

thanks

Patrick

For the voice part, here is what needs to be configured:

static (inside,outside) 217.207.96.120 10.10.1.89 netmask 255.255.255.255

static (inside,outside) 217.207.96.121 10.10.1.3 netmask 255.255.255.255

For ACL, is your SIP protocol using the default ports for its RTP and Video connections? If they are, then all you need to allow is SIP signalling, i.e. port 5060, because "inspect sip" is already enabled and it will inspect SIP signalling and open pinholes for the RTP and Video connections.

Here is "inspect sip" description for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1724082

For PPTP, you would need to enable "inspect pptp", and here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721656

Hope this helps.

Hi,

Thanks, I will test it next weekend and will get back to you.

I am sure that it is going to work.

thanks

Patrick

Hi,

Just to let you know that the SIP filtering must be turned off to work correctly with our phone system; otherwise all worked well as planned.

I have also upgraded the version of ASA to 6.3, but with this I lost some small functionality. Would you be able to advise me on the following points?

1) In the ACL on the DMZ I have several rules which should be available between the DMZ and INSIDE networks, but only 1 is working. I had to include an ANY rule to be able to communicate between the networks.

2) I cannot use ultimamedia.com domain resolution within the inside network (DNS is not resolved). I was able to do that on the previous version of ASA, but on this new one I cannot figure it out. The one I am after is remote.ultimamedia.com - 217.207.96.114

Regards,
Patrick

Result of the command: "sh ver"
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)
Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 14 hours 42 mins
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
0: Int: Internal-Data0/0    : address is 503d.e53f.c8ba, irq 11
1: Ext: Ethernet0/0         : address is 503d.e53f.c8b2, irq 255
2: Ext: Ethernet0/1         : address is 503d.e53f.c8b3, irq 255
3: Ext: Ethernet0/2         : address is 503d.e53f.c8b4, irq 255
4: Ext: Ethernet0/3         : address is 503d.e53f.c8b5, irq 255
5: Ext: Ethernet0/4         : address is 503d.e53f.c8b6, irq 255
6: Ext: Ethernet0/5         : address is 503d.e53f.c8b7, irq 255
7: Ext: Ethernet0/6         : address is 503d.e53f.c8b8, irq 255
8: Ext: Ethernet0/7         : address is 503d.e53f.c8b9, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255
Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 20             DMZ Unrestricted
Dual ISPs                      : Enabled        perpetual
VLAN Trunk Ports               : 8              perpetual
Inside Hosts                   : Unlimited      perpetual
Failover                       : Active/Standby perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 25             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual
This platform has an ASA 5505 Security Plus license.
Serial Number: JMX150840RU
Running Permanent Activation Key: 0x5724fe76 0xc41bda0c 0xa0436d90 0xac4c14a0 0x44153b9f
Configuration register is 0x1
Configuration last modified by enable_15 at 21:37:10.269 GMT/BDT Mon Mar 28 2011
Result of the command: "show running-config"
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa

names
name 10.10.1.19 barracuda
name 192.168.1.2 ctxdmz
name 10.10.1.39 ftp1
name 10.10.1.38 ftp2
name 10.10.1.37 ftp3
name 10.10.1.192 mailsvr
name 217.207.96.114 outside_114
name 217.207.96.115 outside_115
name 217.207.96.116 outside_116
name 217.207.96.117 outside_117
name 217.207.96.118 outside_118
name 217.207.96.119 outside_119
name 217.207.96.120 outside_120
name 10.10.1.8 transfer_server
name 10.10.1.10 backupsvr
name 10.10.1.4 citrixsvr1
name 85.90.225.100 voip_sip
name 10.10.1.9 minimac1
name 82.111.186.146 sdt_rdp
name 217.207.96.121 outside_121
name 10.10.1.3 pbx
name 10.10.1.89 vc-pc
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Vlan12
nameif outside
security-level 0
ip address outside_114 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object network barracuda
host 10.10.1.19
object network mailsvr
host 10.10.1.192
object network backupsvr
host 10.10.1.10
object network ftp1
host 10.10.1.39
object network ftp2
host 10.10.1.38
object network outside_115
host 217.207.96.115
object network ftp3
host 10.10.1.37
object network outside_117
host 217.207.96.117
object network minimac1
host 10.10.1.9
object network outside_119
host 217.207.96.119
object network transfer_server
host 10.10.1.8
object network mailsvr-01
host 10.10.1.192
object network citrixsvr1
host 10.10.1.4
object network barracuda-01
host 10.10.1.19
object network vc-pc
host 10.10.1.89
object network outside_120
host 217.207.96.120
object network pbx
host 10.10.1.3
object network outside_121
host 217.207.96.121
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network ctxdmz
host 192.168.1.2
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network sdt_rdp
host 82.111.186.146
description Created during name migration 
object-group network obj_any
object-group service rdp tcp
port-object eq 3389
object-group network DM_INLINE_NETWORK_1
network-object host mailsvr
network-object host transfer_server
network-object host minimac1
object-group network DM_INLINE_NETWORK_2
network-object host mailsvr
network-object host barracuda
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service session_reliability tcp
port-object eq 2598
object-group service voip tcp-udp
port-object range 10000 20000
access-list outside_access_in extended permit tcp object sdt_rdp any object-group rdp
access-list outside_access_in extended permit tcp any object ctxdmz eq https
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in extended permit tcp any object barracuda eq smtp
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit object-group TCPUDP any any eq sip
access-list outside_access_in extended permit object-group TCPUDP any any object-group voip
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip 10.10.1.0 255.255.255.0 object ctxdmz
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp object ctxdmz 10.10.1.0 255.255.255.0 object-group rdp
access-list dmz_access_in extended permit tcp object ctxdmz 10.10.1.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp object ctxdmz 10.10.1.0 255.255.255.0 eq citrix-ica
access-list dmz_access_in extended permit tcp object ctxdmz 10.10.1.0 255.255.255.0 object-group session_reliability
access-list dmz_access_in extended permit object-group TCPUDP object ctxdmz 10.10.1.0 255.255.255.0 eq domain
access-list dmz_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network barracuda
nat (inside,outside) static interface service tcp smtp smtp
object network mailsvr
nat (inside,outside) static interface service tcp www www
object network backupsvr
nat (inside,outside) static interface service tcp 3389 3389
object network ftp1
nat (inside,outside) static interface service tcp ftp ftp
object network ftp2
nat (inside,outside) static outside_115 service tcp ftp ftp
object network ftp3
nat (inside,outside) static outside_117 service tcp ftp ftp
object network minimac1
nat (inside,outside) static outside_119 service tcp www www
object network transfer_server
nat (inside,outside) static outside_115 service tcp www www
object network mailsvr-01
nat (inside,outside) static interface service tcp pop3 pop3
object network citrixsvr1
nat (inside,outside) static interface service tcp citrix-ica citrix-ica
object network barracuda-01
nat (inside,outside) static interface service tcp ssh ssh
object network vc-pc
nat (inside,outside) static outside_120
object network pbx
nat (inside,outside) static outside_121
object network obj_any-01
nat (inside,outside) dynamic interface
object network ctxdmz
nat (dmz,outside) static interface service tcp https https
object network obj-192.168.1.0
nat (dmz,inside) static 192.168.1.0
object network obj_any-02
nat (dmz,outside) dynamic interface
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 217.207.96.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.10.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
class-map pptp-port
match port tcp eq pptp
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map pptp_policy
class pptp-port
  inspect pptp
!
service-policy global_policy global
service-policy pptp_policy interface outside
prompt hostname context

: end
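The accepted answer gives the NAT as 8.2 `static` lines, and the configuration above shows the same rules after the 8.3 migration rewrote them as object NAT. The Python script below is an added example (not from the thread or from Cisco) that performs that rewrite for the two `static` shapes present in this thread, so the before/after pairs can be checked line by line; `SAMPLE_82`, `parse_names` and `to_object_nat` are names of my own choosing.

```python
"""ASA 8.2 'static' NAT lines -> 8.3 object NAT (added example, not from the
thread or Cisco; object naming mirrors the 8.3 migration output in the thread)."""
import re

# Constructed sample: 'name' and 'static' lines taken from the 8.2 config in
# the thread (vc-pc is the alias the later 8.3 config gives 10.10.1.89).
SAMPLE_82 = """
name 10.10.1.19 barracuda
name 10.10.1.38 ftp2
name 217.207.96.115 outside_115
name 10.10.1.89 vc-pc
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp outside_115 ftp ftp2 ftp netmask 255.255.255.255
static (inside,outside) 217.207.96.120 10.10.1.89 netmask 255.255.255.255
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
"""
# 8.2 form: static (real_ifc,mapped_ifc) [tcp|udp mapped mport] mapped real [rport] netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<mapped_p>\S+)\s+(?P<mport>\S+)\s+"
    r"(?P<real_p>\S+)\s+(?P<rport>\S+)|(?P<mapped>\S+)\s+(?P<real>\S+))"
    r"\s+netmask\s+(?P<mask>\S+)$"
)

def parse_names(text):
    """Return {alias: ip} for every 'name <ip> <alias>' line."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"^name (\S+) (\S+)$", line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names

def to_object_nat(text):
    """Return the 8.3 object-NAT lines equivalent to every 'static' line."""
    names = parse_names(text)
    alias_of = {ip: alias for alias, ip in names.items()}
    used, out = set(), []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        real = g["real_p"] or g["real"]
        real_ip = names.get(real, real)              # alias -> ip
        mapped = g["mapped_p"] or g["mapped"]
        mapped = names.get(mapped, mapped)           # 'interface' passes through
        # One 'nat' per object: a second forward for the same host gets -01, -02 ...
        base = alias_of.get(real_ip, "obj-" + real_ip)
        obj, n = base, 0
        while obj in used:
            n += 1
            obj = f"{base}-{n:02d}"
        used.add(obj)
        out.append(f"object network {obj}")
        if g["mask"] == "255.255.255.255":
            out.append(f" host {real_ip}")
        else:
            out.append(f" subnet {real_ip} {g['mask']}")
        nat = f" nat ({g['real_ifc']},{g['mapped_ifc']}) static {mapped}"
        if g["proto"]:   # 8.3 port order is: service <proto> <real_port> <mapped_port>
            nat += f" service {g['proto']} {g['rport']} {g['mport']}"
        out.append(nat)
    return out
```

Unlike the migrated configuration above, the script writes the mapped address literally (for example `static 217.207.96.115`) instead of referencing a host object named after its alias; both forms are accepted 8.3 syntax.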