Allowing Outside traffic to inside on ASA

samirshaikh52
Level 2

I have an ASA firewall placed at the perimeter network and a host in the inside network.

I have only allowed this host to make VoIP calls using a third-party VoIP service called Jumblo (for info, www.jumblo.com).

Below is the config.

access-list inside_access_in extended permit udp host 192.168.5.150 object-group DM_INLINE_NETWORK_11 object-group Jumblo
nat (inside) 10 192.168.5.150 255.255.255.255

The call can be made successfully. But the problem is that when the call is placed he cannot hear the dial tone or the remote client's voice.

I believe that I need to configure something on the ASA to allow the traffic from outside to inside, but I am confused.

Please Advise me.

59 Replies

The Wireshark output that you posted earlier, was it with or without any access list?

Thanks

Manish

Also, post the current sh run & sh version of the device.

Thanks

Manish

I already posted the sh run in the previous reply with ASDM images.

The ASDM output does show the ports being allowed, but on the other hand I do not see any access-list or access-group being applied on the interface. I know this could be annoying, but we are trying to help, so please post the output of sh version.

Thanks

Manish

Hello Samir,

I think we are missing something here. Let us do the following. I am assuming that you have the capture configurations I had provided earlier in the firewall.

access-list cap permit ip host 192.168.5.150 any
access-list cap permit ip any host 192.168.5.150
capture capin access-list cap interface inside

1. Turn off the inside host

2. Execute following command on the firewall: "clear capture capin"

3. Now turn on the inside host

4. Except Jumblo application, do not open anything else

5. Try to make a call

6. Now collect the capture output "show capture capin"

Hope this gives us a good pointer on where the packet is getting dropped.

Regards,

NT

Hello NT.

I'll try and let you know.

I really appreciate your efforts.

Hello NT,

I have followed the steps you gave.

Please see the attached files:

Sh Run Config

Sh Capture Capin

Hello,

Can you add port 80 to your object group?

object-group service Jumblo tcp-udp

port-object eq 80

Regards,

NT

Hello,

Please ignore my earlier post.

Regards,

NT

Hi

It's already added under the Jumblo object group.

Hello Samir,

From the capture, it seems like the application is using some additional ports:

100: 01:55:13.520755 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
101: 01:55:14.520816 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
102: 01:55:15.520862 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
103: 01:55:16.520923 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
104: 01:55:17.520984 10.1.1.2.49632 > 77.72.173.189.58056: udp 12

I also noticed that it is using some additional IP addresses:

141: 01:55:25.900572 10.1.1.2.13045 > 80.239.235.232.80: udp 172
142: 01:55:25.930448 10.1.1.2.13045 > 194.120.0.232.80: udp 172
143: 01:55:25.940579 10.1.1.2.13045 > 62.41.83.232.80: udp 172
144: 01:55:25.960567 10.1.1.2.13045 > 195.219.64.232.80: udp 172
145: 01:55:25.980555 10.1.1.2.13045 > 77.72.168.232.80: udp 172
146: 01:55:26.010482 10.1.1.2.13045 > 208.167.230.117.80: udp 172
147: 01:55:26.020628 10.1.1.2.13045 > 80.239.235.232.80: udp 172
148: 01:55:26.040891 10.1.1.2.13045 > 194.120.0.232.80: udp 172
149: 01:55:26.070476 10.1.1.2.13045 > 62.41.83.232.80: udp 172
150: 01:55:26.080623 10.1.1.2.13045 > 195.219.64.232.80: udp 172
151: 01:55:26.100595 10.1.1.2.13045 > 77.72.168.232.80: udp 172
152: 01:55:26.120919 10.1.1.2.13045 > 208.167.230.117.80: udp 172
153: 01:55:26.150489 10.1.1.2.13045 > 80.239.235.232.80: udp 172
154: 01:55:26.160651 10.1.1.2.13045 > 194.120.0.232.80: udp 172
155: 01:55:26.181234 10.1.1.2.13045 > 62.41.83.232.80: udp 172
156: 01:55:26.210484 10.1.1.2.13045 > 195.219.64.232.80: udp 172

So, I guess the best way is to open up 10.1.1.2 to all external IP addresses on the set of ports. Otherwise, you can try to include the above IP addresses in your Jumblo object group.

Regards,

NT
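The capture procedure NT describes and the destination list he picked out of the capture by hand can be reduced to a small script. This is an added example, not code from the thread or from Cisco: it parses `show capture` lines in the format quoted above, counts the destinations the inside host sent packets to, and renders ASA object-group lines that would cover them. The object-group names and the final reply packet in the sample are constructed.

```python
import re
from collections import Counter

# Shape of a "show capture" line on the ASA, as quoted in the thread:
#   <n>: <hh:mm:ss.usec> <src-ip>.<src-port> > <dst-ip>.<dst-port>: <proto> <len>
CAPTURE_LINE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>[\d:.]+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>tcp|udp)\s+(?P<length>\d+)"
)

# Four lines taken from the capture quoted above, plus one constructed reply
# packet (the last line) to show that the return direction is not counted.
SAMPLE = """\
100: 01:55:13.520755 10.1.1.2.49632 > 77.72.173.189.58056: udp 12
141: 01:55:25.900572 10.1.1.2.13045 > 80.239.235.232.80: udp 172
142: 01:55:25.930448 10.1.1.2.13045 > 194.120.0.232.80: udp 172
147: 01:55:26.020628 10.1.1.2.13045 > 80.239.235.232.80: udp 172
900: 01:55:27.000000 77.72.173.189.58056 > 10.1.1.2.49632: udp 12
"""

def parse_capture(text):
    """Return one dict per packet line; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if m:
            d = m.groupdict()
            for k in ("num", "sport", "dport", "length"):
                d[k] = int(d[k])
            flows.append(d)
    return flows

def outbound_destinations(flows, host):
    """Count (dst_ip, proto, dst_port) over packets the inside host sent."""
    return Counter((f["dst"], f["proto"], f["dport"]) for f in flows if f["src"] == host)

def suggest_object_groups(dests, net_name, svc_name):
    """Render ASA object-group lines covering every destination seen (names are assumed)."""
    lines = [f"object-group network {net_name}"]
    lines += [f" network-object host {ip}" for ip in sorted({d[0] for d in dests})]
    for proto in sorted({d[1] for d in dests}):
        lines.append(f"object-group service {svc_name}-{proto} {proto}")
        lines += [f" port-object eq {p}" for p in sorted({d[2] for d in dests if d[1] == proto})]
    return lines

if __name__ == "__main__":
    dests = outbound_destinations(parse_capture(SAMPLE), "10.1.1.2")
    for (ip, proto, port), n in sorted(dests.items()):
        print(f"{ip}:{port}/{proto} {n} packets")
    print("\n".join(suggest_object_groups(dests, "Jumblo-hosts", "Jumblo")))
```

The generated groups only cover what this capture saw; if the service really does use random ports, as Manish suspects, they will keep growing with every new capture, which is the signal that the host needs a documented port range from the provider rather than more individual entries.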

Hi NT,

I have included the whole subnet for the said IP addresses and still the problem persists.

Please see the attached ASDM snaps for access rules, object-group and port groups.

Hello Samir,

Can you open up the inside host for all internet addresses on the Jumblo ports? Also, include port "58056" in the object group.

Regards,

NT

Hi Samir/NT,

It appears that the application uses random destination ports rather than just the few mentioned on the Jumblo web site regarding external firewalls, as we all saw: the Wireshark capture caught port 24670 and you saw port 58056 in the captures set up on the firewall.

I think you should give Jumblo a call and confirm which destination ports need to be open; sometimes the information on the web site is not updated for a long time. But looking at the different, unmentioned destination ports, I think it uses random ports for connectivity.

Thanks

Manish

Hi Manish and NT,

Sorry for the delay in responding, but I was actually on vacation.

Absolutely, it uses random ports; OK then, I will try to contact jumb

Big thanks for your efforts. I really appreciate it.
