02-03-2014 12:33 PM - edited 03-11-2019 08:39 PM
I'm setting up a 5505 to connect our phone system to SIP trunking. The phone system is the only thing that will be behind the 5505; however, there are multiple IPs associated with the phone system and I need to port forward based on specific port ranges. The following is what I want/need to accomplish.
Outside UDP traffic on UDP 5060-5061 and UDP 16384-17383 needs to be delivered to internal IP 192.168.1.26
Outside UDP traffic on UDP 17384-17639 needs to be delivered to internal IP 192.168.1.28
Outside UDP traffic on UDP 17640-17895 needs to be delivered to internal IP 192.168.1.27
Other than this I want traffic blocked except what is initiated internally.
I have created object groups for the host objects and for the port ranges, and set NAT rules. Am I missing anything?
Here is my running config
Any help/confirmation/critical analysis appreciated.
: Saved
:
ASA Version 8.4(6)
!
hostname wavefc
domain-name center
enable password 8EBQPyIGHYB9jy6X encrypted
passwd 8EBQPyIGHYB9jy6X encrypted
names
name 192.168.1.28 MRMA description Wave MRMA IP
name 192.168.1.27 MRMB description Wave MRMB IP
name 192.168.1.26 vam description WAVE VAM IP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.30 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.174.110.110 255.255.255.0
!
boot system disk0:/asa846-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name center
object network vam
 host 192.168.1.26
 description Created during name migration
object network MRMB_1
 host 192.168.1.27
 description Created during name migration
object network MRMA_1
 host 192.168.1.28
 description MRMB
object service VAM1
 service udp source range sip 5061 destination range sip 5061
 description VAM Ports
object service VAM2
 service udp source range 16384 17383 destination range 16384 17383
 description VAM SIP PORTS
object service MRMA
 service udp source range 17384 17639 destination range 17384 17639
 description MRM A PORTS
object service MRMB
 service udp source range 17640 17895 destination range 17640 17895
 description MRM B PORTS
object network Dynamic_NAT
 subnet 192.168.1.0 255.255.255.0
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.28
object network MRMBIP
 host 192.168.1.27
object service vamIP1
 service udp source range 16384 17383
object service SIP
 service udp source range sip 5061
object service mrmaUDP
 service udp source range 17384 17639
object service mrmbUDP
 service udp source range 17640 17895
object service vam5060
 service udp source range sip 5061
object-group service VAM_PORTS
 service-object object VAM1
 service-object object VAM2
access-list outside_access_in extended permit object-group VAM_PORTS interface outside interface inside
access-list outside_access_in extended permit object MRMA interface outside interface inside
access-list outside_access_in extended permit object MRMB interface outside 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static vamIP interface service vamIP1 vamIP1
nat (inside,outside) source static MRMA_1 interface service mrmaUDP mrmaUDP
nat (inside,outside) source static MRMB_1 interface service mrmbUDP mrmbUDP
nat (inside,outside) source static vamIP interface service vam5060 vam5060
access-group outside_access_in in interface outside
route inside 0.0.0.0 255.255.255.255 108.174.110.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.99-192.168.1.100 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username wave password 7dzE8CxoLKj5NbvA encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c8602fd7e5eca94f54c4ae20296b28bc
: end
asdm image disk0:/asdm-715-100.bin
no asdm history enable
02-03-2014 02:49 PM
Hi,
The NAT configurations seem fine for the Static PAT (Port Forward) configurations. Notice, though, that you will probably want to configure Dynamic PAT for any internal host, even if you only had the single host behind the ASA.
You can accomplish that with the following command for example
nat (inside,outside) after-auto source dynamic any interface
Also the ACL seems to be a bit off.
The first thing you should confirm is whether the connections are truly coming from the same source ports as their destination ports will be. If not, then I would suggest only using the "destination" port in the "object service". This is because usually the source port of the connection can be random, and only the destination port is usually some known port or range of ports.
Also, since we are talking about the new ASA software and its NAT/ACL configuration, you won't be allowing the traffic towards the "outside" interface public IP address. You always allow the traffic to the real IP address of the NATed host.
So it would seem to me that you would have to have these configurations for the ACL portion (part of it simply modified from the above configuration)
object service VAM1
 service udp destination range sip 5061
 description VAM Ports
object service VAM2
 service udp destination range 16384 17383
 description VAM SIP PORTS
object service MRMA
 service udp destination range 17384 17639
 description MRM A PORTS
object service MRMB
 service udp destination range 17640 17895
 description MRM B PORTS
object-group service VAM_PORTS
 service-object object VAM1
 service-object object VAM2
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.28
object network MRMBIP
 host 192.168.1.27
access-list outside_access_in remark Allow ports for Phone System
access-list outside_access_in permit object-group VAM_PORTS any object vamIP
access-list outside_access_in permit object MRMA any object MRMAIP
access-list outside_access_in permit object MRMB any object MRMBIP
You can naturally limit the connections from certain source networks/IPs if you want/can.
Let me know how it works out.
Hope this helps
- Jouni
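Added example, not part of this thread and not a Cisco tool: a small Python audit that parses object/ACL lines written in the style Jouni shows above (destination-only service objects, ACEs permitting to the real inside host), expands service groups and port ranges, and compares the resulting exposure against the port-to-host mapping from the original post. It goes one step beyond the answer by also flagging an access-list that is defined but not bound to any interface with access-group. The embedded config is constructed for the demo; MRMA's destination range is deliberately set to MRMB's ports so there is something to flag. Function names, the REQUIREMENTS table and the PORT_NAMES keyword map are this example's own assumptions.

```python
import re

# Intended exposure from the original post: (proto, low, high, inside host).
REQUIREMENTS = [
    ("udp", 5060, 5061, "192.168.1.26"),
    ("udp", 16384, 17383, "192.168.1.26"),
    ("udp", 17384, 17639, "192.168.1.28"),
    ("udp", 17640, 17895, "192.168.1.27"),
]
# Constructed ASA-style excerpt (not the config posted in the thread): MRMA's
# destination range is deliberately set to MRMB's ports so the audit flags it.
SAMPLE_CONFIG = """\
object service VAM1
 service udp destination range sip 5061
object service VAM2
 service udp destination range 16384 17383
object service MRMA
 service udp destination range 17640 17895
object service MRMB
 service udp destination range 17640 17895
object-group service VAM_PORTS
 service-object object VAM1
 service-object object VAM2
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.28
object network MRMBIP
 host 192.168.1.27
access-list outside_access_in extended permit object-group VAM_PORTS any object vamIP
access-list outside_access_in extended permit object MRMA any object MRMAIP
access-list outside_access_in extended permit object MRMB any object MRMBIP
access-group outside_access_in in interface outside
"""
PORT_NAMES = {"sip": 5060, "domain": 53, "http": 80, "https": 443}  # ASA port keywords

def port_number(token):
    """Resolve an ASA port keyword or a numeric port to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_asa(text):
    """Collect service objects, host objects, service groups, 'permit <svc> any object <host>' ACEs and access-group bindings."""
    services, hosts, groups, acl, bound = {}, {}, {}, [], set()
    current = None  # (kind, name) of the object block being read
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"object service (\S+)$", line):
            current, services[m.group(1)] = ("svc", m.group(1)), []
        elif m := re.match(r"object network (\S+)$", line):
            current = ("net", m.group(1))
        elif m := re.match(r"object-group service (\S+)$", line):
            current, groups[m.group(1)] = ("grp", m.group(1)), []
        elif (m := re.match(r"service (tcp|udp) destination (?:range (\S+) (\S+)|eq (\S+))", line)) and current and current[0] == "svc":
            lo, hi = port_number(m.group(2) or m.group(4)), port_number(m.group(3) or m.group(4))
            services[current[1]].append((m.group(1), lo, hi))
        elif (m := re.match(r"host (\S+)$", line)) and current and current[0] == "net":
            hosts[current[1]] = m.group(1)
        elif (m := re.match(r"service-object object (\S+)$", line)) and current and current[0] == "grp":
            groups[current[1]].append(m.group(1))
        elif m := re.match(r"access-list (\S+) (?:extended )?permit (?:object-group|object) (\S+) any object (\S+)$", line):
            acl.append((m.group(1), m.group(2), m.group(3)))
        elif m := re.match(r"access-group (\S+) in interface \S+$", line):
            bound.add(m.group(1))
    return services, hosts, groups, acl, bound

def to_ranges(ports):
    """Collapse a list of ports into contiguous (low, high) ranges."""
    out = []
    for p in sorted(ports):
        if out and p == out[-1][1] + 1:
            out[-1][1] = p
        else:
            out.append([p, p])
    return [tuple(r) for r in out]

def audit(config_text, requirements):
    """Findings where the ACL differs from the intended mapping, plus any ACL bound to no interface."""
    services, hosts, groups, acl, bound = parse_asa(config_text)
    allowed = {}  # (proto, port) -> set of inside hosts an ACE exposes it to
    for _acl, ref, dst in acl:
        for svc in groups.get(ref, [ref]):
            for proto, lo, hi in services.get(svc, []):
                for p in range(lo, hi + 1):
                    allowed.setdefault((proto, p), set()).add(hosts[dst])  # KeyError on a dangling object is deliberate
    required = {(proto, p): ip for proto, lo, hi, ip in requirements for p in range(lo, hi + 1)}
    buckets = {}  # (label, proto, exposed host, intended host) -> ports
    for key, ip in required.items():
        if ip not in allowed.get(key, set()):
            buckets.setdefault(("MISSING", key[0], ip, ip), []).append(key[1])
    for key, ips in allowed.items():
        for ip in ips - {required.get(key)}:
            label = "WRONG HOST" if key in required else "EXTRA"
            buckets.setdefault((label, key[0], ip, required.get(key)), []).append(key[1])
    findings = []
    for (label, proto, ip, want), ports in buckets.items():
        for lo, hi in to_ranges(ports):
            findings.append(f"{label}: {proto} {lo}-{hi} -> {ip}" + (f" (should be {want})" if label == "WRONG HOST" else ""))
    findings += [f"NOT APPLIED: access-list {n} is bound to no interface" for n in sorted({a[0] for a in acl} - bound)]
    return findings
```

Calling audit(SAMPLE_CONFIG, REQUIREMENTS) on the constructed excerpt returns two findings: the MRM A range 17384-17639 is never permitted to 192.168.1.28, and 17640-17895 is exposed to 192.168.1.28 although it belongs to 192.168.1.27. Correcting the MRMA object makes the list empty; removing the access-group line yields only the NOT APPLIED finding. The parser deliberately ignores source ports and anything other than "permit ... any object <host>" ACEs, which is exactly the shape Jouni recommends; a real running-config with "interface" destinations or source-port matches would need the patterns widened.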
02-03-2014 07:02 PM
Thanks for the input. I'm a n00b with Cisco. It all makes sense in my head, but putting it into practice for the first few times is always an experience. I'll be putting this live tomorrow; I'll let you know how it goes.
02-04-2014 08:32 AM
OK, I made the changes you suggested. I'll attach my running config. I'm not able to get to the internet from the phone system (it's basically a Server 2003 box). I can ping from the ASA successfully, but not from the phone system. I am resolving DNS.
: Saved
:
ASA Version 8.4(6)
!
hostname wavefc
domain-name center
enable password 8EBQPyIGHYB9jy6X encrypted
passwd 8EBQPyIGHYB9jy6X encrypted
names
name 192.168.1.28 MRMA description Wave MRMA IP
name 192.168.1.27 MRMB description Wave MRMB IP
name 192.168.1.26 vam description WAVE VAM IP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.30 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.174.110.110 255.255.255.0
!
boot system disk0:/asa846-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name center
object network vam
 host 192.168.1.26
 description Created during name migration
object network MRMB_1
 host 192.168.1.27
 description Created during name migration
object network MRMA_1
 host 192.168.1.28
 description MRMB
object service VAM1
 service udp destination range sip 5061
 description VAM ports
object service VAM2
 service udp destination range 16384 17383
 description VAM SIP PORTS
object service MRMA
 service udp destination range 17640 17895
 description MRM A PORTS
object service MRMB
 service udp destination range 17640 17895
 description MRM B PORTS
object network Dynamic_NAT
 subnet 192.168.1.0 255.255.255.0
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.27
object network MRMBIP
 host 192.168.1.27
object service vamIP1
 service udp source range 16384 17383
object service SIP
 service udp source range sip 5061
object service mrmaUDP
 service udp source range 17384 17639
object service mrmbUDP
 service udp source range 17640 17895
object service vam5060
 service udp source range sip 5061
object-group service VAM_PORTS
 service-object object VAM1
 service-object object VAM2
access-list outside_access_in remark Allow ports for phone system
access-list outside_access_in extended permit object-group VAM_PORTS any object vamIP
access-list outside_access_in extended permit object MRMA any object MRMAIP
access-list outside_access_in extended permit object MRMB any object MRMBIP
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static vamIP interface service vamIP1 vamIP1
nat (inside,outside) source static MRMA_1 interface service mrmaUDP mrmaUDP
nat (inside,outside) source static MRMB_1 interface service mrmbUDP mrmbUDP
nat (inside,outside) source static vamIP interface service vam5060 vam5060
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 108.174.110.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.99-192.168.1.100 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username wave password 7dzE8CxoLKj5NbvA encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f1c2682304b634248f80c2cbccf90928
: end
asdm image disk0:/asdm-715-100.bin
no asdm history enable
02-04-2014 08:38 AM
Hi,
Do you mean that you cannot ICMP/PING to the Internet from the server?
I can't see any problem with the ASA configurations for normal TCP/UDP connectivity towards Internet but for ICMP to work you must add these.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
Let me know if that helps
- Jouni
02-04-2014 08:55 AM
I've put in a static route for the gateway... but when I run the sh route command it doesn't show up there?
wavefc(config)# route outside 0.0.0.0 0.0.0.0 108.174.110.1 1
wavefc(config)# sh rou
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.1.0 255.255.255.0 is directly connected, inside
wavefc(config)#
02-04-2014 08:56 AM
correct, I can't ping, but I also can't browse to websites, and my SIP trunk isn't connecting. I'll add in the policy map command and test it.
02-04-2014 08:57 AM
Hi,
That would usually indicate that the interface itself is down.
Have you confirmed that the ASA port Ethernet0/0 is connected to the external network?
- Jouni
02-04-2014 09:20 AM
e0/0 is physically connected to the external network.
I am replacing a SonicWall with this ASA5505.
I am moving the cable from the SonicWall WAN port to the e0/0 interface on the ASA5505.
I am moving the cable from the SonicWall lan0/1 port to the e0/1 interface on the ASA5505.
On the SonicWall the settings are:
LAN IP 192.168.1.30
WAN IP 108.174.110.110
gateway 108.174.110.1
The SonicWall is functional.
So on the Cisco I set vlan2 to 108.174.110.110 and set e0/0 switchport access vlan 2,
and I set the vlan 1 IP to 192.168.1.30,
and route 0.0.0.0 0.0.0.0 108.174.110.1 1 for the default route/gateway.
I can ping my vlan2 IP but I can't ping the gateway IP from the Cisco.
Am I missing the part that lets vlan 1 talk with vlan 2?
02-04-2014 09:27 AM
Hi,
The configuration itself seems good to me except that the ACL is not attached to the external interface yet
access-group outside_access_in in interface outside
Also, when you look at the routing table of the ASA with the command
show route
You should see both the "outside" interface network there and you should also see the default route.
Can you share the output of the following when the ASA is connected to the network.
show interface Ethernet0/0
show route
show arp
show run interface Vlan2
Notice also that when you are switching 2 different devices with the same public IP address (but different MAC address), your ISP gateway might not always update and therefore traffic might not work. This should not prevent the routes from showing on the ASA, but would rather mean that traffic wouldn't flow unless the ISP gateway updated with the new MAC address. You also have the option to configure the SonicWall external interface MAC address on the ASA Vlan2 interface if ARP is part of the problem.
- Jouni
02-04-2014 09:33 AM
wavefc(config)# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 885a.922c.59fc, MTU not set
IP address unassigned
4858 packets input, 1031732 bytes, 0 no buffer
Received 694 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
3972 switch ingress policy drops
26 packets output, 3014 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
wavefc(config)#
wavefc(config)# sh rou
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 108.174.110.1 to network 0.0.0.0
C 108.174.110.0 255.255.255.0 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 108.174.110.1, outside
wavefc(config)#
wavefc(config)# sh arp
inside 192.168.1.108 842b.2ba9.7e36 0
inside 192.168.1.23 0021.9b8f.75de 3
inside vam 0060.e055.cd70 206
inside 192.168.1.11 009c.021f.0eac 2782
outside 108.174.110.1 0000.5e00.010a 5171
wavefc(config)#
wavefc(config)# sh run int vlan 2
!
interface Vlan2
nameif outside
security-level 0
ip address 108.174.110.110 255.255.255.0
wavefc(config)#
Thanks for all the assistance. Here is the info you wanted. I'll get with the ISP about the MAC address; I was just thinking about that. How would I go about adding the SonicWall MAC to vlan2?
02-04-2014 09:38 AM
Hi,
If you can check the SonicWall external interface MAC address then you can configure that MAC address to the ASA Vlan2 interface by using these commands
wavefc(config)# interface Vlan2
wavefc(config-if)# mac-address aaaa.bbbb.cccc
Where the aaaa.bbbb.cccc is naturally the MAC address from the SonicWall
- Jouni
02-04-2014 09:41 AM
The SonicWall MAC comes in an xx:xx:xx:xx:xx:xx format. I've tried entering it in straight but it won't take it. How do I convert it?
02-04-2014 09:43 AM
Hi,
You just write it in groups of 4 like I mentioned.
xxxx.xxxx.xxxx
- Jouni
02-04-2014 09:54 AM
Great. I can now ping (from the ASA) to external internet IPs, as well as the default route IP. But I'm still unable to get to the internet from the host. I've applied the ACL mentioned above.