02-03-2014 12:33 PM - edited 03-11-2019 08:39 PM
I'm setting up a 5505 to connect our phone system to SIP trunking. The phone system is the only thing that will be behind the 5505; however, there are multiple IPs associated with the phone system and I need to port forward based on specific port ranges. The following is what I want/need to accomplish.
outside UDP traffic on UDP 5060-5061 and UDP 16384-17383 needs to be delivered to internal IP 192.168.1.26
outside UDP traffic on UDP 17384-17639 needs to be delivered to internal IP 192.168.1.28
outside UDP traffic on UDP 17640-17895 needs to be delivered to internal IP 192.168.1.27
Other than this, I want traffic blocked except what is initiated internally.
I have created object groups for the host objects and for the port ranges and set NAT rules. Am I missing anything?
Here is my running config:
Any help/confirmation/critical analysis appreciated.
: Saved
:
ASA Version 8.4(6)
!
hostname wavefc
domain-name center
enable password 8EBQPyIGHYB9jy6X encrypted
passwd 8EBQPyIGHYB9jy6X encrypted
names
name 192.168.1.28 MRMA description Wave MRMA IP
name 192.168.1.27 MRMB description Wave MRMB IP
name 192.168.1.26 vam description WAVE VAM IP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.30 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.174.110.110 255.255.255.0
!
boot system disk0:/asa846-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name center
!
! Host objects (the "_1" objects and the "IP" objects below describe the same three hosts twice)
object network vam
 host 192.168.1.26
 description Created during name migration
object network MRMB_1
 host 192.168.1.27
 description Created during name migration
object network MRMA_1
 host 192.168.1.28
 description MRMB
!
! Service objects used only by the ACL (source and destination range on both sides)
object service VAM1
 service udp source range sip 5061 destination range sip 5061
 description VAM Ports
object service VAM2
 service udp source range 16384 17383 destination range 16384 17383
 description VAM SIP PORTS
object service MRMA
 service udp source range 17384 17639 destination range 17384 17639
 description MRM A PORTS
object service MRMB
 service udp source range 17640 17895 destination range 17640 17895
 description MRM B PORTS
!
! NOTE: no "nat (inside,outside) dynamic interface" line appears under this object
! anywhere in the posted config, so the 192.168.1.0/24 LAN has no outbound PAT rule.
object network Dynamic_NAT
 subnet 192.168.1.0 255.255.255.0
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.28
object network MRMBIP
 host 192.168.1.27
!
! Service objects used by the NAT statements (source range = the inside host's port)
object service vamIP1
 service udp source range 16384 17383
object service SIP
 service udp source range sip 5061
object service mrmaUDP
 service udp source range 17384 17639
object service mrmbUDP
 service udp source range 17640 17895
object service vam5060
 service udp source range sip 5061
object-group service VAM_PORTS
 service-object object VAM1
 service-object object VAM2
!
! NOTE: from 8.3 on, an inbound ACL is evaluated against the real (untranslated) destination,
! so "interface inside" here matches the ASA's own 192.168.1.30, not the PBX hosts 192.168.1.26-28.
access-list outside_access_in extended permit object-group VAM_PORTS interface outside interface inside
access-list outside_access_in extended permit object MRMA interface outside interface inside
access-list outside_access_in extended permit object MRMB interface outside 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
! Static PAT (manual NAT): outside-interface-IP:port -> host:port, same ports on both sides
nat (inside,outside) source static vamIP interface service vamIP1 vamIP1
nat (inside,outside) source static MRMA_1 interface service mrmaUDP mrmaUDP
nat (inside,outside) source static MRMB_1 interface service mrmbUDP mrmbUDP
nat (inside,outside) source static vamIP interface service vam5060 vam5060
access-group outside_access_in in interface outside
!
! NOTE: a default route is "route outside 0.0.0.0 0.0.0.0 <next-hop>"; this line carries a /32 mask
! and points out the inside interface toward a next-hop (108.174.110.1) that lives on the outside subnet.
route inside 0.0.0.0 255.255.255.255 108.174.110.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
! NOTE: dh-group1-sha1 is the weakest key exchange the platform offers; prefer dh-group14-sha1 where the image supports it.
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
! NOTE: "dhcpd enable inside" is absent, so this pool is not actually served.
dhcpd address 192.168.1.99-192.168.1.100 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username wave password 7dzE8CxoLKj5NbvA encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c8602fd7e5eca94f54c4ae20296b28bc
: end
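The following is an added example, not the poster's config and not an answer from the thread. It shows one way to express the stated requirement on ASA 8.4: static PAT on the outside interface address for the three hosts and port ranges, outbound dynamic PAT for everything else, and an inbound ACL written against the real inside addresses (from 8.3 on the ACL is evaluated after NAT un-translation, so it must name the host, not the outside interface). Object names, the assumption that outbound LAN traffic should PAT to the outside interface, and the ISP next-hop being the one in the post are all assumptions.

```cisco
! Added example, not the original poster's configuration.
! Assumes Vlan1/inside 192.168.1.30 and Vlan2/outside 108.174.110.110 as in the post.

! Real hosts behind the firewall
object network VAM_HOST
 host 192.168.1.26
object network MRMA_HOST
 host 192.168.1.28
object network MRMB_HOST
 host 192.168.1.27

! Port ranges. In "nat ... service REAL MAPPED" the service object's SOURCE port
! is the inside host's port, so only a source range is needed.
object service VAM_SIP
 service udp source range 5060 5061
object service VAM_RTP
 service udp source range 16384 17383
object service MRMA_RTP
 service udp source range 17384 17639
object service MRMB_RTP
 service udp source range 17640 17895

! Static PAT (manual NAT, evaluated first): outside-IP:port <-> host:port, same port both sides
nat (inside,outside) source static VAM_HOST interface service VAM_SIP VAM_SIP
nat (inside,outside) source static VAM_HOST interface service VAM_RTP VAM_RTP
nat (inside,outside) source static MRMA_HOST interface service MRMA_RTP MRMA_RTP
nat (inside,outside) source static MRMB_HOST interface service MRMB_RTP MRMB_RTP

! Outbound dynamic PAT for the rest of the LAN (object NAT, evaluated after the statics,
! so the static entries above win for their ports). Assumption: PAT to the outside address.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Inbound ACL against the REAL destination addresses. Nothing else is permitted inbound:
! the implicit deny at the end covers it, and a NAT entry alone never admits traffic.
access-list outside_access_in extended permit udp any object VAM_HOST range 5060 5061
access-list outside_access_in extended permit udp any object VAM_HOST range 16384 17383
access-list outside_access_in extended permit udp any object MRMA_HOST range 17384 17639
access-list outside_access_in extended permit udp any object MRMB_HOST range 17640 17895
access-group outside_access_in in interface outside

! Default route leaves the outside interface toward the ISP next-hop (value from the post)
route outside 0.0.0.0 0.0.0.0 108.174.110.1 1
```

Two checks worth running after applying something like this: `show nat detail` should list the four static entries above the dynamic one, and `packet-tracer input outside udp 203.0.113.5 5060 108.174.110.110 5060` (203.0.113.5 is a documentation address standing in for the SIP provider) should end in ALLOW with the destination un-translated to 192.168.1.26. If the trunk provider publishes its signalling and media address ranges, replace `any` in the ACL with an object-group of those ranges; that is the only thing standing between the PBX and the whole Internet on those ports. Also note that the posted policy has `inspect sip` in global_policy: the SIP inspection engine rewrites embedded addresses in signalling, which can be either necessary or harmful depending on whether the PBX already advertises the public address, so test calls with it on and off rather than assuming.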
02-04-2014 09:58 AM
Hi,
So I imagine that you are trying from a host whose network settings are statically configured and NOT DHCP?
If you have statically configured the settings, please confirm the IP address/network mask/gateway/DNS server so that they are correct.
If you are testing from a DHCP host, then please add some DNS servers to your DHCP configuration on the ASA
dhcpd dns 8.8.8.8
for example, or the DNS servers provided by your ISP.
- Jouni
02-04-2014 10:00 AM
Hi,
Actually, it seems you have not even enabled DHCP:
dhcpd enable inside
That is, if you want to enable it at all.
- Jouni
02-04-2014 10:07 AM
Yes it is statically configured.
IP - 192.168.1.26 255.255.255.0
GW - 192.168.1.30
DNS 8.8.8.8
DNS will resolve... and
after a third reboot its working like a charm. Thanks a TON for your assistance! You're a lifesaver!
02-04-2014 10:10 AM
Great to hear it's working now.
I was starting to think I was missing something simple.
- Jouni
02-04-2014 12:58 PM
Jouni,
I've got one more thing.
I've got some traffic coming in on the internal interface that is from the 192.168.2.0 range. This is coming in over a VPN. I need to send that traffic back via 192.168.1.254 (which is the gateway controlling the point-to-point VPN). On my SonicWall I have a route set as follows:
source = 192.168.1.0/24 destination=192.168.2.0/24 protocol=any gateway = 192.168.1.254
I'm thinking that on the ASA I need to put in something like
route inside 192.168.2.0 255.255.255.0 192.168.1.254 1
I've got that entered but I'm not establishing communication. Am I on the right track?
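The thread does not carry an answer to this last question. As an added example (not from the thread or from Cisco), here is the route as written in the post together with the two things a practitioner would check when the VPN gateway sits on the same LAN as the ASA's inside interface: the replies from 192.168.1.x enter and leave the inside interface, which the ASA refuses by default, and for TCP the ASA only ever sees the reply half of the connection because the initial packet came from 192.168.1.254 straight to the host. The ACL, class-map and object names are assumptions; the policy-map name global_policy is taken from the posted config.

```cisco
! Added example, not the original poster's configuration.
! Assumes the PBX hosts use the ASA (192.168.1.30) as their default gateway and the
! VPN gateway 192.168.1.254 is on the same inside LAN, as described in the post.
route inside 192.168.2.0 255.255.255.0 192.168.1.254 1

! Replies from 192.168.1.x arrive on "inside" and must leave on "inside" again toward .254.
! The ASA drops such hairpinned traffic unless intra-interface forwarding is permitted.
same-security-traffic permit intra-interface

! For TCP the ASA sees only the reply half (the SYN went from .254 directly to the host),
! so stateful inspection discards the SYN-ACK as a first packet that is not a SYN.
! Bypass TCP state tracking for exactly this pair of subnets; UDP (SIP/RTP) does not need it.
access-list VPN_BYPASS extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
class-map VPN_BYPASS_CLASS
 match access-list VPN_BYPASS
policy-map global_policy
 class VPN_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
```

The cleaner fix is to keep the ASA out of the path altogether: a host route on the PBX machines for 192.168.2.0/24 via 192.168.1.254 means the ASA never sees this traffic and needs neither the intra-interface permit nor the state bypass. If the ASA must stay in the path, keep the bypass ACL as narrow as above; tcp-state-bypass turns off sequence-number and handshake checks for every flow that matches it. `show asp drop` after a failed test will name the actual drop reason and confirm which of the two conditions applies.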