ASA 8.4 NAT Many Subnet to One Scenario

jayasimh
Cisco Employee

Hello,

I have a scenario like this -

                192.168.12.x/24
          [LAN]===========+
                          |
                          |                                 GLOBAL IP ADDRESS
                     [Cisco 3750]-----------------[ASA 8.4]==================(INTERNET)
                            |
          192.168.12.x/24   |
                            |
                 [LINUX ROUTER]
                            |
                            +-----------------[LAN 10.1.1.0]
                            |
                            |
                            +-----------------[LAN 10.1.2.0]
                            |
                            |
                            +-----------------[LAN 10.1.3.0]

On ASA I Have -

object network obj-192.168.12.26
nat (Inside,Outside) static interface
object network obj-192.168.12.0
nat (Inside,Outside) dynamic interface

NAT works beautifully for the 192.168.12.x network and all hosts can reach the other side; however, I cannot seem to get NAT to work for subnets 10.1.1.0, 10.1.2.0 and 10.1.3.0.

I have tried

object network obj-10.1.1.0
  subnet 10.1.1.0 255.255.255.0
  nat (inside,outside) dynamic interface

for each of the subnets, and it is not working. Could you please help me figure out how to get around this scenario?

Best Regards,

Jayasimha


Jouni Forss
VIP Alumni

Hi,

You can configure Dynamic PAT for all the networks with a pretty small configuration.

For example, you can use only these configurations:

object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.12.0 255.255.255.0
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Also, if you are using the "outside" interface IP address as the Dynamic PAT address, then DON'T use the "interface" IP address in a Static NAT configuration like you are now doing with the following configuration:

object network obj-192.168.12.26
 nat (Inside,Outside) static interface

Remove all the NAT configurations and then add the NAT configuration I suggested and test connections again.

If you want to configure Static NAT then you will have to use another public IP address. If you want to forward some port using the same public IP address then you will have to configure Static PAT.

Please remember to mark the reply as the correct answer if it answered your question or ask more if needed

Hope this helps

- Jouni
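
An offline check for the conflict described in the reply above, as an added example that is not part of the original thread and not Cisco tooling: it parses a saved configuration and flags any one-to-one static NAT to `interface` on an egress interface that is also used for Dynamic PAT. The function names and the `host`/`subnet` lines in the sample are assumptions; the NAT lines are the ones quoted in the thread.

```python
import re

NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\)\s+(.*)$", re.I)

# Constructed sample: NAT lines from the thread; host/subnet lines are assumed.
SAMPLE_CONFIG = """\
object network obj-192.168.12.26
 host 192.168.12.26
 nat (Inside,Outside) static interface
object network obj-192.168.12.0
 subnet 192.168.12.0 255.255.255.0
 nat (Inside,Outside) dynamic interface
object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.12.0 255.255.255.0
 network-object 10.1.1.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
"""

def parse_nat_rules(config):
    """Return one dict per nat statement, covering object NAT and manual NAT."""
    rules, last_obj = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("object network "):
            last_obj = line.split()[2]          # owner of following object NAT
        m = NAT_RE.match(line)
        if not m:
            continue
        # Drop the section keyword and any explicit rule line number.
        tok = [t for t in m.group(3).split()
               if t.lower() != "after-auto" and not t.isdigit()]
        low = [t.lower() for t in tok]
        if low[:1] == ["source"] and len(tok) >= 4:    # source KIND REAL MAPPED
            kind, real, mapped = low[1], tok[2], low[3]
        elif len(tok) >= 2 and low[0] != "source":     # object NAT: KIND MAPPED
            kind, real, mapped = low[0], last_obj, low[1]
        else:
            continue
        rules.append({"egress": m.group(2).lower(), "kind": kind,
                      "real": real, "mapped": mapped,
                      "service": "service" in low})
    return rules

def find_interface_conflicts(config):
    """Static NAT to 'interface' without a service clause where PAT also uses it."""
    rules = [r for r in parse_nat_rules(config) if r["mapped"] == "interface"]
    pat_egress = {r["egress"] for r in rules if r["kind"] == "dynamic"}
    return [(r["egress"], r["real"]) for r in rules
            if r["kind"] == "static" and not r["service"] and r["egress"] in pat_egress]

print(find_interface_conflicts(SAMPLE_CONFIG))
```

A static rule that carries a `service` clause (Static PAT) is not flagged, matching the advice that port forwarding on the shared address must be done as Static PAT.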

Hi Jouni,

Thanks for your response. Have tried the following -

object network source-real
host 192.168.12.26
object service inside-sip-port
service udp source eq sip
object service outside-sip-port
service udp source eq sip
object-group network DEFAULT-PAT-SOURCE
network-object 192.168.12.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 10.1.2.0 255.255.255.0
network-object 10.1.3.0 255.255.255.0

nat (Inside,Outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
nat (Inside,Outside) after-auto source static source-real interface service inside-sip-port outside-sip-port

As you can tell, I am trying to get a SIP client in the subnet of 10.1.x.x to work. I do have a client in the 192.168.12.x subnet and that SIP client works perfectly fine, in the sense that I can hear voice on both ends.

But with the 10.1.x.x client, I cannot hear voice coming from the other end; the other end hears the voice from the 10.1.x.x client. Any idea how to solve this issue?

Thanks,

Jayasimha

Hi,

Sorry, VOIP is not something that I am familiar with myself or have to deal with.

I would, however, change the NAT command a bit.

You could try:

no nat (Inside,Outside) after-auto source static source-real interface service inside-sip-port outside-sip-port
nat (Inside,Outside) source static source-real interface service inside-sip-port outside-sip-port

Though if your VOIP is working from another network behind the ASA and it's using only Dynamic PAT, then I don't see why the other network would need this Static PAT configuration to work?

- Jouni

Hi Jouni,

Thank you, I did change the NAT statement as you suggested. However, the issue of one-way audio is not fixed. Any ideas on how to fix it?

Thanks

Jayasimha

Hi,

As I said, I am not as familiar with VOIP as I would hope.

So I don't really know how to help.

In the past we had a similar problem related to VOIP traffic through FWSM and one-way sound, but even using Cisco TAC we were never able to correct the problem and went with another VOIP solution/setup.

- Jouni

Thanks Jouni.

For completeness of the issue raised, marking this post as answered.

As for the One way audio issue, will probably raise a new discussion.

Thanks,

Jayasimha
