09-23-2014 08:16 AM - edited 03-11-2019 09:48 PM
Hi All,
I am an accidental administrator and need some assistance please. Our ASA firewall is apparently blocking our phone traffic, resulting in only one phone being active at a time. I've been told by the provider that port 5060 needs to be able to receive. Can someone help me with whatever I'm missing to make this work? What I have tried has not helped, and hopefully hasn't hurt anything else.
Here are some parts from the config:
ASA Version 9.1(2)
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxx.xxx.140.170 255.255.255.0
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.1
vlan 2
nameif inside
security-level 100
ip address 10.2.170.254 255.255.248.0
!
interface GigabitEthernet0/1.71
vlan 71
nameif voice
security-level 100
ip address 10.2.191.254 255.255.255.0
!
access-list inside_access_in extended permit ip 10.2.176.0 255.255.248.0 any
access-list inside_access_in extended permit tcp 10.2.176.0 255.255.248.0 any
access-list inside_access_in extended permit udp 10.2.176.0 255.255.248.0 any
access-list global_access extended permit icmp 10.2.176.0 255.255.248.0 any
access-list global_access extended permit ip object xxxxvpn any
access-list global_access extended permit ip object lanadmin any
access-list voice_access_in extended permit ip 10.2.191.0 255.255.255.0 any
access-list voice_access_in extended permit tcp 10.2.191.0 255.255.255.0 eq sip any
access-list outside_access_in extended permit ip any 10.2.191.0 255.255.255.0
access-list outside_access_in extended permit udp any eq sip 10.2.191.0 255.255.255.0
access-list outside_access_in extended permit tcp any eq sip 10.2.191.0 255.255.255.0
!
!!
nat (inside,outside) source static any interface
nat (voice,outside) source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group voice_access_in in interface voice
access-group global_access global
Thank you for your assistance!
09-24-2014 06:11 AM
Hi,
Could you share the output of the following command
show run nat
The thing that catches my eye on the above partial configuration is that there is a "static" type NAT configuration for the "inside" interface which binds "any" source address statically to the public IP address of the "outside" interface, since the parameter "interface" is used in the command. The "static" type configuration is typically used when you have a specific host for which you want to give a static public IP address or perhaps forward only specific ports. When you want to share a single public IP address for multiple hosts then the "nat" command typically uses the parameter "dynamic".
I mean this command
nat (inside,outside) source static any interface
Now I am not sure if this is related to the problem, but it's at least a NAT configuration that I would change.
You could actually do a Dynamic PAT for all the internal hosts/devices with the below command, in which case you would not need the above 2 commands at all. And actually the below Dynamic PAT configuration would only get used if the above NAT configurations were not on the device. The reason for this is that they are configured at a higher priority, which comes from the fact that they don't have the parameter "after-auto" included in them.
nat (any,outside) after-auto source dynamic any interface
Have you looked at the real time logs through the ASDM while attempting the connections through the firewall? This might give a hint on what the problem is if it's not NAT related.
- Jouni
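The ordering point in the reply above (section 1 manual NAT first, object NAT second, after-auto manual NAT last, first match wins) is easy to get wrong when reading a config, so here is a small Python model of it. This is an added example, not code from the thread or from Cisco: it parses the two NAT lines quoted in the question plus the proposed after-auto line, then shows which rule each sample flow would hit. The sample hosts (10.2.170.10 on inside, 10.2.191.10 on voice) are constructed, the parser only accepts "any" or a CIDR as the real source, and section 2 (object NAT) is assumed empty because none appears in the quoted config.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed input: the two NAT lines quoted in the question plus the proposed replacement.
THREAD_NAT_LINES = [
    "nat (inside,outside) source static any interface",
    "nat (voice,outside) source dynamic any interface",
]
PROPOSED_LINE = "nat (any,outside) after-auto source dynamic any interface"

# Manual ("twice") NAT syntax: nat (real_ifc,mapped_ifc) [after-auto] source {static|dynamic} real mapped
NAT_RE = re.compile(
    r"nat\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<after>after-auto\s+)?source\s+(?P<kind>static|dynamic)\s+"
    r"(?P<real>\S+)\s+(?P<mapped>\S+)"
)


@dataclass
class NatRule:
    real_if: str           # "any" matches traffic entering on every interface
    mapped_if: str
    kind: str              # "static" or "dynamic"
    real_src: IPv4Network  # source addresses the rule translates
    mapped: str            # "interface" = translate to the mapped interface's own address
    after_auto: bool       # True -> NAT section 3, evaluated after everything else
    line: str


def parse_nat(line: str) -> NatRule:
    """Parse one manual NAT line (assumption: real source is 'any' or a CIDR, not an object name)."""
    m = NAT_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"not a manual NAT line: {line!r}")
    real = m["real"]
    net = ip_network("0.0.0.0/0") if real == "any" else ip_network(real, strict=False)
    return NatRule(m["real_if"], m["mapped_if"], m["kind"], net, m["mapped"],
                   m["after"] is not None, line.strip())


def in_evaluation_order(rules: List[NatRule]) -> List[NatRule]:
    """ASA NAT table order: section 1 (manual NAT, config order), section 2 (object NAT,
    none in this thread), then section 3 (manual NAT with after-auto, config order)."""
    return [r for r in rules if not r.after_auto] + [r for r in rules if r.after_auto]


def first_match(rules: List[NatRule], ingress_if: str, src_ip: str) -> Optional[NatRule]:
    """Return the first rule claiming a packet from src_ip that arrived on ingress_if."""
    ip = ip_address(src_ip)
    for r in in_evaluation_order(rules):
        if r.real_if in ("any", ingress_if) and ip in r.real_src:
            return r
    return None


def shadowed_rules(rules: List[NatRule], flows: List[Tuple[str, str]]) -> List[NatRule]:
    """Rules that none of the sample flows ever reach, e.g. an after-auto PAT behind section-1 'any' rules."""
    hit = {id(first_match(rules, ifc, ip)) for ifc, ip in flows}
    return [r for r in rules if id(r) not in hit]


# Constructed sample flows: one inside host and one phone on the voice VLAN.
SAMPLE_FLOWS = [("inside", "10.2.170.10"), ("voice", "10.2.191.10")]

if __name__ == "__main__":
    current = [parse_nat(l) for l in THREAD_NAT_LINES + [PROPOSED_LINE]]
    for ifc, ip in SAMPLE_FLOWS:
        print(f"{ifc:7} {ip:13} -> {first_match(current, ifc, ip).line}")
    for r in shadowed_rules(current, SAMPLE_FLOWS):
        print("never reached while the section-1 rules exist:", r.line)
    replacement = [parse_nat(PROPOSED_LINE)]
    for ifc, ip in SAMPLE_FLOWS:
        print(f"with only the after-auto rule: {ifc:7} {ip:13} -> {first_match(replacement, ifc, ip).line}")
```

Running it shows the inside host landing on the static rule and the phone on the voice dynamic rule, while the after-auto line is never reached until the two section-1 rules are removed; with only the after-auto rule present, both flows (and any other interface) fall through to the single dynamic PAT, which is the behaviour the reply describes.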