07-17-2013 01:37 PM - edited 03-11-2019 07:13 PM
Is there a way to preserve the source port for UDP packets that use a PAT pool?
Here is what I need:
The client (1.1.1.1) sends a UDP packet from port 5060 to port 5060 on our external 2.2.2.2. This packet is port forwarded to our internal server 10.10.10.10 with the original source and destination port. The server then sends a UDP response to the client from port 5060 to port 5060. The server is in a PAT pool that only contains the address 2.2.2.2. The ASA changes the source port and our client ends up rejecting the packet because the source port is not what it expected.
How can I preserve the original source port when the packet goes through the PAT pool?
Thanks,
Steven
07-17-2013 01:49 PM
Hi,
It can be done in the new software at least, which would be 8.3 or newer.
What's your software level?
- Jouni
07-18-2013 05:16 AM
8.4
07-18-2013 05:29 AM
Hi,
So if I am not totally mistaken, you have the following type of Static PAT configuration for the incoming UDP traffic:
object network STATIC-PAT-UDP5060
 host 10.10.10.10
 nat (inside,outside) static interface service udp 5060 5060
If this is true then you could try adding this:
object network HOST
 host 10.10.10.10
object service UDP5060
 service udp source eq 5060 destination eq 5060
nat (inside,outside) source static HOST interface service UDP5060 UDP5060
This should preserve the source port for outbound connections.
You might see an error message stating that the created NAT configuration overlaps with the existing Static PAT, but it didn't seem to cause problems.
Though as long as both source and destination port remain UDP5060 then this NAT should handle both directions.
Let me know if this works for you
- Jouni
07-18-2013 05:36 AM
That looks like it will work for 1 server. Can I get this to work for 2 servers?
We are trying to load balance our SIP traffic through a CSS.
Incoming traffic on 2.2.2.2 to port 5060 will get forwarded to the CSS's virtual IP 10.10.10.10 and it load balances the traffic to 10.10.11.11 and 10.10.11.12.
Can I get outgoing traffic from 10.10.11.11 and 10.10.11.12 to both use 2.2.2.2 and preserve their source ports?
07-18-2013 05:48 AM
Hi,
Well, you could probably make this work for the outbound direction, BUT in the inbound direction from the Internet I don't think there is really a way to use the same public IP address and public UDP port.
I mean, the ASA doesn't have any way to determine what traffic on destination port UDP5060 to destination IP 2.2.2.2 would have to be forwarded to which internal IP.
It would simply use the first rule matched always.
But as I said for the outbound direction it might work.
You would simply add another similar NAT statement with a different source object with a different source IP address. ASA would again accept the command but give a warning about rule overlap.
I guess adding the below would work for the outbound direction IN THEORY:
object network HOST-1
 host 10.10.11.11
object network HOST-2
 host 10.10.11.12
nat (inside,outside) source static HOST-1 interface service UDP5060 UDP5060
nat (inside,outside) source static HOST-2 interface service UDP5060 UDP5060
But not for inbound, though if I understood correctly, the inbound traffic should only ever go to a single virtual IP.
I would imagine this is as close as you can get to "implementing" something weird on the ASA.
- Jouni
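To make the two points in this thread concrete (a service-specific manual NAT rule keeps the UDP/5060 source port on the way out, while two such rules on one public IP:port leave inbound traffic matching only the first rule), here is an added, simplified model of ASA 8.3+ NAT matching. It is example code, not Cisco's, and it assumes that manual "source static" rules (section 1) are checked before object NAT (section 2), that the first match wins in both directions, and that the PAT pool's port allocator is a plain counter.

```python
# Added example (not Cisco's code): a simplified model of ASA 8.3+ NAT rule
# matching for this thread's case. Assumptions: manual "source static" rules
# (section 1) are evaluated before object NAT (section 2), the first matching
# rule wins in both directions, and a manual rule whose mapped service equals
# its real service (UDP5060 -> UDP5060) keeps the source port unchanged.
from dataclasses import dataclass
from itertools import count
from typing import Optional

PUBLIC_IP = "2.2.2.2"       # the only address in the PAT pool
_pat_ports = count(1024)    # stand-in for the ASA's mapped-port allocator


@dataclass
class NatRule:
    real_host: str                # e.g. 10.10.10.10
    port: Optional[int] = None    # service match (real == mapped); None = any
    manual: bool = False          # True = "nat (inside,outside) source static ..."


def ordered(rules):
    """Section 1 (manual) before section 2 (object NAT), config order within each."""
    return [r for r in rules if r.manual] + [r for r in rules if not r.manual]


def outbound(rules, src_ip, src_port):
    """Mapped (ip, port) for a packet from src_ip:src_port leaving inside->outside."""
    for r in ordered(rules):
        if r.real_host != src_ip or (r.port is not None and r.port != src_port):
            continue
        if r.manual and r.port is not None:
            return PUBLIC_IP, src_port          # service static: port preserved
        return PUBLIC_IP, next(_pat_ports)      # dynamic PAT: port rewritten
    return src_ip, src_port                     # no rule: untranslated


def inbound(rules, dst_port):
    """Real host that an outside packet to PUBLIC_IP:dst_port is forwarded to."""
    for r in ordered(rules):
        if r.port == dst_port:
            return r.real_host                  # first match wins, later rules never seen
    return None


# Constructed scenarios mirroring the thread (not a real configuration)
DYNAMIC_POOL = NatRule("10.10.10.10")                       # server in a PAT pool only
ONE_SERVER = [NatRule("10.10.10.10", 5060, manual=True), DYNAMIC_POOL]
TWO_SERVERS = [NatRule("10.10.11.11", 5060, manual=True),   # HOST-1
               NatRule("10.10.11.12", 5060, manual=True)]   # HOST-2

if __name__ == "__main__":
    print(outbound([DYNAMIC_POOL], "10.10.10.10", 5060))    # port rewritten
    print(outbound(ONE_SERVER, "10.10.10.10", 5060))        # ('2.2.2.2', 5060)
    print(outbound(TWO_SERVERS, "10.10.11.12", 5060))       # ('2.2.2.2', 5060)
    print(inbound(TWO_SERVERS, 5060))                       # only HOST-1 is reachable
```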
07-18-2013 05:51 AM
Edited my above post
- Jouni
07-18-2013 06:33 AM
Would an extended PAT pool make a difference?
07-18-2013 06:55 AM
Hi,
I am not quite sure what you mean. I am also pretty unfamiliar with the actual setup.
I guess the configurations mentioned above would enable the local devices to source their traffic from the UDP/5060 port, but as long as we are using a single public IP address, the inbound traffic on a single destination port of UDP/5060 can, to my understanding, only be matched towards a single local IP address.
- Jouni