11-16-2021 12:26 PM
I'm looking for assistance with a rule and NAT policy. Attached are the ports the phone company needs forwarded. I have the static IP of their system they are testing from and a user's home static IP. Do you have an example of how the rules should be set up? I applied the inbound rule and NAT but do not see traffic hitting the rule.
Thanks!
11-17-2021 10:51 AM
Can you run packet-tracer command and post the output here?
11-22-2021 08:14 AM
11-22-2021 08:33 AM
Result of the command: "packet-tracer input outside UDP 107.129.224.207 69 147.0.240.46 69"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 147.0.240.46 using egress ifc identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
11-22-2021 08:38 AM
Here is my rule
access-list outside_access_in line 2 extended permit udp host 107.129.224.207 eq tftp host 147.0.240.46 eq tftp (hitcnt=0) 0xdc897c27
access-list outside_access_in line 2 extended permit udp host 107.129.224.207 eq tftp host 10.10.170.53 eq tftp (hitcnt=0) 0x73a890c8
11-22-2021 08:41 AM
@cknowlton it's unlikely the source port will be "tftp"; remove that and just define "tftp" as the destination port. Also use the real destination IP address (untranslated), not the public IP address.
11-22-2021 10:09 AM
To add more detail to what Rob already outlined:
1. Your flow is being blocked by your ACL. You should adjust your ACL and remove "TFTP" as the source port, since the source port is going to be some random port that is picked by the client. On the other hand, TFTP for the destination port is correct, since that is the port that the TFTP server is listening on.
2. Do you have public IPs assigned to your devices or do you have NAT configured in place?
Thank you for rating helpful posts!
11-22-2021 10:39 AM
I have a NAT in place.
When I do the packet trace it shows the NAT lookup works.
8 (outside) to (outside) source static DavissaWAN DavissaWAN destination static interface Mitel-VoIP-Server service Mitel69 Mitel69 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
I'll revise the rule now, thanks!!!
11-22-2021 10:40 AM
11-22-2021 11:03 AM
Can you draw up a quick diagram/sketch that shows where each device is, public/private IPs, interface names (Inside, outside, etc.), where NAT is configured, where ACL is applied and in what direction. I think this will help paint a better picture here.
11-22-2021 12:33 PM
11-22-2021 01:02 PM
Thank you, this helps! One more question: Do you have a single public IP for your ASA or do you have a block that your ISP issued you? If yes, does the Mitel PBX have a public IP dedicated for it? If no, do you have any free public IPs that you can assign to it?
11-22-2021 01:56 PM
Currently no, but 255.255.255.252 is the subnet mask, so I have an additional address.
Something to note though: the phone company already has a NAT and inbound rule for management of the phone system (different port, same IP).
Attached are screenshots.
It's set up as a network object NAT though, a little different than I'm used to.
11-23-2021 11:40 AM
Any additional thoughts on this? Thanks for all your help! I've done NAT and inbound rules on Fortinet, SonicWall, etc. but this is the first I've done it on an ASA.
Thanks!
11-24-2021 08:07 AM
Sorry, got tied up with regular work duties. You will essentially need to mimic the configuration (NAT + ACL) rules that were created for the management port for the rest of the ports required. Since you do not have any free public IPs you need to do static NATs for each port that needs to be exposed externally and then edit the ACL to allow the connection. Does that make sense?
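Putting Rob's advice (no source-port match, real destination address in the ACL) together with the suggestion to mirror the existing network object NAT for each port, here is an added ASA configuration sketch that is not from the thread or from the poster's running config. It assumes the Mitel server sits behind an interface named "inside" (the thread only names "outside"), uses the new object name Mitel-VoIP-TFTP because an ASA network object can carry only one nat statement, and uses 40000 as a constructed sample ephemeral source port.

```cisco
! Added example, not the poster's config. Addresses are those shown in the
! thread: 10.10.170.53 = real Mitel server, 147.0.240.46 = ASA outside
! (public) address, 107.129.224.207 = phone company's test system.
! Interface name "inside" and object name Mitel-VoIP-TFTP are assumptions.

! 1. Object NAT (port forward): UDP/69 arriving on the outside interface
!    address is untranslated to the real server. One object per port,
!    because an object can only hold a single nat statement.
object network Mitel-VoIP-TFTP
 host 10.10.170.53
 nat (inside,outside) static interface service udp tftp tftp

! 2. Inbound ACL on the outside interface. On ASA 8.3+ the ACL is matched
!    against the REAL (untranslated) destination, so 10.10.170.53, not the
!    public address. No "eq tftp" on the source: the client picks a random
!    high port, so matching a source port of 69 never hits.
access-list outside_access_in extended permit udp host 107.129.224.207 host 10.10.170.53 eq tftp
access-group outside_access_in in interface outside

! 3. Verify with a realistic (random) source port rather than 69. Expect the
!    NAT phase to untranslate 147.0.240.46 -> 10.10.170.53 and the final
!    ACCESS-LIST phase to show ALLOW instead of the implicit-rule DROP.
packet-tracer input outside udp 107.129.224.207 40000 147.0.240.46 69 detailed
show nat detail
show access-list outside_access_in

! Repeat steps 1 and 2 with a new object (and the matching ACL line) for each
! additional port on the phone company's list.
```

The hit counter on the access-list line and the untranslate_hits counter in show nat detail are the quickest way to confirm real traffic, not just the simulated packet-tracer flow, is taking the intended path.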