01-14-2014 05:45 AM - edited 03-11-2019 08:29 PM
8.2
Hi all,
Here is my scenario. I have worked on this with TAC support over the last month; we finally made progress by getting our ISP to activate the 5 static IPs, but here is my issue.
Basically we have a VoIP phone that is "remote". This phone needs to come through the public IP to an internal address of 192.168.10.57.
We tried only allowing certain "ports" to pass, such as SIP and RTP, but the remote phone still cannot reach the phone server at 192.168.10.57.
So I want to open it completely, as this phone PC is the ONLY device on that public IP.
So my 2 questions are:
What do I need to configure as a rule/command to make this happen, where I want the public IP of 50.x.x.x to correlate directly and openly to the internal address 192.168.10.57?
Also, what is the command to allow the public IP to be pingable, so I can just confirm that it is reachable? I know at the very end we turned it off with a sort of ICMP command.
Thank you all for your time and help. If you need more info please ask.
01-14-2014 05:56 AM
Hi,
So your question is simply to configure a Static NAT, which essentially binds one public IP address to one internal IP address (forwards all incoming connections to the public IP to the local IP, provided the access rules permit this).
Then the configuration would be rather simple.
The NAT configuration format depends on your software. ASA NAT configuration changed in the jump from software 8.2 to 8.3 (and beyond).
Do notice that the examples below presume some interface names on the ASA and also presume that you previously have NO ACL configured and attached on the "outside" interface.
Software 8.2 (and below)
static (inside,outside)
access-list OUTSIDE-IN permit icmp any host
access-group OUTSIDE-IN in interface outside
Software 8.2 (and above)
object network VOIP
host
nat (inside,outside) static
access-list OUTSIDE-IN permit icmp any object VOIP
access-group OUTSIDE-IN in interface outside
Hope this helps
- Jouni
01-14-2014 06:46 AM
Thank you very much for your help.
I applied
access-list out-in extended permit icmp any host 50.x.x.x
and now I can ping. TY
But,
I applied
static (inside,outside) 50.245.59.98 192.168.10.57 netmask 255.255.255.255
And got this error:
ciscoasa(config)# static (inside,outside) 50.245.59.98 192.168.10.57 netmask 2$
ERROR: mapped-address conflict with existing static
inside:192.168.10.57 to outside:50.245.59.98 netmask 255.255.255.255
I just want this port "wide open" to see if the remote phone will connect to it.
Here is my edited SH RUN:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password PfdcbR/f90Mel1yp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 50.X.X.X 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login
banner login &
banner login ~
banner login ***********Warning*******
banner login
banner login ^
ftp mode passive
access-list out-in extended permit tcp any host 50.X.X.X eq 3462
access-list out-in extended permit tcp any host 50.X.X.X eq sip
access-list out-in extended permit tcp any host 40.X.X.X eq ftp-data
access-list out-in extended permit tcp any host 40.X.X.X eq ftp
access-list out-in extended permit icmp any host 50.X.X.X
access-list split standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.169.169.0 255.255.255.0
access-list FTP remark Allow
access-list FTP extended permit tcp any eq ftp any eq ftp
access-list FTP extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 192.169.169.1-192.169.169.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255
static (inside,outside) 50.X.X.X 192.168.10.57 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 50.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
svc enable
port-forward rdpfromsslvpn 5050 50.X.X.X 5050 remote desktop server from ssl vpn
tunnel-group-list enable
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
banner value *****************************WARNING**********************************
banner value Access Beyond This Point Requires Prior Authorization from your Network Administrator
banner value ****************************************************************************
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
webvpn
url-list none
svc ask enable default webvpn
username aalmonte password m7vzxUlfTDi05gS6 encrypted privilege 0
username aalmonte attributes
vpn-group-policy RemoteAccess
username mmaccormack password IWIdkIPCDtg4CmHR encrypted privilege 0
username mmaccormack attributes
vpn-group-policy RemoteAccess
username lmaccormack password qRsbIpdvRgZhIVS/ encrypted privilege 0
username lmaccormack attributes
vpn-group-policy RemoteAccess
username admin password V8ctuy0OtxmDU4HD encrypted privilege 15
username rdirkee password mHVkPntgw4LQyh.U encrypted
username rdirkee attributes
service-type remote-access
username wmaccormack password AhNi5Rk6JFlHU9Fy encrypted privilege 0
username wmaccormack attributes
vpn-group-policy RemoteAccess
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username rickg password 46/GVMAZTuz4ywzs encrypted privilege 0
username rickg attributes
vpn-group-policy RemoteAccess
service-type remote-access
username jgoucher password fMhOfzHeEB1lu9z6 encrypted privilege 0
username jgoucher attributes
vpn-group-policy RemoteAccess
username smaccormack password LCkB1kwdtIbPmtQK encrypted privilege 0
username smaccormack attributes
vpn-group-policy RemoteAccess
username rmaccormack password JG98o0q2ozZeYYrv encrypted privilege 0
username rmaccormack attributes
vpn-group-policy RemoteAccess
username bmaccormack password JTx67mnIFw62G6kx encrypted privilege 0
username bmaccormack attributes
vpn-group-policy RemoteAccess
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool ippool
default-group-policy RemoteAccess
tunnel-group RemoteAccess webvpn-attributes
group-alias RemoteAccess enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
TYVM
01-14-2014 07:06 AM
Hi,
Seems you had the Static NAT configured.
So the only thing left to do would be to allow all traffic through to this host:
access-list out-in permit ip host
If you don't know the source IP address where the connection is coming from, then you would have to check either the logs or allow traffic temporarily from any source address:
access-list out-in permit ip any host
- Jouni
01-14-2014 07:25 AM
Ok, I will try that now. What is the "public nat ip"? I will attempt the "temporary" allow-all, but I am not sure if that public nat ip is just my public IP of 50.x.x.x or not? TY
01-14-2014 07:29 AM
Hi,
It's the public IP address you configured in the "static" command,
the one starting 50.x.x.x.
- Jouni
01-14-2014 08:58 AM
You solved 3 hours of phone support in 3 posts. Thank you so much.
The remote phone now connects, but supposedly has no audio. The client seems to think this could be related to a setting on the firewall? Possible?
01-14-2014 09:56 AM
Hi,
Glad to hear it helped.
Though if there is still a problem, then it's not quite solved yet.
Sadly I have very little knowledge of VoIP.
In some cases the "inspect" configuration that you see under the default "policy-map" configuration causes problems for certain connections through the firewall. For example, "inspect esmtp" has caused a lot of problems in the past for us with SMTP connections.
I would try to monitor the ASA logs through the ASDM GUI while connecting, to see if the ASA logs any dropped connection attempt or any other error message that might give a clue about the problem.
You could naturally try to remove some VoIP-related inspection from the ASA configuration and see if that helps, and if not, configure it back into the firewall.
Essentially, to go to the right configuration mode you have to enter these:
ASA# conf term
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
Then you can issue the "no inspect
For example
ASA(config-pmap-c)# no inspect sip
You can check the current "policy-map" configuration with the following command:
show run policy-map
It's also shown at the bottom of the ASA configuration you posted above.
- Jouni
01-21-2014 06:57 AM
Hi, sorry for the delay. Wondering if you could help me with the following on this same topic/issue.
The manual for the phone system states the following:
On the phone system router (the ASA 5505, 8.2) forward UDP ports 5060 (SIP) and 1024-1215 (RTP) to the phone system's IP address (192.168.10.57).
So I added (not sure if this is even legit or not):
access-list out-in extended permit udp any host 50.X.X.X eq sip
So not sure if that's ok, and also not sure how to get that RTP port range in there either.
Again, they can "connect" the remote VoIP phone, just audio is lost, as stated below:
The phone finds the switch and connects and stays connected, but at times will lose audio. Also the phone uses a codec list starting with G.729 and working its way down to G.722. At times we see it using G.711 (5th choice). This seems to be an RTP issue. If you could check to see if RTP ports 1024-1215 are forwarded and not used by anything else. Thanks for your help.
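An added example, not from this thread or from Cisco, showing how the UDP SIP port and the RTP range from the phone manual would be written as ASA 8.2 ACL entries next to the one-to-one static. It assumes the ACL name out-in, the interface names inside/outside and the X-ed-out public IP exactly as they appear in the posted configuration.

```cisco
! Added example in ASA 8.2 syntax. 50.X.X.X is the placeholder used in
! the posted config; out-in, inside and outside are the names already there.
!
! One-to-one static NAT (already present in the posted config): every
! port of 50.X.X.X maps to the phone server.
static (inside,outside) 50.X.X.X 192.168.10.57 netmask 255.255.255.255
!
! The manual asks for UDP, not TCP: SIP signalling on 5060 ...
access-list out-in extended permit udp any host 50.X.X.X eq sip
! ... and the RTP media range 1024-1215 as one "range" entry. The
! operator after "host 50.X.X.X" applies to the destination port.
access-list out-in extended permit udp any host 50.X.X.X range 1024 1215
! ICMP so the public IP answers pings during reachability tests.
access-list out-in extended permit icmp any host 50.X.X.X
! Bind the ACL inbound on outside (already present in the posted config).
access-group out-in in interface outside
!
! Once the remote phone works with the entries above, drop the temporary
! "permit ip any host" line so only SIP, RTP and ICMP remain exposed.
no access-list out-in extended permit ip any host 50.X.X.X
!
! Verify: per-entry hit counts and the static translation for the server.
show access-list out-in
show xlate | include 192.168.10.57
```

The posted global_policy already runs "inspect sip", which opens pinholes for the RTP ports negotiated in the SIP/SDP exchange; the explicit range entry covers media that arrives outside that negotiation, and the hit counts from "show access-list" tell you which entry the audio packets actually match.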