
ASA5505 NAT CONFIG QUESTION? OPEN STATIC IP

jason
Level 1

8.2

Hi all,

Here is my scenario. I have worked on this with TAC support over the last month; we finally made progress by getting our ISP to activate the 5 static IPs, but here is my issue.

Basically we have a VOIP phone that is "remote". This phone needs to come through the public IP to an internal address of 192.168.10.57.

We tried only allowing certain "ports" to pass, such as SIP and RTP, but the remote phone still cannot reach the phone server at 192.168.10.57.

So

I want to open it completely, as this phone PC is the ONLY device on that public IP.

So my 2 questions are:

What do I need to configure as a rule/command to make this happen, where I want the public IP of 50.x.x.x to correlate directly and openly to the internal IP of 192.168.10.57?

Also, what is the command to allow the public IP to be pingable, so I can just confirm that it is reachable? I know at the very end we turned it off with a sort of ICMP command.

Thank you all for your time and help. If you need more info, please ask.

8 Replies

Jouni Forss
VIP Alumni

Hi,

So your question is to simply configure a Static NAT which essentially binds one public IP address to one internal IP address. (Forwards all incoming connections to the public IP to the local IP provided the access rules permit this)

Then the configuration would be rather simple

The NAT configuration format depends on your software. ASA NAT configurations changed in the jump from software 8.2 to 8.3 (and beyond).

Do notice that the below examples presume some interface names on the ASA and also presume that you previously have NO ACL configured and attached on the "outside" interface.

Software 8.2 (and below)

static (inside,outside) netmask 255.255.255.255
access-list OUTSIDE-IN permit icmp any host
access-group OUTSIDE-IN in interface outside

Software 8.2 (and above)

object network VOIP
host
nat (inside,outside) static
access-list OUTSIDE-IN permit icmp any object VOIP
access-group OUTSIDE-IN in interface outside

Hope this helps

- Jouni

Thank you very much for your help.

I applied

access-list out-in extended permit icmp any host 50.x.x.x

and now I can ping. TY

But,

I applied

static (inside,outside) 50.245.59.98 192.168.10.57 netmask 255.255.255.255

And got this error:

ciscoasa(config)# static (inside,outside) 50.245.59.98 192.168.10.57 netmask 2$
ERROR: mapped-address conflict with existing static
  inside:192.168.10.57 to outside:50.245.59.98 netmask 255.255.255.255

I just want this port "wide open" to see if the remote phone will connect to it.

Here is my edited SH RUN:

ASA Version 8.2(1)
!
hostname ciscoasa
enable password PfdcbR/f90Mel1yp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.X.X.X 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login
banner login &
banner login ~
banner login ***********Warning*******
banner login
banner login ^
ftp mode passive
access-list out-in extended permit tcp any host 50.X.X.X eq 3462
access-list out-in extended permit tcp any host 50.X.X.X eq sip
access-list out-in extended permit tcp any host 40.X.X.X eq ftp-data
access-list out-in extended permit tcp any host 40.X.X.X eq ftp
access-list out-in extended permit icmp any host 50.X.X.X
access-list split standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.169.169.0 255.255.255.0
access-list FTP remark Allow
access-list FTP extended permit tcp any eq ftp any eq ftp
access-list FTP extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 192.169.169.1-192.169.169.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255
static (inside,outside) 50.X.X.X 192.168.10.57 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 50.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
 svc enable
 port-forward rdpfromsslvpn 5050 50.X.X.X 5050 remote desktop server from ssl vpn
 tunnel-group-list enable
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 banner value *****************************WARNING**********************************
 banner value Access Beyond This Point Requires Prior Authorization from your Network Administrator
 banner value ****************************************************************************
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 webvpn
  url-list none
  svc ask enable default webvpn
username aalmonte password m7vzxUlfTDi05gS6 encrypted privilege 0
username aalmonte attributes
 vpn-group-policy RemoteAccess
username mmaccormack password IWIdkIPCDtg4CmHR encrypted privilege 0
username mmaccormack attributes
 vpn-group-policy RemoteAccess
username lmaccormack password qRsbIpdvRgZhIVS/ encrypted privilege 0
username lmaccormack attributes
 vpn-group-policy RemoteAccess
username admin password V8ctuy0OtxmDU4HD encrypted privilege 15
username rdirkee password mHVkPntgw4LQyh.U encrypted
username rdirkee attributes
 service-type remote-access
username wmaccormack password AhNi5Rk6JFlHU9Fy encrypted privilege 0
username wmaccormack attributes
 vpn-group-policy RemoteAccess
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username rickg password 46/GVMAZTuz4ywzs encrypted privilege 0
username rickg attributes
 vpn-group-policy RemoteAccess
 service-type remote-access
username jgoucher password fMhOfzHeEB1lu9z6 encrypted privilege 0
username jgoucher attributes
 vpn-group-policy RemoteAccess
username smaccormack password LCkB1kwdtIbPmtQK encrypted privilege 0
username smaccormack attributes
 vpn-group-policy RemoteAccess
username rmaccormack password JG98o0q2ozZeYYrv encrypted privilege 0
username rmaccormack attributes
 vpn-group-policy RemoteAccess
username bmaccormack password JTx67mnIFw62G6kx encrypted privilege 0
username bmaccormack attributes
 vpn-group-policy RemoteAccess
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool ippool
 default-group-policy RemoteAccess
tunnel-group RemoteAccess webvpn-attributes
 group-alias RemoteAccess enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context

TYVM

Hi,

Seems you already had the Static NAT configured.

So the only thing left to do would be to allow all traffic through to this host:

access-list out-in permit ip host host

If you don't know the source IP address where the connection is coming from, then you would have to check either the logs or allow traffic temporarily from any source address:

access-list out-in permit ip any host

- Jouni

Ok, I will try that now. What is the "public nat ip"? I will attempt the "temporary" allow-all, but I'm not sure if that public NAT IP is just my public IP of 50.x.x.x or not? TY

Hi,

It's the public IP address you configured in the "static" command.

The one starting 50.x.x.x

- Jouni

You solved 3 hours of phone support in 3 posts. Thank you so much.

The remote phone now connects, but supposedly has no audio. The client seems to think this could be related to a setting on the firewall. Possible?

Hi,

Glad to hear it helped

Though if there is still a problem, then it's not quite solved yet.

Sadly I have very little knowledge of VoIP

In some cases the "inspect" configuration that you see under the default "policy-map" configuration causes problems for certain connections through the firewall. For example, "inspect esmtp" has caused a lot of problems in the past for us with SMTP connections.

I would try to maybe monitor the ASA logs through the ASDM GUI while connecting to see if the ASA logs any dropped connection attempt or any other error message that might give a clue about the problem.

You could naturally try to remove some VoIP related inspection from the ASA configuration and see if that helps and if not configure them back into the firewall.

Essentially, to get to the right configuration mode you have to enter these:

ASA# conf term
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default

Then you can issue the "no inspect " commands or enter them again with "inspect ".

For example:

ASA(config-pmap-c)# no inspect sip

You can check the current "policy-map" configuration with the following command

show run policy-map

It's also shown at the bottom of the ASA configuration you posted above.

- Jouni

Hi, sorry for the delay. Wondering if you could help me with the following on this same topic/issue.

The manual for the phone system states the following:

On the phone system router (the ASA5505 8.2), forward UDP ports 5060 (SIP) and 1024-1215 (RTP) to the phone system's IP address (192.168.10.57).

So I added (not sure if this is even legit or not):

access-list out-in extended permit udp any host 50.X.X.X eq sip

So I'm not sure if that's ok, and also not sure how to get that RTP port range in there either.

Again, they can "connect" the remote VOIP phone, it's just that audio is lost, as stated below:

The phone finds the switch and connects and stays connected, but at times will lose audio. Also the phone uses a codec list starting with G.729 and working its way down to G.722. At times we see it using G.711 (5th choice). This seems to be an RTP issue. If you could check to see if RTP ports 1024-1215 are forwarded and not used by anything else. Thanks for your help.
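As an added example (not from the thread or from Cisco), here is how the manual's port requirements map onto ASA 8.2 syntax so the outside ACL can be narrowed back down from "permit ip any host" to just SIP, the RTP range and ping, plus the on-box checks that show whether the NAT and ACL actually pass that traffic. It reuses the out-in ACL, 50.X.X.X and 192.168.10.57 from the posted config and assumes a hypothetical remote-phone public address of 203.0.113.10 (placeholder; use "any" if the source is unknown, as suggested earlier in the thread).

```cisco
! Added example, not the thread's or Cisco's own config. Assumes ASA 8.2,
! the out-in ACL and addresses from the posted config, and a hypothetical
! remote-phone public IP 203.0.113.10 (placeholder).
!
! 1. One-to-one static NAT (already present in the posted config): every port
!    of 50.X.X.X maps to 192.168.10.57, so the ACL alone decides what is allowed.
static (inside,outside) 50.X.X.X 192.168.10.57 netmask 255.255.255.255
!
! 2. Permit only what the phone manual asks for: UDP 5060 ("eq sip") and the
!    RTP range 1024-1215 ("range 1024 1215"), limited to the remote phone's IP.
access-list out-in extended permit udp host 203.0.113.10 host 50.X.X.X eq sip
access-list out-in extended permit udp host 203.0.113.10 host 50.X.X.X range 1024 1215
! ICMP echo only for the reachability test, rather than every ICMP type.
access-list out-in extended permit icmp any host 50.X.X.X echo
! Remove the temporary wide-open rule once the narrower lines are in place
! (only if it was added during troubleshooting).
no access-list out-in extended permit ip any host 50.X.X.X
access-group out-in in interface outside
!
! 3. Verify without waiting for the phone: simulate an inbound SIP packet and
!    an RTP packet and read the NAT and ACCESS-LIST phases of the trace.
packet-tracer input outside udp 203.0.113.10 5060 50.X.X.X 5060
packet-tracer input outside udp 203.0.113.10 10000 50.X.X.X 1100
! Hit counts show which ACE matched; the xlate confirms the static mapping.
show access-list out-in
show xlate | include 192.168.10.57
! Denied inbound packets to the phone appear as 106xxx messages in the
! buffered log (logging buffered debugging is already on in the posted config).
show logging | include 50.X.X.X
!
! If audio still drops with the range open, the thread's test of "no inspect sip"
! under "class inspection_default" is the next thing to try, then re-add it.
```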
