asa916 Non-Interface PAT with Port Forwarding Problem

Dean Romanelli
Level 4

Hi Guys,

I have an ASA 5505, 3 internal PBX servers, and one dedicated available public IP that is NOT the IP of the outside interface.

 host 172.16.142.5
 host 172.16.142.6
 host 172.16.142.7
 host 138.xxx.xx.154

I need all of the internal PBX servers to NAT to the public IP shown above (138.xxx.xx.154), be reachable from the outside, and depending on what ports are being used to connect to them from the outside, port forward to one of the three internal PBX servers in the following logic:

If inbound traffic from internet has destination port of 138.xxx.xx.154 @ TCP 35300, 15560 or UDP 15560, port-forward to PBX server 172.16.142.5

If inbound traffic from internet has destination port of 138.xxx.xx.154 @ UDP range 16000-16511, port-forward to PBX server 172.16.142.6

If inbound traffic from internet has destination port of 138.xxx.xx.154 @ UDP range 16512-17023, port-forward to PBX server 172.16.142.7

I have configured this the way I see it working, but it is not. My config is attached. What am I doing wrong?

3 Replies

Hi @Dean Romanelli

Do you have SIP inspection on your firewall?

Did you apply those ACLs to an interface?

Does your ISP have the network 139.x.x.x.x in their routing table?


-If I helped you somehow, please, rate it as useful.-

Hi Flavio,

Thanks for replying.  I do not have SIP inspection configured as it has caused problems for us in the past. Below are the inspections I have configured presently:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect pptp
  inspect icmp error
  inspect icmp
  inspect ipsec-pass-thru
  inspect tftp
policy-map type inspect ftp FTP-strict
 parameters
  mask-banner
  mask-syst-reply
!
service-policy global_policy global

 

The ACLs are applied as follows:

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ

 

The public IP address that I need to NAT those 3 PBX servers to is just an available address on my ISP's /29 that they gave me, so there is automatically a route because the outside interface of my ASA has another IP on that same subnet. 

 

Are the NAT statements correct?
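Since the attached config is not visible here, the following is an added example (not the poster's configuration and not a Cisco-supplied one) of how the three port-steering rules from the original question can be expressed on an ASA running 8.3 or later. It assumes the post-8.3 object/twice NAT syntax; all object names are my own, 138.xxx.xx.154 is the masked public address from the post, and 203.0.113.10 is a constructed test source from the documentation range. Twice (manual) NAT is used because its service objects accept port ranges, and the service objects use the "source" keyword because a NAT rule is written from the inside host's point of view, where the PBX listening port is the source port. The outside ACL permits the real (internal) addresses rather than the mapped public address, which is how interface ACLs work from 8.3 onward. Because there is no inspect sip in the posted policy, the ASA will not rewrite addresses carried inside SIP/SDP payloads, so each PBX has to advertise 138.xxx.xx.154 itself; the example only handles the IP/port layer.

```cisco
! Added example: steer inbound traffic on one non-interface public IP to
! three internal PBX hosts by destination port (object names are assumed).
object network PBX-1
 host 172.16.142.5
object network PBX-2
 host 172.16.142.6
object network PBX-3
 host 172.16.142.7
object network PBX-PUBLIC
 host 138.xxx.xx.154
!
! "source" = the PBX's own listening port, seen from the inside host's side.
object service PBX1-TCP-35300
 service tcp source eq 35300
object service PBX1-TCP-15560
 service tcp source eq 15560
object service PBX1-UDP-15560
 service udp source eq 15560
object service PBX2-UDP-RANGE
 service udp source range 16000 16511
object service PBX3-UDP-RANGE
 service udp source range 16512 17023
!
! One static rule per (host, service); real and mapped service are identical,
! so only the address is translated. The ASA proxy-ARPs for 138.xxx.xx.154 on
! the outside segment, which is why no extra route is needed on the ISP /29.
nat (inside,outside) source static PBX-1 PBX-PUBLIC service PBX1-TCP-35300 PBX1-TCP-35300
nat (inside,outside) source static PBX-1 PBX-PUBLIC service PBX1-TCP-15560 PBX1-TCP-15560
nat (inside,outside) source static PBX-1 PBX-PUBLIC service PBX1-UDP-15560 PBX1-UDP-15560
nat (inside,outside) source static PBX-2 PBX-PUBLIC service PBX2-UDP-RANGE PBX2-UDP-RANGE
nat (inside,outside) source static PBX-3 PBX-PUBLIC service PBX3-UDP-RANGE PBX3-UDP-RANGE
!
! From 8.3 the interface ACL is evaluated against the REAL address, so the
! outside ACL names the internal hosts and only the forwarded ports.
access-list outside_access_in extended permit tcp any host 172.16.142.5 eq 35300
access-list outside_access_in extended permit tcp any host 172.16.142.5 eq 15560
access-list outside_access_in extended permit udp any host 172.16.142.5 eq 15560
access-list outside_access_in extended permit udp any host 172.16.142.6 range 16000 16511
access-list outside_access_in extended permit udp any host 172.16.142.7 range 16512 17023
access-group outside_access_in in interface outside
!
! Verification from privileged EXEC (constructed test source 203.0.113.10).
! Each trace should show the matching NAT rule and an ALLOW result; a DROP in
! the ACCESS-LIST phase means the outside ACL still references the mapped IP.
show nat detail
packet-tracer input outside tcp 203.0.113.10 40000 138.xxx.xx.154 35300 detailed
packet-tracer input outside udp 203.0.113.10 40000 138.xxx.xx.154 16100 detailed
packet-tracer input outside udp 203.0.113.10 40000 138.xxx.xx.154 17000 detailed
```

The ranges are chosen so that no two rules overlap (15560 / 35300 for PBX-1, 16000-16511 for PBX-2, 16512-17023 for PBX-3); if they did overlap, the first matching twice NAT rule would win and the later host would never receive traffic, which show nat detail would reveal as zero translate_hits on that rule.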

NAT looks OK in terms of syntax. However, your approach does not look good. I'd recommend you take a look at OpenSIPS, which is a SIP load balancer.

Voice and NAT have historically been very complicated, and trying to avoid it is always the best solution. If that is impossible, at least try to keep it simple.

Hope that helps.

-If I helped you somehow, please, rate it as useful.-
