Cisco ASA 5505 settings

troosters, Level 1

Hello, I received the following mail to open ports and do port forwarding and NATting, but these are for Cisco IOS routers and so they don't work on the ASA. Can anyone help me transform them for an ASA? Also, what interface is meant by BVI1, or is it just a name like any other?

UDP 5060 -> 10.0.0.15:5060

UDP 49152 to 53246 -> 10.0.0.15 (same ports)

UDP 5001 -> 10.0.0.15:5001

TCP 2222 -> 10.0.0.15:2222

UDP 1194 -> 10.0.0.15:1194

Commands for the Cisco:

ip nat inside source list 101 interface BVI1 overload

ip nat inside source static udp 10.0.0.15 5060 interface BVI1 5060

ip nat inside source static udp 10.0.0.15 5001 interface BVI1 5001

ip nat inside source static tcp 10.0.0.15 2222 interface BVI1 2222

ip nat inside source static udp 10.0.0.15 1194 interface BVI1 1194

access-list 101 permit udp any host 10.0.0.15 range 49152 53246

To deactivate the NAT SIP helper:

no ip nat service sip udp port 5060


5 Replies

Jouni Forss, VIP Alumni

Hi,

Can you tell us the software level of the ASA?

- Jouni

Hi,

Cisco ASDM 6.4(5)

ASA Version 8.2(5)

Hi,

The "inspect sip" can be removed either by going under the "policy-map" configuration and removing it with the "no" form of the command ("no inspect sip"),

Or it could possibly be removed by using

no fixup protocol sip 5060

The NAT configurations would be

static (inside,outside) udp interface 5060 10.0.0.15 5060 netmask 255.255.255.255

static (inside,outside) udp interface 5001 10.0.0.15 5001 netmask 255.255.255.255

static (inside,outside) udp interface 1194 10.0.0.15 1194 netmask 255.255.255.255

static (inside,outside) tcp interface 2222 10.0.0.15 2222 netmask 255.255.255.255

If one of the port forwards was for a range of ports then sadly you would have to make the above mentioned configuration for every single port. In the newer software levels of the ASA, where the NAT configuration format changes, you could do this a lot more easily, but again that would mean having to learn a totally new NAT configuration format.

If you have simple configurations on the ASA then it would almost be advisable to move to the new software now, before the NAT configuration gets any more complex.

Here is a good link that shows both the old and the new format NAT configuration for common setups:

https://supportforums.cisco.com/docs/DOC-9129

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

- Jouni

Also, if I port forward to 10.0.0.15, nothing happens on this port. And direct numbers are not working as they should.

If I use destination "outside" instead of 10.0.0.15, I see hits (in the access rules).

Also, if I do an online port scan, it works for e.g. 443, but not for 5060?

Although this port is open?

Hi,

Naturally if you are connecting to the host from behind the "outside" interface then you will be using the public IP address of the ASA "outside" interface as its used for the Port Forward / Static PAT configuration on the ASA.

Also, if you are using the "packet-tracer" command to test the firewall rules, then you will use the IP address of the ASA "outside" interface as the destination IP address.

You can test the configuration on the ASA with the "packet-tracer" command, whose format is

packet-tracer input outside <protocol> <source_ip> <source_port> <destination_ip> <destination_port>

You just have to replace the above information depending on what you are testing. Generally the source IP/port don't matter if you have allowed access from anywhere.

- Jouni
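The following is an added example, not code from the original thread or from Cisco: a small translator that takes the IOS-style lines from the mail in the original post and emits the ASA 8.2 "static (inside,outside)" port forwards that Jouni's accepted answer describes, expanding the UDP 49152-53246 range into one static per port (which is exactly why he says the pre-8.3 format gets painful). It also emits the outside access-list that the static alone does not provide; as the later exchange shows, on 8.2 that ACL must reference the mapped destination, i.e. the ASA "outside" interface address, not 10.0.0.15. The "interface BVI1" in the IOS lines is the router's bridge-group virtual interface carrying the public address; its ASA counterpart is the "interface" keyword, which the generated lines use. Assumed, and not from the page: the interface names "inside"/"outside", the ACL name "outside_access_in", and the use of "interface outside" as the ACL destination; adjust them to the existing configuration before pasting anything.

```python
"""Translate IOS 'ip nat inside source static ...' port-forwards (plus a
range ACL) into ASA 8.2 static PAT lines and the matching outside ACL.

Added example for the thread above; not Cisco's code and not from the
original post. The sample input below is constructed from the IOS commands
quoted in the question."""
import re
from typing import Dict, List, Tuple

# Constructed input: the IOS lines from the mail in the original post.
IOS_CONFIG = """\
ip nat inside source list 101 interface BVI1 overload
ip nat inside source static udp 10.0.0.15 5060 interface BVI1 5060
ip nat inside source static udp 10.0.0.15 5001 interface BVI1 5001
ip nat inside source static tcp 10.0.0.15 2222 interface BVI1 2222
ip nat inside source static udp 10.0.0.15 1194 interface BVI1 1194
access-list 101 permit udp any host 10.0.0.15 range 49152 53246
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")
RANGE_RE = re.compile(
    r"^access-list \d+ permit (tcp|udp) any host (\S+) range (\d+) (\d+)$")

# (protocol, real_ip, real_port, mapped_port)
Forward = Tuple[str, str, int, int]


def parse_ios(text: str) -> List[Forward]:
    """Collect single-port statics and expand 'range lo hi' ACL entries
    into one forward per port ("same ports": each port maps to itself)."""
    forwards: List[Forward] = []
    for line in text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            proto, ip, real, mapped = m.groups()
            forwards.append((proto, ip, int(real), int(mapped)))
            continue
        m = RANGE_RE.match(line)
        if m:
            proto, ip, lo, hi = m.groups()
            lo, hi = int(lo), int(hi)
            if lo > hi:
                raise ValueError(f"bad port range in: {line}")
            forwards.extend((proto, ip, p, p) for p in range(lo, hi + 1))
        # 'ip nat inside source list ... overload' is dynamic PAT; the ASA
        # equivalent (global/nat pair) is normally already in place, so skip.
    return forwards


def asa82_statics(forwards: List[Forward], inside: str = "inside",
                  outside: str = "outside") -> List[str]:
    """8.2 syntax: static (real_ifc,mapped_ifc) proto interface mapped_port
    real_ip real_port netmask 255.255.255.255. No range form exists here,
    so a 4095-port range becomes 4095 lines."""
    return [f"static ({inside},{outside}) {proto} interface {mapped} "
            f"{ip} {real} netmask 255.255.255.255"
            for proto, ip, real, mapped in forwards]


def _merge(ports: List[int]) -> List[List[int]]:
    """Collapse sorted, de-duplicated ports into [lo, hi] runs."""
    runs: List[List[int]] = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return runs


def asa82_acl(forwards: List[Forward], acl: str = "outside_access_in",
              outside: str = "outside") -> List[str]:
    """Outside ACL permitting the forwarded ports. In 8.2 the destination is
    the MAPPED address (the outside interface), not the real 10.0.0.15; the
    ACL, unlike the statics, can use 'range' so contiguous ports collapse."""
    by_proto: Dict[str, List[int]] = {}
    for proto, _ip, _real, mapped in forwards:
        by_proto.setdefault(proto, []).append(mapped)
    lines: List[str] = []
    for proto in sorted(by_proto):
        for lo, hi in _merge(by_proto[proto]):
            port = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f"access-list {acl} extended permit {proto} any "
                         f"interface {outside} {port}")
    lines.append(f"access-group {acl} in interface {outside}")
    return lines


if __name__ == "__main__":
    fwds = parse_ios(IOS_CONFIG)
    statics = asa82_statics(fwds)
    print(f"! {len(statics)} static lines needed on 8.2 (range expanded)")
    print("\n".join(statics[:4] + ["! ..."] + statics[-1:]))
    print("\n".join(asa82_acl(fwds)))
```

The first four generated statics are exactly the four lines in the accepted answer; the range adds 4,095 more. If an access-list is already bound to the outside interface, add the generated entries to that ACL instead of binding a new one with "access-group". After applying, test from the outside with "packet-tracer input outside udp <src_ip> <src_port> <outside_interface_ip> 5060" as Jouni describes, using the outside interface address as the destination.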
