Hi,

Can you try like the below for your scenario?

object network test
 subnet 10.0.0.0 255.255.255.0
object service testing
 service tcp source range 1100 1200

nat (in,out) source dynamic test interface service testing testing

Regards

Karthik

Hi,

I tried this:

object service SIP_TEST
 service udp source eq sip destination range 6000 65535

nat (VoIP,outside) source dynamic VoIP interface service SIP_TEST SIP_TEST

but it looks like it doesn't work at all...

Hi,

Notice that the configuration you try does not modify the real source port at all.

Since you are using the same "object" for the real/mapped service then the configuration above matches traffic where the connections destination is "any" and the destination is "udp 6000 65535" and only when the source is "udp sip" and in that event it keeps the exact same "udp sip" source port as you are using the same "object".

I am not sure if its a software or configuration related issue but I have not gotten this to work reliably on my ASA. I might have to try some other software level.

I guess you would want to match the SIP source port in the Dynamic PAT and avoid using the SIP port as the mapped port?. With that in mind I was thinking something like this

object service UDP-SIP
 service udp source eq sip

object service UDP-SIP-MAPPED
 service udp source range 30000 31000

nat (VoiP,outside) source dynamic <source network object> interface service UDP-SIP UDP-SIP-MAPPED

Though it seems the above configuration seems to be bypassed by the ASA completely and it seems to use the identical source port as the mapped port even though it matches the configuration.

If I were to change the above configuration from "dynamic" to "static" then the configuration matches but it uses only the first mapped "source" port of "30000". I guess it would only use a different mapped port if you used multiple real source ports also instead of the current single source port "sip".

nat (VoiP,outside) source static <source network object> interface service UDP-SIP UDP-SIP-MAPPED unidirectional

Example from my own ASA.

DYNAMIC

- Matches the configuration but doesnt map the port at all

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic LAN-NETWORK interface service SIP SIP-MAPPED
Additional Information:
Dynamic translate 10.0.0.123/5060 to <my pat ip>/5060

STATIC

- Matches the configuration and maps the source port but only uses the first mapped port from the range

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static LAN-NETWORK interface service SIP SIP-MAPPED unidirectional
Additional Information:
Static translate 10.0.0.123/5060 to <my pat ip>/30000

I am not really sure if this configuration is reliable at all but its the only thing I can think of at the moment.

Hope this helps :)

- Jouni
 

Thanks for your help Jouni!

Yes, you are correct about the problem. To be more clear the situation looks like this.Phones uses SIP, xlate output:

ASA1# sh xlate | i VoIP
UDP PAT from VoIP:10.0.20.1/5060 to outside:10.10.10.40/36197 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.2/5060 to outside:10.10.10.40/28564 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.3/5060 to outside:10.10.10.40/15617 flags ri idle 20:25:11 timeout 0:00:30

The problem happens with a phone, which gets this translation:

ASA1# sh xlate | i 40/5060
UDP PAT from VoIP:10.0.20.10/5060 to outside:10.10.10.40/5060 flags ri idle 20:25:11 timeout 0:00:30

This phone can't do anything, but nothing is blocked here. I'm not sure why the problem exists, so thought it's possible to skip this translation.

Everything is okay with other apps, real source port PAT mapping works well...

I'm running ASA5512X with ASA 9.2(1) software.

Thanks a lot for your time!