Cisco ASA, skipping real source port number with PAT.

EvaldasOu
Level 4

Hi Experts,

Cisco ASA configuration guide says:

"PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. "

Is it possible to skip this? I do not want to use the real source port number. The issue is that when I have a PAT entry with the real source port (port 5060), the SIP session doesn't work. With all the other port numbers, everything works.

6 Replies

turbo_engine26
Level 4

It seems you are using dynamic PAT for SIP. Consider using static PAT instead.

 

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cups/8_0/english/integration_notes/Federation/Federation/ASAConfig_chapter.html

 

 

EvaldasOu
Level 4

Thanks for your response.


Sorry, but are you referring to configuring 100 PAT rules for 100 VoIP phones?

Is there a command to specify a port range for PAT without using the native 5060 port?

Hi,

Can you try something like the below for your scenario?

object network test
 subnet 10.0.0.0 255.255.255.0
object service testing
 service tcp source range 1100 1200

nat (in,out) source dynamic test interface service testing testing

 

Regards

Karthik

 

Hi,

 

I tried this:

object service SIP_TEST
 service udp source eq sip destination range 6000 65535

nat (VoIP,outside) source dynamic VoIP interface service SIP_TEST SIP_TEST

 

but it looks like it doesn't work at all...

Hi,

 

Notice that the configuration you try does not modify the real source port at all.

 

Since you are using the same "object" for the real/mapped service, the configuration above matches traffic where the connection's destination is "any" and the destination is "udp 6000 65535", and only when the source is "udp sip"; in that event it keeps the exact same "udp sip" source port, as you are using the same "object".

 

I am not sure if it's a software or configuration related issue, but I have not gotten this to work reliably on my ASA. I might have to try some other software level.

 

I guess you would want to match the SIP source port in the Dynamic PAT and avoid using the SIP port as the mapped port? With that in mind I was thinking something like this:

 

object service UDP-SIP
 service udp source eq sip

 

object service UDP-SIP-MAPPED
 service udp source range 30000 31000

 

nat (VoiP,outside) source dynamic <source network object> interface service UDP-SIP UDP-SIP-MAPPED

 

Though the above configuration seems to be bypassed by the ASA completely, and it seems to use the identical source port as the mapped port even though it matches the configuration.

 

If I were to change the above configuration from "dynamic" to "static", then the configuration matches but it uses only the first mapped "source" port of "30000". I guess it would only use a different mapped port if you used multiple real source ports as well, instead of the current single source port "sip".

 

nat (VoiP,outside) source static <source network object> interface service UDP-SIP UDP-SIP-MAPPED unidirectional

 

Example from my own ASA.

 

DYNAMIC

- Matches the configuration but doesn't map the port at all

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic LAN-NETWORK interface service SIP SIP-MAPPED
Additional Information:
Dynamic translate 10.0.0.123/5060 to <my pat ip>/5060

 

STATIC

- Matches the configuration and maps the source port but only uses the first mapped port from the range

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static LAN-NETWORK interface service SIP SIP-MAPPED unidirectional
Additional Information:
Static translate 10.0.0.123/5060 to <my pat ip>/30000

 

I am not really sure if this configuration is reliable at all, but it's the only thing I can think of at the moment.

 

Hope this helps :)

 

- Jouni
 

 

 

Thanks for your help Jouni!

Yes, you are correct about the problem. To be more clear, the situation looks like this. Phones use SIP; xlate output:

ASA1# sh xlate | i VoIP
UDP PAT from VoIP:10.0.20.1/5060 to outside:10.10.10.40/36197 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.2/5060 to outside:10.10.10.40/28564 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.3/5060 to outside:10.10.10.40/15617 flags ri idle 20:25:11 timeout 0:00:30

The problem happens with a phone, which gets this translation:

ASA1# sh xlate | i 40/5060
UDP PAT from VoIP:10.0.20.10/5060 to outside:10.10.10.40/5060 flags ri idle 20:25:11 timeout 0:00:30

This phone can't do anything, but nothing is blocked here. I'm not sure why the problem exists, so I thought it might be possible to skip this translation.

Everything is okay with other apps, real source port PAT mapping works well...

I'm running ASA5512X with ASA 9.2(1) software.

Thanks a lot for your time!
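To make the behaviour discussed in this thread checkable, here is an added example (written for this page, not code from Cisco or from any of the posters). It does two things: it models the rule quoted from the ASA configuration guide in the first post (the real source port is reused for the mapped port when it is free, otherwise another port is taken), which shows why, when every phone sends from UDP 5060, exactly one phone ends up with the 5060-to-5060 translation seen in the final `sh xlate` output; and it parses `show xlate` PAT lines of the format quoted above and reports the entries where the real service port was preserved on the mapped address. The sample xlate text is constructed from the thread's own example addresses, and the fallback port order in the allocator is an assumption made for illustration, not the ASA's actual pool selection.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample in the format of the "show xlate" lines quoted in this thread.
# Addresses are the thread's own example values plus one constructed TCP entry.
SAMPLE_XLATE = """\
UDP PAT from VoIP:10.0.20.1/5060 to outside:10.10.10.40/36197 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.2/5060 to outside:10.10.10.40/28564 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.3/5060 to outside:10.10.10.40/15617 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.10/5060 to outside:10.10.10.40/5060 flags ri idle 20:25:11 timeout 0:00:30
TCP PAT from inside:192.0.2.7/51234 to outside:10.10.10.40/51234 flags ri idle 0:00:05 timeout 0:00:30
"""

# Matches the leading part of a PAT xlate line: protocol, real if:ip/port, mapped if:ip/port.
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<rif>[^:]+):(?P<rip>[\d.]+)/(?P<rport>\d+) "
    r"to (?P<mif>[^:]+):(?P<mip>[\d.]+)/(?P<mport>\d+)"
)


@dataclass(frozen=True)
class PatXlate:
    proto: str
    real_if: str
    real_ip: str
    real_port: int
    mapped_if: str
    mapped_ip: str
    mapped_port: int

    @property
    def port_preserved(self) -> bool:
        """True when the ASA kept the real source port as the mapped port."""
        return self.real_port == self.mapped_port


def parse_xlate(text: str) -> List[PatXlate]:
    """Parse PAT entries out of 'show xlate' output; other line types are skipped."""
    entries: List[PatXlate] = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        entries.append(PatXlate(m["proto"], m["rif"], m["rip"], int(m["rport"]),
                                m["mif"], m["mip"], int(m["mport"])))
    return entries


def preserved_port_xlates(entries: Iterable[PatXlate], proto: str = "UDP",
                          port: int = 5060) -> List[PatXlate]:
    """Return translations whose real service port (SIP 5060 by default) is
    exposed unchanged on the mapped address - the one entry that broke a phone above."""
    return [e for e in entries
            if e.proto == proto and e.real_port == port and e.port_preserved]


def allocate_mapped_port(real_port: int, in_use: Set[int],
                         fallback_ports: Iterable[int]) -> int:
    """Model of the configuration-guide rule: reuse the real source port for the
    mapped port if it is free, otherwise take a free port from the fallback pool.
    The fallback order is an assumption for illustration, not the ASA's real pool logic."""
    if real_port not in in_use:
        in_use.add(real_port)
        return real_port
    for p in fallback_ports:
        if p not in in_use:
            in_use.add(p)
            return p
    raise RuntimeError("PAT port pool exhausted")


if __name__ == "__main__":
    # Four phones all sending from UDP 5060 behind one PAT address: only the
    # first keeps 5060, the rest get pool ports, matching the xlate output above.
    used: Set[int] = set()
    print([allocate_mapped_port(5060, used, range(30000, 31001)) for _ in range(4)])

    for e in preserved_port_xlates(parse_xlate(SAMPLE_XLATE)):
        print(f"real port kept: {e.real_if}:{e.real_ip}/{e.real_port} -> "
              f"{e.mapped_if}:{e.mapped_ip}/{e.mapped_port}")
```

Running the checker against a live `show xlate` dump (saved to a file and passed to `parse_xlate`) gives a quick way to confirm whether a misbehaving phone is the one that received the preserved-port translation, without reading through every xlate line by hand.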