03-19-2013 07:24 AM - edited 03-11-2019 06:16 PM
Good Morning all,
I have a question. I've researched around the internet to find the CLI commands to open ports TCP 5060/5061 and UDP ports 1024 to 65535 to my SIP provider. I'm a voice guy, so I'm VERY new to security and I would like some assistance.
I'm using an ASA 5505, and below is my show run:
------------------ show running-config ------------------
: Saved
:
ASA Version 8.3(2)
!
hostname ECSASA-5505
domain-name hostedatandvoice.local
enable password <removed>
passwd <removed>
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/0
description COMCAST
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec EnterCloud Solutions ASA
banner login AAA is enabled, Local access has been restricted to local Administrators and Engineers of ECS, LLC.
banner motd EnterCloud Solutions ASA Appliance. Unauthorized users will be logged and flagged for unauthorized access. IP's are tracked and logged and will be reported to local State and Federal agencies.
banner motd Contact security@hostedatandvoice.com for additional help or support.
banner asdm WELCOME TO ECS ASA 5505 SECURITY APPLIANCE!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name hostedatandvoice.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Internet
subnet 0.0.0.0 0.0.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service NTP
service tcp source eq 123 destination eq 123
description Time Clock
object network STATIC-PAT
subnet 192.168.1.0 255.255.255.0
object network VPN-Pool
subnet 190.168.10.0 255.255.255.240
description VPN IP Address
object network SSL-VPN-POOL
description SSL-VPN-POOL
object network SSL-VPN-POOL1
object network SSL-VPN-NET1
subnet 192.168.10.0 255.255.255.240
object network outside_to_inside_VoIP
host 192.168.1.8
object-group network PRIVATE-LAN
network-object 192.168.1.0 255.255.255.0
object-group network SSL-VPN-NETWORKS
description SSL VPN NETWORKS
object-group network VPN-NETWORK
network-object object SSL-VPN-NET1
access-list OUTSIDE-IN extended permit udp any object STATIC-PAT eq ntp
access-list ECSSLVPN remark Allow VPN Access to LAN
access-list ECSSLVPN standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool VPN-Pool 192.168.10.1-192.168.10.12 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static PRIVATE-LAN PRIVATE-LAN destination static VPN-NETWORK VPN-NETWORK
!
object network STATIC-PAT
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.10.0 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email security@hostedatandvoice.com
subject-name CN=ESCASA-5505
ip-address x.x.x.x
keypair ECS-KP
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 59203f51
308202a8 30820211 a0030201 02020459 203f5130 0d06092a 864886f7 0d010105
05003066 31143012 06035504 03130b45 53434153 412d3535 3035314e 301b0609
2a864886 f70d0109 08130e35 302e3139 342e3234 352e3138 35302f06 092a8648
86f70d01 09021622 45534341 53412d35 3530352e 686f7374 65646174 616e6476
6f696365 2e6c6f63 616c301e 170d3133 30333132 31333233 34375a17 0d323330
33313031 33323334 375a3066 31143012 06035504 03130b45 53434153 412d3535
3035314e 301b0609 2a864886 f70d0109 08130e35 302e3139 342e3234 352e3138
35302f06 092a8648 86f70d01 09021622 45534341 53412d35 3530352e 686f7374
65646174 616e6476 6f696365 2e6c6f63 616c3081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 818100dd 432f3bbc 24f0329f 81f0faea 27555dd6
972dfcc0 697dd74b 8ebdfe7a b7adb611 a97b3881 baef9373 d6442571 7da6d0b1
f74e9ff9 6602d832 6a092719 2460ecb1 0088a4f0 fbf0c2b0 13586c87 c23d69b2
08525422 f66e735c 46f3b3c8 d3f41c21 5a204fea cd798c7b e15c018a 6f6d344d
de24ac87 12cc69a7 b07023a4 302a0702 03010001 a3633061 300f0603 551d1301
01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23
04183016 80149724 66a81b45 e402da6f f9e47a87 6c01af08 5476301d 0603551d
0e041604 14972466 a81b45e4 02da6ff9 e47a876c 01af0854 76300d06 092a8648
86f70d01 01050500 03818100 517b691a 285b035e 5e4ffaba 02467a5a 45d1d4fd
0e39838d caf77bf1 4cc2f5a6 2fefb926 d0a2fdc4 ebabc75a 28380c06 60df23ee
8be72ddc b3587956 1eb1df89 d7b4293a ad0db500 bf651885 0a44ba2c 4b94f8ce
e27b8242 4abead6b a1af0468 5ed4a8ef 013f2d08 59df2f2e e6afcc21 2df6bbd0
a1f15a01 4ba8960a ec9771bb
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 4.2.2.2 8.8.1.1
dhcpd domain hostedatandvoice.local
!
dhcpd address 192.168.1.12-192.168.1.130 inside
dhcpd dns 4.2.2.2 8.8.1.1 interface inside
dhcpd domain hostedatandvoice.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 199.249.224.123 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-3.0.11042-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ECSSLVPN
default-domain value hostedatandvoice.local
split-dns value hostedatandvoice.com
address-pools value VPN-Pool
webvpn
svc ask enable default webvpn
username khayes password <removed> privilege 15
username mharrell password <removed> privilege 15
username bdillard password <removed> privilege 15
username skonti password <removed> privilege 15
tunnel-group ECSSLVPN type remote-access
tunnel-group ECSSLVPN general-attributes
address-pool VPN-Pool
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:977f2a92875a8c744753124c94adbb09
: end
03-19-2013 09:56 AM
Anyone?
03-19-2013 10:17 AM
Hey Kenneth,
Please include more details such as where is your SIP provider, what is the traffic flow.
By default, there is an implicit permit from a higher security interface (100) to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface.
From lower to higher you need an access list and NAT (in that case you need an ACL opening the SIP ports and the port range).
Regards,
Juan Lombana
Please rate helpful posts.
03-19-2013 10:20 AM
Traffic Flow as follows:
ITSP->Comcast->ASA 5505->CUBE->CUCM
03-19-2013 10:35 AM
Kenneth,
You need to allow inbound traffic through the ASA. For this, since you are coming from the Internet (lower to higher), you need a one-to-one NAT and an access list:
object network
host x.x.x.x
nat (inside,outside) static y.y.y.y
!
access-list outside_access_in remark ASA 8.3+ ACLs match the real (inside) address, not the mapped one
access-list outside_access_in permit tcp any host x.x.x.x eq 5060
access-list outside_access_in permit tcp any host x.x.x.x eq 5061
access-list outside_access_in remark RTP media for the requested 1024-65535 range is UDP
access-list outside_access_in permit udp any host x.x.x.x range 1024 65535
Replace the x.x.x.x with the CUCM manager IP address and the y.y.y.y with a public IP on your outside interface.
Please be aware that you need a public IP other than your outside interface address; it must be another address in the same range as the outside interface.
Regards,
Juan Lombana
03-19-2013 10:36 AM
I have one public IP.
03-19-2013 10:45 AM
The public IP of the carrier or my static IP?
03-19-2013 11:31 AM
Kenneth,
If that's the case, you can use a port range and create a NAT using your outside interface IP.
object network CUCM_Private
host 10.10.10.10
!
object service Range_1024_65535
service udp source range 1024 65535
object service SIP_range
service tcp source range 5060 5061
!
nat (inside,outside) source static CUCM_Private interface service Range_1024_65535 Range_1024_65535
nat (inside,outside) source static CUCM_Private interface service SIP_range SIP_range
!
access-list outside_access_in permit tcp any object CUCM_Private eq 5060
access-list outside_access_in permit tcp any object CUCM_Private eq 5061
access-list outside_access_in remark the 1024-65535 range is reserved as UDP in Range_1024_65535, so permit UDP here
access-list outside_access_in permit udp any object CUCM_Private range 1024 65535
Take into consideration that I am using different IP addresses; please use the corresponding IPs.
Hope it helps,
Juan Lombana
03-19-2013 03:17 PM
ERROR: NAT unable to reserve ports.
That's what I got.
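The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the NAT and access-list fragment proposed in the last reply (together with the dynamic PAT already present in Kenneth's running config) and flags three things a reviewer would look at before pasting it in: a static PAT to the interface address whose port range overlaps the dynamic PAT pool that the rest of the LAN uses on that same address (the place to start looking when the box answers "NAT unable to reserve ports"), an ACE whose protocol does not match the protocol the NAT reserved for those ports, and an ACE that opens a large port range to any source. Assumptions not stated on the page: ASA 8.3+ semantics (ACLs match the real inside address; `source static OBJ interface service X X` reserves the *source* ports of service object X on the outside interface address), a dynamic PAT pool of 1024-65535, the ITSP address 203.0.113.10 (a documentation address standing in for the real trunk peer), and the object/host names from the reply. The overlap check is a heuristic pointer, not a reproduction of the ASA's reservation logic; confirm on the box with `show nat detail` and `packet-tracer`.

```python
import re
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # assumed mapped-port pool for dynamic PAT to the interface


@dataclass
class Nat:
    obj: str    # inside object being translated
    proto: str  # 'tcp'/'udp' for a service-scoped static PAT, '*' for dynamic PAT
    lo: int
    hi: int
    kind: str   # 'static-if' or 'dynamic-if'


@dataclass
class Ace:
    proto: str
    src: str    # 'any' or 'host a.b.c.d'; other source forms are not parsed
    obj: str    # destination object (real/inside address, as ASA 8.3+ requires)
    lo: int
    hi: int
    text: str


OBJ_RE = re.compile(r"^object (network|service) (\S+)$")
SVC_RE = re.compile(r"^\s+service (tcp|udp) source (?:range (\d+) (\d+)|eq (\d+))$")
STATIC_RE = re.compile(r"^\s*nat \(\S+,\S+\) source static (\S+) interface service (\S+) \S+$")
DYN_RE = re.compile(r"^\s+nat \(\S+,\S+\) dynamic interface$")
ACE_RE = re.compile(r"^access-list \S+ (?:extended )?permit (tcp|udp) (any|host \S+) "
                    r"object (\S+) (?:eq (\d+)|range (\d+) (\d+))$")


def _ports(eq, lo, hi):
    return (int(eq), int(eq)) if eq else (int(lo), int(hi))


def parse(config):
    """Collect NAT rules that land on the interface address, and ACEs naming an object."""
    services, nats, aces, cur = {}, [], [], None
    for line in config.splitlines():
        if (m := OBJ_RE.match(line)):
            cur = (m.group(1), m.group(2))
        elif (m := SVC_RE.match(line)) and cur and cur[0] == "service":
            services[cur[1]] = (m.group(1), *_ports(m.group(4), m.group(2), m.group(3)))
        elif DYN_RE.match(line) and cur and cur[0] == "network":
            nats.append(Nat(cur[1], "*", *EPHEMERAL, "dynamic-if"))
        elif (m := STATIC_RE.match(line)) and m.group(2) in services:
            nats.append(Nat(m.group(1), *services[m.group(2)], "static-if"))
        elif (m := ACE_RE.match(line)):
            lo, hi = _ports(m.group(4), m.group(5), m.group(6))
            aces.append(Ace(m.group(1), m.group(2), m.group(3), lo, hi, line.strip()))
    return nats, aces


def _overlaps(a, b):
    return a.lo <= b.hi and b.lo <= a.hi


def _covers(n, a):
    return n.lo <= a.lo and a.hi <= n.hi


def audit(config):
    """Return a list of {'kind', 'obj', 'msg'} findings for the fragment."""
    nats, aces = parse(config)
    findings = []
    dyn = [n for n in nats if n.kind == "dynamic-if"]
    for n in nats:
        if n.kind == "static-if" and any(_overlaps(n, d) for d in dyn):
            findings.append({"kind": "pat-overlap", "obj": n.obj, "msg": (
                f"static PAT {n.proto} {n.lo}-{n.hi} on the interface address overlaps the "
                "dynamic PAT pool the rest of the LAN uses on that same address")})
    for a in aces:
        static = [n for n in nats if n.kind == "static-if" and n.obj == a.obj and _covers(n, a)]
        if static and all(n.proto != a.proto for n in static):
            findings.append({"kind": "proto-mismatch", "obj": a.obj, "msg": (
                f"'{a.text}' permits {a.proto} but the NAT covering those ports reserves "
                + "/".join(n.proto for n in static))})
        if a.src == "any" and a.hi - a.lo + 1 >= 1000:
            findings.append({"kind": "wide-exposure", "obj": a.obj, "msg": (
                f"'{a.text}' opens {a.hi - a.lo + 1} ports to any source; restrict the source "
                "to the ITSP's signalling and media addresses")})
    return findings


# Constructed sample: the snippet from the reply plus the dynamic PAT already in the show run.
SAMPLE_AS_POSTED = """\
object network STATIC-PAT
 subnet 192.168.1.0 255.255.255.0
object network CUCM_Private
 host 10.10.10.10
object service Range_1024_65535
 service udp source range 1024 65535
object service SIP_range
 service tcp source range 5060 5061
nat (inside,outside) source static CUCM_Private interface service Range_1024_65535 Range_1024_65535
nat (inside,outside) source static CUCM_Private interface service SIP_range SIP_range
object network STATIC-PAT
 nat (inside,outside) dynamic interface
access-list outside_access_in permit tcp any object CUCM_Private eq 5060
access-list outside_access_in permit tcp any object CUCM_Private eq 5061
access-list outside_access_in permit tcp any object CUCM_Private range 1024 65535
"""

# Same NAT, ACL tightened: media is UDP and only the (assumed) ITSP peer may reach the host.
SAMPLE_TIGHTENED = SAMPLE_AS_POSTED.rsplit("access-list", 3)[0] + """\
access-list outside_access_in permit tcp host 203.0.113.10 object CUCM_Private eq 5060
access-list outside_access_in permit tcp host 203.0.113.10 object CUCM_Private eq 5061
access-list outside_access_in permit udp host 203.0.113.10 object CUCM_Private range 1024 65535
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_AS_POSTED), ("tightened", SAMPLE_TIGHTENED)):
        print(f"== {name} ==")
        for f in audit(cfg):
            print(f"[{f['kind']}] {f['obj']}: {f['msg']}")
```

Running it on the fragment as posted reports two overlaps (both static PATs land on the same interface address the LAN's dynamic PAT uses), one protocol mismatch (the 1024-65535 ACE is TCP while the NAT reserved UDP) and one wide-exposure warning; the tightened variant leaves only the overlaps, which is the part that needs a design decision rather than an edit. Note that the running config already applies `inspect sip` in global_policy: SIP inspection opens the RTP pinholes per call from the SDP, which is the usual way to avoid a standing 1024-65535 reservation on a single public address.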