Forward multiple ports and a port range to an internal host

Tobi · ‎12-08-2021

Hey all,

i have a customer (small business) without a static external IP adress. They use a VoIP solution with an internal appliance and i have to forward some ports and a port range to the VoIP device.

Using a public server did not work as it needs a static external ip and im pretty lost configuring this via CLI. From what i found out i need to define the object service, the access-list and the nat rule but i find it very confusing if the nat rule is outside, inside or the opposite and if the obejct service needs to be the source or destination.

object service RTP-Daten
service udp destination> range 10000 20000
object service Autoprov
service tcp source eq 50080

access-list inbound extended permit tcp any host 192.168.100.10 range 10000 20000
access-list inbound extended permit tcp any host 192.168.100.10 eq 50080

nat (outside,inside) source static any any destination static interface Starface service RTP-Daten RTP-Daten
nat (outside,inside) source static any any destination static interface Starface service Autoprov Autoprov

Would this be correct? And is it source or destination and outside, inside or the opposite?

Thanks in advance

Tobias

balaji.bandi · ‎12-08-2021

what device is this ? and what IOS running ?

high level below should work :

object service RTP-Daten
service udp source range 10000 20000
object service Autoprov
service tcp source eq 50080

object network VOIP_SERVER
host 192.168.100.10
nat (inside,outside) static interface service RTP-Daten RTP-Daten
nat (inside,outside) static interface service Autoprov Autoprov

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Tobi · ‎12-13-2021

Hi,

this does not work

object network VOIP_SERVER
host 192.168.100.10
nat (inside,outside) static interface service RTP-Daten RTP-Daten
nat (inside,outside) static interface service Autoprov Autoprov

Leads to the config only having the last service present and it only works with single ports.

nat (inside,outside) static interface service 54321 54321
nat (inside,outside) static interface service 12345 12345

Leads to a config where only

nat (inside,outside) static interface service 12345 12345

is present. And it does not work for port ranges. Any ideas?

Tobi · ‎12-08-2021

Its a Firepower 1010 with ASA Version 9.14(1)

Is there no need to open the firewall?

access-list inbound extended permit tcp any host 192.168.100.10 range 10000 20000
access-list inbound extended permit tcp any host 192.168.100.10 eq 50080

balaji.bandi · ‎12-08-2021

You need NAT and ACL to work.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Tobi · ‎12-08-2021

OK so this below should do the trick? From what i saw online the VOIP_SERVER should be in the NAT Rule like i marked in red below?

object network VOIP_SERVER
host 192.168.100.10

object service RTP-Daten
service udp source range 10000 20000
object service Autoprov
service tcp source eq 50080
object service AutoprovS
service tcp source eq 50081

access-list inbound extended permit tcp any host 192.168.100.10 range 10000 20000
access-list inbound extended permit tcp any host 192.168.100.10 eq 50080
access-list inbound extended permit tcp any host 192.168.100.10 eq 50081

access-group inbound in interface outside

nat (inside, outside) static interface VOIP_SERVER service RTP-Daten RTP-Daten
nat (inside, outside) static interface VOIP_SERVER service Autoprov Autoprov
nat (inside, outside) static interface VOIP_SERVER service AutoprovS AutoprovS

Tobi · ‎12-09-2021

Since i am out of office until monday: Would this be the correct solution? And with or without the VOIP_Server given in the nat rule? Thanks in advance!

Tobi · ‎12-13-2021

Can anyone confirm this?