06-22-2013 05:48 PM - edited 03-11-2019 07:01 PM
Hello Everyone,
This is my first post so please forgive me if I miss something. I have an ASA5512 running 8.6(1)2 that I am trying to NAT a public IP address from my ISP to multiple phone systems on the inside of my network. One of these phone systems is at the same site as the ASA5512 and I have no problems getting this one to work with my current config. The problem comes when I apply the same type of NAT rule that works at the main site to allow NAT to the other sites. These sites are connected via a point-to-point system from our ISP. The point-to-point does not seem to be an issue as I can ping any device at our other sites and I can RDP into computers and servers at the other sites. I can also call internally between sites, but when I try to call the other sites from my cell I can't get through. Also, when I forward one of the extensions at the other sites to my cell and then call internally I do not get an outside line.
In the config below you can see that I've applied the same NAT and ACL rules to the adminphonesystem and the deltaphonesystem objects. The adminphonesystem can make calls and receive them with no issues. The deltaphonesystem cannot make or receive calls from outside our network. Only internal calls are working for the deltaphonesystem. I've done packet traces in every which way and corrected any issues that I have found with no fix to the problem. So I cleaned up my config and posted it here. Really hope someone can give me a few pointers in getting this problem solved.
On another note, I have a Cisco ASA5505 with SmartNet support. So I throw it in place of the 5512 and call Cisco support. A tech calls me back and we get everything working perfectly on the 5505 with a few simple rules. I say thank you and have a nice. Then I throw the 5512 back in and replicate the rules from the 5505 that were working. Both of these units are using the new NAT setup that was released after 8.3. To my surprise the 5512 doesn't work even though I have the same rules as the 5505. If anyone can answer that side question please do.
ASA Version 8.6(1)2
!
hostname AdminASA
domain-name
enable password encrypted
passwd encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 76.320.333.43 255.255.255.224
!
interface GigabitEthernet0/2
nameif Inside
security-level 100
ip address 10.1.99.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif P2P
security-level 100
ip address 10.2.99.2 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name corp.centermh.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DeltaNetwork
subnet 10.1.96.0 255.255.255.0
object network GunnisonNetwork
subnet 10.1.97.0 255.255.255.0
object network MiamiNetwork
subnet 10.1.98.0 255.255.255.0
object network NuclaNetwork
subnet 10.1.93.0 255.255.255.0
object network TellurideNetwork
subnet 10.1.94.0 255.255.255.0
object network AdminPhoneSystem
host 10.1.99.225
description Inside IP Address of Admin Phone System
object network DeltaPhoneSystem
host 10.1.96.225
description Internal IP Address of Delta Phone System
object network AdminPhonePublic
host 76.320.333.48
description Public IP Address of Admin Phone System
object network FastTrackPhone
host 234.213.124.81
description FastTrack SIP Trunk Authtication IP Address
object network FastTrackMonitor
host 290.230.195.8
description FastTrack Monitoring server
object network DeltaPhonePublic
host 76.320.333.51
description Public IP Address of Delta Phone System
object-group icmp-type ICMP-All
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object alternate-address
icmp-object conversion-error
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object unreachable
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list global_access extended permit icmp object FastTrackMonitor any object-group ICMP-All
access-list Local_access_in extended permit ip any any
access-list MPLS_access_in extended permit ip any any
access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object DeltaPhoneSystem eq sip
access-list CTN_access_in extended permit icmp object FastTrackPhone object DeltaPhoneSystem object-group ICMP-All
access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object AdminPhoneSystem eq sip
access-list CTN_access_in extended permit icmp object FastTrackPhone object AdminPhoneSystem object-group ICMP-All
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu P2P 1500
mtu management 1500
ip local pool vpnUsers 10.1.99.200-10.1.99.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
nat (Inside,Outside) source static AdminPhoneSystem AdminPhonePublic no-proxy-arp
!
nat (P2P,Outside) after-auto source dynamic any interface
nat (Inside,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group P2P_access_in in interface P2P
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 76.320.333.42 6
route P2P 10.1.93.0 255.255.255.0 10.2.99.1 1
route P2P 10.1.94.0 255.255.255.0 10.2.99.1 1
route P2P 10.1.95.0 255.255.255.0 10.2.99.1 1
route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
route P2P 10.1.97.0 255.255.255.0 10.2.99.1 1
route P2P 10.1.98.0 255.255.255.0 10.2.99.1 1
route P2P 10.2.93.0 255.255.255.0 10.2.99.1 2
route P2P 10.2.94.0 255.255.255.0 10.2.99.1 2
route P2P 10.2.95.0 255.255.255.0 10.2.99.1 2
route P2P 10.2.96.0 255.255.255.0 10.2.99.1 2
route P2P 10.2.97.0 255.255.255.0 10.2.99.1 2
route P2P 10.2.98.0 255.255.255.0 10.2.99.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.99.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.1.99.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.138.140.44 prefer
webvpn
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
username privilege 15
username privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
contact-email-addr
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 8
subscribe-to-alert-group configuration periodic monthly 8
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
06-22-2013 11:04 PM
Hi,
If I am not mistaken, then at least one big problem is the source interface in the other NAT configuration command.
You have this
nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
Yet you have this "object network" and "route"
object network DeltaPhoneSystem
host 10.1.96.225
route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
So it seems to me that your NAT configuration should be
nat (P2P,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
Just as a side note, I personally prefer to configure Static NAT with Network Object NAT. With those configurations your Static NAT configurations would look like this
object network DeltaPhoneSystem
host 10.1.96.225
nat (P2P,Outside) static 76.320.333.51
object network AdminPhoneSystem
host 10.1.99.225
nat (Inside,Outside) static 76.320.333.48
Also one very important note, if you are using multiple public subnets on your ASA "Outside" interface then the way this is implemented by your ISP has a lot of meaning.
Here is the section from the patch notes that also explains the command's purpose
If you want to take a look at a NAT 8.3+ document I made here on the CSC then follow this link
https://supportforums.cisco.com/docs/DOC-31116
Hopefully the above helps with your problem
Please do remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
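The point of the reply above is that the first (real-side) interface in a NAT statement has to be the interface the ASA actually routes the real address through; a rule that names Inside for a host that lives behind P2P is never matched for that host. As an added example that is not from this thread, from Cisco, or from the poster, here is a small Python lint over flattened `show running-config` text that applies exactly that check to both twice NAT (`nat (real,mapped) source static A B`) and network object NAT (`nat (real,mapped) static x.x.x.x` inside an `object network`). The sample config is a cut-down, constructed copy of the lines quoted in the thread with its obfuscated public addresses kept as they are (the script skips addresses it cannot parse), and the function names are my own.

```python
import ipaddress
import re

# Twice NAT: "nat (real,mapped) [after-auto] source static REAL_OBJ MAPPED_OBJ ..."
TWICE_NAT = re.compile(r"^nat \((\w+),(\w+)\) (?:after-auto )?source static (\S+) (\S+)")
# Network object NAT inside an "object network" block: "nat (real,mapped) static MAPPED"
OBJECT_NAT = re.compile(r"^nat \((\w+),(\w+)\) static (\S+)")
ROUTE = re.compile(r"^route (\w+) (\S+) (\S+)")


def _network(addr, mask="255.255.255.255"):
    """'addr mask' -> IPv4Network, or None when it does not parse (the thread's
    public addresses are obfuscated with octets above 255 and are skipped)."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def parse_config(text):
    """Extract from flattened running-config text: objects (name -> real network),
    routes ([(network, egress interface)], connected + static) and nat_rules
    ([(real_if, mapped_if, real_object_name)] for both NAT syntaxes)."""
    objects, routes, nat_rules = {}, [], []
    obj = iface = None  # the "object network" / "interface" block we are inside
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        line = " ".join(parts)
        if line.startswith("object network "):
            obj, iface = parts[2], None
        elif line.startswith("interface ") or parts[0] == "route" or TWICE_NAT.match(line):
            obj = iface = None  # a new block or a global command ends the current block
        if parts[0] == "nameif" and len(parts) > 1:
            iface = parts[1]
        elif parts[0] == "host" and obj:
            objects[obj] = _network(parts[1])
        elif parts[0] == "subnet" and obj and len(parts) > 2:
            objects[obj] = _network(parts[1], parts[2])
        elif line.startswith("ip address ") and iface and len(parts) > 3:
            net = _network(parts[2], parts[3])  # connected route for this interface
            if net is not None:
                routes.append((net, iface))
        elif (m := ROUTE.match(line)):
            net = _network(m.group(2), m.group(3))
            if net is not None:
                routes.append((net, m.group(1)))
        elif (m := TWICE_NAT.match(line)):
            nat_rules.append((m.group(1), m.group(2), m.group(3)))
        elif (m := OBJECT_NAT.match(line)) and obj:
            nat_rules.append((m.group(1), m.group(2), obj))
    return objects, routes, nat_rules


def egress_interface(addr, routes):
    """Longest-prefix match of addr against the connected and static routes."""
    ip = ipaddress.ip_address(str(addr))
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def lint_nat(text):
    """One finding per NAT rule whose real-side interface is not the interface
    the real address is actually routed through (the mistake in this thread)."""
    objects, routes, nat_rules = parse_config(text)
    findings = []
    for real_if, mapped_if, name in nat_rules:
        net = objects.get(name)
        routed_if = egress_interface(net.network_address, routes) if net else None
        if routed_if != real_if:
            findings.append({"object": name, "real_if": real_if, "routed_if": routed_if,
                             "rule": f"nat ({real_if},{mapped_if}) ... {name}"})
    return findings


# Constructed sample: only the lines from the poster's config that matter for the
# check, with the public addresses left obfuscated exactly as in the thread.
THREAD_CONFIG = """
interface GigabitEthernet0/2
 nameif Inside
 ip address 10.1.99.1 255.255.255.0
interface GigabitEthernet0/3
 nameif P2P
 ip address 10.2.99.2 255.255.255.0
object network AdminPhoneSystem
 host 10.1.99.225
object network DeltaPhoneSystem
 host 10.1.96.225
route Outside 0.0.0.0 0.0.0.0 76.320.333.42 6
route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
nat (Inside,Outside) source static AdminPhoneSystem AdminPhonePublic no-proxy-arp
nat (P2P,Outside) after-auto source dynamic any interface
"""

# The same config with the reply's fix applied, written as network object NAT so
# that both NAT syntaxes go through the parser.
FIXED_CONFIG = THREAD_CONFIG.replace(
    "nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp\n", ""
).replace(" host 10.1.96.225\n", " host 10.1.96.225\n nat (P2P,Outside) static 76.320.333.51\n")

if __name__ == "__main__":
    for label, cfg in (("as posted", THREAD_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, lint_nat(cfg) or "no NAT/route mismatches")
```

Run against the config as posted it reports the Delta rule (real interface `Inside`, but 10.1.96.225 is routed via `P2P`); after the correction it reports nothing. The mapped side is deliberately not parsed, which is why the obfuscated public addresses in the thread do not get in the way, and it is also why the same check works unchanged on the network object NAT form Jouni prefers.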