
NAT Port Forwarding with multiple public IP Addresses

Amjad Shakeel
Level 1

Hi 

I am new to the Cisco ASA. We have a Cisco ASA 5510 and I am trying to open some NAT ports for a phone system server. I cannot figure out where I am going wrong.

I have a phone server whose inside IP Address is 10.2.50.170. The public IP Address on the external Interface given to me from my ISP is 185.67.116.17/28. I have been given a block of 16 addresses from my ISP. 

I wish to do the following:

Open ports udp/5060 and udp/9000-9500 to port forward to the phone server. I want the phone server to only be accessible using public IP Address 185.67.116.18 which is one of the addresses given to me by my ISP from the block of 16.

I have added following CLI commands but cannot get the port forwarding to work:

object network Outside_to_Inside_Phone_System

host 10.2.50.170
nat (inside,outside) static 185.67.116.18 service udp 5060 5060
access-list inbound extended permit tcp any host 10.2.50.70 eq 5060
access-group inbound in interface outside

object service Phone_RTP_Ports
service udp destination range 9000 9500
exit
nat (inside,outside) source static any any destination static interface Outside_to_Inside_Phone_System service Phone_RTP_Range Phone_RTP_Range
access-list inbound extended permit udp any object Outside_to_Inside_Phone_System range 9000 9500
access-group Phone_TO_INSIDE in interface External

Any help would be really appreciated.

Kind Regards

Amjad

6 Replies

The mistake that stands out is the ACL for port UDP 5060.

nat (inside,outside) static 185.67.116.18 service udp 5060 5060
access-list inbound extended permit tcp any host 10.2.50.70 eq 5060

In the NAT you are matching UDP, while in the ACL you are matching TCP.

--

Please remember to select a correct answer and rate helpful posts


Thanks, I managed to get the single port forwarding working with the following:

object network Outside_to_Inside_Phone_System

host 10.2.50.170
nat (inside,outside) static 185.67.116.18 service udp 5060 5060
access-list inbound extended permit udp any host 10.2.50.170 eq 5060
access-group inbound in interface outside

For the range of ports I have done the following, but it does not seem to work:

object network Phone_SERVER
host 10.2.50.70
exit

object network Phone_outsideIP
185.67.116.21
exit

object service Phone_RTP_Range
service udp destination range 9000 9500

nat (outside,inside) source static any any destination static Phone_outsideIP Phone_SERVER service Phone_RTP_Range Phone_RTP_Range

access-list inbound extended permit udp any object Phone_SERVER range 9000 9500

Any help appreciated.

Ajay Saini
Level 7

To add to that, the second NAT seems to be incorrect as well (IMO):

nat (inside,outside) source static any any destination static interface Outside_to_Inside_Phone_System service Phone_RTP_Range Phone_RTP_Range

This needs to be like below (order matters):

nat (outside,inside) source static any any destination static interface Outside_to_Inside_Phone_System service Phone_RTP_Range Phone_RTP_Range

Also, the interface name is confusing. Is 'outside' the interface name, or is it 'external'? The access-list is applied on an interface named External. Just correct that access-list, apply it on the correct interface and it should work.

If you still face issues, please post output of NAT and access-list.

-

AJ

Sorry, I have re-added the commands but it is still not working:

object network Outside_to_Inside_Phone_System

host 10.2.50.170
nat (inside,outside) static 185.67.116.18 service udp 5060 5060
access-list inbound extended permit udp any host 10.2.50.70 eq 5060
access-group inbound in interface outside

object service Phone_RTP_Ports
service udp destination range 9000 9500
exit
nat (inside,outside) source static any any destination static interface Outside_to_Inside_Phone_System service Phone_RTP_Ports Phone_RTP_Ports
access-list inbound extended permit udp any object Outside_to_Inside_Phone_System range 9000 9500
access-group inbound in interface outside

Not sure where I am going wrong.

Thanks for the help so far.

You have not corrected the NAT statement as I suggested. It needs to be (outside,inside) because of the way you have defined the other parameters.

Can you please change it and see if that helps? If not, please attach packet-tracer outputs and also syslogs when attempting the traffic.

-

AJ

This is the statement you should change to the following NAT statement if you decide to keep the parameters the way they are.

nat (outside,inside) source static any any destination static interface Outside_to_Inside_Phone_System service Phone_RTP_Ports Phone_RTP_Ports

Personally I prefer to try to keep all my NAT statements source from the inside to outside, as follows:

nat (inside,outside) source static Outside_to_Inside_Phone_System interface destination static any any service Phone_RTP_Ports Phone_RTP_Ports

--

Please remember to select a correct answer and rate helpful posts

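A consolidated configuration for both forwards (SIP on udp/5060 and the RTP range udp/9000-9500) to 185.67.116.18, added here as an example and not taken from any post in the thread. It assumes the interfaces are named "inside" and "outside" and uses the server and public addresses from the original question; the peer address in the packet-tracer line is constructed. It also goes one step beyond the thread: when a twice NAT rule is written in the (inside,outside) direction, the phone server is the source of the flow, so the RTP range has to be defined as a source port range in the service object, whereas the (outside,inside) form matches it as a destination range.

```cisco
! --- Objects (names are illustrative) ---
object network PHONE_SERVER
 host 10.2.50.170
object network PHONE_PUBLIC
 host 185.67.116.18
! Inside-to-outside direction: the phone server is the SOURCE, so the
! RTP range must be a SOURCE port range here. A "destination range"
! only matches when the rule is written as nat (outside,inside).
object service PHONE_RTP_SRC
 service udp source range 9000 9500
!
! --- NAT ---
! SIP signalling: object NAT, single port, real port = mapped port
object network PHONE_SERVER
 nat (inside,outside) static PHONE_PUBLIC service udp 5060 5060
! RTP media: twice NAT, identity port range (same object for real and mapped)
nat (inside,outside) source static PHONE_SERVER PHONE_PUBLIC destination static any any service PHONE_RTP_SRC PHONE_RTP_SRC
!
! --- Inbound ACL: on ASA 8.3+ the ACL references the REAL (inside) address,
! and the protocol must match the NAT rule (udp, not tcp) ---
access-list inbound extended permit udp any object PHONE_SERVER eq 5060
access-list inbound extended permit udp any object PHONE_SERVER range 9000 9500
! If the SIP provider's addresses are known, replace "any" with an object for them.
access-group inbound in interface outside
!
! --- Verification ---
! Check hit counts and that both rules appear with the expected direction
show nat detail
show access-list inbound
! Simulate an inbound RTP packet from a constructed peer (198.51.100.10) to the
! public address; the output shows the NAT rule hit and the ACL result
packet-tracer input outside udp 198.51.100.10 20000 185.67.116.18 9000 detailed
```

A packet-tracer run that ends in "Action: drop" at the NAT or ACL phase points directly at which of the two rules disagrees with the other.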