cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
920
Views
3
Helpful
11
Replies

Peer to Peer traffic through ASA 5516

timothy_MTS
Level 1
Level 1

Hello all,

Recently there is a request from my user to use a software "Sonobus" that can allow other users to join together to share their audio recording. This looks like to be the peer-to-peer UDP traffic. Sonobus 

I decided to go ahead for testing inour corporate network. I have some searches around and the software simply suggests to do Port Forwarding. At the same time, I took a look in the Cisco community, there is a suggestion that we can use NAT to make this PC to be viewable from internet. Yes I have a spare IP address to do so. I have done some testing like ping and RDP, it works pretty fine. But when I start the software, try to connect it, it still not failed to get connected.

My network is having a two tiered firewalls ASA5516 x 2. There is a Cisco ASDM that I can configure the NAT and allow/deny those ping/RDP traffics. There is also a Firewall Management Console. But then I am not sure what I can do to allow this machine to get this connected through this software.

 

1 Accepted Solution

Accepted Solutions

timothy_MTS
Level 1
Level 1

Good news that I can finally find out what's missing from the configurations.

They split into two parts. One is application connecting to the server. The other one is the UDP for audio connectivity.

The application itself did not mention in any where on their website on which ports need to be allowed but then, Permit both TCP and UDP ports.

Secondly, after the NAT for the PC, then allowing certain UDP ports, and at last, the most important one i missed,

was from DMZ to Outside and permit the source with the specified UDP port

Now it works fine finally... Thanks all for the help.

Cheers

 

 

 

 

View solution in original post

11 Replies 11

Can You share packets tracer in both ASA for this software traffic 

MHM

I didn't use the packet tracer before. Is the one inside the Cisco ASDM - Packet Tracer? which interface I should use? And the packet type?

timothy_MTS_0-1714565531888.png

 

Yes friend it is 

Run it 

And for IP the IP of traffic you need to pass through ASA for that software.

Interface is from which point this traffic ingress into ASA 

MHM

balaji.bandi
Hall of Fame
Hall of Fame

As per their document i guess they use UDP 12000.

what you can do take the user IP and try to use sonobus (on ASDM check the real time logs) you can see the user IP and deny logs.

If that is port you have setup, then Add ACL for that user IP as source and destination "if you can find IP fine)" or else use any - Services  UDP 12000 and apply on the firewall.

then do the testing, if that works, then change the source IP from user IP to Lan sbubnet if that is your requirement.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

timothy_MTS
Level 1
Level 1

@balaji.bandi 

I have a done a testing on the machine. Whenever I start to connect the application, there was a log in the FW.

From my machine's IP and then pointing to 52.71.29.240. It shows the TCP with the destination port 10998

timothy_MTS_0-1714627931477.png

@MHM Cisco World 

timothy_MTS_1-1714629439776.png

I tried to Packet Trace and shows this.

there is ACL in DMZ 
this ACL drop traffic 

MHM

Looks like that port you configured on the device, allow 1 ACL source and destination 

but both show RF 1918 address - is this something you have DMZ and NATed setup ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

timothy_MTS
Level 1
Level 1

@balaji.bandi @MHM Cisco World 

I figured out that from the FMC portal. I created two rules to allow the traffic of the port from internal to outside, then the application allows me to be connected. Two machines with the software installed. I also made the two machines with using two static UDP ports.

timothy_MTS_0-1715039711008.png

timothy_MTS_1-1715040151096.png

[internal --> dmz with the TCP and UDP ports of 10998] and [dmz--> outside with the TCP and UDP ports of 10998] 

PC1 with no NAT - It works with the first rule applied

PC2 with NAT - It works only when the two rules applied

Now the two PCs inside the corporate network can talk to each other in the application. But the situation is one from internal network, the other is from public network, even though they can be connected to see each others, they can't exchange audio. The point now is it shows the alert from the app.

timothy_MTS_2-1715040626043.png

timothy_MTS_3-1715040833524.png

Now the ASDM shows the log like that. The 172.22.187.21/13599 is the PC inside the corporate.

The 172.20.10.2/60073 is the PC using the hotspot connecting directly to the internet.

As mentioned, the UDP ports are set to those PCs. So what can I do next?

 

PC1 with no NAT - It works with the first rule applied

PC2 with NAT - It works only when the two rules applied

Can you more elaborate 

And if you draw topology it will perfect 

MHM

timothy_MTS
Level 1
Level 1

Hello @MHM Cisco World ,

Sorry that I may make a mistake on what I said. It is actually something like the drawing below. All the outbound traffics are through the many to 1 NAT. I think this is properly the normal setup as usual.

I setup a machine with a 1-to-1 NAT, which this machine is for this Sonobus testing.

timothy_MTS_1-1715904894830.png

 

when I do the testing, I have to create two rules for the PC (1to1 NAT) in the Firewall MC.

timothy_MTS_1-1715720703504.png

timothy_MTS_2-1715720729678.png

Regards,

Timothy

 

 

 

timothy_MTS
Level 1
Level 1

Good news that I can finally find out what's missing from the configurations.

They split into two parts. One is application connecting to the server. The other one is the UDP for audio connectivity.

The application itself did not mention in any where on their website on which ports need to be allowed but then, Permit both TCP and UDP ports.

Secondly, after the NAT for the PC, then allowing certain UDP ports, and at last, the most important one i missed,

was from DMZ to Outside and permit the source with the specified UDP port

Now it works fine finally... Thanks all for the help.

Cheers

 

 

 

 

Review Cisco Networking for a $25 gift card