Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
308
Views
1
Helpful
10
Replies

Peer to Peer traffic through ASA 5516

timothy_MTS
Level 1
Level 1

ā€Ž04-30-2024 10:58 PM

Hello all,

Recently there is a request from my user to use a software "Sonobus" that can allow other users to join together to share their audio recording. This looks like to be the peer-to-peer UDP traffic. Sonobus 

I decided to go ahead for testing inour corporate network. I have some searches around and the software simply suggests to do Port Forwarding. At the same time, I took a look in the Cisco community, there is a suggestion that we can use NAT to make this PC to be viewable from internet. Yes I have a spare IP address to do so. I have done some testing like ping and RDP, it works pretty fine. But when I start the software, try to connect it, it still not failed to get connected.

My network is having a two tiered firewalls ASA5516 x 2. There is a Cisco ASDM that I can configure the NAT and allow/deny those ping/RDP traffics. There is also a Firewall Management Console. But then I am not sure what I can do to allow this machine to get this connected through this software.

 

0 Helpful
10 Replies 10

MHM Cisco World
VIP
VIP

ā€Ž05-01-2024 12:59 AM

Can You share packets tracer in both ASA for this software traffic 

MHM

0 Helpful

timothy_MTS
Level 1
Level 1
In response to MHM Cisco World

ā€Ž05-01-2024 05:13 AM - edited ā€Ž05-01-2024 05:13 AM

I didn't use the packet tracer before. Is the one inside the Cisco ASDM - Packet Tracer? which interface I should use? And the packet type?

timothy_MTS_0-1714565531888.png

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to timothy_MTS

ā€Ž05-01-2024 05:24 AM

Yes friend it is 

Run it 

And for IP the IP of traffic you need to pass through ASA for that software.

Interface is from which point this traffic ingress into ASA 

MHM

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

ā€Ž05-01-2024 05:32 AM

As per their document i guess they use UDP 12000.

what you can do take the user IP and try to use sonobus (on ASDM check the real time logs) you can see the user IP and deny logs.

If that is port you have setup, then Add ACL for that user IP as source and destination "if you can find IP fine)" or else use any - Services  UDP 12000 and apply on the firewall.

then do the testing, if that works, then change the source IP from user IP to Lan sbubnet if that is your requirement.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

timothy_MTS
Level 1
Level 1

ā€Ž05-01-2024 11:21 PM

@balaji.bandi 

I have a done a testing on the machine. Whenever I start to connect the application, there was a log in the FW.

From my machine's IP and then pointing to 52.71.29.240. It shows the TCP with the destination port 10998

timothy_MTS_0-1714627931477.png

@MHM Cisco World 

timothy_MTS_1-1714629439776.png

I tried to Packet Trace and shows this.

0 Helpful

MHM Cisco World
VIP
VIP
In response to timothy_MTS

ā€Ž05-02-2024 12:13 AM

there is ACL in DMZ 
this ACL drop traffic 

MHM

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to timothy_MTS

ā€Ž05-02-2024 12:52 AM

Looks like that port you configured on the device, allow 1 ACL source and destination 

but both show RF 1918 address - is this something you have DMZ and NATed setup ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

timothy_MTS
Level 1
Level 1

ā€Ž05-06-2024 05:19 PM

@balaji.bandi @MHM Cisco World 

I figured out that from the FMC portal. I created two rules to allow the traffic of the port from internal to outside, then the application allows me to be connected. Two machines with the software installed. I also made the two machines with using two static UDP ports.

timothy_MTS_0-1715039711008.png

timothy_MTS_1-1715040151096.png

[internal --> dmz with the TCP and UDP ports of 10998] and [dmz--> outside with the TCP and UDP ports of 10998] 

PC1 with no NAT - It works with the first rule applied

PC2 with NAT - It works only when the two rules applied

Now the two PCs inside the corporate network can talk to each other in the application. But the situation is one from internal network, the other is from public network, even though they can be connected to see each others, they can't exchange audio. The point now is it shows the alert from the app.

timothy_MTS_2-1715040626043.png

timothy_MTS_3-1715040833524.png

Now the ASDM shows the log like that. The 172.22.187.21/13599 is the PC inside the corporate.

The 172.20.10.2/60073 is the PC using the hotspot connecting directly to the internet.

As mentioned, the UDP ports are set to those PCs. So what can I do next?

 

MHM Cisco World
VIP
VIP
In response to timothy_MTS

ā€Ž05-08-2024 08:06 AM

PC1 with no NAT - It works with the first rule applied

PC2 with NAT - It works only when the two rules applied

Can you more elaborate 

And if you draw topology it will perfect 

MHM

0 Helpful

timothy_MTS
Level 1
Level 1

ā€Ž05-16-2024 05:16 PM

Hello @MHM Cisco World ,

Sorry that I may make a mistake on what I said. It is actually something like the drawing below. All the outbound traffics are through the many to 1 NAT. I think this is properly the normal setup as usual.

I setup a machine with a 1-to-1 NAT, which this machine is for this Sonobus testing.

timothy_MTS_1-1715904894830.png

 

when I do the testing, I have to create two rules for the PC (1to1 NAT) in the Firewall MC.

timothy_MTS_1-1715720703504.png

timothy_MTS_2-1715720729678.png

Regards,

Timothy

 

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card