Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1457
Views
5
Helpful
2
Replies

Port Forwarding for Voice Application

Go to solution
MARCELORODRIGUES68978
Level 1
Level 1

‎01-20-2021 06:21 PM

I wanna configure a port forwarding on ASA so users can register their smartphones, wherever they are, on company PBX. I did configs as below, but softphone not registering. 

 

Can you please help me?


:
ASA Version 9.6(1)

!
interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address 200.0.0.158 255.255.255.240
!
interface GigabitEthernet1/3
nameif DMZ
security-level 50
ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet1/5
nameif Inside
security-level 100
ip address 192.168.0252 255.255.255.0
!
object network INSIDE_NET
subnet 192.168.00 255.255.255.0
object network PABX_10.1.0.2
host 10.1.0.2
object service UDP_15757
service udp source eq 15757
object service UDP_5060
service udp source eq sip
object service RANGE_16000-17023
service udp source range 16000 17023
object service RANGE_17024-18047
service udp source range 17024 18047
object network GLOBAL_200.0.0.157
host 200.0.0.157
object-group service PABX_SERVICES
service-object object UDP_15757
service-object object UDP_5060
service-object object RANGE_16000-17023
service-object object RANGE_17024-18047
access-list PABX_ACL extended permit udp object PABX_10.1.0.2 any eq 15767
access-list PABX_ACL extended permit udp object PABX_10.1.0.2 any eq sip
access-list PABX_ACL extended permit udp object PABX_10.1.0.2 any range 16000 17023
access-list PABX_ACL extended permit udp object PABX_10.1.0.2 any range 17024 18047
!
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service any UDP_15757
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service any UDP_5060
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service any RANGE_16000-17023
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service any RANGE_17024-18047
route Outside 0.0.0.0 0.0.0.0 200.0.0.145 1
route Inside 10.143.0.0 255.255.0.0 192.168.02 1

 

Capturing inbound packets on Outside interface, I have message: "udp 665 Drop-reason: (acl-drop) Flow is denied by configured rule"

 

Thanks in advance

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-21-2021 12:06 AM

Hi,

I don't see ACL on outside interface to allow smart phones to connect on
internet, for example

access-list OUTSIDE_ACL extended permit udp object any
GLOBAL_200.0.0.157 eq sip

Also, your nats are incorrect. The service should be duplicated, for example

nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service
UDP_15757 UDP_15757

***** please remember to rate useful posts

View solution in original post

2 Replies 2

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-21-2021 12:06 AM

Hi,

I don't see ACL on outside interface to allow smart phones to connect on
internet, for example

access-list OUTSIDE_ACL extended permit udp object any
GLOBAL_200.0.0.157 eq sip

Also, your nats are incorrect. The service should be duplicated, for example

nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service
UDP_15757 UDP_15757

***** please remember to rate useful posts

Go to solution
MARCELORODRIGUES68978
Level 1
Level 1
In response to Mohammed al Baqari

‎01-21-2021 07:16 AM

Hi Mohammed,

 

My ACL statement was there, but with no hits. I applied an ACL "udp any to any service XXX" and also performed adjustments on NAT as per your recomendation. Now it is working fine. Thank you

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card