
Port Forwarding for Voice Application

I want to configure port forwarding on the ASA so users can register their smartphones, wherever they are, on the company PBX. I did the configs as below, but the softphone is not registering.

 

Can you please help me?


:
ASA Version 9.6(1)

!
interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address 200.0.0.158 255.255.255.240
!
interface GigabitEthernet1/3
nameif DMZ
security-level 50
ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet1/5
nameif Inside
security-level 100
ip address 192.168.0252 255.255.255.0
!
object network INSIDE_NET
subnet 192.168.00 255.255.255.0
object network PABX_10.1.0.2
host 10.1.0.2
object service UDP_15757
service udp source eq 15757
object service UDP_5060
service udp source eq sip
object service RANGE_16000-17023
service udp source range 16000 17023
object service RANGE_17024-18047
service udp source range 17024 18047
object network GLOBAL_200.0.0.157
host 200.0.0.157
object-group service PABX_SERVICES
service-object object UDP_15757
service-object object UDP_5060
service-object object RANGE_16000-17023
service-object object RANGE_17024-18047
access-list PABX_ACL extended permit udp object PABX_10.1.0.2 any eq 15767
access-list PABX_ACL extended permit udp object PABX_10.1.0.2 any eq sip
access-list PABX_ACL extended permit udp object PABX_10.1.0.2 any range 16000 17023
access-list PABX_ACL extended permit udp object PABX_10.1.0.2 any range 17024 18047
!
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service any UDP_15757
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service any UDP_5060
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service any RANGE_16000-17023
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service any RANGE_17024-18047
route Outside 0.0.0.0 0.0.0.0 200.0.0.145 1
route Inside 10.143.0.0 255.255.0.0 192.168.02 1

 

Capturing inbound packets on the Outside interface, I get the message: "udp 665 Drop-reason: (acl-drop) Flow is denied by configured rule"

 

Thanks in advance

 

1 Accepted Solution


Hi,

I don't see an ACL on the outside interface to allow smartphones to connect over the internet, for example

access-list OUTSIDE_ACL extended permit udp any object GLOBAL_200.0.0.157 eq sip

Also, your NATs are incorrect. The service should be duplicated, for example

nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service UDP_15757 UDP_15757


2 Replies

Hi Mohammed,

 

My ACL statement was there, but with no hits. I applied an ACL "udp any to any service XXX" and also performed adjustments on NAT as per your recommendation. Now it is working fine. Thank you
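
The two corrections from the accepted answer, written out for all four service objects, as an added example that is not part of the original thread. It assumes the objects defined in the posted config; the ACL matches the PBX's real address because ASA 8.3 and later evaluate interface ACLs against the untranslated address, and it is scoped to the PBX ports rather than any-to-any. The packet-tracer source 198.51.100.10 is a constructed test address.

```cisco
! Added example: corrected manual NAT and a scoped inbound ACL.
! Remove the four original nat rules first (re-enter each with "no").
! Real and mapped service are both given, so each port is forwarded
! unchanged between 10.1.0.2 and 200.0.0.157.
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service UDP_15757 UDP_15757
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service UDP_5060 UDP_5060
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service RANGE_16000-17023 RANGE_16000-17023
nat (DMZ,Outside) source static PABX_10.1.0.2 GLOBAL_200.0.0.157 service RANGE_17024-18047 RANGE_17024-18047
!
! Inbound ACL: the destination is the real PBX address, limited to the
! four port sets. Note 15757 here; the posted PABX_ACL had 15767.
access-list OUTSIDE_ACL extended permit udp any object PABX_10.1.0.2 eq 15757
access-list OUTSIDE_ACL extended permit udp any object PABX_10.1.0.2 eq sip
access-list OUTSIDE_ACL extended permit udp any object PABX_10.1.0.2 range 16000 17023
access-list OUTSIDE_ACL extended permit udp any object PABX_10.1.0.2 range 17024 18047
!
! Bind it to the interface where the phones arrive. Only one ACL can be
! bound per interface and direction: if one is already applied inbound
! on Outside, add the entries above to that ACL instead.
access-group OUTSIDE_ACL in interface Outside
!
! Verify: simulate a UDP packet to the SIP port from outside, then
! check ACL hit counts and NAT translate hits.
packet-tracer input Outside udp 198.51.100.10 5060 200.0.0.157 5060
show access-list OUTSIDE_ACL
show nat detail
```

A packet-tracer result of ALLOW with the UN-NAT phase showing 200.0.0.157 translated to 10.1.0.2 confirms both the NAT rule and the ACL match; an acl-drop at the ACCESS-LIST phase points back at the ACL or its binding.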
