Problem with NAT with video call on ASA5510

kpoon
Level 1

Hello all,

We have a video system at 10.4.86.199 trying to call another system at 172.30.1.102.


The system at 10.4.86.199 receives the video image and sound, but the one at 172.30.1.102 doesn't after the call is established.

10.4.86.199 actually contacts 10.40.86.102, which NATs to 172.30.1.102; it cannot contact 172.30.1.102 directly. It is done by design.

I've tried packet-tracer and it points to a problem with NAT, but I can't pinpoint it. Any help would be appreciated.

Please see attached config.

Thank you in advance.

16 Replies

Hi,

If I understand correctly, 10.4.86.199 should reach 10.40.86.102 to be able to get the service from 172.30.1.102.

172.30.1.102 NATs to 10.40.86.102

In order to allow 10.4.86.199 to reach 10.40.86.102 you need a static NAT (which you have):
static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.

and also ACL:

access-list Endo-40_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list Endo-40_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

Should be permitting this traffic (all ports required to make this work).

Normally if Packet-Tracer reports a problem (a NAT problem in this case), should show you which NAT rule is causing
the conflict.
Can you include that information?

Federico.

Hi Federico,

Here's the result:

ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 172.30.1.102 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.30.1.0      255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Entrust-40_access_in in interface E-40
access-list Entrust-40_access_in extended permit ip any any
Additional Information:
             
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SSM_SERVICE
Subtype:     
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-out-acl out interface inside
access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_12 172.30.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object 10.4.86.0 255.255.255.0
network-object 10.40.86.0 255.255.255.0
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.255
nat-control
  match ip inside host 172.30.1.102 E-40 any
    static translation to 10.40.86.102
    translate_hits = 15, untranslate_hits = 36
Additional Information:

Result:
input-interface: E-40
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
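A small parser, added here as an example (not the thread's own tooling), that reads packet-tracer output like the one above, splits it into phases and reports the first DROP phase together with the config lines the ASA printed for it and the Drop-reason, so the NAT rule behind an rpf-check drop can be pulled out automatically. The embedded trace is a constructed, abbreviated sample, not a verbatim capture.

```python
import re

# Constructed sample: an abbreviated packet-tracer run that drops at a NAT rpf-check.
# The rpf-check drop means the flow's destination (the real address 172.30.1.102)
# conflicts with the static translation, which expects the mapped address 10.40.86.102.
SAMPLE_TRACE = """\
Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-out-acl out interface inside
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,E-40) 10.40.86.102 172.30.1.102 netmask 255.255.255.255
nat-control
  match ip inside host 172.30.1.102 E-40 any
    static translation to 10.40.86.102
Additional Information:

Result:
input-interface: E-40
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into one dict per 'Phase:' block."""
    phases, current, section = [], None, None
    for line in text.splitlines():
        value = line.split(":", 1)[1].strip() if ":" in line else ""
        if line.startswith("Phase:"):
            current = {"phase": int(value), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif current is None:
            continue
        elif line.startswith("Result:") and not value:
            current = None            # trailing summary block, not a phase
        elif line.startswith("Type:"):
            current["type"] = value
        elif line.startswith("Subtype:"):
            current["subtype"] = value
        elif line.startswith("Result:"):
            current["result"] = value
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section and line.strip():
            current[section].append(line.rstrip())
    return phases

def first_drop(text):
    """Return the first DROP phase (with its config and the Drop-reason), or None."""
    m = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    reason = m.group(1).strip() if m else None
    for p in parse_phases(text):
        if p["result"] == "DROP":
            return {"phase": p["phase"], "type": p["type"], "subtype": p["subtype"],
                    "config": p["config"], "drop_reason": reason}
    return None

if __name__ == "__main__":
    print(first_drop(SAMPLE_TRACE))
```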

The test is incorrect.

You're attempting to reach 172.30.1.102 on port 80 from 10.4.86.199

From 10.4.86.199 you should reach 10.40.86.102 (and the ASA will statically NAT it to 172.30.1.102).

Do the following test:

packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 80

Federico.

Everything seems OK...

Any exempt rule I'm missing? Everything else works except the video on one end...

ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.4.86.0       255.255.255.0   E-40

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Entrust-40_access_in in interface E-40
access-list Entrust-40_access_in extended permit ip any any
Additional Information:
             
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SSM_SERVICE
Subtype:     
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group E-40_access_out out interface E-40
access-list E-40_access_out extended permit ip any any
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 56854583, packet dispatched to next module

Result:
input-interface: E-40
input-status: up
input-line-status: up
output-interface: E-40
output-status: up
output-line-status: up
Action: allow

Everything seems fine for the test you made on destination port 80:

packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 80

But are there any other ports needed? What kind of video/traffic/protocol are you using?

Maybe we need to open other ports besides 80?

Federico.

I thought the ACLs are allowing everything already.

access-list Endo-40_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list Endo-40_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

I've also tested the ports necessary, such as SIP, H323, etc. Is there anything in the conf that might have prevented any kind of traffic going to 172.30.1.102? Any NAT exempt needed, or anything that could overlap any NAT or ACL?

ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 SIP

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.4.86.0       255.255.255.0   E-40

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Entrust-40_access_in in interface E-40
access-list Entrust-40_access_in extended permit ip any any
Additional Information:
             
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group E-40_access_out out interface E-40
access-list E-40_access_out extended permit ip any any
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7     
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 56882019, packet dispatched to next module

Result:
input-interface: E-40
input-status: up
input-line-status: up
output-interface: E-40
output-status: up
output-line-status: up
Action: allow

ciscoasa# packet-tracer in E-40 tcp 10.4.86.199 12345 10.4.86.102 H323

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.4.86.0       255.255.255.0   E-40

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Entrust-40_access_in in interface E-40
access-list Entrust-40_access_in extended permit ip any any
Additional Information:
             
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group E-40_access_out out interface E-40
access-list E-40_access_out extended permit ip any any
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7     
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 56882069, packet dispatched to next module

Result:
input-interface: E-40
input-status: up
input-line-status: up
output-interface: E-40
output-status: up
output-line-status: up
Action: allow

The access-lists seem to be permitting the entire IP stack to that IP, so you should be good.


Now, I think that we can look at the logs to see what's happening with that traffic.
I see there's a syslog server configured (or you can check the logs directly on the ASA).


sh log | i 10.40.86.102
sh log | i 172.30.1.102

Federico.

Kent Heide
Level 1

Have you turned on inspect for h.323? It uses a certain port for control traffic and dynamic ports (if not configured otherwise) for data.

Also open 1720/1721 in your acls!


Hi gentlemen,

I've turned on inspect for h.323, added another ACL on top of the one for all IP traffic and the following; now it seems to work fine, but I will do more testing and follow up.

      object-group service DM_INLINE_SERVICE_1
        service-object udp eq 1719
        service-object tcp eq 1721
        service-object tcp eq h323
        service-object tcp eq sip

* originally only had service-object ip

      policy-map E-40-policy
        class E-40-class
          inspect h323 h225
          inspect h323 ras
          inspect sip

access-list inside_nat0_outbound_1 line 1 extended permit ip 172.30.1.0 255.255.255.0 10.40.86.0 255.255.255.0

I've found that only H323 calls work; SIP doesn't...

Any idea would be appreciated.

Just want to know....

Have you tried with SIP inspection disabled?

no inspect sip

Federico.

I THOUGHT I solved the problem by putting inspect sip on the E-40 interface instead of the global.

service-policy E-40-policy interface E-40

      policy-map E-40-policy
        class E-40-class
          inspect sip

tried with no inspect sip and it still doesn't work...

kpoon
Level 1

Actually, negative... it actually broke all other traffic such as http, https, etc. to/from 10.4.86.xx to/from 172.30.1.xx.

Any other suggestion?

I've also tried inspect sip on global without success...
