Thanks :)

So without ACL and without ZBFW, something is happening but ports still reported as closed when i test from outside. According to the company settting up the PBX there should also be a web interface available at 8181. But im having no luck with both firewall and ZBFW off. (Im using https://www.yougetsignal.com/tools/open-ports/ to test)

tcp <public_ip1>:8181 172.31.213.130:8181 198.199.98.246:50632 198.199.98.246:50632
tcp <public_ip1>:8181 172.31.213.130:8181 198.199.98.246:50638 198.199.98.246:50638
tcp <public_ip1>:8181 172.31.213.130:8181 198.199.98.246:50643 198.199.98.246:50643
tcp <public_ip1>:8181 172.31.213.130:8181 --- ---
udp <public_ip1>:8181 172.31.213.130:8181 --- ---
udp <public_ip1>:9300 172.31.213.130:9300 --- ---
udp <public_ip1>:35560 172.31.213.130:15060 --- ---
tcp <public_ip1>:35561 172.31.213.130:15061 --- ---
Pro Inside global Inside local Outside local Outside global
tcp <public_ip2>:23 172.31.213.131:23 79.1.194.79:6413 79.1.194.79:6413
--- <public_ip2> 172.31.213.131 --- ---

08547: Apr 1 17:48:18.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008549: Apr 1 17:48:18.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
008550: Apr 1 17:48:18.700 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008552: Apr 1 17:48:18.700 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
008599: Apr 1 17:48:20.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008601: Apr 1 17:48:20.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
008789: Apr 1 17:48:37.152 CET: NAT: API parameters passed: src_addr:218.102.109.119, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008791: Apr 1 17:48:37.152 CET: NAT: API Failed to get Translated-Info from: (src-addr:218.102.109.119, src-port:0) (dest-addr:<public_ip1>, dest-port:0)

With the ACL in place not much happens

udp <public_ip1>:2727   172.31.213.130:2727   ---                   ---
tcp <public_ip1>:8181   172.31.213.130:8181   ---                   ---
udp <public_ip1>:8181   172.31.213.130:8181   ---                   ---
udp <public_ip1>:9300   172.31.213.130:9300   ---                   ---
udp <public_ip1>:35560  172.31.213.130:15060  ---                   ---
tcp <public_ip1>:35561  172.31.213.130:15061  ---                   ---
--- <public_ip2>        172.31.213.131        ---                   ---

08547: Apr  1 17:48:18.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008549: Apr  1 17:48:18.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip2>, dest-port:0)
008550: Apr  1 17:48:18.700 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008552: Apr  1 17:48:18.700 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip2>, dest-port:0)
008599: Apr  1 17:48:20.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008601: Apr  1 17:48:20.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip2>, dest-port:0)
008789: Apr  1 17:48:37.152 CET: NAT: API parameters passed: src_addr:218.102.109.119, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008791: Apr  1 17:48:37.152 CET: NAT: API Failed to get Translated-Info from: (src-addr:218.102.109.119, src-port:0) (dest-addr:<public_ip2>, dest-port:0)

With ZBFW on, I get :

udp <public_ip1>:2727   172.31.213.130:2727   ---                   ---
tcp <public_ip1>:8181   172.31.213.130:8181   198.199.98.246:52724  198.199.98.246:52724
tcp <public_ip1>:8181   172.31.213.130:8181   198.199.98.246:52729  198.199.98.246:52729
tcp <public_ip1>:8181   172.31.213.130:8181   198.199.98.246:52734  198.199.98.246:52734
tcp <public_ip1>:8181   172.31.213.130:8181   ---                   ---
udp <public_ip1>:8181   172.31.213.130:8181   ---                   ---
udp <public_ip1>:9300   172.31.213.130:9300   ---                   ---
udp <public_ip1>:35560  172.31.213.130:15060  ---                   ---
tcp <public_ip1>:35561  172.31.213.130:15061  ---                   ---
tcp <public_ip2>:1433   172.31.213.131:1433   42.247.5.87:55377     42.247.5.87:55377
--- <public_ip2>        172.31.213.131        ---                   ---


025140: Apr  1 18:02:51.351 CET: NAT: API parameters passed: src_addr:185.217.0.156, src_port:0 dest_addr:87.198.211                                .162, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
025142: Apr  1 18:02:51.351 CET: NAT: API Failed to get Translated-Info from: (src-addr:185.217.0.156, src-port:0) (                                dest-addr:<public_ip1>, dest-port:0)
025143: Apr  1 18:02:51.355 CET: NAT - SYSTEM PORT for <public_ip1>: allocated port 0, refcount 208, localport 429                                4967295, localaddr 0.0.0.0, flags 1, syscount 208, proto 6
025294: Apr  1 18:02:59.287 CET: NAT: API parameters passed: src_addr:195.54.166.26, src_port:0 dest_addr:87.198.211                                .162, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
025296: Apr  1 18:02:59.287 CET: NAT: API Failed to get Translated-Info from: (src-addr:195.54.166.26, src-port:0) (                                dest-addr:<public_ip1>, dest-port:0)
025297: Apr  1 18:02:59.287 CET: NAT - SYSTEM PORT for <public_ip1>: allocated port 0, refcount 209, localport 429                                4967295, localaddr 0.0.0.0, flags 1, syscount 209, proto 6
025305: Apr  1 18:02:59.667 CET: NAT: expiring <public_ip1> (172.31.213.130) tcp 8181 (8181)
025331: Apr  1 18:03:00.691 CET: NAT: expiring <public_ip1> (172.31.213.130) tcp 8181 (8181)
025368: Apr  1 18:03:01.715 CET: NAT: expiring <public_ip1> (172.31.213.130) tcp 8181 (8181)

Hello,

post the full running configuration...

Hi,

   Your static PAT statement for port 8181 makes use of UDP, while i see you generating TCP traffic for port 8181, which clearly doesn't match any NAT statements. So make sure the testing matches the configuration.

  Also, what you could do is a 1-to-1 static NAT for the PBX and restrict access at the service level (TCP,UDP) via your ZBFW configuration.

Regards,

Cristian Matei.

ahh, i had both UDP and TCP, but for testing removed UDP now.

One to one static wouldnt work due to 35560/25561 > 15060/15061. This what I have now:

ip nat inside source static udp 172.31.213.130 2727 <pubIP1> 2727 extendable
ip nat inside source static tcp 172.31.213.130 8181 <pubIP1> 8181 extendable
ip nat inside source static udp 172.31.213.130 9300 <pubIP1> 9300 extendable
ip nat inside source static udp 172.31.213.130 15060 <pubIP1> 35560 extendable
ip nat inside source static tcp 172.31.213.130 15061 <pubIP1> 35561 extendable
ip nat inside source static 172.31.213.131 <pubIP2>
I will try to post the whole config, but gonna take me some time to redact it :(