Re: Port Forwarding Question on ASA 5506 (9.8)

F3nrir · ‎04-18-2019

I need to setup port forwarding on my ASA from external ports 5060-5061 and 10000-65000 to an internal host on port 5060 and 10000. Is this the correct configuration? Thanks in advance.

object service Obj-SIP
service udp destination 5060
Object service Obj-RTP
service udp destination 10000

object service Obj-UDP-Range
service udp destination range 10000 65000
object service Obj-SIP-Range
service udp destination range 5060 5061

access-list inbound extended permit udp any host X.X.X.X range 10000 65000
access-list inbound extended permit udp any host X.X.X.X range 5060 5061

access-group inbound in interface outside

nat (outside,inside_1) source static any any destination static interface obj_X.X.X.X service Obj-RTP Obj-UDP-Range
nat (outside,inside_1) source static any any destination static interface obj_X.X.X.X service Obj-SIP Obj-SIP-Range

balaji.bandi · ‎04-18-2019

On high level looks good.

make sure you have inside_1 <-- you have this interface

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

F3nrir · ‎04-18-2019

Thanks for providing your thoughts. I just thought of this afterwards but will currently a connection only be able to be made coming from the public interface because it is nat (outside,inside) ? Say the internal host needs to initiate the connection do I need to add a nat (inside,outside) rule?

balaji.bandi · ‎04-18-2019

Do you have SIP inspect configured?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

F3nrir · ‎04-18-2019

Yes I do have SIP inspection configured.

regards,