ASA 5512-x opening ports to phone server using other External IP Address

Tim Jeens
Level 1

Hi There,

I am running a Cisco ASA 5512-x version 9.4

Is there a way to port forward a bunch of ports from a specific external IP address to one of my internal IP addresses?

 

What I currently have is a lot of network objects, all with the same host, each with its own NAT configuration.

 

As you will see below it is quite cumbersome.

 

What I am trying to achieve is for our SIP service to access our network on a different external IP address:

internal phone server: 192.168.10.10

Our External: 1.1.1.1

External Provider: 3.3.3.3

external Phone IP: 2.2.2.2 (a company that also manages the phone system)

 

And we will be having some IP phones access the phone server from the internet.

Therefore we would need lots of ports open, and a few ranges.

I have only found a way to open one port at a time, and one of the ranges is over 1000 ports long.

object network PhoneServer8085
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service tcp 80 8085
object network PhoneServer20001
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service tcp 20001 20001
object network PhoneServer20002
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service tcp 20002 20002
object network PhoneServer20003
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service tcp 20003 20003
object network PhoneServer20005
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service tcp 20005 20005
object network PhoneServer20006
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service tcp 20006 20006
object network PhoneServer5432
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service tcp 5432 5432
object network PhoneServer506020200
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service udp 20200 5060

object network PhoneServer20200
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service udp 20200 20200

object network PhoneServer449
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service tcp 449 449

object network PhoneServer
host 192.168.0.10

object network PhoneServer20200tcp
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service tcp 20200 20200

object network PhoneServer52002
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service udp 52002 52002


object network PhoneServer52003
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service udp 52003 52003


object network PhoneServer52004
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service udp 52004 52004


object network PhoneServer52005
host 192.168.0.10
nat (inside,outside) static 1.1.1.1 service udp 52005 52005


access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer449
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer8085
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20001
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20002
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20003
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20005
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20006
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer5432
access-list outside_in extended permit udp 3.3.3.3 255.255.255.255 object PhoneServer506020200
access-list outside_in extended permit udp 3.3.3.3 255.255.255.255 object PhoneServer20200
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer range 52000 53024
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer eq 5060
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20200tcp
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer52002
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer52003
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer52004
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer52005
Any help would be appreciated.

Thanks,

-Tim
2 Replies

Hi,

The following link could be useful. 

https://www.petenetlive.com/KB/Article/0001111

 

Or try the following:

 

object network PUBLIC
host 1.1.1.1

object service TEST-VOICE
service tcp source range 20000 65535 destination range 20000 65535

object network VOICE-SERVER
host 192.168.0.10

! Twice NAT: the real (inside) object comes first, then the mapped (public) object.
nat (INSIDE,OUTSIDE) source static VOICE-SERVER PUBLIC service TEST-VOICE TEST-VOICE

 

For the ACLs you could use something like:

 

object-group service TEST tcp-udp
port-object eq www
port-object eq 5021
port-object range 20005 20006
port-object eq 5432
Hope it is useful

:-)
>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi Julio,

 

Thanks for your response. The other issue is that we have multiple external IP addresses, and these ports will need to be present not on my outbound IP, but on this other IP...

i.e.: normal outbound: 7.7.7.7

external phone server ip: 7.7.7.8

And so anything on port 52007 hitting 7.7.7.8 goes to the internal server on the same port.

And also the same internal server needs to send as this same IP 7.7.7.8 and not the normal external IP address.

From what I can see in your example, there is no way of specifying the external IP address.

Does that make sense?

Thanks,

-Tim
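The following is an added example configuration (written for this thread, not taken from the original posts or from Cisco) that ties together the reply's object-based approach and the follow-up requirement: the phone server is published on the secondary public IP 7.7.7.8 for both inbound and outbound traffic, and only the ports listed in the original question are reachable, and only from the provider's addresses. It assumes ASA 9.x, interfaces named inside/outside, and the server at 192.168.0.10 listening on the same port numbers externally and internally.

```cisco
! Added example (not from the thread): publish the phone server on 7.7.7.8
! and expose only the listed ports to the SIP provider hosts.

object network PHONE-SERVER
 host 192.168.0.10
 ! One-to-one static NAT to the secondary public IP. Inbound to 7.7.7.8 reaches
 ! the server on the same port, and the server's own outbound connections are
 ! sourced from 7.7.7.8 instead of the interface PAT address. All ports are
 ! translated, so the access list below is what limits exposure.
 nat (inside,outside) static 7.7.7.8

! Only the managed-phone company and the external provider may reach the server.
object-group network SIP-PROVIDERS
 network-object host 2.2.2.2
 network-object host 3.3.3.3

! Ports from the original post; ranges replace the one-object-per-port layout.
! Note: a 1:1 rule does not rewrite ports, so the old 80 -> 8085 mapping is
! gone; either keep a separate per-port static for it or listen on 8085.
object-group service PHONE-TCP-PORTS tcp
 port-object eq 449
 port-object eq 5432
 port-object eq 8085
 port-object range 20001 20006
 port-object eq 20200

object-group service PHONE-UDP-PORTS udp
 port-object eq 5060
 port-object eq 20200
 port-object range 52000 53024

! Post-8.3 ACLs match on the real (inside) address, so reference the object,
! not the public IP 7.7.7.8.
access-list outside_in extended permit tcp object-group SIP-PROVIDERS object PHONE-SERVER object-group PHONE-TCP-PORTS
access-list outside_in extended permit udp object-group SIP-PROVIDERS object PHONE-SERVER object-group PHONE-UDP-PORTS
! Anything else from the Internet to 7.7.7.8 hits the implicit deny.
access-group outside_in in interface outside

! Verification (run from enable mode): trace an inbound SIP packet from the
! provider and an outbound packet from the server, then inspect the translations.
! packet-tracer input outside udp 2.2.2.2 5060 7.7.7.8 5060
! packet-tracer input inside udp 192.168.0.10 5060 2.2.2.2 5060
! show nat detail
! show xlate
```

Remove the existing per-port PhoneServer objects and their ACL lines first, so the 1:1 rule is the only translation for 192.168.0.10, and confirm with packet-tracer that a packet to 7.7.7.8 on a port outside the groups is dropped by the ACL.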
