
Cisco ASA, IPSec, NAT, SIP

Hello, all. Please help with my problem: I have a remote office with an ASA5505 and a central office. I configured an IPsec tunnel between them. Next, I route all traffic from the remote office into the tunnel (this is done to ensure that remote users access the Internet through the filters at the central office). Everything works fine. But recently I had to connect a phone in the remote office to Cisco UCM at an external address, so I need to configure NAT for a single external host. I did that, but the phone can't make calls and I can't call it. (CUCM shows that the phone is registered.)

names
name 5.5.5.1 outside_gate
!
interface Vlan1
 description main isp link
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.0
!
interface Vlan2
 description internal link
 nameif inside
 security-level 100
 ip address 10.0.0.0 255.255.255.0
!
object network obj-any
 subnet 0.0.0.0 0.0.0.0
object network obj-sub
 subnet 10.0.0.0 255.255.255.0
object network CUCM
 host 1.2.3.4
!
access-list FROM_OUT extended permit ip any any
access-list FROM_IN extended permit ip any any
access-list FROM_IN extended permit esp any any
access-list FROM_IN extended permit icmp any any
access-list global_access extended permit ip any object CUCM
!
! Crypto ACL. 1.2.3.4 is the external address of CUCM
!
access-list To_IPSec_tun extended deny ip 10.0.0.0 255.255.255.0 host 1.2.3.4
access-list To_IPSec_tun extended permit ip 10.0.222.224 255.255.255.0 any
!
nat (inside,outside) source static obj-sub interface destination static CUCM CUCM unidirectional
nat (inside,outside) source static obj-sub obj-sub route-lookup
access-group FROM_IN in interface outside
access-group FROM_OUT in interface inside
access-group global_access global
!
! 172.20.1.21 is the remote host behind the IPsec tunnel, located in the central office
!
route outside 0.0.0.0 0.0.0.0 172.20.1.21 1
route outside 172.20.1.21 255.255.255.255 outside_gate 1
route outside 1.2.3.4 255.255.255.255 outside_gate 1

The same configuration works fine on asa911-4 firmware (I mean IPsec with NAT), but not for long, because that version has a bug, so I can't use it.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCue18975&from=summary


IT WORKS!

Change

nat (inside,outside) source static obj-sub interface destination static CUCM CUCM unidirectional

to

nat (inside,outside) source dynamic any interface destination static CUCM CUCM
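As an added illustration (not part of the thread, and not Cisco tooling), the following Python script models the two first-match lookups this design depends on: the crypto ACL decides whether a flow from the phone is encrypted into the tunnel or forwarded in the clear by the routing table, and the manual (twice) NAT table decides which translation applies. Both are evaluated top-down in configured order, so the deny for 1.2.3.4 has to precede the permit-any ACE, and the CUCM rule has to precede the identity rule; the `check_order` function flags either mistake. The addresses are constructed from the thread (5.5.5.5 outside, 10.0.0.0/24 inside, 1.2.3.4 for CUCM, 172.20.1.21 in the central office); the crypto-ACL permit entry is assumed to cover the inside /24, since the posted entry (10.0.222.224 255.255.255.0) does not overlap obj-sub and reads like a sanitisation slip. The model only shows that the original static rule and the reply's dynamic PAT rule match the same flows; it does not explain why one fails and the other works, which the thread itself does not say.

```python
"""First-match simulation of an ASA crypto ACL and manual (twice) NAT rule set.

Constructed to mirror the thread's addressing: 5.5.5.5 outside, 10.0.0.0/24 inside,
1.2.3.4 for CUCM, 172.20.1.21 in the central office. The crypto-ACL permit entry is
assumed to cover the inside /24 (the post's "all traffic through the tunnel").
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

OUTSIDE_IP = IPv4Address("5.5.5.5")          # what the 'interface' keyword resolves to
ANY = IPv4Network("0.0.0.0/0")
OBJECTS = {                                  # the post's 'object network' definitions
    "obj-any": ANY,
    "obj-sub": IPv4Network("10.0.0.0/24"),
    "CUCM": IPv4Network("1.2.3.4/32"),
}
CRYPTO_ACL = [   # permit entry assumed to be the inside /24 (see lead-in)
    "access-list To_IPSec_tun extended deny ip 10.0.0.0 255.255.255.0 host 1.2.3.4",
    "access-list To_IPSec_tun extended permit ip 10.0.0.0 255.255.255.0 any",
]
NAT_BEFORE = [   # the poster's original pair (first rule is the one the reply changed)
    "nat (inside,outside) source static obj-sub interface destination static CUCM CUCM unidirectional",
    "nat (inside,outside) source static obj-sub obj-sub route-lookup",
]
NAT_AFTER = [    # the pair after applying the reply
    "nat (inside,outside) source dynamic any interface destination static CUCM CUCM",
    "nat (inside,outside) source static obj-sub obj-sub route-lookup",
]


def _acl_addr(tok: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    return IPv4Network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(lines: List[str]) -> List[Tuple[str, IPv4Network, IPv4Network]]:
    """-> (action, src, dst) per ACE in configured order; protocol ignored (all 'ip' here)."""
    rules = []
    for line in lines:
        tok = line.split()
        i = tok.index("extended")                 # tok[i+1] = action, tok[i+2] = protocol
        src, j = _acl_addr(tok, i + 3)
        dst, _ = _acl_addr(tok, j)
        rules.append((tok[i + 1], src, dst))
    return rules


def crypto_decision(acl: List[str], src: str, dst: str) -> str:
    """Crypto ACLs are first-match: an explicit deny, or no match at all (implicit
    deny), means the flow is NOT encrypted and follows the routing table instead."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for action, sn, dn in parse_acl(acl):
        if s in sn and d in dn:
            return "encrypt" if action == "permit" else "clear"
    return "clear"


def _nat_obj(name: str) -> IPv4Network:
    if name == "any":
        return ANY
    if name == "interface":
        return IPv4Network(f"{OUTSIDE_IP}/32")
    return OBJECTS[name]


def parse_nat(lines: List[str]) -> List[dict]:
    """-> one dict per manual NAT rule: kind, real_src, mapped_src, real_dst (None = any)."""
    rules = []
    for line in lines:
        tok = line.split()
        i = tok.index("source")
        rule = {"kind": tok[i + 1], "real_src": _nat_obj(tok[i + 2]),
                "mapped_src": _nat_obj(tok[i + 3]), "real_dst": None}
        if "destination" in tok:                  # 'destination static MAPPED REAL'
            rule["real_dst"] = _nat_obj(tok[tok.index("destination") + 3])
        rules.append(rule)
    return rules


def nat_match(nat: List[str], src: str, dst: str) -> Optional[Tuple[int, str, str]]:
    """Manual NAT (section 1) is first-match in configured order.
    Returns (1-based rule index, 'static'|'dynamic', translated source) or None."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for idx, r in enumerate(parse_nat(nat), start=1):
        if s in r["real_src"] and (r["real_dst"] is None or d in r["real_dst"]):
            identity = r["mapped_src"] == r["real_src"]    # identity NAT keeps the source
            mapped = s if identity else r["mapped_src"].network_address
            return idx, r["kind"], str(mapped)
    return None


def check_order(acl: List[str], nat: List[str], phone: str, cucm: str) -> List[str]:
    """The two ordering mistakes that silently break a single-host exemption like this."""
    problems = []
    if crypto_decision(acl, phone, cucm) != "clear":
        problems.append("phone->CUCM would be encrypted: the deny ACE must precede the permit")
    m = nat_match(nat, phone, cucm)
    if m is None or m[2] != str(OUTSIDE_IP):
        problems.append("phone->CUCM would not be PATed to the outside IP: put the CUCM rule first")
    return problems


if __name__ == "__main__":
    phone = "10.0.0.50"                           # constructed phone address inside obj-sub
    for dst in ("1.2.3.4", "172.20.1.21", "8.8.8.8"):
        print(dst, crypto_decision(CRYPTO_ACL, phone, dst), nat_match(NAT_AFTER, phone, dst))
    print("misordered:", check_order(CRYPTO_ACL[::-1], NAT_AFTER[::-1], phone, "1.2.3.4"))
```

Run it as-is to see the three flows (to CUCM: clear and PATed to 5.5.5.5; to the central office and to the Internet: encrypted with the source left untouched), then reverse either list to see the ordering failures. Separately, note that the posted FROM_IN list (`permit ip any any`, applied inbound on the outside interface) plus the global `permit ip any object CUCM` admits anything that NAT and routing will deliver; once the phone works, that is worth narrowing to the signalling and media the CUCM exchange actually needs.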