Clifford McGlamry

Symptoms

I have found myself frustrated at times when a requirement exists to configure something (in this case, a firewall), and while there is high-level documentation available describing what is required, there are no samples provided (which to me is surprising, especially since the ASA is also a Cisco product).  Many engineers and customers have spent long hours struggling with this, often engaging Cisco TAC to get it resolved.

 

In my opinion, a good document would avoid that.  Since none were available, I chose to create this one.

 

This document is SPECIFICALLY about configuring an ASA Firewall for MRA.  The ASA Firmware version in use in this example is 9.2.2.

Diagnosis

You need a good sample configuration to configure your firewall with.  This example was done using an ASA running version 9.2.2 firmware.  In our case here, the Expressway E is two-legged (dual-homed), with one leg in the DMZ and the other in the internal network.

Solution

MRA requires several ports open.  At a minimum, you need 5061, 8443 and 5222 open (TCP), and you need to open the range 36000 to 59999 for UDP (your RTP packets).  In its simplest form, assuming the firewall is already up and working, all we need to add is the following (don't worry, we'll provide the full config in context later).  In my example, the firewall has an assigned public IP address of 1.1.1.2 with a default route already in place to 1.1.1.1.  The internal IP address of the firewall is configured as 10.0.1.2, and the internal routing goes to 10.0.1.1.

 

We will add a DMZ, and give the DMZ interface the ip address of 10.0.60.1.  Here's what we add: 

 

! DMZ interface facing the Expressway E LAN 2 leg
interface GigabitEthernet0/2
nameif DMZ
security-level 50
! <the dmz interface ip address>
ip address 10.0.60.1 255.255.255.0
! physical ASA interfaces start shut down; bring this one up
no shutdown
!
! Expressway E DMZ address, translated one-to-one to its public address
object network EXPE1
host 10.0.60.2
! <Public IP Address of Expressway>
nat (DMZ,outside) static 1.1.1.10
!
! <not required, but helpful> - lets the rest of the DMZ reach the Internet behind the outside interface address
object network DMZ-subnet
subnet 10.0.60.0 255.255.255.0
nat (DMZ,outside) dynamic interface
!
! Inbound rules: only the Expressway E DMZ address is reachable from the outside, and only on the MRA ports
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 5061
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq sip
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 5062
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 8443
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 5222
access-list INCOMINGINTERNET extended permit udp any host 10.0.60.2 range 36000 59999
!
! Apply the list inbound on the outside interface
access-group INCOMINGINTERNET in interface outside

 

For some reason, even though you can enter all the information about a network object at one time, the ASA splits it up in the running configuration, with the NAT statements appearing after the access lists.  The full configuration looks like what you see below.  I did my best to remove anything from the config that was not directly related to this particular issue, to help make the solution clearer.  In a production ASA, you will likely see far more configuration for things like IPsec tunnels, AnyConnect, etc.
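Because the running configuration scatters an object's host line and its nat line into two separate blocks, it is easy to check one half and miss the other. The following script is an added example (not part of this document, and not a Cisco tool): it parses the flattened "show run" order, then confirms the three things added above are all present: the access list is applied inbound on outside, it permits the minimum MRA ports (TCP 5061/8443/5222, UDP 36000-59999) to the Expressway E host, and that host has a one-to-one static NAT to the expected public address. The object name EXPE1, interface name outside and the addresses are taken from the document; the embedded config text is a constructed excerpt of it.

```python
"""Added example (not from the original document): audit an ASA 'show run'
dump for the MRA rules this document configures. Names are assumptions."""
import re

# Constructed sample: the MRA-relevant lines of the config shown in this
# document, in the order the ASA prints them (objects, ACLs, then NAT lines).
SAMPLE_CONFIG = """\
object network EXPE1
 host 10.0.60.2
object network DMZ-subnet
 subnet 10.0.60.0 255.255.255.0
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 5061
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq sip
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 5062
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 8443
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 5222
access-list INCOMINGINTERNET extended permit udp any host 10.0.60.2 range 36000 59999
object network EXPE1
 nat (DMZ,outside) static 1.1.1.10 ! <Public IP Address of Expressway>
object network DMZ-subnet
 nat (DMZ,outside) dynamic interface
access-group INCOMINGINTERNET in interface outside
"""

# Port keywords the ASA prints in place of numbers (only those relevant here).
PORT_NAMES = {"sip": 5060, "https": 443}

# Minimum MRA ports named in the Solution section.
REQUIRED = {"tcp": {5061, 8443, 5222}, "udp": set(range(36000, 60000))}

ACL_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit (?P<proto>tcp|udp) any host "
    r"(?P<host>\S+) (?:eq (?P<eq>\S+)|range (?P<lo>\d+) (?P<hi>\d+))$"
)
HOST_RE = re.compile(r"^\s*host (?P<ip>\S+)$")
NAT_RE = re.compile(r"^\s*nat \((?P<src>\S+),(?P<dst>\S+)\) static (?P<mapped>\S+)$")
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<iface>\S+)$")


def _ports(m):
    """Expand an 'eq X' or 'range LO HI' ACL match into a set of port numbers."""
    if m.group("eq"):
        name = m.group("eq")
        # unknown port keywords raise ValueError on purpose: extend PORT_NAMES
        return {PORT_NAMES[name]} if name in PORT_NAMES else {int(name)}
    return set(range(int(m.group("lo")), int(m.group("hi")) + 1))


def parse_asa(config_text):
    """Collect ACL entries, object hosts, object static NATs and access-groups.

    Handles the flattened order the ASA prints: the 'nat' line of an object
    appears in a second 'object network' block long after its host line.
    """
    acls, hosts, nats, groups = {}, {}, {}, {}
    current_obj = None
    for raw in config_text.splitlines():
        line = raw.split("!", 1)[0].rstrip()   # drop trailing '!' annotations
        if not line.strip():
            continue
        if line.startswith("object network "):
            current_obj = line.split()[2]
        elif (m := HOST_RE.match(line)) and current_obj:
            hosts[current_obj] = m.group("ip")
        elif (m := NAT_RE.match(line)) and current_obj:
            nats[current_obj] = (m.group("src"), m.group("dst"), m.group("mapped"))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group("acl"), []).append(
                (m.group("proto"), m.group("host"), _ports(m)))
        elif m := GROUP_RE.match(line):
            groups[m.group("iface")] = m.group("acl")
    return acls, hosts, nats, groups


def audit_mra(config_text, expe_object="EXPE1", public_ip="1.1.1.10", outside_if="outside"):
    """Report whether the ACL is applied on outside, which required MRA ports
    it does not permit to the Expressway E host, and whether that host has the
    expected one-to-one static NAT towards outside."""
    acls, hosts, nats, groups = parse_asa(config_text)
    expe_ip = hosts.get(expe_object)
    acl_name = groups.get(outside_if)
    allowed = {"tcp": set(), "udp": set()}
    for proto, host, ports in acls.get(acl_name, []):
        if host == expe_ip:
            allowed[proto] |= ports
    nat = nats.get(expe_object)
    return {
        "expe_ip": expe_ip,
        "acl_applied_outside": acl_name is not None,
        "missing_ports": {p: sorted(REQUIRED[p] - allowed[p]) for p in REQUIRED},
        "static_nat_ok": nat is not None and nat[1] == outside_if and nat[2] == public_ip,
    }


if __name__ == "__main__":
    for key, value in audit_mra(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Paste your own "show run" output in place of SAMPLE_CONFIG; a non-empty missing_ports list or a False static_nat_ok points at the half of the object definition that was not carried into the running config.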

 

FULL CONFIG with MRA implemented:


ciscoasa(config)# sh run
: Saved
:
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.2(2)4
!
hostname ciscoasa
domain-name <anynetwork.net>
enable password <your enable password>
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0 !<your outside interface ip address>
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.1.2 255.255.255.0 ! <the inside interface ip address>
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 10.0.60.1 255.255.255.0 !<the dmz interface ip address>
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDST recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.1.100 ! <your internal DNS Servers>
name-server 10.0.1.101 ! <your internal DNS Servers>
domain-name <anynetwork.net>
same-security-traffic permit intra-interface
object network obj-10.0.1.0
subnet 10.0.1.0 255.255.255.0
object network my_inside_net
subnet 10.0.0.0 255.255.240.0
object network EXPE1
host 10.0.60.2
object network DMZ-subnet
subnet 10.0.60.0 255.255.255.0
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 5061
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq sip
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 5062
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 8443
access-list INCOMINGINTERNET extended permit tcp any host 10.0.60.2 eq 5222
access-list INCOMINGINTERNET extended permit udp any host 10.0.60.2 range 36000 59999
pager lines 40
logging enable
logging timestamp
logging buffer-size 500000
logging monitor debugging
logging buffered debugging
logging asdm informational
no logging message 305012
no logging message 302014
no logging message 302013
no logging message 609001
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
!
object network my_inside_net
nat (inside,outside) dynamic interface
object network EXPE1
nat (DMZ,outside) static 1.1.1.10 ! <Public IP Address of Expressway>
object network DMZ-subnet
nat (DMZ,outside) dynamic interface ! <not required, but helpful>
access-group INCOMINGINTERNET in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 10.0.0.0 255.255.240.0 10.0.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
sysopt noproxyarp inside
no ssh stricthostkeycheck
ssh 10.0.0.0 255.255.0.0 inside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 1.1.1.200 ! <your NTP Server>
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ae978095f98ed1ffacf33e0b216cc985
: end
ciscoasa(config)#

Comments
rory.schmitz
Level 1

Thank you for this.  We are struggling with MRA/Jabber working through a CheckPoint firewall.  Jabber drops calls and goes to fast busy after 2-3 minutes when using CP client VPN from the outside.  We previously used ASA so it helps to translate over to CheckPoint.

Clifford McGlamry
Spotlight
Glad if it helps, but this isn't a VPN setup. This is for Mobile and Remote access using Cisco Expressway. You don't use a VPN and MRA at the same time.


Mingjia Zhang
Level 1

Excellent. It is the same scenario I am facing. I have been confused about how to configure the ASA firewall for the MRA service for several days. This is a great sample for me.

Mingjia Zhang
Level 1

Hi McGlamry,

 

May I ask another question about MRA?

 

Based on your ASA firewall, it has completed the translation from your Expressway E internal address to the public address (10.0.60.2→1.1.1.10). So, would you mind telling me your detailed configuration of "LAN 2 - External" on your Expressway Edge? Is the IPv4 address set to your internal address 10.0.60.2? If it isn't, does IPv4 static NAT mode need to be set on, with the NAT address field filled in with 10.0.60.2?

 

Thanks. 

Clifford McGlamry
Spotlight

@Mingjia Zhang,  The EXP E is configured with dual interfaces.  The default gateway is set to 10.0.60.1.  The IP address on LAN 2 is set to 10.0.60.2.  The static NAT checkbox is checked, and the ip address 1.1.1.10 is set as the "public" ip address. 

 

This is required because NAT will "break" the SIP protocol.  This allows the Expressway to substitute in the correct IP address within the SIP messaging itself (when necessary) in order to make SIP work correctly. 
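The reply above explains why the ASA's static NAT alone is not enough. The script below is an added illustration (not from the thread, and a simplified model rather than Expressway code): it builds a constructed SIP INVITE as the Expressway E would form it from its DMZ address 10.0.60.2, shows that a layer-3 NAT only rewrites the IP header and leaves that address inside the Via, Contact and SDP lines, and then applies the substitution that static NAT mode performs with the public address 1.1.1.10. The far-end address 198.51.100.7 is constructed from the documentation range.

```python
"""Added example (not from the original thread): why the Expressway E needs
static NAT mode on top of the ASA static NAT. Simplified model; the message,
the far-end address and the header set handled are constructed assumptions."""
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

EXPE_DMZ_IP = "10.0.60.2"    # Expressway E LAN 2 address from the document
EXPE_PUBLIC_IP = "1.1.1.10"  # public address the ASA maps it to
REMOTE_IP = "198.51.100.7"   # constructed far-end address (documentation range)

# Constructed SIP INVITE as the Expressway E would build it from its own DMZ
# address: Via, Contact and the SDP o=/c= lines all embed 10.0.60.2.
PRIVATE_INVITE = "\r\n".join([
    f"INVITE sip:alice@{REMOTE_IP}:5061;transport=tls SIP/2.0",
    f"Via: SIP/2.0/TLS {EXPE_DMZ_IP}:5061;branch=z9hG4bK776asdhds",
    "From: <sip:bob@example.com>;tag=1928301774",
    f"To: <sip:alice@{REMOTE_IP}>",
    f"Contact: <sip:bob@{EXPE_DMZ_IP}:5061;transport=tls>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    f"o=- 1 1 IN IP4 {EXPE_DMZ_IP}",
    f"c=IN IP4 {EXPE_DMZ_IP}",
    "m=audio 36000 RTP/AVP 0",
    "",
])


def addresses_in(text):
    """Every IPv4 address that appears inside the SIP message or SDP body."""
    return sorted(set(IPV4.findall(text)))


def asa_static_nat(packet, private_ip, public_ip):
    """Model of the ASA 'nat (DMZ,outside) static' rule: it rewrites the IP
    header source only; the SIP payload is carried through untouched."""
    out = dict(packet)
    if out["src"] == private_ip:
        out["src"] = public_ip
    return out


def expressway_static_nat_mode(message, private_ip, public_ip):
    """Model of the Expressway E 'static NAT mode': substitute the public
    address where the Expressway advertises its own address (Via, Contact and
    the SDP o=/c= lines) and leave other parties' addresses alone."""
    head, _, body = message.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    fixed_headers = []
    for header in headers:
        name = header.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            header = header.replace(private_ip, public_ip)
        fixed_headers.append(header)
    fixed_body = [
        line.replace(private_ip, public_ip) if line.startswith(("o=", "c=")) else line
        for line in body.split("\r\n")
    ]
    return "\r\n".join([request_line, *fixed_headers, "", *fixed_body])


if __name__ == "__main__":
    packet = {"src": EXPE_DMZ_IP, "dst": REMOTE_IP, "payload": PRIVATE_INVITE}
    natted = asa_static_nat(packet, EXPE_DMZ_IP, EXPE_PUBLIC_IP)
    print("after ASA NAT, IP header source:", natted["src"])
    print("addresses still inside the SIP payload:", addresses_in(natted["payload"]))
    fixed = expressway_static_nat_mode(PRIVATE_INVITE, EXPE_DMZ_IP, EXPE_PUBLIC_IP)
    print("with static NAT mode on the Expressway:", addresses_in(fixed))
```

The first print shows the header rewritten while the payload still names 10.0.60.2, which is the address the far end would try to reach for media and signalling; the second shows the Contact, Via and SDP lines carrying 1.1.1.10 instead, with the far-end address left untouched.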

Mingjia Zhang
Level 1

Hi McGlamry,

 

I get it. Thanks for your guidance.

CUCMCenter26681
Level 1

Hi @Clifford McGlamry

What about LAN 1 on the Expressway? Should I configure it with the same IP range as my internal LAN (EXP-C), or just not activate it?

 

Thank you

Clifford McGlamry
Spotlight

@CUCMCenter26681 , Cisco's recommendation for the interfaces on the Expressway E is to configure it in a dual-interface configuration, with the DMZ interface assigned to LAN 2 and the trusted interface assigned to LAN 1.  LAN 1 may or may not be in the same numerical subnet as the Expressway C, but in most cases I have seen, it is.  It could be in a different internal numerical subnet if need be.

 

Cliff
