ASA5505 - NAT

Unanswered Question
Jul 11th, 2008

This is a somewhat broad question, but i am going post it anyway and see if anyone can comment, as i feel it may relate to an incorrect NAT statement. I have a telephone system sitting behind the ASA, which i've NAT'd inbound and outbound to an internet address.

static (inside,outside) netmask

nat (inside) 1

global (outside) 1

This is the way I normally do the NAT to make the traffic match the same IP both inbound and outbound. I am now unsure if this is the correct way to go about things. Here is the problem i am running into.

A (remote) telephone boots up, grabs an IP, and registers with the phone system. All is well, except for when a call is made and there is no audio. All of the necessary ports are open (on both ends, here it is a 2800 ISR with the firewall enabled) and for testing purposes an ip any any statement was added. So here is the problem..

The phone registers, and in a capture you can see the local address of the phone communicating with the internet routeable address of the phone system. All is well.. However, once the RTP stream initiates the local telephone is now communicating with the inside address of the phone system and i feel that is the bottleneck.

Does anyone see anything wrong with the NAT config ? I am assuming the media stream should be between each end point and not the system, but im not quite sure if the protocol is proprietary (more than likely is) and may work differently.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1 (1 ratings)
allenelson Fri, 07/11/2008 - 10:50

sorry, i forgot to include remarks about the inspection table.

on the ASA, there is an access-list applied to the inside interface with a permit ip any any statement.

a.alekseev Fri, 07/11/2008 - 11:10

use only one variant

(if you need access to the telephone system from outside, STATIC NAT)

static (inside,outside) netmask



nat (inside) 1

global (outside) 1

could you show the topology?

allenelson Fri, 07/11/2008 - 11:19

when you say use one variant, is that best practice or a fact because .... ?

the reason i ask, i've noticed that if you have a global NAT setup for an entire network but also have a webserver, a static NAT would only provide 1 way translation.

lets say all hosts on the subnet use the outside interface for internet access. the outside interface is set to A webserver, is binded to through a static NAT.

I can communicate with the server just fine, however, if i am on the webserver and make a request to go out the internet it will be from the address.

just an FYI, one of the telephone guys called and said he had the IP in the wrong field, so the remote phone is now communicating. but i am still interested in the topic of the 1 way NATing.

a.alekseev Fri, 07/11/2008 - 12:05

I can communicate with the server just fine, however, if i am on the webserver and make a request to go out the internet it will be from the address.

yes, correct

if you also add access-list, you will be able to access the server from the outside (internet)

access-list OUTSIDE-IN permit tcp any host www

but if you want just only have internet aceess from the server, you can use PAT


This Discussion