3212 Views, 10 Helpful, 59 Replies

Allowing Outside traffic to inside on ASA

samirshaikh52
Level 2

I have an ASA firewall placed at the perimeter network and a host in the inside network.

I have only allowed this host to make VoIP calls using a 3rd-party VoIP service called Jumblo (for info: www.jumblo.com).

Below is the config.

>>access-list inside_access_in extended permit udp host 192.168.5.150 object-group DM_INLINE_NETWORK_11 object-group Jumblo
>>nat (inside) 10 192.168.5.150 255.255.255.255

The call can be made successfully. Perhaps the problem is that when the call is placed he cannot hear the dial tone and the remote client's voice.

I believe that I'd have to configure something on the ASA to allow the traffic from outside to inside, but I am confused.

Please Advise me.

59 Replies

Hi,

Traffic from inside to outside is permitted by default.

You posted the ACL and the NAT statement, but they do not show what it is translated to (the global command).

If you're doing PAT, it sometimes causes problems with applications that use fixed ports.

The return traffic does not need to be explicitly permitted if it is being inspected on its way out.

If you provide more details, perhaps we can provide more help.

Federico.

Hi Federico

Thanks for your prompt response.

Firstly, I have PAT configured:

global (outside) 10 interface

But when I configured it this way, it works:

access-list inside_access_in extended permit ip host 192.168.5.150 any
nat (inside) 10 192.168.5.150 255.255.255.255

It will allow all traffic, which I don't want.

On the official website of Jumblo they gave the following ports to be allowed:

UDP 5060
UDP 11113
UDP 10300 - 10311
UDP 6901 - 6920

And the destination IPs to be allowed I captured through Wireshark.

To allow only the traffic you want, you do the following:

nat (inside) 10 192.168.5.150 255.255.255.255

global (outside) 10 interface

But instead of this:

access-list inside_access_in extended permit ip host 192.168.5.150 any

You allow only the desired ports:

access-list inside_access_in extended permit tcp host 192.168.5.150 any eq 80

access-list inside_access_in extended permit tcp host 192.168.5.150 any eq 25

The above assumes the following:

You want to allow only outbound TCP traffic destined to ports 80 and 25

There's an access-group applied to the inside interface called inside_access_in

Federico.

I've created an Object Group (named Jumblo) for the following UDP ports:

UDP 5060
UDP 11113
UDP 10300 - 10311
UDP 6901 - 6920

And the object-groups for the destination IPs (named jumblo1 and jumblo2).

So the ACL is:

access-list inside_access_in extended permit udp host 192.168.5.150 object-group DM_INLINE_NETWORK_11 object-group Jumblo
nat (inside) 10 192.168.5.150 255.255.255.255


As I told you, this way I connect to Jumblo and place a call, but I cannot receive the remote user's voice.

If you're passing voice traffic through the ASA, then it has both signaling and the actual voice packets.

If the call is established, then the signaling is correct (the called phone rings?)

The audio is then part of the voice packets (they shouldn't need to be permitted if the voice protocol is being inspected).

Just as a quick test, if you can permit IP from the remote IP inbound, does it work? This will just prove whether it's a matter of permitting ports or not.

Federico.

Just as a quick test, if you can permit IP from the remote IP inbound does it work? This will just prove if its a matter of permitting ports or not.

How can I do this? I didn't get it.

You say there's no audio between both phones.

Both phones have an IP address.

Is IP permitted between both IPs?

Federico.

I think you didn't get me.

We don't have phones.

Sorry you're right.

But the same idea applies...

You need to make a call between two IP addresses correct?

Federico.

No I have network host calling to mobile phones

Ok then...

When you place a call to a mobile, does it ring and there's no audio? Or does the mobile never ring?

Federico.

When I place a call I don't hear a dial tone. The remote user can hear my voice, but I cannot hear his.

Do you have a spare (public) IP that is part of the outside interface's network?

If you do you can:

static (inside,outside) x.x.x.x 192.168.5.150 netmask 255.255.255.255
access-list outside extended permit ip any host x.x.x.x
access-group outside in interface outside

The idea is to create a static one-to-one translation to your internal machine (the one making the call).

Also create an ACL to permit all IP traffic inbound to that IP.

If the above test works, we know the problem is caused by the ASA and it's just a matter of adjusting the configuration.

Federico.
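The two ideas Federico relies on in this thread, that return traffic of an inspected or established flow needs no inbound permit while a separately initiated media stream does, and that a static one-to-one translation plus "permit ip any host" is a diagnostic rather than a fix, can be shown with a small Python model. This is an added illustration, not Cisco code and not anything posted in the thread; it is a deliberately reduced model of an ASA (one outbound ACL, a connection table, optional SIP-inspection pinholes keyed on the SDP endpoints, optional inbound permit). The UDP port ranges are the ones quoted from the Jumblo site above; the provider addresses, the ASA outside address and the media ports are constructed placeholder values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed values: the UDP ports are the ones the thread quotes from the
# Jumblo site; documentation-range addresses stand in for the real provider
# hosts (object-groups jumblo1/jumblo2) and the inside host is the one in
# the thread.
JUMBLO_UDP_PORTS = [(5060, 5060), (11113, 11113), (10300, 10311), (6901, 6920)]
JUMBLO_HOSTS = {"203.0.113.10", "203.0.113.11"}
INSIDE_HOST = "192.168.5.150"


def port_in_group(port, ranges):
    """Object-group semantics: a port matches if it falls inside any range."""
    return any(lo <= port <= hi for lo, hi in ranges)


class AsaModel:
    """Reduced model: outbound ACL, conn table, SIP pinholes, inbound permit."""

    def __init__(self, inspect_sip=False, inbound_permit_any=False):
        self.inspect_sip = inspect_sip            # 'inspect sip' enabled?
        self.inbound_permit_any = inbound_permit_any  # static + permit ip any test
        self.conns = set()     # 5-tuples of flows the inside host opened
        self.pinholes = set()  # (remote media IP, inside media port) taken from SDP

    def outbound(self, p):
        """inside -> outside: the inside_access_in ACL, then a conn entry."""
        permitted = (p.proto == "udp" and p.src == INSIDE_HOST
                     and p.dst in JUMBLO_HOSTS
                     and port_in_group(p.dport, JUMBLO_UDP_PORTS))
        if permitted:
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return permitted

    def sdp_seen(self, remote_media_ip, inside_media_port):
        """SIP inspection parses the SDP and pre-opens the media pinhole.
        Without inspection nothing is opened (simplified model)."""
        if self.inspect_sip:
            self.pinholes.add((remote_media_ip, inside_media_port))

    def inbound(self, p):
        """outside -> inside, after un-NAT: p.dst is already the inside host."""
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns:
            return "allow:existing-conn"        # return traffic, no ACL needed
        if p.proto == "udp" and (p.src, p.dport) in self.pinholes:
            return "allow:inspection-pinhole"   # only the SDP endpoints
        if self.inbound_permit_any and p.dst == INSIDE_HOST:
            return "allow:inbound-acl"          # everything reaches the host
        return "drop"


def call_scenario(inspect_sip=False, inbound_permit_any=False):
    """Walk one call through the model and return the verdict per step."""
    fw = AsaModel(inspect_sip, inbound_permit_any)
    sip_srv, media_srv = "203.0.113.10", "203.0.113.11"   # constructed
    v = {}
    # 1. SIP INVITE out; the reply on the same 5-tuple is plain return traffic.
    v["sip_out"] = fw.outbound(Packet("udp", INSIDE_HOST, 5060, sip_srv, 5060))
    v["sip_reply"] = fw.inbound(Packet("udp", sip_srv, 5060, INSIDE_HOST, 5060))
    fw.sdp_seen(media_srv, 10300)   # SDP says: our RTP on 10300, remote media at media_srv
    # 2. Our voice out (the remote side hears us): dport is inside the Jumblo group.
    v["rtp_out"] = fw.outbound(Packet("udp", INSIDE_HOST, 10300, media_srv, 10310))
    # 3a. Remote voice sent back from the port we sent to: matches the conn.
    v["rtp_symmetric"] = fw.inbound(Packet("udp", media_srv, 10310, INSIDE_HOST, 10300))
    # 3b. Remote voice from another source port: no conn, hence one-way audio
    #     unless inspection opened a pinhole or an inbound permit exists.
    v["rtp_asymmetric"] = fw.inbound(Packet("udp", media_srv, 10311, INSIDE_HOST, 10300))
    # 4. Unrelated traffic: outside the Jumblo group, and cold inbound to the host.
    v["dns_out"] = fw.outbound(Packet("udp", INSIDE_HOST, 40000, "203.0.113.50", 53))
    v["cold_inbound"] = fw.inbound(Packet("udp", "198.51.100.7", 5060, INSIDE_HOST, 5060))
    return v


if __name__ == "__main__":
    for mode, kw in [("acl only", {}), ("inspect sip", {"inspect_sip": True}),
                     ("static + permit ip any", {"inbound_permit_any": True})]:
        print(mode, call_scenario(**kw))
```

Running the three modes makes the trade-off visible: with the ACL alone the asymmetric media stream is dropped (the one-way-audio symptom in the thread), with SIP inspection only the media endpoints negotiated in the SDP are opened and cold inbound traffic is still dropped, while the static plus "permit ip any host" test lets every inbound packet reach the host, which is why it proves the point but should not stay in the configuration.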
