
ASA PAT UDP source port

Unanswered Question

Is there a way to preserve the source port for UDP packets that use a PAT pool?


Here is what I need:


The client (1.1.1.1) sends a UDP packet from port 5060 to port 5060 on our external 2.2.2.2. This packet is port forwarded to our internal server 10.10.10.10 with the original source and destination port. The server then sends a UDP response to the client from port 5060 to port 5060. The server is in a PAT pool that only contains the address 2.2.2.2. The ASA changes the source port and our client ends up rejecting the packet because the source port is not what it expected.


How can I preserve the original source port when the packet goes through the PAT pool?


Thanks,

Steven

Jouni Forss Wed, 07/17/2013 - 13:49

Hi,


It can be done in the newer software at least, which would be 8.3 or newer.


What's your software level?


- Jouni

Jouni Forss Thu, 07/18/2013 - 05:29

Hi,


So, if I am not totally mistaken, you have the following type of Static PAT configuration for the incoming UDP traffic


object network STATIC-PAT-UDP5060
 host 10.10.10.10
 nat (inside,outside) static interface service udp 5060 5060


If this is true then you could try adding this

  • Modify the names of objects as you like
  • Correct interface names if different


object network HOST
 host 10.10.10.10

object service UDP5060
 service udp source eq 5060 destination eq 5060

nat (inside,outside) source static HOST interface service UDP5060 UDP5060


This should preserve the source port for outbound connections.


You might see an error message stating that the created NAT configuration overlaps with the existing Static PAT, but it didn't seem to cause problems.


Though as long as both source and destination ports remain UDP/5060, this NAT should handle both directions.


Let me know if this works for you


- Jouni

That looks like it will work for 1 server. Can I get this to work for 2 servers?


We are trying to load balance our SIP traffic through a CSS.

Incoming traffic on 2.2.2.2 to port 5060 will get forwarded to the CSS's virtual IP 10.10.10.10 and it load balances the traffic to 10.10.11.11 and 10.10.11.12.


Can I get outgoing traffic from 10.10.11.11 and 10.10.11.12 to both use 2.2.2.2 and preserve their source ports?

Jouni Forss Thu, 07/18/2013 - 05:48

Hi,


Well, you could probably make this work for the outbound direction, BUT in the inbound direction from the Internet I don't think there is really a way to use the same public IP address and public UDP port.


I mean, the ASA doesn't have any way to determine which traffic on destination port UDP/5060 to destination IP 2.2.2.2 would have to be forwarded to which internal IP.


It would simply use the first rule matched always.


But as I said for the outbound direction it might work.


You would simply add another similar NAT statement with a different source object with a different source IP address. The ASA would again accept the command but give a warning about rule overlap.


I guess the below added would work for the outbound direction IN THEORY


object network HOST-1
 host 10.10.11.11

object network HOST-2
 host 10.10.11.12

nat (inside,outside) source static HOST-1 interface service UDP5060 UDP5060
nat (inside,outside) source static HOST-2 interface service UDP5060 UDP5060


But not for inbound, though if I understood correctly, the inbound traffic should only ever go to a single virtual IP.


I would imagine this is as close as you can get to "implementing" something weird on the ASA.



- Jouni
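The lookup behaviour Jouni reasons about in his two replies above (a static rule per server keeps the outbound source port at 5060, while inbound the first rule whose mapped address and ports match always wins, so the extra rules only ever overlap), modelled in Python. This is an added example, not code from the page or from Cisco: the addresses and object names are the thread's, but the top-to-bottom first-match order, the bidirectional static rules and the PAT pool starting at port 1024 are assumptions of the model, not ASA behaviour verified here.

```python
"""Model of the ordered NAT lookup discussed in this thread.

Added example, not code from the page or from Cisco. It assumes, as the
thread's reasoning does, that rules are tried top to bottom, the first match
wins, a static rule translates in both directions, and a flow that matches no
static rule falls through to the dynamic PAT pool, which rewrites the source
port. Interface names, ACLs and object-NAT vs twice-NAT section ordering are
deliberately left out of the model.
"""
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticRule:
    """One 'nat (inside,outside) source static REAL MAPPED service SVC SVC'
    line, where SVC is 'service udp source eq <src> destination eq <dst>'."""
    name: str
    real_ip: str
    mapped_ip: str
    src_port: int  # port the inside host sources from
    dst_port: int  # port on the remote peer


class DynamicPat:
    """Fallback PAT pool with one mapped IP; the source port is replaced by the
    next free mapped port (modelled as a simple counter, an assumption)."""

    def __init__(self, mapped_ip: str, first_port: int = 1024) -> None:
        self.mapped_ip = mapped_ip
        self._ports = count(first_port)

    def translate(self, f: Flow) -> Flow:
        return replace(f, src_ip=self.mapped_ip, src_port=next(self._ports))


def outbound(rules: List[StaticRule], pat: DynamicPat, f: Flow) -> Tuple[Flow, str]:
    """inside -> outside: rewrite the source. Static rules are tried first; a
    matching rule keeps the source port, the PAT pool does not."""
    for r in rules:
        if f.src_ip == r.real_ip and f.src_port == r.src_port and f.dst_port == r.dst_port:
            return replace(f, src_ip=r.mapped_ip), r.name
    return pat.translate(f), "dynamic PAT"


def inbound(rules: List[StaticRule], f: Flow) -> Tuple[Optional[Flow], Optional[str]]:
    """outside -> inside: untranslate the destination with the same static rules
    in reverse. The first rule whose mapped IP and ports match wins, so later
    rules sharing that key are never reached."""
    for r in rules:
        if f.dst_ip == r.mapped_ip and f.dst_port == r.src_port and f.src_port == r.dst_port:
            return replace(f, dst_ip=r.real_ip), r.name
    return None, None


def shadowed_inbound(rules: List[StaticRule]) -> List[Tuple[str, str]]:
    """Rules whose inbound match key (mapped IP, ports) is already claimed by an
    earlier rule: the overlap the ASA warns about when the line is entered."""
    first_owner: Dict[Tuple[str, int, int], str] = {}
    shadowed: List[Tuple[str, str]] = []
    for r in rules:
        key = (r.mapped_ip, r.src_port, r.dst_port)
        if key in first_owner:
            shadowed.append((r.name, first_owner[key]))
        else:
            first_owner[key] = r.name
    return shadowed


# Objects from the thread: the CSS VIP and the two real SIP servers behind it,
# each mapped to the outside interface address 2.2.2.2.
RULES = [
    StaticRule("HOST", "10.10.10.10", "2.2.2.2", 5060, 5060),
    StaticRule("HOST-1", "10.10.11.11", "2.2.2.2", 5060, 5060),
    StaticRule("HOST-2", "10.10.11.12", "2.2.2.2", 5060, 5060),
]

if __name__ == "__main__":
    pat = DynamicPat("2.2.2.2")
    for f in (Flow("10.10.11.11", 5060, "1.1.1.1", 5060),    # kept by HOST-1
              Flow("10.10.11.12", 5060, "1.1.1.1", 5060),    # kept by HOST-2
              Flow("10.10.11.11", 40000, "1.1.1.1", 5060)):  # no match: PAT rewrites the port
        print("out", f, "->", *outbound(RULES, pat, f))
    print("in ", *inbound(RULES, Flow("1.1.1.1", 5060, "2.2.2.2", 5060)))
    print("shadowed inbound:", shadowed_inbound(RULES))
```

The third outbound flow shows the original complaint: a server that sources from any port other than 5060 matches none of the service-qualified static rules and lands in the PAT pool, where the port is rewritten. The inbound call shows why the two extra rules cannot give each server its own public mapping: the client's packet to 2.2.2.2:5060 is claimed by the HOST rule for the CSS VIP, and `shadowed_inbound` lists HOST-1 and HOST-2 as unreachable in that direction. On a real ASA the same two questions are answered with `packet-tracer input inside udp 10.10.11.11 5060 1.1.1.1 5060` for the outbound path, `packet-tracer input outside udp 1.1.1.1 5060 2.2.2.2 5060` for the inbound one, and `show xlate` to see which translation was actually built.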

Jouni Forss Thu, 07/18/2013 - 05:51

Edited my above post


- Jouni

Jouni Forss Thu, 07/18/2013 - 06:55

Hi,


I am not quite sure what you mean. I am also pretty unfamiliar with the actual setup.


I guess the configurations mentioned above would enable the local devices to source their traffic from the UDP/5060 port but as long as we are using a single public IP address the inbound traffic on a single destination port of UDP/5060 to my understanding can only be matched towards a single local IP address.


- Jouni
