Allowing outside traffic to inside on ASA

samirshaikh52
Level 2

I have an ASA firewall placed at the perimeter network and host in the inside network.

I have only allowed these hosts to make VoIP calls using a third-party VoIP service called Jumblo (for info, www.jumblo.com).

Below is the config.

access-list inside_access_in extended permit udp host 192.168.5.150 object-group DM_INLINE_NETWORK_11 object-group Jumblo
nat (inside) 10 192.168.5.150 255.255.255.255

The call can be made successfully. The problem, however, is that when the call is placed he cannot hear the dial tone or the remote client's voice.

I believe that I need to configure something on the ASA to allow the traffic from outside to inside, but I am confused.

Please advise me.

59 Replies

But the VoIP service (Jumblo) has whole subnets:

221.123.176.0

77.72.174.0

How can I make a static for the subnet?


I really appreciate your time.

I don't mean making a static for the Jumblo subnet.

You have an internal device making the outbound call: 192.168.5.150.

Then, you do a static for that device:

static (inside,outside) PUBLIC_IP 192.168.5.150

access-list outside permit ip any host PUBLIC_IP

access-group outside in interface outside

In this way, we use a one-to-one translation for the calling device to make sure PAT is not causing conflicts, and we also permit all IP protocols to that IP. (If it works, we just adjust it as I mentioned before.)

Federico.

I will try and keep you updated.

No, it's not working.

Not that I have knowledge of how this Jumblo service works, but...

Is the device making the call an actual IP phone in software (do you have an IP telephony device)? Or is it done via Skype or something like that?

If the call is sent to the Jumblo server, then it somehow routes that through the telephony network to the mobile phone.

When the mobile phone sends the audio, the Jumblo server should notify that the call should be sent to the public IP that you're using.

I think that the Jumblo service is not sending the audio packets back to your IP properly?

You can do a capture on the ASA's outside interface and check if there's any incoming traffic on those ports being received.

Federico.

It works fine when I permit the host to pass through the firewall completely, as I mentioned before:

access-list inside_access_in extended permit ip host 192.168.5.150 any
nat (inside) 10 192.168.5.150 255.255.255.255
global (outside) 10 interface

I even believe that the ASA is not able to make an inbound connection to a host.

I am really confused. How do I solve this issue?

I ran the Wireshark utility on host 192.168.5.150.

I disconnected all the sessions and kept only Jumblo running and making calls.

I saw my host 192.168.5.150 trying to reach these destinations:

221.123.176.56

77.72.174.33

And these public IPs trying to reach my IP 192.168.5.150.

These things work when I give full permission to the host:

access-list inside_access_in extended permit ip host 192.168.5.150 any
nat (inside) 10 192.168.5.150 255.255.255.255
global (outside) 10 interface

Please advise.
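Following the capture the poster describes above, here is an added example (editor's code, not from anyone in this thread) that turns tshark-style observations from the inside host into the narrowest pre-8.3 ASA ACL that still covers what was seen, and separately lists the inbound packets that nothing from the inside solicited, which are the ones a static translation and an outside ACL would have to cover. The host and the two /24s are from the thread; the sample rows, the port numbers, the 10000 media-port floor and the ACL names are assumptions.

```python
"""Derive a least-privilege ASA ACL from flows observed on the inside host.

Added example, not from the thread. Input is tshark field output reduced to
"src dst ip.proto sport dport" (constructed below); output is ASA pre-8.3
ACL text for exactly the destinations seen, plus the inbound packets that no
outbound packet solicited.
"""
import ipaddress
from collections import defaultdict

HOST = "192.168.5.150"           # from the thread
MEDIA_PORT_FLOOR = 10000         # assumption: dst ports >= this are RTP-style media, collapsed into a range
PROTO = {"6": "tcp", "17": "udp"}

# Constructed sample, shaped like:
#   tshark -r voip.pcap -T fields -e ip.src -e ip.dst -e ip.proto -e udp.srcport -e udp.dstport
# (tcp.srcport/tcp.dstport for the TCP rows). Subnets are from the thread; ports are assumptions.
SAMPLE = """\
192.168.5.150 221.123.176.56 17 5060 5060
221.123.176.56 192.168.5.150 17 5060 5060
192.168.5.150 77.72.174.33 6 49211 443
77.72.174.33 192.168.5.150 6 443 49211
192.168.5.150 221.123.176.56 17 16384 10004
192.168.5.150 221.123.176.56 17 16384 10006
221.123.176.56 192.168.5.150 17 10004 16384
77.72.174.40 192.168.5.150 17 20010 16385
"""


def parse(text):
    """Return (src, dst, proto, sport, dport) tuples; rows that are not TCP/UDP are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] not in PROTO:
            continue
        src, dst, proto, sport, dport = fields
        flows.append((src, dst, PROTO[proto], int(sport), int(dport)))
    return flows


def summarise(flows, host=HOST):
    """Group outbound destinations by (proto, /24) and collect unsolicited inbound packets."""
    outbound = defaultdict(set)   # (proto, network) -> destination ports used
    solicited = set()             # (proto, peer, peer_port, host_port) opened from the inside
    unsolicited = []
    for src, dst, proto, sport, dport in flows:
        if src == host:
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            outbound[(proto, net)].add(dport)
            solicited.add((proto, dst, dport, sport))
        elif dst == host and (proto, src, sport, dport) not in solicited:
            # No inside packet opened this 5-tuple, so the ASA conn table will not match it
            unsolicited.append((proto, src, sport, dport))
    return outbound, unsolicited


def acl_lines(outbound, name="inside_access_in", host=HOST, media_floor=MEDIA_PORT_FLOOR):
    """One 'eq' line per signalling port, one 'range' line covering the media ports."""
    lines = []
    for (proto, net), ports in sorted(outbound.items(), key=lambda kv: (kv[0][0], str(kv[0][1]))):
        dst = f"{net.network_address} {net.netmask}"
        media = sorted(p for p in ports if p >= media_floor)
        for p in sorted(p for p in ports if p < media_floor):
            lines.append(f"access-list {name} extended permit {proto} host {host} {dst} eq {p}")
        if media:
            lines.append(f"access-list {name} extended permit {proto} host {host} {dst} range {media[0]} {media[-1]}")
    return lines


def outside_acl_lines(unsolicited, public_ip="PUBLIC_IP", name="outside_access_in"):
    """Outside ACL a static (inside,outside) translation would need for the unsolicited sources.

    Pre-8.3 ASA evaluates the outside ACL against the mapped address, hence the
    PUBLIC_IP placeholder as in the thread. Media ports change per call, so the
    source /24 is permitted to that host without a port instead of 'any'.
    """
    nets = {(proto, ipaddress.ip_network(f"{src}/24", strict=False)) for proto, src, _, _ in unsolicited}
    return [f"access-list {name} extended permit {proto} {n.network_address} {n.netmask} host {public_ip}"
            for proto, n in sorted(nets, key=lambda k: (k[0], str(k[1])))]


if __name__ == "__main__":
    out, unsol = summarise(parse(SAMPLE))
    print("\n".join(acl_lines(out)))
    print("unsolicited inbound:", unsol)
    print("\n".join(outside_acl_lines(unsol)))
```

The unsolicited list is the check that matters for this thread: an empty list means the 'permit ip host ... any' rule was only masking a missing outbound port, while a non-empty list means a media server is sending to the host first, which no inside-interface ACL can fix.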

So, running Wireshark, besides the outgoing traffic you actually see incoming traffic back to your host?

If you PAT your internal 192.168.5.150, then the return traffic (when the Internet side tries to reach your public IP) could have problems.

That's the reason I was suggesting to try with a STATIC translation.

Also, outbound traffic is permitted by the ACL that you described.

What I'd do is enable logging:

logging on

logging buffered 7

sh log

and check if you see any teardown message or something indicating a failed connection.

Also, can you run Wireshark on the outside interface?

Federico.
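To act on the 'show log' suggestion above, here is an added example (editor's code, not Federico's and not Cisco's) that scans buffered ASA syslog for the three message types worth reading first in this situation: 106023 (denied by an access-group), 106015 (TCP denied, no connection) and 302016 (UDP connection teardown), and flags UDP connections torn down with zero bytes, which is what one-way audio looks like in the log. The log lines are constructed to follow the ASA syslog format for those IDs; the addresses come from the thread, the ports, interface names and ACL name are assumptions.

```python
"""Triage ASA syslog for one VoIP host: what was denied, and which UDP conns carried nothing.

Added example, not from the thread. Parses %ASA-4-106023, %ASA-6-106015 and
%ASA-6-302016 lines (constructed sample below) and summarises them for the host.
"""
import re
from collections import Counter

HOST = "192.168.5.150"  # from the thread

DENY_ACL = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")
DENY_NOCONN = re.compile(
    r"%ASA-\d-106015: Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)")
TEARDOWN_UDP = re.compile(
    r"%ASA-\d-302016: Teardown UDP connection \d+ for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)")

# Constructed sample log; ports, interface names and the ACL name are assumptions.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src outside:77.72.174.40/20010 dst inside:192.168.5.150/16385 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:77.72.174.40/20012 dst inside:192.168.5.150/16385 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-106015: Deny TCP (no connection) from 221.123.176.56/5060 to 192.168.5.150/49300 flags ACK on interface outside
%ASA-6-302015: Built outbound UDP connection 4711 for outside:221.123.176.56/5060 (221.123.176.56/5060) to inside:192.168.5.150/5060 (PUBLIC_IP/5060)
%ASA-6-302016: Teardown UDP connection 4711 for outside:221.123.176.56/5060 to inside:192.168.5.150/5060 duration 0:02:01 bytes 4096
%ASA-6-302016: Teardown UDP connection 4712 for outside:221.123.176.56/10004 to inside:192.168.5.150/16384 duration 0:00:00 bytes 0
"""


def triage(log_text, host=HOST):
    """Return (denied, empty): denied inbound flows counted by (proto, src, dst_port),
    and UDP connections involving the host that were torn down having carried 0 bytes."""
    denied = Counter()
    empty = []
    for line in log_text.splitlines():
        m = DENY_ACL.search(line) or DENY_NOCONN.search(line)
        if m:
            if m["dst"] == host:
                denied[(m["proto"].lower(), m["src"], int(m["dport"]))] += 1
            continue
        m = TEARDOWN_UDP.search(line)
        if m and host in (m["src"], m["dst"]) and int(m["bytes"]) == 0:
            secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            empty.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), secs))
    return denied, empty


def report(denied, empty):
    """Human-readable summary of triage() output."""
    out = ["denied inbound to host:"]
    for (proto, src, dport), n in sorted(denied.items()):
        out.append(f"  {proto} from {src} to port {dport}: {n} packet(s)")
    out.append("UDP connections torn down with 0 bytes (media never flowed):")
    for src, sport, dst, dport, secs in empty:
        out.append(f"  {src}/{sport} -> {dst}/{dport} after {secs}s")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(*triage(SAMPLE_LOG)))
```

Read the two lists together: a deny from a Jumblo address to a high port on the host is the inbound media the thread is missing, and a zero-byte UDP teardown for a call that was 'built' tells you the pinhole existed but the far end never sent into it.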

Hello Samir,

If I understand you correctly, it is working fine when you allow the inside host full access to the Internet. Do you have inspects enabled? My guess is that you need to enable a few TCP ports along with the UDP ports for signaling purposes.

Can you allow TCP 5060 and 1719/1720 and see if that helps?

Regards,

NT

Hi NT,

Yes, exactly: when I permit full Internet access it works fine.

I have the default inspects enabled.

Here is the output of the show command:

ASA-5520# sh running-config | include inspect
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Hello Samir,

On your inside interface, can you allow TCP port 5060 along with the other ports? It seems like Jumblo uses SIP to establish calls.

Regards,

NT

Hi NT,

Can you give me some command help to allow the TCP 5060 and 1719/1720 ports?

Hello Samir,

Try the following:

access-list inside_access_in line 1 permit tcp host 192.168.5.150 any eq 1720
access-list inside_access_in line 2 permit tcp host 192.168.5.150 any eq 1719
access-list inside_access_in line 3 permit tcp host 192.168.5.150 any eq 5060

Regards,

NT

Hello NT,

I'll try and update you then.

Hello NT,

I did as you said, but it's still the same.
