Cisco Support Community
New Member

Allowing Outside traffic to inside on ASA

I have an ASA firewall placed at the perimeter network and hosts in the inside network.

I have only allowed these hosts to make VoIP calls using a 3rd-party VoIP service called Jumblo (for info: www.jumblo.com).

Below is the config.

access-list inside_access_in extended permit udp host 192.168.5.150 object-group DM_INLINE_NETWORK_11 object-group Jumblo
nat (inside) 10 192.168.5.150 255.255.255.255

The call can be made successfully. However, the problem is that when a call is placed he cannot hear the dial tone or the remote client's voice.

I believe that I need to configure something on the ASA to allow the traffic from outside to inside, but I am confused.

Please Advise me.

59 REPLIES

Re: Allowing Outside traffic to inside on ASA

Hi,

Traffic from inside to outside is permitted by default.

You posted the ACL and the NAT statement, but they do not show what it is translated to (the global command).

If you're doing PAT, it sometimes causes problems with applications that use fixed ports.

The return traffic does not need to be explicitly permitted if it is being inspected on its way out.

If you provide more details, perhaps we can provide more help.

Federico.

New Member

Re: Allowing Outside traffic to inside on ASA

Hi Federico

Thanks for your prompt response.

Firstly, I have PAT configured:

global (outside) 10 interface

But when I configured it this way, it works:

access-list inside_access_in extended permit ip host 192.168.5.150 any
nat (inside) 10 192.168.5.150 255.255.255.255

It will allow all traffic, which I don't want to do.

New Member

Re: Allowing Outside traffic to inside on ASA

On the official Jumblo website they give the following ports to be allowed:

UDP 5060
UDP 11113
UDP 10300 - 10311
UDP 6901 - 6920

And the destination IPs to be allowed I captured with Wireshark.

Re: Allowing Outside traffic to inside on ASA

To allow only the traffic you want, you do the following:

nat (inside) 10 192.168.5.150 255.255.255.255

global (outside) 10 interface

But instead of this:

access-list inside_access_in extended permit ip host 192.168.5.150 any

You allow only the desired ports:

access-list inside_access_in extended permit tcp host 192.168.5.150 any eq 80

access-list inside_access_in extended permit tcp host 192.168.5.150 any eq 25

The above assumes the following:

You want to allow only outbound TCP traffic destined to ports 80 and 25

There's an access-group applied to the inside interface called inside_access_in

Federico.
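Applying Federico's approach to the Jumblo UDP port list from the earlier post, as an added example in Python that is not part of the thread: it renders the service and network object groups, the single outbound ACL entry for the VoIP host and the NAT/PAT lines, and then evaluates candidate flows against that policy, so the destinations and ports seen in Wireshark can be checked before the configuration is committed. The object-group names, the /24 masks on the two provider subnets, and the sample flows are assumptions, not taken from the poster's firewall.

```python
"""Least-privilege outbound ASA policy for one VoIP host, plus a checker.

Added example, not the poster's or Cisco's code.  The port list and the
two provider subnets come from the thread; the group names, /24 masks and
sample flows below are assumptions.
"""
import ipaddress
from typing import Iterable, List, Tuple

Flow = Tuple[str, str, str, int]   # (proto, src_ip, dst_ip, dst_port)

# Ports published by the provider (from the thread): (proto, low, high).
JUMBLO_PORTS = [("udp", 5060, 5060), ("udp", 11113, 11113),
                ("udp", 10300, 10311), ("udp", 6901, 6920)]
# Subnets quoted in the thread; the /24 masks are an assumption.
JUMBLO_NETS = ["221.123.176.0/24", "77.72.174.0/24"]
VOIP_HOST = "192.168.5.150"


def asa_config(host=VOIP_HOST, nets=JUMBLO_NETS, ports=JUMBLO_PORTS,
               acl="inside_access_in", svc_grp="Jumblo",
               net_grp="Jumblo_Servers", nat_id=10) -> str:
    """Render object groups, the one ACL entry, access-group and NAT/PAT."""
    out = [f"object-group service {svc_grp} udp"]
    for _, lo, hi in ports:
        out.append(f" port-object eq {lo}" if lo == hi
                   else f" port-object range {lo} {hi}")
    out.append(f"object-group network {net_grp}")
    for net in nets:
        n = ipaddress.ip_network(net)
        out.append(f" network-object {n.network_address} {n.netmask}")
    # Only the VoIP host, only the provider's subnets, only the listed UDP ports.
    out.append(f"access-list {acl} extended permit udp host {host} "
               f"object-group {net_grp} object-group {svc_grp}")
    out.append(f"access-group {acl} in interface inside")
    out.append(f"nat (inside) {nat_id} {host} 255.255.255.255")
    out.append(f"global (outside) {nat_id} interface")
    return "\n".join(out)


def permitted(flow: Flow, host=VOIP_HOST, nets=JUMBLO_NETS,
              ports=JUMBLO_PORTS) -> bool:
    """True if the outbound flow matches the single permit entry above."""
    proto, src, dst, dport = flow
    if src != host:
        return False
    dst_ip = ipaddress.ip_address(dst)
    if not any(dst_ip in ipaddress.ip_network(n) for n in nets):
        return False
    return any(p == proto and lo <= dport <= hi for p, lo, hi in ports)


def dropped(flows: Iterable[Flow]) -> List[Flow]:
    """Flows a capture showed that the policy would NOT permit outbound."""
    return [f for f in flows if not permitted(f)]


# Constructed sample: the two server addresses from the thread plus two
# flows chosen to fall just outside the policy (TCP signalling, port 10312).
OBSERVED: List[Flow] = [
    ("udp", VOIP_HOST, "221.123.176.56", 5060),
    ("udp", VOIP_HOST, "77.72.174.33", 10305),
    ("tcp", VOIP_HOST, "221.123.176.56", 5060),
    ("udp", VOIP_HOST, "221.123.176.56", 10312),
]

if __name__ == "__main__":
    print(asa_config())
    for f in dropped(OBSERVED):
        print("not permitted by policy:", f)
```

Feed `dropped()` the (proto, src, dst, dport) tuples exported from the Wireshark capture: anything it returns is either a port the provider did not document or a destination outside the object group, and is the first place to look when a call half-works. Return traffic is still left to the ASA's stateful inspection; nothing here opens the outside interface.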

New Member

Re: Allowing Outside traffic to inside on ASA

I've created an object group (named Jumblo) for the following UDP ports:

UDP 5060
UDP 11113
UDP 10300 - 10311
UDP 6901 - 6920

And object groups for the destination IPs (named jumblo1 and jumblo2).

So the ACL is:

access-list inside_access_in extended permit udp host 192.168.5.150 object-group DM_INLINE_NETWORK_11 object-group Jumblo
nat (inside) 10 192.168.5.150 255.255.255.255


As I told you, this way I connect to Jumblo and place a call, but I cannot receive the remote user's voice.

Re: Allowing Outside traffic to inside on ASA

If you're passing voice traffic through the ASA, then it has both signaling and the actual voice packets.

If the call is established, then the signaling is correct (the called phone rings?)

The audio is then part of the voice packets (they shouldn't need to be permitted if the voice protocol is being inspected).

Just as a quick test, if you permit IP from the remote IP inbound, does it work? This will just prove whether it's a matter of permitting ports or not.

Federico.

New Member

Re: Allowing Outside traffic to inside on ASA

"Just as a quick test, if you permit IP from the remote IP inbound, does it work? This will just prove whether it's a matter of permitting ports or not."

How can I do this? I didn't get it.

Re: Allowing Outside traffic to inside on ASA

You say there's no audio between both phones.

Both phones have an IP address.

Is IP permitted between both IPs?

Federico.

New Member

Re: Allowing Outside traffic to inside on ASA

I think you didn't get me.

We don't have phones.

Re: Allowing Outside traffic to inside on ASA

Sorry you're right.

But the same idea applies...

You need to make a call between two IP addresses correct?

Federico.

New Member

Re: Allowing Outside traffic to inside on ASA

No, I have a network host calling mobile phones.

Re: Allowing Outside traffic to inside on ASA

Ok then...

When you place a call to a mobile, does it ring and there's no audio? Or does the mobile never ring?

Federico.

New Member

Re: Allowing Outside traffic to inside on ASA

When I place a call I don't hear a dial tone. The remote user can hear my voice, but I cannot hear his.

Re: Allowing Outside traffic to inside on ASA

Do you have a spare (public) IP on the outside interface?

If you do you can:

static (inside,outside) x.x.x.x 192.168.5.150

access-list outside permit ip any host x.x.x.x

access-group outside in interface outside

The idea is to create a static one-to-one translation to your internal machine (the one making the call).

Also create an ACL to permit all IP traffic inbound to that IP.

If the above test works, we know the problem is caused by the ASA and it's just a matter of adjusting the configuration.

Federico.

New Member

Re: Allowing Outside traffic to inside on ASA

But the VoIP service (Jumblo) has whole subnets:

221.123.176.0

77.72.174.0

How can I make a static for the subnet?

I really appreciate your time.

Re: Allowing Outside traffic to inside on ASA

I don't mean making static for the jumblo subnet.

You have an internal device making the outbound call 192.168.5.150

Then, you do a static for that device:

static (inside,outside) PUBLIC_IP 192.168.5.150

access-list outside permit ip any host PUBLIC_IP

access-group outside in interface outside

In this way, we use a one-to-one translation for the calling device to make sure PAT is not causing conflicts, and also permit all IP protocols to that IP (if it works, we just adjust it as I mentioned before).

Federico.

New Member

Re: Allowing Outside traffic to inside on ASA

I will try and keep you updated.

New Member

Re: Allowing Outside traffic to inside on ASA

No, it's not working.

Re: Allowing Outside traffic to inside on ASA

Not that I have knowledge of how this Jumblo service works, but...

Is the device making the call an actual IP phone in software (do you have an IP telephony device)? Or is it done via Skype or something like that?

If the call is sent to the Jumblo server, then it somehow routes that through the telephony network to the mobile phone.

When the mobile phone sends the audio, the Jumblo server should know that the call should be sent to the public IP that you're using.

I think that the Jumblo service is not sending the audio packets back to your IP properly?

You can do a capture on the ASA's outside interface and check if there's any incoming traffic on those ports being received.

Federico.

New Member

Re: Allowing Outside traffic to inside on ASA

It works fine when I permit the host to pass through the firewall completely, as I mentioned before:

access-list inside_access_in extended permit ip host 192.168.5.150 any
nat (inside) 10 192.168.5.150 255.255.255.255
global (outside) 10 interface outside

I even believe that the ASA is not able to make an inbound connection to a host.

I am really confused. How to solve this issue ?

New Member

Re: Allowing Outside traffic to inside on ASA

I ran the Wireshark utility on the host 192.168.5.150.

I disconnected all the sessions and kept only Jumblo running and making calls.

I saw my host 192.168.5.150 trying to reach the destinations

221.123.176.56

77.72.174.33

And these public IPs trying to reach my IP 192.168.5.150.

These things work when I gave full permission to the host:

access-list inside_access_in extended permit ip host 192.168.5.150 any
nat (inside) 10 192.168.5.150 255.255.255.255
global (outside) 10 interface outside

Please Advise

Re: Allowing Outside traffic to inside on ASA

So running wireshark besides the outgoing traffic, you actually see incoming traffic back to your host?

If you PAT your internal 192.168.5.150, then the return traffic (when trying to reach your public IP from Internet), could have problems.

That's the reason I was suggesting to try with a STATIC translation.

Also, outbound traffic is permitted by the ACL that you described.

What I'd do is enable logging:

logging on

logging buffered 7

sh log

and check if you see any teardown message or something indicating a failed connection.

Also, can you run Wireshark on the outside interface?

Federico.
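One way to do what Federico suggests (turn `show logging` output into a list of flows the ASA refused for the VoIP host), as an added Python example that is not part of the thread. The message shapes follow the documented ASA syslog formats (302013/302015 Built, 302014/302016 Teardown, 106015/106023/305005/305006 denies); the sample lines and the public address 203.0.113.10 are constructed for the example, not captured from the poster's firewall, and real lines will carry a timestamp and hostname in front, which the parser ignores.

```python
"""Pick denied and torn-down flows for one host out of ASA syslog output.

Added example, not the poster's or Cisco's code.  Sample lines are
constructed in the documented message formats; 203.0.113.10 stands in for
the outside interface address.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

Endpoint = Tuple[str, int]


class Event(NamedTuple):
    msg_id: str
    verdict: str                      # "permit", "deny" or "other"
    proto: Optional[str]
    endpoints: Tuple[Endpoint, ...]   # real (untranslated) endpoints, message order
    nbytes: Optional[int]             # only present on Teardown messages


DENY_IDS = {"106001", "106015", "106023", "305005", "305006"}
PERMIT_IDS = {"302013", "302014", "302015", "302016"}

MSG_RE = re.compile(r"%ASA-\d-(\d{6}):")
EP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
PROTO_RE = re.compile(r"\b(tcp|udp|icmp)\b", re.I)
BYTES_RE = re.compile(r"\bbytes (\d+)")


def parse_line(line: str) -> Optional[Event]:
    m = MSG_RE.search(line)
    if not m:
        return None
    msg_id = m.group(1)
    verdict = ("deny" if msg_id in DENY_IDS
               else "permit" if msg_id in PERMIT_IDS else "other")
    pairs = [(ip, int(port)) for ip, port in EP_RE.findall(line)]
    # Built messages list each endpoint twice, real/port (mapped/port).
    # Keep the real ones so a PATed host is still found by its inside address.
    if len(pairs) == 4:
        pairs = [pairs[0], pairs[2]]
    p = PROTO_RE.search(line)
    b = BYTES_RE.search(line)
    return Event(msg_id, verdict, p.group(1).lower() if p else None,
                 tuple(pairs), int(b.group(1)) if b else None)


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_by_id(text: str) -> Dict[str, int]:
    return dict(Counter(e.msg_id for e in parse_log(text)))


def denied_touching(text: str, addrs) -> List[Event]:
    """Deny events where any endpoint is one of addrs (inside or public IP)."""
    want = set(addrs)
    return [e for e in parse_log(text)
            if e.verdict == "deny" and any(ip in want for ip, _ in e.endpoints)]


def inbound_denies_to(text: str, public_ip: str) -> List[Tuple[str, str, int, int]]:
    """(msg_id, remote_ip, remote_port, local_port) for packets from the
    Internet to our public address that the ASA refused.  With PAT and no
    static or inspection pinhole, one-way audio shows up exactly here."""
    out = []
    for e in parse_log(text):
        if e.verdict == "deny" and len(e.endpoints) == 2 \
                and e.endpoints[1][0] == public_ip:
            (rip, rport), (_, lport) = e.endpoints
            out.append((e.msg_id, rip, rport, lport))
    return out


# Constructed sample: one SIP session built and torn down, two refused
# inbound packets from the provider, and an unrelated HTTPS connection.
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 4711 for outside:221.123.176.56/5060 (221.123.176.56/5060) to inside:192.168.5.150/5060 (203.0.113.10/1025)
%ASA-4-106023: Deny udp src outside:77.72.174.33/10300 dst outside:203.0.113.10/10300 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-106015: Deny TCP (no connection) from 77.72.174.33/5060 to 203.0.113.10/5060 flags SYN  on interface outside
%ASA-6-302016: Teardown UDP connection 4711 for outside:221.123.176.56/5060 to inside:192.168.5.150/5060 duration 0:02:01 bytes 18422
%ASA-6-302013: Built outbound TCP connection 4712 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:192.168.5.20/52110 (203.0.113.10/1026)
"""

if __name__ == "__main__":
    print(count_by_id(SAMPLE_LOG))
    for hit in inbound_denies_to(SAMPLE_LOG, "203.0.113.10"):
        print("refused inbound:", hit)
```

Paste the buffer from `show logging` into `SAMPLE_LOG` (or read it from a file) and call `inbound_denies_to()` with the outside interface address: a 106023 or 305005 line from one of the provider's addresses toward the media ports means the return audio is reaching the ASA but finding no translation or pinhole, which is the symptom the thread is chasing and the case where a static (or working SIP inspection) rather than a wider inside ACL is the fix.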

Cisco Employee

Re: Allowing Outside traffic to inside on ASA

Hello Samir,

If I understand you correctly, it is working fine when you allow the inside host full access to the internet. Do you have inspects enabled? My guess is that you need to enable a few TCP ports along with the UDP ports for signaling purposes.

Can you allow TCP 5060 and 1719/1720 and see if that helps?

Regards,

NT

New Member

Re: Allowing Outside traffic to inside on ASA

Hi NT,

Yes, exactly: when I permit full internet access it works fine.

I have the default inspects enabled.

Here is the output of the show command:

ASA-5520# sh running-config | include inspect
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Cisco Employee

Re: Allowing Outside traffic to inside on ASA

Hello Samir,

On your inside interface, can you allow TCP port 5060 along with the other ports? It seems like Jumblo uses SIP to establish calls.

Regards,

NT

New Member

Re: Allowing Outside traffic to inside on ASA

Hi NT,

Can you give me some command help to allow TCP ports 5060 and 1719/1720?

Cisco Employee

Re: Allowing Outside traffic to inside on ASA

Hello Samir,

Try the following:

access-list inside_access_in line 1 extended permit tcp host 192.168.5.150 any eq 1720
access-list inside_access_in line 2 extended permit tcp host 192.168.5.150 any eq 1719
access-list inside_access_in line 3 extended permit tcp host 192.168.5.150 any eq 5060

Regards,

NT

New Member

Re: Allowing Outside traffic to inside on ASA

Hello NT,

I'll try and update you then.

New Member

Re: Allowing Outside traffic to inside on ASA

Hello NT,

I did as you said, but it's still the same.
