ASA 5505 Port forwarding UDP ranges to multiple internal IP addresses

AaronCase3
Level 1

I'm setting up a 5505 to connect our phone system to SIP trunking. The phone system is the only thing that will be behind the 5505; however, there are multiple IPs associated with the phone system and I need to port forward based on specific port ranges. The following is what I want/need to accomplish.

Outside UDP traffic on UDP 5060-5061 and UDP 16384-17383 needs to be delivered to internal IP 192.168.1.26

Outside UDP traffic on UDP 17384-17639 needs to be delivered to internal IP 192.168.1.28

Outside UDP traffic on UDP 17640-17895 needs to be delivered to internal IP 192.168.1.27

Other than this, I want traffic blocked except what is initiated internally.

I have created object groups for the host objects and for the port ranges, and set NAT rules. Am I missing anything?

Here is my running config:

Any help/confirmation/critical analysis appreciated.

: Saved
:
ASA Version 8.4(6) 
!
hostname wavefc
domain-name center
enable password 8EBQPyIGHYB9jy6X encrypted
passwd 8EBQPyIGHYB9jy6X encrypted
names
name 192.168.1.28 MRMA description Wave MRMA IP
name 192.168.1.27 MRMB description Wave MRMB IP
name 192.168.1.26 vam description WAVE VAM IP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.30 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.174.110.110 255.255.255.0 
!
boot system disk0:/asa846-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name center
object network vam
 host 192.168.1.26
 description Created during name migration
object network MRMB_1
 host 192.168.1.27
 description Created during name migration
object network MRMA_1
 host 192.168.1.28
 description MRMB
object service VAM1
 service udp source range sip 5061 destination range sip 5061 
 description VAM Ports
object service VAM2
 service udp source range 16384 17383 destination range 16384 17383 
 description VAM SIP PORTS
object service MRMA
 service udp source range 17384 17639 destination range 17384 17639 
 description MRM A PORTS
object service MRMB
 service udp source range 17640 17895 destination range 17640 17895 
 description MRM B PORTS
object network Dynamic_NAT
 subnet 192.168.1.0 255.255.255.0
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.28
object network MRMBIP
 host 192.168.1.27
object service vamIP1
 service udp source range 16384 17383 
object service SIP
 service udp source range sip 5061 
object service mrmaUDP
 service udp source range 17384 17639 
object service mrmbUDP
 service udp source range 17640 17895 
object service vam5060
 service udp source range sip 5061 
object-group service VAM_PORTS
 service-object object VAM1 
 service-object object VAM2 
access-list outside_access_in extended permit object-group VAM_PORTS interface outside interface inside 
access-list outside_access_in extended permit object MRMA interface outside interface inside 
access-list outside_access_in extended permit object MRMB interface outside 192.168.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static vamIP interface service vamIP1 vamIP1
nat (inside,outside) source static MRMA_1 interface service mrmaUDP mrmaUDP
nat (inside,outside) source static MRMB_1 interface service mrmbUDP mrmbUDP
nat (inside,outside) source static vamIP interface service vam5060 vam5060
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 108.174.110.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.99-192.168.1.100 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username wave password 7dzE8CxoLKj5NbvA encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:c8602fd7e5eca94f54c4ae20296b28bc
: end
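An added example, not the poster's configuration or a reply from the thread, showing how the three UDP ranges are forwarded to the three phone-system hosts on ASA 8.4 with twice NAT, together with the outbound PAT and default route the post's goal implies. It reuses the post's host names and addresses; the SIP provider's source addresses are not known from the post, so the ACL source is left as `any` with a note on tightening it.

```cisco
! Added example, not the poster's configuration: static port forwarding of the
! three UDP ranges to the three phone-system hosts on ASA 8.4 (twice NAT).
! Host objects as in the post; service objects and ACL restated with one object
! per range so each NAT line and ACL line maps cleanly to one range.
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.28
object network MRMBIP
 host 192.168.1.27
!
! In twice NAT the "source" port of the service object is the real host's port;
! real and mapped ranges are identical, so the same object is given twice.
object service vam_sip
 service udp source range 5060 5061
object service vam_rtp
 service udp source range 16384 17383
object service mrma_rtp
 service udp source range 17384 17639
object service mrmb_rtp
 service udp source range 17640 17895
!
nat (inside,outside) source static vamIP interface service vam_sip vam_sip
nat (inside,outside) source static vamIP interface service vam_rtp vam_rtp
nat (inside,outside) source static MRMAIP interface service mrma_rtp mrma_rtp
nat (inside,outside) source static MRMBIP interface service mrmb_rtp mrmb_rtp
!
! Outbound PAT so internally initiated traffic can leave; a twice-NAT line
! (section 1) is always evaluated before object NAT (section 2).
object network Dynamic_NAT
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Since 8.3 the inbound ACL matches the real (untranslated) inside address,
! not the outside interface. Replacing "any" with the SIP provider's address
! object (not known from the post) limits exposure to that peer only.
access-list outside_access_in extended permit udp any object vamIP range 5060 5061
access-list outside_access_in extended permit udp any object vamIP range 16384 17383
access-list outside_access_in extended permit udp any object MRMAIP range 17384 17639
access-list outside_access_in extended permit udp any object MRMBIP range 17640 17895
access-group outside_access_in in interface outside
!
! The default route points out the outside interface with a 0.0.0.0 mask.
route outside 0.0.0.0 0.0.0.0 108.174.110.1 1
```

After applying, `show nat detail` and `packet-tracer input outside udp <provider-ip> 5060 108.174.110.110 5060` confirm that the translation and the ACL both hit for each range.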
19 Replies

Hi,

So I imagine that you are trying from a host whose network settings are statically configured and NOT DHCP?

If you have statically configured the settings, please confirm the IP address/network mask/gateway/DNS server so that they are correct.

If you are testing from a DHCP host, then please add some DNS servers to your DHCP configuration on the ASA:

dhcpd dns 8.8.8.8

for example, or the DNS servers provided by your ISP.

- Jouni

Hi,

Actually, it seems you have not even enabled DHCP:

dhcpd enable inside

That is, if you even want to enable it.

- Jouni

Yes, it is statically configured.

IP - 192.168.1.26 255.255.255.0

GW - 192.168.1.30

DNS 8.8.8.8

DNS will resolve... and after a third reboot it's working like a charm. Thanks a TON for your assistance! You're a lifesaver!

Great to hear it's working now.

I was starting to think I was missing something simple.

- Jouni

Jouni,

I've got one more thing.

I've got some traffic coming in on the internal interface that is from the 192.168.2.0 range. This is coming in over a VPN. I need to send that traffic back via 192.168.1.254 (which is the gateway controlling the point-to-point VPN). On my SonicWall I have a route set as follows:

source = 192.168.1.0/24    destination=192.168.2.0/24   protocol=any    gateway = 192.168.1.254

I'm thinking that on the ASA I need to put in something like:

route inside 192.168.2.0 255.255.255.0 192.168.1.254 1

I've got that entered in but I'm not establishing communication. Am I on the right track?
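An added example, not a reply from the thread, of the configuration that goes with the route above. It assumes the VPN gateway 192.168.1.254 sits on the inside LAN and that the LAN hosts use the ASA (192.168.1.30) as their default gateway, which is what the post describes; the ACL and policy names are made up for the example.

```cisco
! Added example, not from the thread: return path for the 192.168.2.0/24 site
! that reaches the LAN through a separate VPN gateway at 192.168.1.254 (assumed
! to sit on the inside LAN; hosts use the ASA, 192.168.1.30, as default gateway).
!
! Replies to the remote site go back out the inside interface to the VPN gateway.
route inside 192.168.2.0 255.255.255.0 192.168.1.254 1
!
! A packet that enters and leaves the same interface is dropped by default.
same-security-traffic permit intra-interface
!
! Only the LAN-to-remote direction transits the ASA: the VPN gateway delivers
! remote-to-LAN packets straight to the hosts, so the ASA never sees the TCP
! SYN and drops the host's SYN/ACK for lack of a connection. TCP state bypass
! lets this asymmetric flow through without the full TCP state check.
access-list vpn_bypass extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
class-map vpn_bypass_class
 match access-list vpn_bypass
policy-map vpn_bypass_policy
 class vpn_bypass_class
  set connection advanced-options tcp-state-bypass
service-policy vpn_bypass_policy interface inside
```

With the route alone, `show asp drop` counts the rejected replies under the no-connection and intra-interface reasons; both counters stop rising once the two additions are in place.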
