Community Member

ASA PAT UDP source port

Is there a way to preserve the source port for UDP packets that use a PAT pool?

Here is what I need:

The client (1.1.1.1) sends a UDP packet from port 5060 to port 5060 on our external 2.2.2.2. This packet is port forwarded to our internal server 10.10.10.10 with the original source and destination port. The server then sends a UDP response to the client from port 5060 to port 5060. The server is in a PAT pool that only contains the address 2.2.2.2. The ASA changes the source port and our client ends up rejecting the packet because the source port is not what it expected.

How can I preserve the original source port when the packet goes through the PAT pool?

Thanks,

Steven

8 REPLIES
Super Bronze

ASA PAT UDP source port

Hi,

It can be done in the new software at least, which would be 8.3 or newer.

What's your software level?

- Jouni

Community Member

ASA PAT UDP source port

8.4

Super Bronze

ASA PAT UDP source port

Hi,

So, if I am not totally mistaken, you have the following type of Static PAT configuration for the incoming UDP traffic:

object network STATIC-PAT-UDP5060
 host 10.10.10.10
 nat (inside,outside) static interface service udp 5060 5060

If this is true, then you could try adding this:

  • Modify the names of objects as you like
  • Correct interface names if different

object network HOST
 host 10.10.10.10

object service UDP5060
 service udp source eq 5060 destination eq 5060

nat (inside,outside) source static HOST interface service UDP5060 UDP5060

This should preserve the source port for outbound connections.

You might see an error message stating that the created NAT configuration overlaps with the existing Static PAT, but it didn't seem to cause problems.

Though as long as both source and destination port remain UDP5060 then this NAT should handle both directions.

Let me know if this works for you

- Jouni

Community Member

ASA PAT UDP source port

That looks like it will work for 1 server. Can I get this to work for 2 servers?

We are trying to load balance our SIP traffic through a CSS.

Incoming traffic on 2.2.2.2 to port 5060 will get forwarded to the CSS's virtual IP 10.10.10.10 and it load balances the traffic to 10.10.11.11 and 10.10.11.12.

Can I get outgoing traffic from 10.10.11.11 and 10.10.11.12 to both use 2.2.2.2 and preserve their source ports?

Super Bronze

Re: ASA PAT UDP source port

Hi,

Well, you could probably make this work for the outbound direction, BUT in the inbound direction from the Internet I don't think there is really a way to use the same public IP address and public UDP port.

I mean, the ASA doesn't have any way to determine which internal IP the traffic on destination port UDP5060 to destination IP 2.2.2.2 would have to be forwarded to.

It would simply use the first rule matched always.

But as I said for the outbound direction it might work.

You would simply add another similar NAT statement with a different source object with a different source IP address. The ASA would again accept the command but give a warning about rule overlap.

I guess adding the below would work for the outbound direction IN THEORY:

object network HOST-1
 host 10.10.11.11

object network HOST-2
 host 10.10.11.12

nat (inside,outside) source static HOST-1 interface service UDP5060 UDP5060
nat (inside,outside) source static HOST-2 interface service UDP5060 UDP5060

But not for inbound, though if I understood correctly, the inbound traffic should only ever go to a single virtual IP.

I would imagine this is as close as you can get to "implementing" something weird on the ASA.

- Jouni
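
The matching behaviour described in the reply above, as an added example that is not part of the thread: a small Python model of the two static twice-NAT rules (HOST-1 and HOST-2 mapped to the interface address, assumed here to be 2.2.2.2 as in the question). It shows why the static service mapping keeps UDP/5060 as the translated source port outbound, and why inbound traffic to 2.2.2.2:5060 can only ever reach the first matching rule's real host. It is a simplified model of top-down rule matching, not the ASA's own code.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class TwiceNatRule:
    """One 'nat (inside,outside) source static <obj> interface service UDP5060 UDP5060' line."""
    real_host: str    # object network HOST-n
    mapped_host: str  # 'interface' keyword, i.e. the outside interface address
    real_port: int    # source port from object service UDP5060
    mapped_port: int  # same service object reused as the mapped service

INTERFACE_IP = "2.2.2.2"  # assumed outside interface address, taken from the question

# Rules in the order they were entered; section 1 (twice NAT) is evaluated top-down.
RULES: List[TwiceNatRule] = [
    TwiceNatRule("10.10.11.11", INTERFACE_IP, 5060, 5060),  # HOST-1
    TwiceNatRule("10.10.11.12", INTERFACE_IP, 5060, 5060),  # HOST-2
]

def translate_outbound(src_ip: str, src_port: int,
                       rules: List[TwiceNatRule] = RULES) -> Optional[Tuple[str, int]]:
    """Mapped (ip, port) for a packet leaving inside; static mapping preserves the port."""
    for r in rules:
        if src_ip == r.real_host and src_port == r.real_port:
            return r.mapped_host, r.mapped_port
    # No static match: a dynamic PAT pool would choose a different source port here.
    return None

def untranslate_inbound(dst_ip: str, dst_port: int,
                        rules: List[TwiceNatRule] = RULES) -> Optional[str]:
    """Real host for a packet arriving on outside; the first matching rule always wins."""
    for r in rules:
        if dst_ip == r.mapped_host and dst_port == r.mapped_port:
            return r.real_host
    return None

def shadowed_inbound_hosts(rules: List[TwiceNatRule] = RULES) -> List[str]:
    """Real hosts whose mapped (ip, port) collides with an earlier rule.

    The ASA accepts such a rule with an overlap warning, but inbound packets
    can never be steered to these hosts.
    """
    seen = set()
    shadowed = []
    for r in rules:
        key = (r.mapped_host, r.mapped_port)
        if key in seen:
            shadowed.append(r.real_host)
        seen.add(key)
    return shadowed
```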

Super Bronze

Re: ASA PAT UDP source port

Edited my above post

- Jouni

Community Member

ASA PAT UDP source port

Would an extended PAT pool make a difference?

Super Bronze

ASA PAT UDP source port

Hi,

I am not quite sure what you mean. I am also pretty unfamiliar with the actual setup.

I guess the configurations mentioned above would enable the local devices to source their traffic from the UDP/5060 port, but as long as we are using a single public IP address, the inbound traffic on a single destination port of UDP/5060 can, to my understanding, only be matched towards a single local IP address.

- Jouni
