Cisco Support Community

ASA5505 - NAT

This is a somewhat broad question, but I am going to post it anyway and see if anyone can comment, as I feel it may relate to an incorrect NAT statement. I have a telephone system sitting behind the ASA, which I've NAT'd inbound and outbound to an internet address.

static (inside,outside) 209.92.46.156 10.0.0.7 netmask 255.255.255.255

nat (inside) 1 10.0.0.7 255.255.255.255

global (outside) 1 209.92.46.156

This is the way I normally do the NAT to make the traffic match the same IP both inbound and outbound. I am now unsure if this is the correct way to go about things. Here is the problem I am running into.

A (remote) telephone boots up, grabs an IP, and registers with the phone system. All is well, except for when a call is made and there is no audio. All of the necessary ports are open (on both ends, here it is a 2800 ISR with the firewall enabled) and for testing purposes an ip any any statement was added. So here is the problem..

The phone registers, and in a capture you can see the local address of the phone communicating with the internet-routable address of the phone system. All is well. However, once the RTP stream initiates, the local telephone is now communicating with the inside address of the phone system, and I feel that is the bottleneck.

Does anyone see anything wrong with the NAT config? I am assuming the media stream should be between each end point and not the system, but I'm not quite sure if the protocol is proprietary (more than likely is) and may work differently.

5 REPLIES
New Member

Re: ASA5505 - NAT

Sorry, I forgot to include remarks about the inspection table.

On the ASA, there is an access-list applied to the inside interface with a permit ip any any statement.

Re: ASA5505 - NAT

use only one variant

(if you need access to the telephone system from outside, STATIC NAT)

static (inside,outside) 209.92.46.156 10.0.0.7 netmask 255.255.255.255

or

(PAT)

nat (inside) 1 10.0.0.7 255.255.255.255

global (outside) 1 209.92.46.156

could you show the topology?

New Member

Re: ASA5505 - NAT

When you say use one variant, is that best practice or a fact because ...?

The reason I ask: I've noticed that if you have a global NAT set up for an entire network but also have a webserver, a static NAT would only provide 1-way translation.

Let's say all hosts on the 10.0.0.0/24 subnet use the outside interface for internet access. The outside interface is set to 207.99.0.1. A webserver, 10.0.0.254, is bound to 207.99.0.2 through a static NAT.

I can communicate with the server just fine; however, if I am on the webserver and make a request to go out to the internet, it will be from the 207.99.0.1 address.

Just an FYI, one of the telephone guys called and said he had the IP in the wrong field, so the remote phone is now communicating. But I am still interested in the topic of the 1-way NATing.

Re: ASA5505 - NAT

I can communicate with the server just fine; however, if I am on the webserver and make a request to go out to the internet, it will be from the 207.99.0.1 address.

Yes, correct.

If you also add an access-list, you will be able to access the server from the outside (internet):

access-list OUTSIDE-IN permit tcp any host 207.99.0.1 eq www

But if you only want to have internet access from the server, you can use PAT.
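The "use only one variant" advice and the access-list reply in this thread can be checked mechanically. The following is an added example, not code from any poster or from Cisco: a small Python audit over pre-8.3 style lines, where `audit`, the finding names and the sample config (constructed from the addresses used in the thread) are all hypothetical. It assumes that an inbound permit to a host should name an address that some `static` line maps.

```python
import ipaddress
import re

# Constructed sample, built from the addresses used in this thread.
SAMPLE = """\
static (inside,outside) 207.99.0.2 10.0.0.254 netmask 255.255.255.255
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
access-list OUTSIDE-IN permit tcp any host 207.99.0.1 eq www
"""

STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
NAT = re.compile(r"^nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)")
ACL = re.compile(r"^access-list (\S+) (?:extended )?permit \S+ any host (\S+)")


def audit(config):
    """Return (kind, detail) findings for pre-8.3 style NAT/ACL lines."""
    statics, nats, acl_hosts = [], [], []
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            # (mapped address, real host or network)
            statics.append((m[3], ipaddress.ip_network(f"{m[4]}/{m[5]}")))
        elif m := NAT.match(line):
            if m[2] != "0":  # nat id 0 is exemption, not dynamic translation
                nats.append((m[2], ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        elif m := ACL.match(line):
            acl_hosts.append((m[1], m[2]))

    findings = []
    # A real address covered by both a static and a dynamic nat rule.
    for mapped, real in statics:
        for nat_id, net in nats:
            if real.overlaps(net):
                detail = f"{real} has static {mapped} and nat id {nat_id}"
                findings.append(("overlap", detail))
    # Assumption: a permit to a host should target a static mapped address.
    mapped_addrs = {mapped for mapped, _ in statics}
    for name, host in acl_hosts:
        if host not in mapped_addrs:
            detail = f"{name} permits {host}, no static maps to it"
            findings.append(("acl-target", detail))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind}: {detail}")
```

Static PAT and policy NAT lines are not matched by these patterns and are skipped rather than reported.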
