Cisco ASA, skipping real source port number with PAT.
Cisco ASA configuration guide says:
"PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. "
Is it possible to skip this? I do not want to use the real source port number. The issue is, when I have a PAT entry with the real source port (port 5060), the SIP session doesn't work. With all the other port numbers, everything works.
Notice that the configuration you tried does not modify the real source port at all.
Since you are using the same "object" for the real/mapped service, the configuration above matches traffic where the connection's destination is "any" and the destination is "udp 6000 65535", and only when the source is "udp sip"; in that event it keeps the exact same "udp sip" source port, as you are using the same "object".
I am not sure if it's a software or configuration related issue, but I have not gotten this to work reliably on my ASA. I might have to try some other software level.
I guess you would want to match the SIP source port in the Dynamic PAT and avoid using the SIP port as the mapped port? With that in mind I was thinking something like this:
object service UDP-SIP
 service udp source eq sip
object service UDP-SIP-MAPPED
 service udp source range 30000 31000
Though it seems the above configuration is bypassed by the ASA completely, and it uses the identical source port as the mapped port even though the traffic matches the configuration.
If I were to change the above configuration from "dynamic" to "static" then the configuration matches but it uses only the first mapped "source" port of "30000". I guess it would only use a different mapped port if you used multiple real source ports also instead of the current single source port "sip".
Yes, you are correct about the problem. To be more clear, the situation looks like this. Phones use SIP; xlate output:
ASA1# sh xlate | i VoIP
UDP PAT from VoIP:10.0.20.1/5060 to outside:10.10.10.40/36197 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.2/5060 to outside:10.10.10.40/28564 flags ri idle 20:25:11 timeout 0:00:30
UDP PAT from VoIP:10.0.20.3/5060 to outside:10.10.10.40/15617 flags ri idle 20:25:11 timeout 0:00:30
The problem happens with a phone, which gets this translation:
ASA1# sh xlate | i 40/5060
UDP PAT from VoIP:10.0.20.10/5060 to outside:10.10.10.40/5060 flags ri idle 20:25:11 timeout 0:00:30
This phone can't do anything, but nothing is blocked here. I'm not sure why the problem exists, so I thought it would be possible to skip this translation.
Everything is okay with other apps, real source port PAT mapping works well...