Configuring PAT for VoIP got a Turn Up today!!!

khayes1984
Level 1

Good Morning all,

I have a question: I've researched around the internet to find the CLI commands to open ports TCP 5060/5061 and UDP ports 1024 to 65535 to my SIP provider. I'm a voice guy, so I'm VERY new to security and I would like some assistance.

I'm using an ASA 5505, and below is my show run:

------------------ show running-config ------------------

: Saved

:

ASA Version 8.3(2)

!

hostname ECSASA-5505

domain-name hostedatandvoice.local

enable password <removed>

passwd <removed>

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface Ethernet0/0

description COMCAST

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

banner exec EnterCloud Solutions ASA

banner login AAA is enabled, Local access has been restricted to local Administrators and Engineers of ECS, LLC.

banner motd EnterCloud Solutions ASA Applicance.  Unauthorized users will be logged and flagged for unauthorized access. IP's are tracked and logged and will be reported to local State and Federal agencies.

banner motd Contact security@hostedatandvoice.com for additional help or support.

banner asdm WELCOME TO ECS ASA 5505 SECURITY APPLICANCE!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name hostedatandvoice.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network Internet

subnet 0.0.0.0 0.0.0.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

object service NTP

service tcp source eq 123 destination eq 123

description Time Clock     

object network STATIC-PAT

subnet 192.168.1.0 255.255.255.0

object network VPN-Pool

subnet 190.168.10.0 255.255.255.240

description VPN IP Address    

object network SSL-VPN-POOL

description SSL-VPN-POOL   

object network SSL-VPN-POOL1

object network SSL-VPN-NET1

subnet 192.168.10.0 255.255.255.240

object network outside_to_inside_VoIP

host 192.168.1.8

object-group network PRIVATE-LAN

network-object 192.168.1.0 255.255.255.0

object-group network SSL-VPN-NETWORKS

description SSL VPN NETWORKS

object-group network VPN-NETWORK

network-object object SSL-VPN-NET1

access-list OUTSIDE-IN extended permit udp any object STATIC-PAT eq ntp

access-list ECSSLVPN remark Allow VPN Access to LAN

access-list ECSSLVPN standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffer-size 1000000

logging buffered debugging

logging asdm debugging

mtu inside 1500

mtu outside 1500

ip local pool VPN-Pool 192.168.10.1-192.168.10.12 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static PRIVATE-LAN PRIVATE-LAN destination static VPN-NETWORK VPN-NETWORK

!

object network STATIC-PAT

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 192.168.10.0 255.255.255.255 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

email security@hostedatandvoice.com

subject-name CN=ESCASA-5505

ip-address x.x.x.x

keypair ECS-KP

proxy-ldc-issuer

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 59203f51

    308202a8 30820211 a0030201 02020459 203f5130 0d06092a 864886f7 0d010105

    05003066 31143012 06035504 03130b45 53434153 412d3535 3035314e 301b0609

    2a864886 f70d0109 08130e35 302e3139 342e3234 352e3138 35302f06 092a8648

    86f70d01 09021622 45534341 53412d35 3530352e 686f7374 65646174 616e6476

    6f696365 2e6c6f63 616c301e 170d3133 30333132 31333233 34375a17 0d323330

    33313031 33323334 375a3066 31143012 06035504 03130b45 53434153 412d3535

    3035314e 301b0609 2a864886 f70d0109 08130e35 302e3139 342e3234 352e3138

    35302f06 092a8648 86f70d01 09021622 45534341 53412d35 3530352e 686f7374

    65646174 616e6476 6f696365 2e6c6f63 616c3081 9f300d06 092a8648 86f70d01

    01010500 03818d00 30818902 818100dd 432f3bbc 24f0329f 81f0faea 27555dd6

    972dfcc0 697dd74b 8ebdfe7a b7adb611 a97b3881 baef9373 d6442571 7da6d0b1

    f74e9ff9 6602d832 6a092719 2460ecb1 0088a4f0 fbf0c2b0 13586c87 c23d69b2

    08525422 f66e735c 46f3b3c8 d3f41c21 5a204fea cd798c7b e15c018a 6f6d344d

    de24ac87 12cc69a7 b07023a4 302a0702 03010001 a3633061 300f0603 551d1301

    01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23

    04183016 80149724 66a81b45 e402da6f f9e47a87 6c01af08 5476301d 0603551d

    0e041604 14972466 a81b45e4 02da6ff9 e47a876c 01af0854 76300d06 092a8648

    86f70d01 01050500 03818100 517b691a 285b035e 5e4ffaba 02467a5a 45d1d4fd

    0e39838d caf77bf1 4cc2f5a6 2fefb926 d0a2fdc4 ebabc75a 28380c06 60df23ee

    8be72ddc b3587956 1eb1df89 d7b4293a ad0db500 bf651885 0a44ba2c 4b94f8ce

    e27b8242 4abead6b a1af0468 5ed4a8ef 013f2d08 59df2f2e e6afcc21 2df6bbd0

    a1f15a01 4ba8960a ec9771bb

  quit

crypto isakmp enable outside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd dns 4.2.2.2 8.8.1.1

dhcpd domain hostedatandvoice.local

!

dhcpd address 192.168.1.12-192.168.1.130 inside

dhcpd dns 4.2.2.2 8.8.1.1 interface inside

dhcpd domain hostedatandvoice.com interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 199.249.224.123 source outside prefer

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

svc image disk0:/anyconnect-win-3.0.11042-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2

svc enable

group-policy DfltGrpPolicy attributes

dns-server value 4.2.2.2

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ECSSLVPN

default-domain value hostedatandvoice.local

split-dns value hostedatandvoice.com

address-pools value VPN-Pool

webvpn

  svc ask enable default webvpn

username khayes password <removed> privilege 15

username mharrell password <removed> privilege 15

username bdillard password <removed> privilege 15

username skonti password <removed> privilege 15

tunnel-group ECSSLVPN type remote-access

tunnel-group ECSSLVPN general-attributes

address-pool VPN-Pool

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:977f2a92875a8c744753124c94adbb09

: end

8 Replies

khayes1984
Level 1

Anyone?

julomban
Level 3

Hey Kenneth,

Please include more details such as where is your SIP provider, what is the traffic flow.

By default, there is an implicit permit from a higher security interface (100) to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface.

From lower to higher you need access list and NAT (which in that case you need ACL opening SIP port and range).

Regards,

Juan Lombana

Please rate helpful posts.

Traffic Flow as follows:

ITSP->Comcast->ASA 5505->CUBE->CUCM

Kenneth,

You need to allow inbound traffic through the ASA. For this, since you are coming from the Internet (lower to higher), you need a one-to-one NAT and an access list:

object network CUCM_Private
 description SIP endpoint behind the ASA (real address)
 host x.x.x.x
 nat (inside,outside) static y.y.y.y
!
access-list outside_access_in remark ASA 8.3+: the ACL matches the real (inside) address, not the mapped one
access-list outside_access_in extended permit tcp any host x.x.x.x eq 5060
access-list outside_access_in extended permit tcp any host x.x.x.x eq 5061
access-list outside_access_in remark media range is UDP (RTP), as asked in the question
access-list outside_access_in extended permit udp any host x.x.x.x range 1024 65535
access-group outside_access_in in interface outside

Replace the x.x.x.x with the CUCM manager IP address and the y.y.y.y with a public IP on your outside interface.

Please be aware that you need a public IP other than your outside interface's address; it must be another address in the same range as the outside interface.

Regards,

Juan Lombana

I have one public IP.

The public IP of the carrier or my static IP?

Kenneth,

If that's the case, you can use a range of ports and create a NAT using your outside interface IP.

object network CUCM_Private
 description SIP endpoint behind the ASA (real address)
 host 10.10.10.10
!
object service Range_1024_65535
 description RTP media range, UDP
 service udp source range 1024 65535
object service SIP_range
 description SIP signalling
 service tcp source range 5060 5061
!
nat (inside,outside) source static CUCM_Private interface service Range_1024_65535 Range_1024_65535
nat (inside,outside) source static CUCM_Private interface service SIP_range SIP_range
!
access-list outside_access_in remark ASA 8.3+: the ACL matches the real (inside) address
access-list outside_access_in extended permit tcp any object CUCM_Private eq 5060
access-list outside_access_in extended permit tcp any object CUCM_Private eq 5061
access-list outside_access_in remark media range is UDP (RTP), matching the service object above
access-list outside_access_in extended permit udp any object CUCM_Private range 1024 65535
access-group outside_access_in in interface outside

Take into consideration that I am using different IP addresses; please use the corresponding IPs.

Hope it helps,

Juan Lombana

ERROR: NAT unable to reserve ports.

That's what I got.
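Both suggestions above try to reserve UDP 1024-65535 on the single outside address, which is the request the ASA rejected with "NAT unable to reserve ports". The following is an added worked example written by the editor; it is not configuration posted by anyone in this thread. It assumes the SIP device behind the ASA is the host 192.168.1.8 already defined as object outside_to_inside_VoIP in the running config, that the ASA keeps its one public address on the outside interface, that the ITSP sends SIP from 203.0.113.0/24 (a placeholder; substitute the addresses the provider publishes), and that CUBE uses the IOS default RTP range 16384-32767. It static-PATs only the signalling ports, scopes the inbound ACL to the provider instead of any, binds the ACL (neither OUTSIDE-IN nor outside_access_in is applied with access-group anywhere in the posted config, so neither has any effect), and relies on the inspect sip already present in global_policy to open the RTP pinholes from the SDP, so no static PAT of a media range is needed at all.

```cisco
! Added example (technical editor), not from any post in this thread.
! Assumed: inside SIP host 192.168.1.8, ITSP 203.0.113.0/24 (placeholder),
! CUBE RTP range 16384-32767 (IOS default; match it to the CUBE config).
!
object network ITSP_SIGNALING
 description SIP trunk provider addresses (placeholder, replace)
 subnet 203.0.113.0 255.255.255.0
!
! Object NAT allows one static translation per object, so one object per
! port. Only signalling is pinned to the interface address; media pinholes
! are created by SIP inspection when the INVITE/200 OK SDP is seen.
object network CUBE_SIP_TCP
 description CUBE SIP over TCP
 host 192.168.1.8
 nat (inside,outside) static interface service tcp 5060 5060
object network CUBE_SIP_UDP
 description CUBE SIP over UDP
 host 192.168.1.8
 nat (inside,outside) static interface service udp 5060 5060
object network CUBE_SIPS_TCP
 description CUBE SIP over TLS
 host 192.168.1.8
 nat (inside,outside) static interface service tcp 5061 5061
!
! ASA 8.3+ ACL semantics: match the real (inside) address, not the mapped one.
! Source is the ITSP only; 'any' would expose the SIP stack to every scanner.
access-list OUTSIDE-IN remark SIP signalling from the ITSP to CUBE only
access-list OUTSIDE-IN extended permit tcp object ITSP_SIGNALING object outside_to_inside_VoIP eq 5060
access-list OUTSIDE-IN extended permit udp object ITSP_SIGNALING object outside_to_inside_VoIP eq 5060
access-list OUTSIDE-IN extended permit tcp object ITSP_SIGNALING object outside_to_inside_VoIP eq 5061
access-group OUTSIDE-IN in interface outside
!
! The posted config opens SSH and ASDM/HTTPS to 0.0.0.0/0 on the outside
! interface; restrict both to the VPN pool or to known admin addresses.
no ssh 0.0.0.0 0.0.0.0 outside
no http 0.0.0.0 0.0.0.0 outside
ssh 192.168.10.0 255.255.255.240 outside
http 192.168.10.0 255.255.255.240 outside
!
! Verification after applying (x.x.x.x is the outside interface address):
! show nat detail
! show xlate
! packet-tracer input outside tcp 203.0.113.10 5060 x.x.x.x 5060 detailed
! packet-tracer input outside udp 203.0.113.10 5060 x.x.x.x 5060 detailed
! show service-policy inspect sip
! show conn protocol udp address 192.168.1.8
```

The packet-tracer runs should end in ALLOW with the NAT phase showing the object NAT entry; a DROP in the ACCESS-LIST phase usually means the ACL was written against the mapped address. During a test call, show conn should list UDP connections to 192.168.1.8 in the 16384-32767 range that no ACL line permitted; those are the inspection pinholes. If the provider's SIP ALG behaviour forces you to turn off inspect sip, then the ASA no longer rewrites SDP or opens media pinholes, and you would need both an ACL line and a static PAT for the real RTP range, narrowed to 16384-32767 rather than 1024-65535, which is what the reservation error was about.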
