Unable to add ports to forward SIP UDP and RTP 10000-20000

rlaf
Level 1

This is what I am trying to add...
 

object network voice-sip-tcp
 host 192.168.1.65
 nat (inside,outside) static interface service tcp sip sip

^^^ this was successful!

object network voice_sip_udp
 host 192.168.1.65
 nat (inside,outside) static interface service udp sip sip


^^^ this resulted in: ERROR: NAT unable to reserve ports.

 

object service rtp_ports
 service udp source range 10000 20000
object network voice_inside
 host 192.168.1.65

^^^ Success!

nat (inside,outside) source static voice_inside interface service rtp_ports rtp_ports

^^^ this resulted in: ERROR: NAT unable to reserve ports.

Here is the full config:

: Saved
:
ASA Version 8.4(5)
!
hostname xxx-gw
domain-name office.xxx.local
enable password xxx encrypted
passwd xxx encrypted
names
name 192.168.1.9 thunder
name 192.168.1.21 carol
name 192.168.1.55 konica
name 192.168.1.23 dannielle
name 192.168.1.25 brittany
name 192.168.1.24 jeanie
name 192.168.1.65 phonesystem
name 192.168.1.2 wifirouter
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx 255.255.255.248
!
interface Vlan3
 description dmz
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server thunder
 name-server xxx
 name-server xxx
 domain-name office.xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1
 subnet 192.168.1.0 255.255.255.0
object network xxx_PHONE_SERVER
 host 192.168.1.65
object service TCP_TO_xxx
 service tcp destination eq 44
object service UDP_TO_xxx
 service udp destination eq 44
object service xxx_SSH
 service tcp source eq ssh
object service tcp_44
 service tcp source eq 44
object network voice-sip-tcp
 host 192.168.1.65
object network voice_sip_udp
 host 192.168.1.65
object network voice_inside
 host 192.168.1.65
object service rtp_ports
 service udp source range 10000 20000
object-group network VPN-POOLS
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.101.0 255.255.255.0
access-list FROM-INTERNET extended permit icmp any any echo
access-list FROM-INTERNET extended permit icmp any any echo-reply
access-list FROM-INTERNET extended permit icmp any any time-exceeded
access-list FROM-INTERNET extended permit icmp any any unreachable
access-list FROM-INTERNET extended permit udp any eq domain any log
access-list FROM-INTERNET extended permit ip any any log
access-list FROM-INTERNET extended permit tcp any object xxx_PHONE_SERVER eq ssh
access-list FROM-INTERNET extended permit udp any any eq sip
access-list FROM-INTERNET extended permit tcp any any eq sip
access-list FROM-INTERNET extended permit udp any any range 10000 20000
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-SPLIT remark Corporate LAN
access-list VPN-SPLIT standard permit 192.168.1.0 255.255.255.0
access-list VPN-CAP extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-CAP extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool VPN-POOL 192.168.100.240-192.168.100.250
ip local pool SSLVPN-POOL 192.168.101.240-192.168.101.250
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-192.168.1 obj-192.168.1 destination static VPN-POOLS VPN-POOLS
!
object network obj_any
 nat (inside,outside) dynamic interface
object network AYS_PHONE_SERVER
 nat (inside,outside) static interface service tcp ssh 44
object network voice-sip-tcp
 nat (inside,outside) static interface service tcp sip sip
access-group FROM-INTERNET in interface outside
route outside 0.0.0.0 0.0.0.0 23.31.109.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location tele-closet
snmp-server contact itadmin@xxx.com
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set WINMAC-VPN esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set WINMAC-VPN mode transport
crypto ipsec ikev1 transform-set IPSEC-VPN esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map OUTSIDE_VPN_MAP 20 set ikev1 transform-set WINMAC-VPN IPSEC-VPN
crypto map VPN-TUNNEL 65535 ipsec-isakmp dynamic OUTSIDE_VPN_MAP
crypto map VPN-TUNNEL interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.xxx.com
 subject-name CN=sslvpn.xxx.com
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca  
      xxxxxx
  quit
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 45
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd dns xxxxx
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxxx
ssl trust-point localtrust outside
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value xxxxx
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLIT
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 dns-server value xxxxxx
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLIT
username asa password DFQtD4MVvSnK9rG3 encrypted privilege 15
username carol.mccauley password xxxxxx nt-encrypted privilege 15
username carol.mccauley attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol ikev1 l2tp-ipsec
username dannielle.shifflett password xxxxxx nt-encrypted privilege 15
username dannielle.shifflett attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol ikev1 l2tp-ipsec
username pete.akey password xxxxx nt-encrypted privilege 15
username pete.akey attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol ikev1 l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy IPSEC-VPN
tunnel-group IPSEC-VPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group IPSEC-VPN ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  no dns-guard
  no protocol-enforcement
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:xxxxxx
: end

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

I think these ports must already be in use by translations on the ASA device for the interface IP, created by this statement:

object network obj_any
 nat (inside,outside) dynamic interface

If you would like to forward all these ports on the ASA from the interface IP, you might have to clear the xlate table first and then apply this static NAT statement.

This should be the same for UDP port 5060.

You can use these commands to check:

show xlate global <Outside interface IP>

show conn port 5060-5061

Thanks and Regards,

Vibhor Amrodia

OK, thanks! This was very helpful. I could get the SIP UDP port to work by:

- turning off the phone server

- clear xlate

- object network voice_sip_udp
    nat (inside,outside) static interface service udp sip sip

However, I cannot clear the xlates and connections fast enough to apply this:

 - nat (inside,outside) source static voice_inside interface service rtp_ports rtp_ports

I still get the "ERROR: NAT unable to reserve ports."

Hi,

This would be difficult to implement on the ASA device, as you would already have a lot of xlates using the range 10000-20000.

I think the best way to apply this would be to break this range into smaller parts, for example 10000-15000, and see if that works. But it would still be difficult.

Is there any specific reason for doing this on the ASA device?

Thanks and Regards,

Vibhor Amrodia
