
Pix 501 w/ Vonage

bkaren1278
Level 1

I have a 501 off a Comcast cable connection. I currently have 1 NAT only for FTP to a single server.

Vonage specifies that I must open the following to its phone device:

SIP ports 5060 through 5061 using UDP protocol

NTP port 123 using UDP protocol

TFTP port 69 using UDP protocol

DNS port 53 using UDP protocol

RTP ports 10,000 through 20,000 using UDP protocol

What is the simplest way to NAT port ranges (i.e. RTP 10,000-20,000)? Surely I cannot create 10,000 static entries.


nkhawaja
Cisco Employee

A range can't be specified in static, so we need to see if a workaround can be applied.

Do you have the IP address of the Vonage servers?

I think we can use policy static

e.g.

access-list 100 deny tcp host yourftpserver any eq ftp

access-list 100 permit udp host yourvonage range 5050 5061 any

access-list 100 permit udp host yourvonage range 10000 20000 any

access-list 100 permit udp host eq 69 yourvonage any

access-list 100 permit udp host yourvonage eq 123 any

access-list 100 permit udp host yourvonage eq 53 any

static (inside,outside) publicip privateip access-list 100

thanks

Nadeem
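
An added example, not part of the thread and not Cisco tooling: a Python check that parses the ACL lines as posted in the reply above and compares the permitted UDP ports with the list Vonage gives in the question. The parser is a simplified model that covers only the `host`/`any` and `eq`/`range` forms used in this thread; the function names are hypothetical.

```python
# UDP ports Vonage requires, as listed in the question above.
REQUIRED_UDP = {"SIP": (5060, 5061), "NTP": (123, 123), "TFTP": (69, 69),
                "DNS": (53, 53), "RTP": (10000, 20000)}

# ACL lines exactly as posted in the reply (placeholder host names kept).
ACL = """\
access-list 100 deny tcp host yourftpserver any eq ftp
access-list 100 permit udp host yourvonage range 5050 5061 any
access-list 100 permit udp host yourvonage range 10000 20000 any
access-list 100 permit udp host eq 69 yourvonage any
access-list 100 permit udp host yourvonage eq 123 any
access-list 100 permit udp host yourvonage eq 53 any
"""

def parse(line):
    """Return (action, proto, src_ports, dst_ports), or None if malformed."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    i, ports = 4, []
    for _ in range(2):  # source address/ports, then destination
        if i < len(t) and t[i] == "any":
            i += 1
        elif i + 1 < len(t) and t[i] == "host" and t[i + 1] not in ("eq", "range"):
            i += 2
        else:
            return None
        width = {"eq": 1, "range": 2}.get(t[i]) if i < len(t) else None
        if width and i + width >= len(t):
            return None  # operator without its port argument(s)
        ports.append((t[i + 1], t[i + width]) if width else None)
        i += width + 1 if width else 0
    return (t[2], t[3], *ports) if i == len(t) else None

def audit(acl_text):
    """Return (malformed_lines, extra_udp_ports, unmet_services)."""
    required = {p for lo, hi in REQUIRED_UDP.values() for p in range(lo, hi + 1)}
    malformed, permitted = [], set()
    for line in acl_text.splitlines():
        rule = parse(line)
        if rule is None:
            malformed.append(line)
        elif rule[:2] == ("permit", "udp"):
            for lo, hi in filter(None, rule[2:]):  # numeric ports assumed
                permitted.update(range(int(lo), int(hi) + 1))
    unmet = [name for name, (lo, hi) in REQUIRED_UDP.items()
             if not set(range(lo, hi + 1)) <= permitted]
    return malformed, sorted(permitted - required), unmet
```

Run over the posted lines, `audit(ACL)` reports the `eq 69` entry as not matching the address/port grammar, UDP 5050 through 5059 as permitted beyond the stated SIP range, and TFTP as not covered by any well-formed entry.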

Thanks for the reply.

How come UDP 69 is on the source rather than the target like the rest of them?

Also, this is on a cable modem so it's a dynamic outside IP. Should I just add the remaining access-list entries to the existing ACL?

This access-list is for static translation, not for access-group application.

I think it should work as it is.

Since the PIX is behind a cable modem it would have to NAT to the outside interface address.

How do I make this change?

Currently I have this for my FTP server:

static (inside,outside) tcp interface ftp 192.168.151.10 ftp netmask 255.255.255.255 0 0

which would be easy to replicate if I didn't have large port ranges.

Any advice?

Leave the first static as it is and add the other static like this:

static (inside,outside) interface access-list 100

Causes this message which disables my connectivity as well

WARNING: mapped-address conflict with existing static

tcp from inside:192.168.151.10/21 to outside:192.168.15.100/21 netmask 255.255.255.255
