[c-nsp] NAT and PAT on ASA

Oddiraju, Kiran @ London SMC Kiran.Oddiraju at cbre.com
Thu Jul 23 11:39:49 EDT 2009 

Hi Guys,

With your help I was able to register my SIP phones with Cisco
CallManager but I have a problem here. When the externally registered
SIP phone calls an internal phone and when I press the answer button the
call immediately gets disconnected. I have the below config on my ASA
5505:

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any host
80.90.100.116 echo
access-list outside_access_in extended permit tcp any host 80.90.100.116
eq www
access-list outside_access_in extended permit tcp any host 80.90.100.116
eq https
access-list outside_access_in extended permit tcp any host 80.90.100.116
eq sip
access-list outside_access_in extended permit icmp any host
80.90.100.115 echo
access-list outside_access_in extended permit tcp any host 80.90.100.115
eq www
access-list outside_access_in extended permit tcp any host 80.90.100.115
eq https
access-list outside_access_in extended permit tcp any host 80.90.100.115
eq sip
access-list outside_access_in extended permit tcp any host 80.90.100.115
eq 2749
access-list outside_access_in extended permit tcp any host 80.90.100.114
eq ldap
access-list outside_access_in extended permit icmp any host
80.90.100.114 echo
access-list outside_access_in extended permit udp any host 80.90.100.116
eq sip
access-list outside_access_in extended permit udp any host 80.90.100.115
eq sip
access-list outside_access_in extended permit udp any host 80.90.100.115
eq tftp
access-list outside_access_in extended permit tcp any host 80.90.100.115
eq 69
access-list outside_access_in extended permit tcp any host 80.90.100.115
eq ctiqbe
access-list outside_access_in extended permit tcp any host 80.90.100.116
eq 5061
access-list outside_access_in extended permit tcp any host 80.90.100.116
eq 5062
access-list outside_access_in extended permit tcp any host 80.90.100.116
eq 5070
access-list outside_access_in extended permit tcp any host 80.90.100.115
eq 5070
access-list outside_access_in extended permit tcp any host 80.90.100.115
eq 5061
access-list outside_access_in extended permit tcp any host 80.90.100.115
eq 5062
access-list outside_access_in extended permit udp any host 80.90.100.115
eq 5062
access-list outside_access_in extended permit udp any host 80.90.100.116
eq 5062
access-list outside_access_in extended permit udp any host 80.90.100.116
eq 5061
access-list outside_access_in extended permit udp any host 80.90.100.115
eq 5061
access-list inside_access_in extended permit ip any any

global (outside) 2 interface
global (outside) 1 80.90.100.116
nat (inside) 1 192.168.0.130 255.255.255.255
nat (inside) 2 0.0.0.0 0.0.0.0

static (inside,outside) 80.90.100.116 192.168.0.130 netmask
255.255.255.255
static (inside,outside) 80.90.100.115 192.168.0.125 netmask
255.255.255.255
static (inside,outside) 80.90.100.114 192.168.0.250 netmask
255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 80.90.100.118 1

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0e1ff8af778c5350ccc07a401427687c
: end

Thanks,
Kiran

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran
@ London SMC
Sent: 22 July 2009 12:24
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT and PAT on ASA

Hi Ryan,

I have the below config in the protocol inspection rules, do you think
this is enough?

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!


Many thanks,
Kiran

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com] 
Sent: 22 July 2009 09:47
To: Oddiraju, Kiran @ London SMC
Cc: cisco-nsp at puck.nether.net
Subject: RE: NAT and PAT on ASA

Kiran,

That's right.  If you run into issues trying to pass SIP through your
firewall, you may need to look at the default service policy.  There are
some protocol inspection rules enabled by default that might affect the
passing of SIP traffic.

-ryan

-----Original Message-----
From: Oddiraju, Kiran @ London SMC [mailto:Kiran.Oddiraju at cbre.com] 
Sent: Wednesday, July 22, 2009 4:38 AM
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: RE: NAT and PAT on ASA

Hey Ryan,

That seems to be working, thanks. So if I want to allow more ports we do
it the same way right?

access-list myaccesslist ext permit tcp any host 58.66.76.88 eq SIP
access-list myaccesslist ext permit upd any host 58.66.76.88 eq SIP

Thanks,
Kiran


-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com] 
Sent: 21 July 2009 19:48
To: Oddiraju, Kiran @ London SMC; cisco-nsp at puck.nether.net
Subject: RE: NAT and PAT on ASA

static (inside,outside) 58.66.76.88 192.168.0.100
show run access-group
take note of the acl to the outside interface, ACLs are on the ASA are
inbound.
access-list <myaccesslist> ext permit icmp any host 58.66.76.88 echo
access-list <myaccesslist> ext permit tcp any host 58.66.76.88 eq www

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran
@ London SMC
Sent: Tuesday, July 21, 2009 2:09 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT and PAT on ASA

Guys,

 

I am new to the ASA world, I have a bunch of external IP's from the ISP
and I have an inside host that I want to access externally. How do I
translate an inside ip (192.168.0.100) to an outside address
(58.66.76.88) on the ASA? I should be able to ping and www from outside
world to my inside host. Please let me know how to accomplish this.

 

Many thanks,

K


CB Richard Ellis Limited, Registered Office: St Martin's Court, 
10 Paternoster Row, London, EC4M 7HP, registered in England and Wales
No. 3536032. 
Regulated by the RICS and an appointed representative of CB Richard
Ellis 
Indirect Investment Services Limited which is authorised and regulated
by the Financial Services Authority.

This communication is from CB Richard Ellis Limited or one of its 
associated/subsidiary companies. This communication contains information

which is confidential and may be privileged. If you are not the intended
recipient, 
please contact the sender immediately. Any use of its contents is
strictly prohibited 
and you must not copy, send or disclose it, or rely on its contents in
any way whatsoever. 
Reasonable care has been taken to ensure that this communication 
(and any attachments or hyperlinks contained within it) is free from
computer viruses. 
No responsibility is accepted by CB Richard Ellis Limited or its
associated/subsidiary 
companies and the recipient should carry out any appropriate virus
checks.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
CB Richard Ellis Limited, Registered Office: St Martin's Court, 
10 Paternoster Row, London, EC4M 7HP, registered in England and Wales
No. 3536032. 
Regulated by the RICS and an appointed representative of CB Richard
Ellis 
Indirect Investment Services Limited which is authorised and regulated
by the Financial Services Authority.

This communication is from CB Richard Ellis Limited or one of its 
associated/subsidiary companies. This communication contains information

which is confidential and may be privileged. If you are not the intended
recipient, 
please contact the sender immediately. Any use of its contents is
strictly prohibited 
and you must not copy, send or disclose it, or rely on its contents in
any way whatsoever. 
Reasonable care has been taken to ensure that this communication 
(and any attachments or hyperlinks contained within it) is free from
computer viruses. 
No responsibility is accepted by CB Richard Ellis Limited or its
associated/subsidiary 
companies and the recipient should carry out any appropriate virus
checks.


CB Richard Ellis Limited, Registered Office: St Martin's Court, 
10 Paternoster Row, London, EC4M 7HP, registered in England and Wales
No. 3536032. 
Regulated by the RICS and an appointed representative of CB Richard
Ellis 
Indirect Investment Services Limited which is authorised and regulated
by the Financial Services Authority.

This communication is from CB Richard Ellis Limited or one of its 
associated/subsidiary companies. This communication contains information

which is confidential and may be privileged. If you are not the intended
recipient, 
please contact the sender immediately. Any use of its contents is
strictly prohibited 
and you must not copy, send or disclose it, or rely on its contents in
any way whatsoever. 
Reasonable care has been taken to ensure that this communication 
(and any attachments or hyperlinks contained within it) is free from
computer viruses. 
No responsibility is accepted by CB Richard Ellis Limited or its
associated/subsidiary 
companies and the recipient should carry out any appropriate virus
checks.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
CB Richard Ellis Limited, Registered Office: St Martin's Court, 
10 Paternoster Row, London, EC4M 7HP, registered in England and Wales No. 3536032. 
Regulated by the RICS and an appointed representative of CB Richard Ellis 
Indirect Investment Services Limited which is authorised and regulated by the Financial Services Authority.

This communication is from CB Richard Ellis Limited or one of its 
associated/subsidiary companies. This communication contains information 
which is confidential and may be privileged. If you are not the intended recipient, 
please contact the sender immediately. Any use of its contents is strictly prohibited 
and you must not copy, send or disclose it, or rely on its contents in any way whatsoever. 
Reasonable care has been taken to ensure that this communication 
(and any attachments or hyperlinks contained within it) is free from computer viruses. 
No responsibility is accepted by CB Richard Ellis Limited or its associated/subsidiary 
companies and the recipient should carry out any appropriate virus checks.

More information about the cisco-nsp mailing list