namelkcip asked:

ASA Port Forwarding a Range

Why does it seem that Cisco makes it so difficult to forward a range of ports?  Or why can't I make a static NAT translation where the incoming port is dynamic, but the destination port is fixed?  Then again, maybe it can be done, but I haven't found a way.  Other firewall vendors make port forwarding a range a piece of cake.  Why not for Cisco?  I'm using an ASA5505.

Regards,
Scott
Pete Long

Cisco don't make it difficult - it simply cannot be done at all.
The whole stateful algorithm that the ASA is built on revolves around Port Address Translation - port forwarding requires a single PAT entry, and one needs doing for each port.
>> where the incoming port is dynamic, but the destination port is fixed

Cisco firewall OSes don't care what the source port is, all the PAT is concerned about is the destination port. For example, your server may generate a web request on a source port of 38299, but as long as the destination port is 80 you can write a PAT for it.

If you explain what you're trying to do I'm pretty sure someone can help you.
namelkcip (asker)

I am trying to expose the necessary voice ports for my phone system [Allworx] to a static outside public IP.  I tried performing a static one-to-one NAT with ACLs to permit traffic, but that didn't forward ports.  This is how it worked with my Netscreen firewall, and I thought a similar concept would apply to the ASA.  For example, my phone system needs ports 15000-15511 open in order to register to the SIP proxy.  I could not get it to register using the static one-to-one NAT with ACLs, but once I performed static NAT statements for each port individually, it worked.  Following that, I was not able to get a dial tone, and I may need to troubleshoot further with my VoIP proxy, but I figured with those ports open, as well as 5060 for call setup/tear down, I expected to at least get a dial tone.  Again, there is a list of ports that need to be open for this to work:

Outside - 66.162.x.x
Inside - 192.168.x.x

Forward ports:
UDP 5060
UDP 2088
UDP 15000-15511
UDP 16384-32767
TCP 8081

If anyone wants config posted, just let me know.

Regards,
Scott
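The following is an added example, not part of the thread and not Pete's or the poster's code. It renders the port list above as pre-8.3 ASA configuration in the two styles the thread is comparing: the per-port static PAT that Pete's first reply describes (one entry for every port), and the one-to-one static NAT plus ACL that the poster used on the Netscreen. The addresses (192.0.2.2, 192.168.1.10), the ACL name outside_access_in and the use of the pre-8.3 `static` syntax are my assumptions; an ASA5505 of that era typically ran 7.x/8.2, and 8.3 and later replaced `static` with object NAT.

```python
"""Added example (not from the thread): the port list in the post rendered as
pre-8.3 ASA configuration, two ways, so the size difference is visible.

Assumptions (mine, not the poster's): documentation-range placeholder
addresses, the ACL name outside_access_in, and the pre-8.3 'static' syntax.
"""
from typing import List, Tuple

# (protocol, first_port, last_port) copied from the post above.
PORTS: List[Tuple[str, int, int]] = [
    ("udp", 5060, 5060),
    ("udp", 2088, 2088),
    ("udp", 15000, 15511),
    ("udp", 16384, 32767),
    ("tcp", 8081, 8081),
]

# Constructed placeholders; substitute the real public and inside addresses.
PUBLIC_IP = "192.0.2.2"      # spare public address on the outside subnet
INSIDE_IP = "192.168.1.10"   # the Allworx PBX on the inside
ACL = "outside_access_in"    # inbound ACL applied to the outside interface


def acl_entry(proto: str, first: int, last: int,
              public_ip: str = PUBLIC_IP, acl: str = ACL) -> str:
    """One permit per port or range; the ACL grammar supports 'range'."""
    svc = f"eq {first}" if first == last else f"range {first} {last}"
    return f"access-list {acl} extended permit {proto} any host {public_ip} {svc}"


def acl_lines(ports: List[Tuple[str, int, int]],
              public_ip: str = PUBLIC_IP, acl: str = ACL) -> List[str]:
    """The inbound ACL is needed whichever NAT style is used."""
    lines = [acl_entry(p, f, l, public_ip, acl) for p, f, l in ports]
    lines.append(f"access-group {acl} in interface outside")
    return lines


def per_port_config(ports: List[Tuple[str, int, int]], public_ip: str = PUBLIC_IP,
                    inside_ip: str = INSIDE_IP, acl: str = ACL) -> List[str]:
    """Static PAT: one 'static' line per port, so a range of N ports costs N lines."""
    lines = []
    for proto, first, last in ports:
        for port in range(first, last + 1):
            lines.append(
                f"static (inside,outside) {proto} {public_ip} {port} "
                f"{inside_ip} {port} netmask 255.255.255.255"
            )
    return lines + acl_lines(ports, public_ip, acl)


def one_to_one_config(ports: List[Tuple[str, int, int]], public_ip: str = PUBLIC_IP,
                      inside_ip: str = INSIDE_IP, acl: str = ACL) -> List[str]:
    """One-to-one static NAT of a spare public address: the whole address is
    translated, so the ACL alone decides which ports are reachable from outside."""
    nat = f"static (inside,outside) {public_ip} {inside_ip} netmask 255.255.255.255"
    return [nat] + acl_lines(ports, public_ip, acl)


if __name__ == "__main__":
    for name, cfg in (("per-port static PAT", per_port_config(PORTS)),
                      ("one-to-one static NAT + ACL", one_to_one_config(PORTS))):
        print(f"{name}: {len(cfg)} lines")
        for line in cfg[:2] + ["..."] + cfg[-2:]:
            print("  " + line)
```

For this port list the per-port style comes to 16905 lines (16384 of them for the RTP range alone), against 7 for the one-to-one style, which is why a spare public address is the practical route on a 5505. The caveat with one-to-one static NAT is that the whole public address is translated to the PBX, so the inbound ACL is the only thing limiting what is exposed: make sure the access-group is applied to the outside interface and that the same ACL carries no broader permit. Separately, the default global policy on the ASA usually includes `inspect sip`, which rewrites SIP payloads and opens RTP pinholes on its own; it is a common thing to check when registration succeeds but there is no audio or dial tone.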
ASKER CERTIFIED SOLUTION
Pete Long

This solution is only available to members of Experts Exchange.
Pete -

I have a public Class C, so no problems with enough addresses.  However, in order to get this to work, would I then have to put a router in front of my ASA and use private addressing on my outside and inside interfaces and then route my Class C addresses through the firewall to their private internal destinations?  If that will work, I believe I'm all set.
No - I'm assuming you have one of those IP addresses on the outside of the ASA already? In that case, the code I posted above will work fine :)
Pete -

The outside interface is the .1 address of that public Class C, and the public address being used for the Allworx box is the first available (.2) on that same subnet.  If I am understanding that this is ok, I had already tried the static NAT with ACL and it didn't work.  I think I need to try again.  I have to wait until downtime tomorrow.  Can't futz with it during the week.
>> If I am understanding that this is ok,
Yes :)
Still working at it ...
Commands didn't translate 100% to the ASA, but that's what IOS help is for.  Thanks Pete.
ThanQ