Cisco ASA Pre 8.3 Port Forward

I am trying to port forward port 5060 on IP 1.2.3.4 to internal IP 192.168.0.6

I have tried everything with no luck

static (inside,outside) udp 192.168.0.6 5060 1.2.3.4 5060

Then I tried adding to the access-list cap

access-list cap extended permit udp any host 1.2.3.4 eq sip

Did wr m and nothing; cannot get the port opened.

This is a 5505 ASA with base license.


Thanks
desiredforsome Asked:
Ken Boone, Network Consultant, Commented:
So your static is backwards..

static (inside,outside) udp 1.2.3.4 5060 192.168.0.6 5060

So that is what I see is not right at the moment.

Make sure you issue clear xlate after entering this command.
0
desiredforsome, Author, Commented:
I get ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
0
Ken Boone, Network Consultant, Commented:
Yea didn't know it was the interface ip.. in that case you would do this:

static (inside,outside) udp interface 5060 192.168.0.6 5060
0
desiredforsome, Author, Commented:
So I have 1 public IP that I need to map to multiple internal IPs

for instance port 80 goes to 5.6.7.8
port 5060 goes to 7.8.9.9

all from when ip 1.2.3.4 gets hit.
0
desiredforsome, Author, Commented:
Does the ASA with pre 8.3 support mapping 1 public ip to multiple internal hosts?
0
Ken Boone, Network Consultant, Commented:
Yes you can do that with port mapping


So you could have:
static (inside,outside) udp interface 5060 192.168.0.6 5060
static (inside,outside) tcp interface 80 192.168.0.7 80
static (inside,outside) tcp interface 22 192.168.0.200 22
0
desiredforsome, Author, Commented:
I put it in; my port still shows closed. I have access-list set up but still no go.


access-list cap extended permit udp any host 1.2.3.4 eq sip
0
Ken Boone, Network Consultant, Commented:
Well, SIP is a special protocol and there might be an application inspection rule in your default policy map at the bottom of your config. As long as your access-list is applied to the outside interface it looks right. Test something going to a different port first before you worry about SIP.
0
desiredforsome, Author, Commented:
It is working where is only open when using it looks like.

Is there a way to open a range?

I have RTP ports I need to open.
0
Ken Boone, Network Consultant, Commented:
Look at the bottom of your config - do you see something like this?

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect icmp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp

If yes, do you have an "inspect sip" rule? If not, add it.
0

Pete Long, Technical Consultant, Commented:
>>Is there a way to open a range?

Not if you are port forwarding.


Pete
0
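The checks raised across this thread (static argument order, the `interface` keyword, an ACL actually applied to the outside interface, and `inspect sip`) can be run over a saved config with a small linter. This is an added example, not code from any poster or from Cisco; the function name `lint` and the sample config are constructed, and it assumes literal IPv4 addresses and only the ACE forms shown in the thread.

```python
import ipaddress
import re

# ASA prints some well-known ports by name; only the ones used here are mapped.
PORT_NAMES = {"sip": "5060", "www": "80", "ssh": "22", "https": "443"}
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)
# Only "permit <proto> any host X eq P" and "any interface X eq P" are read.
ACE_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any "
                    r"(?:host (\S+)|interface \S+) eq (\S+)", re.M)

# Constructed sample: reversed static, ACL "cap" never bound, no "inspect sip".
SAMPLE = """\
static (inside,outside) udp 192.168.0.6 5060 1.2.3.4 5060
access-list cap extended permit udp any host 1.2.3.4 eq sip
policy-map global_policy
 class inspection_default
  inspect ftp
"""


def lint(config, outside_ip):
    """Check pre-8.3 static PAT lines: static (real_if,mapped_if) proto mapped port real port."""
    findings = []
    bound = {ifc: acl for acl, ifc in GROUP_RE.findall(config)}
    aces = {(acl, proto, host or "interface", PORT_NAMES.get(port, port))
            for acl, proto, host, port in ACE_RE.findall(config)}
    for _, map_if, proto, mapped, mport, real, _ in STATIC_RE.findall(config):
        mport = PORT_NAMES.get(mport, mport)
        rule = f"{proto} {mapped} {mport} -> {real}"
        if mapped == outside_ip:
            findings.append(f"{rule}: use the 'interface' keyword, not the interface IP")
        elif mapped != "interface" and ipaddress.ip_address(mapped).is_private:
            findings.append(f"{rule}: mapped address is private, arguments look reversed")
        # Pre-8.3 ACLs on the mapped interface reference the mapped (public) address.
        dests = {outside_ip, "interface"} if mapped == "interface" else {mapped}
        acl = bound.get(map_if)
        if acl is None:
            findings.append(f"{rule}: no access-group applies an ACL to {map_if}")
        elif not any((acl, proto, d, mport) in aces for d in dests):
            findings.append(f"{rule}: ACL {acl} has no permit for {proto} port {mport}")
        if mport == "5060" and not re.search(r"^\s*inspect sip\b", config, re.M):
            findings.append(f"{rule}: 'inspect sip' is not in the policy map")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, "1.2.3.4")))
```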
Question has a verified solution.