Need assistance with ports for Softphones

Greetings,

I was forced to replace my firewall last week because it went belly up. I tried to configure the new one (Cisco ASA 5500) as closely as possible to the old one. I am running into a few issues, one of which is that I have two users with soft phones. The Cisco will not allow me to translate two disparate outside ports to the same inside IP and port. It balks at the duplicate IP and port. The old firewall apparently was able to handle this task.

The old rules looked like this:

from any ip using udp 9901 to my outside IP, translate to Asterisk server IP UDP port 4569.
from any ip using udp 9970 to my outside IP, translate to Asterisk server IP UDP port 4569.

Is there a way to set this up in the Asterisk box? Obviously it’s already set up for port 4569. Is this hard coded? Can I have more than one?

I need to get both of my soft phones to work with the Asterisk box (and probably a few more).

Any help you can provide would be much appreciated.

Thanks

P…

I’ve worked with many firewalls (Cisco PIX, Cisco ASA, Check Point, etc.) and NEVER seen one that will allow a many-to-one PAT translation; the reasoning has more to do with tracking packets and sequencing traffic properly than anything else. More important, WHY have more than one when you can have both external sources hit the same port to begin with, since you decided to use non-standard ports?

Hi fskrotzki (again). Thanks for the reply.

The old firewall was Smoothwall Express 3.0. I have a screen shot of the rules in question. But it is not my intent to argue or defend. I was thrown into the sys admin position without any warning or knowledge transfer, so I am learning as I go. I am in a quandary and need to get my other users with softphones connected to the Asterisk system via the ASA. The only thing I have to go by is what the previous firewall rules were (because I know they worked). That said, do you have another solution I could use with the ASA to allow more than one softphone to access the Asterisk system? I do not have a large understanding of the Asterisk system.

Slightly off topic, last weekend I had both days free and was going to load the current version of trixbox on an old server I had lying around at home to get a little more familiar with the systems. Before the install, the box powered up to Ubuntu fine, then 5 minutes later died. Bad power supply. I never got around to loading trixbox. I have a power supply being shipped to me as we speak. As soon as it comes in I am going to load up trixbox and see if I can’t get a better grasp of how the systems work.

In the meantime, I could certainly use some help and advice in getting my other soft phones to work via the ASA. I’m no Cisco guru, but I can get around in the ASA OK. Some of the items were set up in the ASA before I got here… In the ASA I have a few objects, an access list and a static NAT rule. They look like this.

object-group service Asterisk_UDP udp
description Sip & Trunk UDP Ports
port-object eq 4569
port-object eq sip
port-object range 10000 20000

access-list outside_access_in remark Sip & Trunk UDP Ports to Asterisk1
access-list outside_access_in extended permit udp any host 74.220.230.142 object-group Asterisk_UDP
access-list outside_access_in remark Asterisk1 SSH
access-list outside_access_in extended permit tcp any host 74.220.230.142 eq 25550
access-list outside_access_in remark Asterisk1 Signal port
access-list outside_access_in extended permit tcp any host 74.220.230.142 eq sip

access-list outside_access_in remark Don M Softphone
access-list outside_access_in extended permit udp any host 74.220.230.142 eq 9901

access-list outside_access_in remark Maury Soft Phone
access-list outside_access_in extended permit udp any host 74.220.230.142 eq 9970

access-list outside_access_in remark Sip & Trunk UDP Ports to Asterisk1
access-list outside_access_in remark Asterisk1 SSH
access-list outside_access_in remark Asterisk1 Signal port

nat (inside) 10 Asterisk1 255.255.255.255

static (inside,outside) udp interface sip Asterisk1 sip netmask 255.255.255.255
static (inside,outside) udp interface 9901 Asterisk1 4569 netmask 255.255.255.255

static (inside,outside) tcp interface 2567 Asterisk1 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 8088 Asterisk1 www netmask 255.255.255.255

static (inside,outside) udp interface 9970 Asterisk1 4569 netmask 255.255.255.255

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

I realize this is not a Cisco forum, but since these entries pertain to my Asterisk machine, I thought it would be OK to post them.

Thanks for any help you can provide.

P…

You should be able to combine all the connections using IAX externally to one port. The only reason I can see for using two ports would be different configuration settings for a given connection. If that were the case you’d have to have two IAX ports set up on the server.

I’d figure out which one is getting the most connections, and reconfigure all the external ones using the other port to use the other instead (I hate that sentence, but you get what I mean). Tracing could be a nightmare otherwise. If it were me I’d reconfigure all externals to use the default port (4569) instead, as it’s less management in the end, and reconfigure the ASA to just do straight NAT instead of NAT and PAT.

It looks like your previous admin thought that picking random ports was a good hiding technique, which used to work but these days really doesn’t (your port 8088 to port 80 is another common example; other common ones for that are 8080 and 8888). Commonly called security by obscurity.

You don’t say which softphone client you are using, but the IAX/IAX2 protocol (just like the SIP protocol) can support multiple connections from different remote sources using just one port. So since you can’t do what the old firewall did, you’ll have to do some conversion anyway.

At the same time, this line is useless: access-list outside_access_in extended permit tcp any host 74.220.230.142 eq sip
Did you mean: access-list outside_access_in extended permit udp any host 74.220.230.142 eq sip instead (it should be UDP, not TCP)?

If not, then all the rest of the lines referring to SIP are useless, as SIP is not going to come in: the current rule set has you allowing TCP in but allowing the bridging between interfaces of UDP instead. The SIP protocol runs on UDP, not TCP. So opening the TCP port can be a security risk the moment anything opens up on TCP port 5060 (you can verify this by doing a netstat -rn|grep 5060 at the Linux prompt).
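The two findings fskrotzki makes by eye above (two outside ports PAT'd onto the same inside port, which the ASA rejects, and an ACL hole opened for TCP while the translation and the service are UDP) can be checked mechanically. The following is an added example, written for this thread and not code from the forum, Cisco or Asterisk. It parses the object-group, access-list and static lines exactly as posted above, and cross-checks them against a netstat -an excerpt; that excerpt is constructed for the example, not real output from the poster's box. The PORT_NAMES table is an assumed subset of the keywords the ASA substitutes for port numbers.

```python
"""Added example (not from the thread, not Cisco or Asterisk code): lint an ASA 8.x
config for many-to-one PAT and for ACL holes that do not line up with the statics.
Only the statement forms seen in the posted config are parsed."""
import re
from collections import defaultdict

# Port keywords the ASA prints instead of numbers (assumed subset; extend as needed).
PORT_NAMES = {"sip": 5060, "ssh": 22, "www": 80, "http": 80, "https": 443}

# The object-group, ACL and static lines as posted in the thread.
ASA_CONFIG = """
object-group service Asterisk_UDP udp
description Sip & Trunk UDP Ports
port-object eq 4569
port-object eq sip
port-object range 10000 20000
access-list outside_access_in remark Sip & Trunk UDP Ports to Asterisk1
access-list outside_access_in extended permit udp any host 74.220.230.142 object-group Asterisk_UDP
access-list outside_access_in extended permit tcp any host 74.220.230.142 eq 25550
access-list outside_access_in extended permit tcp any host 74.220.230.142 eq sip
access-list outside_access_in extended permit udp any host 74.220.230.142 eq 9901
access-list outside_access_in extended permit udp any host 74.220.230.142 eq 9970
nat (inside) 10 Asterisk1 255.255.255.255
static (inside,outside) udp interface sip Asterisk1 sip netmask 255.255.255.255
static (inside,outside) udp interface 9901 Asterisk1 4569 netmask 255.255.255.255
static (inside,outside) tcp interface 2567 Asterisk1 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 8088 Asterisk1 www netmask 255.255.255.255
static (inside,outside) udp interface 9970 Asterisk1 4569 netmask 255.255.255.255
"""

# Constructed 'netstat -an' excerpt standing in for the Asterisk host (not real output).
NETSTAT_SAMPLE = """
udp        0      0 0.0.0.0:5060            0.0.0.0:*
udp        0      0 0.0.0.0:4569            0.0.0.0:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

def port_num(tok):
    """'sip' -> 5060, '9901' -> 9901."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_asa(text):
    """Return (acl, statics). acl: (proto, lo, hi) permitted inbound on the outside
    interface; statics: (proto, outside_port, inside_host, inside_port)."""
    groups, acl, statics, current = defaultdict(list), [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(("port-object", "description")):
            current = None  # any other statement ends the object-group body
        if m := re.match(r"object-group service (\S+) (udp|tcp)$", line):
            current = m.group(1)
        elif m := re.match(r"port-object eq (\S+)", line):
            groups[current].append((port_num(m.group(1)), port_num(m.group(1))))
        elif m := re.match(r"port-object range (\d+) (\d+)", line):
            groups[current].append((int(m.group(1)), int(m.group(2))))
        elif m := re.match(r"access-list \S+ extended permit (udp|tcp) any host \S+ (.+)", line):
            proto, spec = m.group(1), m.group(2).split()
            if spec[0] == "eq":
                acl.append((proto, port_num(spec[1]), port_num(spec[1])))
            elif spec[0] == "range":
                acl.append((proto, int(spec[1]), int(spec[2])))
            elif spec[0] == "object-group":
                acl.extend((proto, lo, hi) for lo, hi in groups[spec[1]])
        elif m := re.match(r"static \(inside,outside\) (udp|tcp) interface (\S+) (\S+) (\S+) netmask", line):
            proto, outp, host, inp = m.groups()
            statics.append((proto, port_num(outp), host, port_num(inp)))
    return acl, statics

def pat_conflicts(statics):
    """Inside (proto, host, port) targets reached from several outside ports: the many-to-one PAT the ASA refuses."""
    by_target = defaultdict(list)
    for proto, outp, host, inp in statics:
        by_target[(proto, host, inp)].append(outp)
    return {k: sorted(v) for k, v in by_target.items() if len(v) > 1}

def consolidated(statics):
    """One static per conflicting target, outside port == inside port, as the thread ended up doing."""
    return [f"static (inside,outside) {proto} interface {inp} {host} {inp} netmask 255.255.255.255"
            for proto, host, inp in pat_conflicts(statics)]

def acl_without_static(acl, statics):
    """Permits that no static translation covers (e.g. tcp/5060 permitted, only udp/5060 translated)."""
    return [(p, lo, hi) for p, lo, hi in acl
            if not any(sp == p and lo <= op <= hi for sp, op, _, _ in statics)]

def static_without_acl(acl, statics):
    """Translations whose outside port the inbound ACL never permits (dead mappings)."""
    return [s for s in statics if not any(p == s[0] and lo <= s[1] <= hi for p, lo, hi in acl)]

def listeners_on(netstat_text, port):
    """Protocols bound to `port` on the host, from netstat -an style lines ('udp6' counts as 'udp')."""
    return {ln.split()[0][:3] for ln in netstat_text.splitlines()
            if ln.strip() and ln.split()[3].endswith(f":{port}")}

def exposed_but_unbound(acl, statics, netstat_text):
    """Single-port permits whose protocol the host is not listening on after translation:
    wasted today, and a hole the moment something binds that port (the tcp/5060 point above)."""
    out = []
    for p, lo, hi in acl:
        if lo != hi:
            continue
        inside = next((ip for sp, op, _, ip in statics if sp == p and op == lo), lo)
        if p not in listeners_on(netstat_text, inside):
            out.append((p, lo))
    return out

if __name__ == "__main__":
    acl, statics = parse_asa(ASA_CONFIG)
    print("many-to-one PAT:", pat_conflicts(statics))
    print("replace with:", *consolidated(statics), sep="\n  ")
    print("ACL permits with no static:", acl_without_static(acl, statics))
    print("statics with no ACL permit:", static_without_acl(acl, statics))
    print("permitted but nothing bound:", exposed_but_unbound(acl, statics, NETSTAT_SAMPLE))
```

Run against the posted config it reports the 9901/9970 to 4569 conflict and proposes the single 4569 to 4569 static; it also lists tcp/5060 as permitted with no TCP translation and nothing bound, the tcp/25550 permit that no static maps (the SSH static uses 2567), and the 2567 and 8088 statics that the ACL never permits. Treat each line as a worklist item rather than a verdict: the udp 10000-20000 range is reported only because no static maps it.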

fskrotzki,

You da man.

I changed one of my NAT statements from UDP 9970 to UDP 4569 to be UDP 4569 to UDP 4569. Both phones are functional. Not sure why my predecessor set them up on different ports to begin with.

Now I have to look at the ASA config and see what I can delete to clean it up. Any thoughts?

Thanks.

P.

I addressed most of that above.

If you want, send me a private message via my inbox on the left-hand side with the current config and I can go over it again. One issue I saw was your SIP rules: the hole in the firewall was configured for TCP, but the traversal and the rest were UDP, which is correct.