
ASA vs. IOS Default PAT Behavior Issue

15 years 6 months ago #29492 by Runic
Hi team - long time lurker, first time poster here.

I have been banging my head for some time now over this particular problem I'm experiencing with an Avaya IP phone behind EasyVPN client on an ASA5505 (8.0(4)). Here is what I'm experiencing.

My Avaya IP phone using H.323 is failing as a result of PAT on the ASA; however, it works fine through my 871W when the 871 is used as my EasyVPN client device to connect to the corporate network. On the 871W, when the phone registers successfully, I'm seeing the following NAT translations:

[code]
irtr#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.20.20.8:2471    172.25.3.12:2471   10.75.50.3:1720    10.75.50.3:1720
udp 10.20.20.8:49301   172.25.3.12:49301  10.75.50.3:1719    10.75.50.3:1719
udp 10.20.20.8:49301   172.25.3.12:49301  10.75.60.33:1719   10.75.60.33:1719
irtr#
[/code]


According to Cisco, this is the default behavior of PAT ( www.cisco.com/en/US/tech/tk648/tk361/tec...0800e523b.shtml#qa14 )

#4 If a session with no special port requirements attempts to connect out, PAT translates the IP source address and checks availability of the originated source port (433, for example).
...
#5 If the requested source port is available, PAT assigns the source port, and the session continues.


This does not appear to be the default behavior for PAT on my ASA5505 when I use it as my VPN client device to connect to the corporate network. For the phone's registration attempt, my inside local source port does not match the outside source port on my global VPN IP address, even though the port is available. The phone throws a NAPT Error. I am only able to obtain a single IP on the office network, so doing straight NAT is out of the question if I intend to put a PC on the network as well. I'm pretty much stuck doing PAT. Again, it's not an issue with IOS PAT, just on the ASA. My ASA config is practically default and I've tried both with and without the inspect rules for h323/h225.

Has anyone run into similar situations and perhaps have any advice or suggestions?

Thank you kindly in advance!
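To make the difference described in the post concrete, here is a small simulation added for this page (it is not code from the thread, from Cisco or from Avaya). It models the one rule the post turns on: the endpoint puts its own source port in the registration payload, and the server only accepts the registration if that advertised port equals the source port it actually observes after translation. The IOS-style translator keeps the inside source port when it is free and falls back to a pool otherwise (the behaviour quoted from Cisco above); the other translator always allocates from a pool. Addresses, ports and the message format are constructed; the 172.25.3.13 second phone and the port-collision case are assumptions added to show when even port-preserving PAT has to remap.

```python
"""Constructed simulation of port-preserving vs. non-preserving PAT.

Models one rule: a registration is accepted only when the port the
endpoint advertises in its payload matches the source port the server
sees on the outside of the PAT device. Everything here is made up for
illustration; it is not the behaviour of any specific product.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    advertised_port: int  # port the endpoint claims in its payload (H.323-like)


@dataclass
class Pat:
    global_ip: str
    preserve_ports: bool          # True: keep the inside source port when free
    pool_start: int = 1024        # where non-preserved ports are allocated from
    table: dict = field(default_factory=dict)  # (inside ip, inside port) -> global port
    in_use: set = field(default_factory=set)   # global ports already handed out

    def _allocate(self, wanted):
        """Port-preserving mode hands back `wanted` if nobody holds it yet;
        otherwise (or in non-preserving mode) the next free pool port is used."""
        if self.preserve_ports and wanted not in self.in_use:
            return wanted
        port = self.pool_start
        while port in self.in_use:
            port += 1
        return port

    def translate(self, pkt):
        """Rewrite the source address/port; reuse an existing translation
        for the same inside endpoint regardless of destination."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            gport = self._allocate(pkt.src_port)
            self.in_use.add(gport)
            self.table[key] = gport
        return Packet(self.global_ip, self.table[key],
                      pkt.dst_ip, pkt.dst_port, pkt.advertised_port)


def server_accepts(pkt):
    """The registration server's check: advertised port must equal the
    port the packet really arrived from (no ALG rewriting the payload)."""
    return pkt.advertised_port == pkt.src_port


def register(pat, phone_ip, port, server_ip="10.75.50.3"):
    """Send one registration (UDP to 1719 here, as in the IOS table above)
    through `pat` and report whether the server would accept it."""
    rrq = Packet(phone_ip, port, server_ip, 1719, advertised_port=port)
    return server_accepts(pat.translate(rrq))


def demo():
    ios_like = Pat("10.20.20.8", preserve_ports=True)
    asa_like = Pat("10.20.20.8", preserve_ports=False)
    return {
        # single phone: preserved port passes, pool-allocated port does not
        "ios_single_phone": register(ios_like, "172.25.3.12", 49301),
        "asa_single_phone": register(asa_like, "172.25.3.12", 49301),
        # same phone to a second server reuses the same translation
        "ios_second_server": register(ios_like, "172.25.3.12", 49301, "10.75.60.33"),
        # a second inside host picking the same source port collides and is
        # remapped even by port-preserving PAT, so it fails the same way
        "ios_port_collision": register(ios_like, "172.25.3.13", 49301),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'registered' if ok else 'NAPT-style failure'}")
```

Two things the run makes visible: port preservation is a courtesy of the translator, not a guarantee, so a second inside device reusing the same source port breaks in exactly the way the non-preserving translator does; and the only robust fixes are either not translating the traffic at all, or an ALG that rewrites the advertised port in the payload along with the header.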
15 years 6 months ago #29501 by Smurf
Sorry, but I've not had experience of H.323 (well, a consultant came in to install it, but it wouldn't work correctly).

The only thing I would say is, why are you NATing/PATing the VPN traffic? I wouldn't bother.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 6 months ago #29506 by Runic
I do not have a choice but to PAT the VPN traffic as I only get a single IP address assigned to my device.
15 years 6 months ago #29511 by Smurf
[quote]I do not have a choice but to PAT the VPN traffic as I only get a single IP address assigned to my device.[/quote]

Do you mean your public IP?

With the VPNs, you can assign a private IP address to your clients and then set up the ASA to route these through the box, providing you turn NAT off for the private IP subnet you are assigning to your clients (unless I am missing something)?

If I am not quite understanding your setup then please update the post and, if possible, give a diagram with some bogus IPs.

Thanks
