TOPIC: ASA vs. IOS Default PAT Behavior Issue

ASA vs. IOS Default PAT Behavior Issue 9 years 5 months ago #29492

  • Runic (Topic Author)
  • New Member
  • Posts: 2
Hi team - long time lurker, first time poster here.

I have been banging my head for some time now over this particular problem I'm experiencing with an Avaya IP phone behind EasyVPN client on an ASA5505 (8.0(4)). Here is what I'm experiencing.

My Avaya IP phone using H.323 is failing as a result of PAT on the ASA, however it works fine through my 871W when the 871 is used as my EasyVPN client device to connect to the corporate network. On the 871W when the phone registers successfully, I'm seeing the following NAT translations:

[code:1]
irtr#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.20.20.8:2471    172.25.3.12:2471   10.75.50.3:1720    10.75.50.3:1720
udp 10.20.20.8:49301   172.25.3.12:49301  10.75.50.3:1719    10.75.50.3:1719
udp 10.20.20.8:49301   172.25.3.12:49301  10.75.60.33:1719   10.75.60.33:1719
irtr#
[/code:1]


According to Cisco, this is the default behavior of PAT (www.cisco.com/en/US/tech/tk648/tk361/tec...0800e523b.shtml#qa14):

#4 If a session with no special port requirements attempts to connect out, PAT translates the IP source address and checks availability of the originated source port (433, for example).
...
#5 If the requested source port is available, PAT assigns the source port, and the session continues.


This does not appear to be the default behavior for PAT on my ASA5505 when I use it as my VPN client device to connect to the corporate network. For the phone's registration attempt, my inside local source port does not match the outside source port on my global VPN IP address even though the port is available. The phone throws a NAPT Error. I am only able to obtain a single IP on the office network, so doing straight NAT is out of the question if I intend to put a PC on the network as well. I'm pretty much stuck doing PAT. Again, it's not an issue with IOS PAT, just on the ASA. My ASA config is practically default and I've tried both with and without the inspect rules for h323/h225.

Has anyone run into similar situations and perhaps have any advice or suggestions?

Thank you kindly in advance!
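The following is an added illustration, not code from the original post and not Cisco's implementation: a small model of PAT port allocation that contrasts the source-port-preserving behaviour quoted from the Cisco text (#4/#5) with a pool-based allocator that ignores the requested port, fed with the three translations pasted from the 871W above. The phone behaviour it assumes is only what the post describes (a NAPT error when the port a peer observed differs from the port the phone sent from), not a statement about Avaya internals; the global IP, gatekeeper addresses and ports are taken from the posted table, and the pool start of 1024 is an arbitrary assumption.

```python
# Added example (illustrative model, not Cisco code and not from the original
# post): PAT port allocation with and without source-port preservation.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    inside_local: str   # the phone's LAN address
    inside_port: int    # source port the phone picked
    outside: str        # gatekeeper / call server reached over the VPN
    outside_port: int


class PatTable:
    """One global IP overloaded for many inside sockets.

    preserve_port=True follows the Cisco text quoted in the post: keep the
    originating source port if nobody else holds it.  preserve_port=False
    always hands out a pool port, which is what Runic saw on the ASA.  Both
    variants reuse the global port an inside socket already holds, which is
    why the 871W output shows 49301 twice (two gatekeepers, one phone socket).
    """

    def __init__(self, global_ip: str, preserve_port: bool, pool_start: int = 1024) -> None:
        self.global_ip = global_ip
        self.preserve_port = preserve_port
        self._next = pool_start                                  # assumed pool start
        self._used: Set[Tuple[str, int]] = set()                 # (proto, global port)
        self._by_inside: Dict[Tuple[str, str, int], int] = {}    # inside socket -> global port
        self.entries: Dict[Flow, int] = {}                       # extended entry -> global port

    def _alloc(self, proto: str) -> int:
        while (proto, self._next) in self._used:
            self._next += 1
        port = self._next
        self._next += 1
        return port

    def translate_out(self, flow: Flow) -> Tuple[str, int]:
        """Outbound packet: return the (global ip, global port) it leaves with."""
        if flow in self.entries:
            return self.global_ip, self.entries[flow]
        inside = (flow.proto, flow.inside_local, flow.inside_port)
        if inside in self._by_inside:
            gport = self._by_inside[inside]
        elif self.preserve_port and (flow.proto, flow.inside_port) not in self._used:
            gport = flow.inside_port          # requested port is free: keep it (#5)
        else:
            gport = self._alloc(flow.proto)   # pool port, unrelated to the original
        self._used.add((flow.proto, gport))
        self._by_inside[inside] = gport
        self.entries[flow] = gport
        return self.global_ip, gport

    def translate_in(self, proto: str, global_port: int, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Inbound packet to global_ip:global_port from src_ip:src_port.
        Only a matching extended entry is forwarded; anything else is dropped."""
        for flow, gport in self.entries.items():
            if (flow.proto, gport, flow.outside, flow.outside_port) == (proto, global_port, src_ip, src_port):
                return flow.inside_local, flow.inside_port
        return None

    def show(self) -> str:
        """Render the table in 'show ip nat translations' style."""
        lines = ["Pro Inside global Inside local Outside local Outside global"]
        for flow, gport in self.entries.items():
            lines.append(f"{flow.proto} {self.global_ip}:{gport} {flow.inside_local}:{flow.inside_port} "
                         f"{flow.outside}:{flow.outside_port} {flow.outside}:{flow.outside_port}")
        return "\n".join(lines)


# Constructed from the 871W output in the post: phone 172.25.3.12, global 10.20.20.8,
# H.225 call signalling to 10.75.50.3:1720, RAS to two gatekeepers on UDP 1719.
PHONE = "172.25.3.12"
FLOWS = [
    Flow("tcp", PHONE, 2471, "10.75.50.3", 1720),
    Flow("udp", PHONE, 49301, "10.75.50.3", 1719),
    Flow("udp", PHONE, 49301, "10.75.60.33", 1719),
]


def register(preserve_port: bool) -> dict:
    """Push the phone's registration through a PAT device and report what the
    phone and the gatekeeper would observe.  Assumption (matches the symptom in
    the post, not a claim about Avaya internals): the phone raises a NAPT error
    when the source port a peer saw differs from the port it sent from."""
    pat = PatTable("10.20.20.8", preserve_port)
    seen = {f: pat.translate_out(f)[1] for f in FLOWS}
    ras = FLOWS[1]
    gport = seen[ras]
    return {
        "ras_global_port": gport,
        "napt_error": gport != ras.inside_port,
        # gatekeeper replying to the port it saw on the wire: forwarded either way
        "reply_forwarded": pat.translate_in("udp", gport, ras.outside, ras.outside_port) == (PHONE, ras.inside_port),
        # gatekeeper contacting the port carried in the RRQ payload (no inspect
        # rewriting it): only reaches the phone when the port was preserved
        "payload_port_reachable": pat.translate_in("udp", ras.inside_port, ras.outside, ras.outside_port) is not None,
        "table": pat.show(),
    }


if __name__ == "__main__":
    for mode in (True, False):
        r = register(mode)
        print(f"preserve_port={mode}: RAS global port {r['ras_global_port']}, NAPT error {r['napt_error']}")
        print(r["table"])
```

Run stand-alone, the preserving variant reproduces the 871W table (49301 stays 49301 for both gatekeepers) and reports no NAPT error, while the pool variant translates the RAS socket to an unrelated port: the gatekeeper's direct reply still comes back, but any peer that uses the port embedded in the H.323 payload hits no translation entry, which is the gap that `inspect h323` exists to close by rewriting the payload.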

Re: ASA vs. IOS Default PAT Behavior Issue 9 years 5 months ago #29501

  • Smurf
  • Moderator
  • Posts: 1390
Sorry, but I have not had experience of H.323 (well, a consultant came in to install it but it wouldn't work correctly).

The only thing I would say is, why are you NAT/PATing the VPN traffic? I wouldn't bother.

Re: ASA vs. IOS Default PAT Behavior Issue 9 years 5 months ago #29506

  • Runic (Topic Author)
  • New Member
  • Posts: 2
I do not have a choice but to PAT the VPN traffic as I only get a single IP address assigned to my device.

Re: ASA vs. IOS Default PAT Behavior Issue 9 years 5 months ago #29511

  • Smurf
  • Moderator
  • Posts: 1390
[quote]I do not have a choice but to PAT the VPN traffic as I only get a single IP address assigned to my device.[/quote]

Do you mean your public IP?

With the VPNs, you can assign a private IP address to your clients and then set up the ASA to route these through the box, providing you turn NAT off for the private IP subnet you are assigning to your clients (unless I am missing something)?

If I am not quite understanding your setup then please update the post and, if possible, give a diagram with some bogus IPs.

Thanks
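As an added configuration example (not from the thread and not verified against Runic's setup), this is the shape of what Smurf is suggesting when the ASA 5505 is the Easy VPN hardware client: run the client in network extension mode so the inside subnet is routed over the tunnel with its own addresses rather than being PATed to the single assigned IP, and exempt inside-to-corporate traffic from the interface PAT. The subnets, server address, group name and credentials are placeholders; the command syntax is the pre-8.3 form matching the 8.0(4) release in the post and is stated here as an assumption to check against the 5505 documentation.

```cisco
! Added example, assumed syntax for ASA 8.0(4) in Easy VPN hardware-client role.
! Placeholder values: 192.168.10.0/24 = inside LAN, 10.75.0.0/16 = corporate,
! 203.0.113.1 = Easy VPN server, MYGROUP / phoneuser = credentials.

! Inside hosts keep their addresses over the tunnel (the headend group policy
! must permit network extension mode).
vpnclient server 203.0.113.1
vpnclient mode network-extension-mode
vpnclient vpngroup MYGROUP password GroupSecret
vpnclient username phoneuser password UserSecret
vpnclient enable

! Interface PAT for ordinary internet traffic stays in place ...
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! ... but traffic from the inside LAN to the corporate network is exempted,
! so the phone's source port is never rewritten on the VPN path.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.75.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
```

The check after applying it is the same one Runic used on the 871W: the phone's RAS and H.225 sessions should no longer appear as translations at all (`show xlate` on the ASA), and the inside address should be what the gatekeeper sees.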