
TOPIC: ASA vs. IOS Default PAT Behavior Issue

ASA vs. IOS Default PAT Behavior Issue 7 years 9 months ago #29492

  • Runic
  • New Member
  • Posts: 2
  • Karma: 0
Hi team - long time lurker, first time poster here.

I have been banging my head for some time now over this particular problem I'm experiencing with an Avaya IP phone behind EasyVPN client on an ASA5505 (8.0(4)). Here is what I'm experiencing.

My Avaya IP phone using H.323 is failing as a result of PAT on the ASA; however, it works fine through my 871W when the 871 is used as my EasyVPN client device to connect to the corporate network. On the 871W, when the phone registers successfully, I'm seeing the following NAT translations:

[code:1]
irtr#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.20.20.8:2471 172.25.3.12:2471 10.75.50.3:1720 10.75.50.3:1720
udp 10.20.20.8:49301 172.25.3.12:49301 10.75.50.3:1719 10.75.50.3:1719
udp 10.20.20.8:49301 172.25.3.12:49301 10.75.60.33:1719 10.75.60.33:1719
irtr#
[/code:1]


According to Cisco, this is the default behavior of PAT ( www.cisco.com/en/US/tech/tk648/tk361/tec...0800e523b.shtml#qa14 )
#4 If a session with no special port requirements attempts to connect out, PAT translates the IP source address and checks availability of the originated source port (433, for example).
...
#5 If the requested source port is available, PAT assigns the source port, and the session continues.

This does not appear to be the default behavior for PAT on my ASA5505 when I use it as my VPN client device to connect to the corporate network. For the phone's registration attempt, my inside local source port does not match the outside source port on my global VPN IP address even though the port is available. The phone throws a NAPT Error. I am only able to obtain a single IP on the office network, so doing straight NAT is out of the question if I intend to put a PC on the network as well. I'm pretty much stuck doing PAT. Again, it's not an issue with IOS PAT, just on the ASA. My ASA config is practically default and I've tried both with and without the inspect rules for h323/h225.

Has anyone run into similar situations and perhaps have any advice or suggestions?

Thank you kindly in advance!
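To make the difference the post describes concrete, here is an added example (not part of the original post or of any Cisco tool) that parses the `show ip nat translations` output above and flags every translation where PAT changed the source port, plus a simplified model of the two allocation behaviours being contrasted. The fourth data row in the sample is constructed to stand in for the ASA case; the "lowest free port from 1024" rule for the non-preserving case is an assumption, not the ASA's real algorithm.

```python
import re
from collections import namedtuple

# Constructed sample: the 871W (IOS) table quoted in the post, where every inside
# local port survives translation, plus one constructed row (the last udp line)
# modelling the ASA behaviour described: same phone, source port rewritten by PAT.
SAMPLE = """\
irtr#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.20.20.8:2471 172.25.3.12:2471 10.75.50.3:1720 10.75.50.3:1720
udp 10.20.20.8:49301 172.25.3.12:49301 10.75.50.3:1719 10.75.50.3:1719
udp 10.20.20.8:49301 172.25.3.12:49301 10.75.60.33:1719 10.75.60.33:1719
udp 10.20.20.8:1028 172.25.3.12:49301 10.75.50.3:1719 10.75.50.3:1719
irtr#
"""

Xlate = namedtuple("Xlate", "proto global_ip global_port local_ip local_port dst_ip dst_port")

# One data row: proto, inside global, inside local, outside local (ignored), outside global.
ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+\S+:\d+\s+(\S+):(\d+)\s*$")

def parse_xlates(text):
    """Parse the data rows of 'show ip nat translations'; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            proto, gip, gport, lip, lport, dip, dport = m.groups()
            rows.append(Xlate(proto, gip, int(gport), lip, int(lport), dip, int(dport)))
    return rows

def port_preserved(x):
    """True when PAT kept the originating source port (the IOS behaviour the post relies on)."""
    return x.global_port == x.local_port

def rewritten_ports(text):
    """Translations whose source port was changed. H.323 RAS (udp/1719) and H.225 (tcp/1720)
    carry the endpoint's own address:port in the payload, so a rewritten port with no
    ALG fix-up is what the phone surfaces as a NAPT error."""
    return [x for x in parse_xlates(text) if not port_preserved(x)]

def pat_allocate(requested, in_use, preserve_port):
    """Simplified model of the two PAT policies. preserve_port=True follows Cisco's PAT
    FAQ (#4/#5): keep the requested source port when it is free. preserve_port=False
    models the ASA observed in the post, which hands out a different global port even
    when the requested one is free (assumption: lowest free port from 1024 upward)."""
    if preserve_port and requested not in in_use:
        return requested
    port = 1024
    while port in in_use:
        port += 1
    return port
```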

Re: ASA vs. IOS Default PAT Behavior Issue 7 years 9 months ago #29501

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Sorry, but I have not had experience of H.323 (well, a consultant came in to install it, but it wouldn't work correctly).

The only thing I would say is, why are you NATting/PATting the VPN traffic? I wouldn't bother.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: ASA vs. IOS Default PAT Behavior Issue 7 years 9 months ago #29506

  • Runic
  • New Member
  • Posts: 2
  • Karma: 0
I do not have a choice but to PAT the VPN traffic as I only get a single IP address assigned to my device.

Re: ASA vs. IOS Default PAT Behavior Issue 7 years 9 months ago #29511

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
I do not have a choice but to PAT the VPN traffic as I only get a single IP address assigned to my device.

Do you mean your public IP?

With VPNs, you can assign a private IP address to your clients and then set up the ASA to route these through the box, providing you turn NAT off for the private IP subnet you are assigning to your clients (unless I am missing something)?

If I am not quite understanding your setup, then please update the post and, if possible, give a diagram with some bogus IPs.

Thanks
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
