Task:
A server on the servers' VLAN must connect to the SIP server on the ISP side.
The ISP delivers the SIP trunk on a VLAN. The SIP server on the ISP side permits traffic only from 10.60.122.2; the ISP side of that VLAN has the address 10.60.122.1. Because the ASA does not have policy-based routing, I create a policy NAT rule for this task.
I terminate this VLAN on a Cisco ASA 5555-X:
interface Port-channel2.193
vlan 193
nameif mts_sip_int
security-level 100
ip address 10.60.122.2 255.255.255.0
and add a static route to the SIP server via the ISP side of the VLAN:
route mts_sip_int 212.248.28.* 255.255.255.255 10.60.122.1 1
The SIP server is reachable:
dat2-fw1# ping 212.248.28.*
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.248.28.*, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/20 ms
Now I can create a policy NAT rule that translates only the server (10.0.151.16: signaling on tcp 5060 and the udp range 49152-65535 for voice).
Create the server object:
object network srv-dat2-medvx1_for_mts_sip
host 10.0.151.116
Create the SIP server object:
object network mts_sip_gateway
host 212.248.28.*
and the NAT translation (the server's real address is translated to the mts_sip_int interface address, 10.60.122.2, only for traffic to the SIP gateway):
nat (inside,mts_sip_int) source static srv-dat2-medvx1_for_mts_sip interface destination static mts_sip_gateway mts_sip_gateway
and add lines to the inside ACL:
access-list internal_in extended permit udp object srv-dat2-medvx1_for_mts_sip object mts_sip_gateway range 49152 65535
access-list internal_in extended permit udp object srv-dat2-medvx1_for_mts_sip object mts_sip_gateway eq sip
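As an added example that is not part of the post: a small Python model of how the ASA applies the posted inside ACL and twice-NAT rule to candidate flows. It assumes the ASA 8.3+ behaviour of matching interface ACLs on real (pre-NAT) addresses, keeps the SIP gateway host redacted as 212.248.28.* exactly as in the post, and shows that both ACL lines as written match UDP only, so a TCP 5060 flow falls through to the implicit deny.

```python
"""Model of the posted ASA policy: inside ACL, then twice NAT toward mts_sip_int.
Added example, not the post's own configuration or a Cisco tool."""
from dataclasses import dataclass
from typing import Optional

SIP_PORT = 5060                     # 'eq sip' in an ASA access-list
SERVER_REAL = "10.0.151.116"        # object network srv-dat2-medvx1_for_mts_sip
SIP_GATEWAY = "212.248.28.*"        # object network mts_sip_gateway (redacted in the post)
MTS_SIP_INT_IP = "10.60.122.2"      # 'interface' keyword in the nat line (mts_sip_int address)


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str     # real (pre-NAT) source address
    dst: str
    dport: int


# access-list internal_in lines from the post: (proto, src object, dst object, port range)
INTERNAL_IN = [
    ("udp", SERVER_REAL, SIP_GATEWAY, (49152, 65535)),   # voice / RTP range
    ("udp", SERVER_REAL, SIP_GATEWAY, (SIP_PORT, SIP_PORT)),  # 'eq sip'
]


def acl_permits(flow: Flow) -> bool:
    """First matching ACE wins; no match means the implicit deny at the end."""
    for proto, src, dst, (lo, hi) in INTERNAL_IN:
        if (flow.proto == proto and flow.src == src
                and flow.dst == dst and lo <= flow.dport <= hi):
            return True
    return False


def twice_nat(flow: Flow) -> Optional[Flow]:
    """nat (inside,mts_sip_int) source static <server> interface destination static <gw> <gw>:
    only the server talking to the SIP gateway is translated to the interface address."""
    if flow.src == SERVER_REAL and flow.dst == SIP_GATEWAY:
        return Flow(flow.proto, MTS_SIP_INT_IP, flow.dst, flow.dport)
    return None


def evaluate(flow: Flow) -> Optional[Flow]:
    """Returns the translated flow that leaves mts_sip_int, or None if dropped / not translated."""
    if not acl_permits(flow):
        return None
    return twice_nat(flow)
```

Any flow that returns None here would also need its own NAT or route to reach the trunk; in the posted design that is intended, since the ISP only accepts 10.60.122.2.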