Author Topic: Teleworker 1:1NAT through Cisco ASA5505

Offline SteAnnesIT

Teleworker 1:1NAT through Cisco ASA5505
« on: January 10, 2014, 10:40:30 AM »
I've tried and tried and I just can't seem to get Teleworker working.  My provider 'provided' the ports to have open and that's as far as they would go to help me.  I asked them to contact Mitel for assistance with giving me/us a 'basic default' ASA config that would work, and I could go from there with configuring the Cisco ASA5505, but they returned to me saying Mitel has no experience with a Cisco ASA and Teleworker.  I find this kind of hard to believe; they've never run across a Cisco ASA before....  Anywho.

I've gone as far as opening *ALL* ports to the PBX in the ASA.  No firewall, just 1:1NAT.   The thing with the Cisco ASA stuff is you have to have your configuration specifically set for it to pass all data wanted.  For instance, you can't even traceroute correctly out of the box; you have to fiddle with packet inspection etc.  The very best I've been able to achieve is Teleworker connection to our PBX, and audio out from our PBX to the Teleworker, but *no* audio back in from the Teleworker to the PBX.  Logically, it leads me to believe it is the Cisco ASA, but I just cannot get any further.

Any help would be greatly appreciated!


Offline Tech Electronics

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #1 on: January 10, 2014, 10:52:26 AM »
SteAnnesIT,

Sorry to be a pain here, but when you say Teleworker do you mean that you are using the Mitel Border Gateway (MBG) to allow for secure connections back to the 5000 or do you just have a person with a phone outside of your LAN trying to connect to the 5000 directly?

Thanks,

TE

Offline SteAnnesIT

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #2 on: January 10, 2014, 11:02:07 AM »
I have a Mitel 5330 IP Handset configured to connect via Teleworker.  Holding down the down arrow when the phone is booting..  "Configure Teleworker"  Yes..  Enter the IP address (the public IP address in our public subnet that is 1:1 NATed to the private IP address of our Mitel 5000 "PBX A").   And then there is an extension configured specifically to allow NAT for that 5330, or something to that extent, which is assigned to that phone.  The provider doesn't exactly explain it all clearly.
« Last Edit: January 10, 2014, 11:18:04 AM by SteAnnesIT »

Offline sarond

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #3 on: January 10, 2014, 10:12:31 PM »
1:1 NAT is not required for the 5000.
Standard port forwarding will suffice. There are plenty of existing threads on here that specify what ports are needed.

Like
http://mitelforums.com/forum/index.php/topic,4031.msg17040.html#msg17040

Offline Tech Electronics

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #4 on: January 10, 2014, 11:36:58 PM »
SteAnnesIT,

Since you already have the 1:1 NAT set up in your ASA you can start with that, but I suggest locking it down to only use the ports needed for the phones to work. As for the 5000 programming, this needs to be in place:

System > Devices and Feature Codes > IP Connection > {any PXXX connection that doesn't have a red X through it} > NAT IP Address [change this from 255.255.255.255 to your Public IP]

Note: Make sure that if you have more than one, you do both of them, or it may only work intermittently. Also, depending on whether you are using Differentiated Services or IP Precedence, you may want to change the Audio RTP Type of Service and Data Type of Service. By default they are set for IP Precedence : 0, but if you are using Differentiated Services then you will want to set both to 184.

Now you will want to make sure the remote phone (teleworker) is set for NAT instead of Native. Go to System > Devices and Feature Codes > Phones > Ext {xxxx} > IP Settings and make sure the NAT Address Type is set to NAT; by default it is Native.

Once you get it working, lock down the ASA utilizing these ports, which are also shown in the link that sarond provided in his post.

UDP: 69, 20001, 6004-6261, 50098-50508

TCP: 3998-3999, 6800-6802

Oh, you may have noticed that I did not send you to System > IP Settings > System NAT IP Address to make the change there. This is for SIP Gateways and Trunks and is not needed for the 5330 to work, but it doesn't hurt to change it if you have or will have SIP devices out there at a future date; you will then need to add port 5060 to your ASA. If you are having trouble with your SIP device staying connected, then set up port 5061 as well.

Hope that helps,

TE

Offline SteAnnesIT

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #5 on: January 13, 2014, 09:37:04 AM »
Okay I've looked through your instructions. 

We have two PBXs, PBX A and PBX B.   PBX A is where our IP sets connect, as well as where any Teleworker sets should connect.   It has a dedicated public IP address 1:1NATed to its internal IP address.  While following your instructions:

Quote
System > Devices and Feature Codes > IP Connection > {any PXXX connection that doesn't have a red X through it} > NAT IP Address [change this from 255.255.255.255 to your Public IP]

It was indeed 255.255.255.255 and I changed it to the public IP address for which it has 1:1NAT. 

I checked.

Quote
System > IP Settings > System NAT IP Address

And it seems our provider had already configured this to be the public IP address of our PBX A.

Question:  If our Teleworker phones are configured to be connected to PBX A, do I need to alter these settings on PBX B as well?  I am confused about where you say:

Quote
Note: Make sure that if you have more than one that you do both of them or it may only work intermittently.

Thank you.

Offline Tech Electronics

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #6 on: January 13, 2014, 12:43:20 PM »
SteAnnesIT,

PBX B will have to have its own public IP address or use another set of ports, which would have to be programmed in both your ASA and the PBX B controller to work properly. So, in other words, no, you would not program the public IP address for PBX A into PBX B.

What I was referring to is that the controller can have multiple IP Connections as well as internal IP addresses based on whether or not the system has a PEC-1 or a PS-1 attached to it.

As for where your vendor put the Public IP Address it would not have worked for you regardless of how you set up the ASA since that location [System > IP Settings > NAT IP Address] is for SIP Gateways and Trunks and not IP Phones.

Hopefully that clears it up a little for you.

Thanks,

TE

Offline SteAnnesIT

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #7 on: January 13, 2014, 01:15:40 PM »
Our PBXs use only a single network connection each, so I can disregard the "Note: Make sure that if you have more than one that you do both of them or it may only work intermittently." part then.

Thank you.   Still working on it!

Offline Tech Electronics

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #8 on: January 13, 2014, 01:29:08 PM »
SteAnnesIT,

Here is a picture of what I am talking about so there is no more confusion here. There is only one connection on a Mitel 5000 if it is a base system or one with a PEC-1.

Base = 1 Connection and 1 IP Address
PEC-1 = 1 Connection and 2 IP Addresses
PS-1 = 2 Connections and 3 IP Addresses <- This is actually a separate server

So in this picture you will see P6000 and P6001. If yours has a second connection here and it does not have a RED X through it then it is in use and needs to have the Public IP Address setup on it.

Thanks,

TE

Offline SteAnnesIT

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #9 on: January 13, 2014, 01:33:49 PM »
Right, mine looks like that picture, other than the fact that there are two 5000s in our phone system, so I have to first select the local device; then I see the P6001, and the P6101 below it with a big red X through it.

Offline Tech Electronics

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #10 on: January 13, 2014, 02:01:21 PM »
SteAnnesIT,

Then you are on the right track with the phone system programming. As far as the ASA goes, you may need to eliminate it from the equation to verify that the phone system programming is correct. Then you know that the problem is in the ASA. Hopefully you have another Layer 3 device to do the routing.

Thanks,

TE

Offline Tech Electronics

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #11 on: January 14, 2014, 09:02:31 AM »
SteAnnesIT,

I know you said you set up a 1:1 NAT, but can you put up a copy of your Cisco ASA config so I can see if there is something wrong with it? That is if you don't have it working yet.

Thanks,

TE

Offline SteAnnesIT

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #12 on: January 14, 2014, 09:34:59 AM »
IPs have been changed but here it is:

Code:
ASA Version 9.1(2)
!
hostname SteAnnesASA
domain-name steannes.local
enable password ************** encrypted
passwd ************* encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 1,15,35
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.36.1 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.18 255.255.255.240
!
interface Vlan15
 nameif guestnet
 security-level 50
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan35
 nameif phonesys
 security-level 100
 ip address 192.168.35.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name steannes.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network guest_net
 subnet 0.0.0.0 0.0.0.0
object network phone_sys
 subnet 0.0.0.0 0.0.0.0
object network mailserver_in
 host 192.168.37.14
object network webserv1_in
 host 192.168.37.17
object network webserv2_in
 host 192.168.37.24
object network telework_in
 host 192.168.35.11
object network uca_in
 host 192.168.35.13
object network mailserver_out
 host 10.10.10.20
object network webserv1_out
 host 10.10.10.21
object network webserv2_out
 host 10.10.10.22
object network telework_out
 host 10.10.10.23
object network uca_out
 host 10.10.10.24
object network dns_primary
 host 192.168.37.16
object network dns_secondary
 host 192.168.37.11
access-list outside_in extended permit tcp any object mailserver_in eq smtp
access-list outside_in extended permit tcp any object mailserver_in eq 465
access-list outside_in extended permit tcp any object mailserver_in eq 993
access-list outside_in extended permit tcp any object webserv2_in eq www
access-list outside_in extended permit tcp any object webserv2_in eq https
access-list outside_in extended permit tcp any object webserv1_in eq www
access-list outside_in extended permit tcp any object webserv1_in eq https
access-list outside_in extended permit ip any object uca_in
access-list outside_in extended permit ip any object telework_in
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list guestnet_in extended permit udp 192.168.15.0 255.255.255.0 object dns_primary eq domain
access-list guestnet_in extended permit udp 192.168.15.0 255.255.255.0 object dns_secondary eq domain
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object mailserver_in eq smtp
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object mailserver_in eq 465
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object mailserver_in eq 993
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object webserv2_in eq www
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object webserv2_in eq https
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object webserv1_in eq www
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object webserv1_in eq https
access-list guestnet_in extended deny ip any 192.168.36.0 255.255.252.0
access-list guestnet_in extended deny ip any 192.168.35.0 255.255.255.0
access-list guestnet_in extended permit ip 192.168.15.0 255.255.255.0 any
access-list phonesys_in extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu guestnet 1500
mtu phonesys 1500
no failover
icmp unreachable rate-limit 10 burst-size 5
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network guest_net
 nat (guestnet,outside) dynamic interface
object network phone_sys
 nat (phonesys,outside) dynamic interface
object network mailserver_in
 nat (inside,outside) static mailserver_out
object network webserv2_in
 nat (inside,outside) static webserv2_out
object network webserv1_in
 nat (inside,outside) static webserv1_out
object network telework_in
 nat (phonesys,outside) static telework_out
object network uca_in
 nat (phonesys,outside) static uca_out
access-group outside_in in interface outside
access-group guestnet_in in interface guestnet
access-group phonesys_in in interface phonesys
route outside 0.0.0.0 0.0.0.0 10.10.10.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.36.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.36.0 255.255.252.0 inside
telnet timeout 60
ssh 192.168.36.0 255.255.252.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 192.168.37.16 192.168.37.11
dhcpd lease 43200
dhcpd domain steannes.guest
!
dhcpd address 192.168.15.50-192.168.15.250 guestnet
dhcpd enable guestnet
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.37.16 source inside prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect mgcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d2f615b5981c3848ed429facf7e29405
: end

(Yes, we have Unlimited Hosts and Security+ Licenses for this ASA)
« Last Edit: January 14, 2014, 09:39:38 AM by SteAnnesIT »

Offline Tech Electronics

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #13 on: January 14, 2014, 10:32:00 AM »
SteAnnesIT,

I am going to go out on a limb here and say that you used the GUI to program this, so I am not sure how to explain what I would normally see, but here goes.

First off I would make a static route between your Public IP Address and the Phone System. I see you have a Teleworker_In and Teleworker_Out, but I assume that is for actual workers and not the IP Endpoint.

The only NAT that I do see is this:
object network telework_in
 nat (phonesys,outside) static telework_out

Now, normally I only create an inside and an outside object, but it looks as though you wanted to segregate your network a little more than I normally do for mine, so take what I am showing you that works for me and find the path you need to take with your NAT setup.

Anyway this is how my static NAT would look.
static (inside,outside) {Public IP} {Phone System IP} netmask 255.255.255.255

Public IP: 97.90.122.70
Phone System IP: 192.168.101.1/24

This would be my actual static NAT.
static (inside,outside) 97.90.122.70 192.168.101.1 netmask 255.255.255.255

I am not sure how well you understand the different types of NAT in a Cisco ASA, but here is an address you can go to that should help you finish out your configuration.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

Thanks,

TE

Offline SteAnnesIT

Re: Teleworker 1:1NAT through Cisco ASA5505
« Reply #14 on: January 15, 2014, 09:15:55 AM »
No I learned and created the config all in CLI not the GUI interface.

You've linked to .../asa80/..., which is a much older CLI version than we're using.  After 8.3 there were a lot of syntax changes.

We're using ASA Version 9.1.2

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html#wp1106703
« Last Edit: January 15, 2014, 09:18:24 AM by SteAnnesIT »
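Two things in this thread invite a small tool: the port list Tech Electronics gave in Reply #4 (UDP 69, 20001, 6004-6261, 50098-50508; TCP 3998-3999, 6800-6802), which the posted config does not yet enforce (its `access-list outside_in extended permit ip any object telework_in` opens every port to the PBX), and the pre-8.3 `static (inside,outside) PUBLIC PRIVATE netmask 255.255.255.255` line from Reply #13, which SteAnnesIT points out does not exist in 9.1 syntax. The script below is an added example written for this thread; it is not code from any poster, nor from Mitel or Cisco. It generates ASA 9.x access-list entries for the teleworker ports (since 8.3 an ACL on the outside interface matches the real, un-NATed address, so the destination is the `telework_in` object exactly as in the posted config), audits a config for entries toward that object that are wider than the list, and rewrites a one-to-one `static` line into the 8.3+ object-NAT form. The object names `telework_in` and `outside_in` come from the posted config; `phone_sys_in` and `phone_sys_out` for the converted NAT, and the sample ACL text, are assumptions constructed here.

```python
"""Generate and audit Cisco ASA 9.x ACL entries for Mitel 5000 teleworker ports.

Added example for this thread (not from any poster, Mitel or Cisco).
Port list: Reply #4 by Tech Electronics. Object names telework_in / outside_in:
SteAnnesIT's posted config. phone_sys_in / phone_sys_out are assumed names.
"""
import re

# Ports Tech Electronics listed in Reply #4 for the teleworker phones.
TELEWORKER_PORTS = {
    "udp": [(69, 69), (20001, 20001), (6004, 6261), (50098, 50508)],
    "tcp": [(3998, 3999), (6800, 6802)],
}

# The ASA shows some well-known ports by name; only the one this list needs.
PORT_NAMES = {"tftp": 69}

# Constructed sample: the two wide-open lines from the posted config plus one web line.
SAMPLE_ACL = """\
access-list outside_in extended permit tcp any object webserv1_in eq https
access-list outside_in extended permit ip any object uca_in
access-list outside_in extended permit ip any object telework_in
"""

# ACE with an 'any' source and an object destination, optional eq/range operator.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+any\s+object\s+(\S+)"
    r"(?:\s+(eq|range)\s+(\S+)(?:\s+(\S+))?)?\s*$"
)

# Pre-8.3 one-to-one static NAT: static (real_ifc,mapped_ifc) MAPPED REAL netmask /32
STATIC_RE = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+255\.255\.255\.255\s*$"
)


def _port_clause(lo, hi):
    return f"eq {lo}" if lo == hi else f"range {lo} {hi}"


def acl_lines(acl="outside_in", obj="telework_in", ports=TELEWORKER_PORTS):
    """One ASA 9.x ACE per port range; destination is the real (inside) object."""
    return [
        f"access-list {acl} extended permit {proto} any object {obj} {_port_clause(lo, hi)}"
        for proto in ("udp", "tcp")
        for lo, hi in ports[proto]
    ]


def _resolve(port):
    """Numeric port or a known ASA port name; None if it cannot be resolved."""
    if port.isdigit():
        return int(port)
    return PORT_NAMES.get(port)


def audit(config_text, obj="telework_in", ports=TELEWORKER_PORTS):
    """Return (line, reason) for every ACE toward `obj` wider than the teleworker list."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if not m or m.group(3) != obj:
            continue  # not an ACE toward the PBX object
        proto, kind, p1, p2 = m.group(2), m.group(4), m.group(5), m.group(6)
        if proto == "ip" or kind is None:
            findings.append((line, "no port restriction (all ports open)"))
            continue
        if proto not in ports:
            findings.append((line, f"protocol {proto} not in teleworker list"))
            continue
        lo = _resolve(p1)
        hi = _resolve(p2) if p2 else lo
        if lo is None or hi is None:
            findings.append((line, "unrecognised port name"))
            continue
        if not any(a <= lo and hi <= b for a, b in ports[proto]):
            findings.append((line, f"{proto} {lo}-{hi} is outside the teleworker port list"))
    return findings


def convert_static_nat(old_line, obj_name="phone_sys_in", mapped_name="phone_sys_out"):
    """Rewrite a pre-8.3 one-to-one `static` line as 8.3+ object NAT (assumed object names)."""
    m = STATIC_RE.match(old_line.strip())
    if not m:
        raise ValueError("not a one-to-one static NAT line")
    real_ifc, mapped_ifc, public_ip, private_ip = m.groups()
    return [
        f"object network {obj_name}",
        f" host {private_ip}",
        f"object network {mapped_name}",
        f" host {public_ip}",
        f"object network {obj_name}",
        f" nat ({real_ifc},{mapped_ifc}) static {mapped_name}",
    ]


if __name__ == "__main__":
    print("\n".join(acl_lines()))
    for line, reason in audit(SAMPLE_ACL):
        print(f"WIDE OPEN: {line}  <- {reason}")
    print("\n".join(convert_static_nat(
        "static (inside,outside) 97.90.122.70 192.168.101.1 netmask 255.255.255.255")))
```

Replace the single `permit ip any object telework_in` line with the six generated entries and re-run `audit` on the saved config until it returns nothing; `permit ip` entries toward `uca_in` are deliberately outside this audit's scope, since the thread gives no port list for that host.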