Anticisco https://www.anticisco.ru/forum/ |
Cisco 5505 ASA 8.4(4)1. NAT. Port range for SIP server. https://www.anticisco.ru/forum/viewtopic.php?f=2&t=4792 |
Page 1 of 1 |
Author: | IgorKH2013 [ 08 Feb 2013, 17:06 ] |
Post subject: | Cisco 5505 ASA 8.4(4)1. NAT. Port range for SIP server. |
ASA Version 8.4(4)1
!
hostname ciscoasa
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 100
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 103
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp
!
interface Vlan103
 nameif inside
 security-level 100
 ip address 192.xx.xx.xx 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server xx.xx.xx.250
 name-server xx.xx.xx.250
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
object network obj_sip
 host 192.xx.xx.200
!
object service objg_sip_tcp2_4050
 service tcp source eq 4050
object service objg_sip_tcp2_4054
 service tcp source eq 4054
!
object service objg_sip_udp2_4003
 service udp source range 4003 4005
object service objg_sip_udp2_5060
 service udp source eq sip
object service objg_sip_udp2_9000
 service udp source range 9000 19000
!
object-group service objg_sip_tcp tcp
 port-object eq 4050
 port-object eq 4054
!
object-group service objg_sip_udp udp
 port-object range 4003 4005
 port-object eq sip
 port-object range 9000 19000
!
access-list i-to-o extended permit tcp 192.xx.xx.0 255.255.255.0 any
access-list i-to-o extended permit icmp 192.xx.xx.0 255.255.255.0 any
access-list i-to-o extended permit udp 192.xx.xx.0 255.255.255.0 any
!
access-list o-to-i extended permit tcp any object obj_sip object-group objg_sip_tcp
access-list o-to-i extended permit udp any object obj_sip object-group objg_sip_udp
!
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) source static obj_sip interface service objg_sip_tcp2_4050 objg_sip_tcp2_4050
nat (inside,outside) source static obj_sip interface service objg_sip_tcp2_4054 objg_sip_tcp2_4054
nat (inside,outside) source static obj_sip interface service objg_sip_udp2_4003 objg_sip_udp2_4003
!
object network obj_any
 nat (inside,outside) dynamic interface
!
access-group o-to-i in interface outside
access-group i-to-o in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
!
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.xx.xx.xx 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username igor password xxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ec0d658a23cfaa327a78ca2847a57c07
: end

Error: "NAT unable to reserve ports" for these lines:

nat (inside,outside) source static obj_sip interface service objg_sip_udp2_5060 objg_sip_udp2_5060

and

nat (inside,outside) source static obj_sip interface service objg_sip_udp2_9000 objg_sip_udp2_900

But why? The ports are free!!! |
Author: | crash [ 08 Feb 2013, 17:11 ] |
Post subject: | Re: Cisco 5505 ASA 8.4(4)1. NAT. Port range for SIP server. |
Actually, in version 8.4 NAT is configured differently. And why haven't you enabled inspect sip? |
Author: | IgorKH2013 [ 08 Feb 2013, 17:23 ] |
Post subject: | Re: Cisco 5505 ASA 8.4(4)1. NAT. Port range for SIP server. |
On the contrary, I removed inspect sip, I thought it was reserving the ports! But with it the problem is the same! |
Time zone: UTC + 3 hours |