05-31-2012 06:52 AM - edited 03-11-2019 04:13 PM
Hello,
We have a Session border controller for VOIP calls in our network which sits behind ASA firewall on a DMZ. We also have a global pool for this DMZ. What I have observed is that the SBC IP address which is on the DMZ, gets natted to one of the IPs in the global pool for its own DMZ.
Below is the relevant IP information and NAT configuration:
DMZ4
SBC IP: 10.103.11.51
NAT on ASA:
global (dmz4) 1 10.103.11.16-10.103.11.19 netmask 255.255.255.252
10.103.11.51 gets natted to 10.103.11.17 and for some reason the SBC sends the SIP packets to 10.103.11.17, instead of sending it to a destination IP address which resides on the inside interface of the ASA. I am not able to understand why SBC gets natted to global nat pool of its own DMZ, and how does it know about 10.103.11.17 IP?
Any help is appreciated.
Thank you.
05-31-2012 07:21 AM
"instead of sending it to a destination IP address which resides on the inside interface of the ASA."
In order to send traffic in between inside and dmz4, you must create static-nat as shown below.
static (inside,dmz4) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
-----------------------------------------------------------------------------------
"global (dmz4) 1 10.103.11.16-10.103.11.19 netmask 255.255.255.252"
the above is dynamic-nat.
Hope this has been any help.
thanks
Rizwan Rafeek
05-31-2012 08:48 AM
Hello Rizwan,
I do have a nat for inside host to DMZ4. What I don't understand is why 10.103.11.51 is getting natted to 10.103.11.17? Shouldn't that pool be the NAT for traffic coming to DMZ4?
static (inside,dmz4) 10.103.1.88 10.103.1.88 netmask 255.255.255.255
Thank you.
05-31-2012 09:43 AM
"Shouldn't that pool be the NAT for traffic coming to DMZ4?"
It is natting based on the ip range you have defined on the global-pool "10.103.11.16 - 10.103.11.19"
"why 10.103.11.51 is getting natted to 10.103.11.17?" that is because of your global pool on the dmz4 interface as shown below.
global (dmz4) 1 10.103.11.16-10.103.11.19
"Shouldn't that pool be the NAT for traffic coming to DMZ4?",
it is natting to one of the IP available from the range you provided when traffic coming in to dmz4.
So, it is natting, what you have set to nat.
Thanks
Rizwan Rafeek
05-31-2012 10:08 AM
I still don't understand.
What I understand is that any traffic which is going into DMZ4 must be natted to one of the DMZ4 Global pool IPs to communicate with the hosts on DMZ4. But it seems like it's happening the other way round. An IP address which is already on DMZ4 and trying to communicate with inside (or any other interface) is getting natted to an IP from this pool.
05-31-2012 11:07 AM
"going into DMZ4" It is not going into but rather natted to, as a result you will see the below, your confusion.
"why 10.103.11.51 is getting natted to 10.103.11.17? "
going into and natted to, are two different things.
I hope that helps.
thanks
Rizwan Rafeek
Please rate helpful post.
05-31-2012 12:05 PM
So do you mean the NAT is for DMZ4 IPs communicating with any other IP outside DMZ4 and also for any IP which is trying to communicate with DMZ4 hosts??
05-31-2012 12:47 PM
"So do you mean the NAT is for DMZ4 IPs communicating with any other IP outside DMZ4"
no but rather inside or outside host trying to reach the DMZ4 hosts, will be dynamic-nat to 10.103.11.16-10.103.11.19.
"also for any IP which is trying to communicate with DMZ4 hosts??"
will be dynamic-natted to the range 10.103.11.16-10.103.11.19..
You have not posted your nat but only the global config part alone I see.
Hope that answers your question.
Thanks
Rizwan Rafeek
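Added example, not part of the thread and not Cisco code: a simplified Python model of how pre-8.3 ASA syntax pairs a `nat` statement on the source interface with a `global` pool on the egress interface by NAT ID, with static NAT checked first. The `global` and `static` lines are the ones quoted in the thread; the `nat (inside) 1` line and the test addresses are assumptions, since the poster's `nat` statement was never shown, and NAT exemption, policy NAT and PAT are not modelled.

```python
import ipaddress
import re

# Constructed config: the global and static lines are quoted from the thread;
# the nat line is an ASSUMPTION (the poster never showed it).
CONFIG = """\
nat (inside) 1 10.0.0.0 255.0.0.0
global (dmz4) 1 10.103.11.16-10.103.11.19 netmask 255.255.255.252
static (inside,dmz4) 10.103.1.88 10.103.1.88 netmask 255.255.255.255
"""

def parse(config):
    """Return (nat rules, global pools, static rules) from pre-8.3 style lines."""
    nats, pools, statics = [], [], []
    for line in config.splitlines():
        if m := re.match(r"nat \((\w+)\) (\d+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}")
            nats.append((m[1], int(m[2]), net))
        elif m := re.match(r"global \((\w+)\) (\d+) (\S+)-(\S+)", line):
            pools.append((m[1], int(m[2]), m[3], m[4]))
        elif m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", line):
            # Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
            real_net = ipaddress.ip_network(f"{m[4]}/{m[5]}")
            statics.append((m[1], m[2], m[3], real_net))
    return nats, pools, statics

def translate(config, src_ifc, src_ip, dst_ifc):
    """Describe the source translation for a new connection src_ifc -> dst_ifc."""
    nats, pools, statics = parse(config)
    ip = ipaddress.ip_address(src_ip)
    # Static NAT is evaluated before regular dynamic NAT.
    for real_ifc, mapped_ifc, mapped_ip, real_net in statics:
        if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and ip in real_net:
            return f"static {mapped_ip}"
    # Dynamic NAT: a nat rule on the SOURCE interface is paired, by NAT ID,
    # with a global pool on the EGRESS interface.
    for n_ifc, nat_id, net in nats:
        if n_ifc == src_ifc and ip in net:
            for g_ifc, g_id, first, last in pools:
                if g_ifc == dst_ifc and g_id == nat_id:
                    return f"dynamic {first}-{last}"
    return "no dynamic rule matches"
```

On the firewall itself, `show xlate` lists the translations that were actually built, which can be compared against what a model like this predicts.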