RTP/SIP and NAT is a pain…they never thought about NAT when SIP was designed.
The problem is that the private IP address will be visible in the SDP (Session Description Protocol) of SIP, and the device on the other end won’t be able to send RTP packets to your end.
On your ASA, you can try to play with the inspect sip command. This inspects the SIP header and makes required changes…sometimes it works, other times you have to disable SIP inspection and use some access-list to accept the return traffic.
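The two options described above, written out as an added ASA configuration example (not from the original post). The interface names, the PBX addresses (real 10.1.1.20, mapped 192.0.2.20) and the RTP port range 10000-20000 are assumptions chosen for illustration; the ACL uses the real address because that is what ASA 8.3 and later expect.

```cisco
! --- Option A (default): leave SIP inspection on ---------------------------
! The ASA parses SIP, rewrites the private address embedded in the SDP
! (c= and m= lines) to the mapped address, and opens pinholes for the
! negotiated RTP ports. "inspect sip" is part of the default global policy.
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global
!
! --- Option B: turn SIP inspection off and permit the media explicitly -----
policy-map global_policy
 class inspection_default
  no inspect sip
!
! Static NAT for the PBX (addresses assumed for this example).
object network PBX
 host 10.1.1.20
 nat (inside,outside) static 192.0.2.20
!
! With inspection off the ASA no longer opens RTP pinholes, so inbound
! signalling and media must be permitted by an access list. The RTP range
! is assumed; use whatever the PBX is configured to advertise.
access-list OUTSIDE_IN extended permit udp any host 10.1.1.20 eq 5060
access-list OUTSIDE_IN extended permit udp any host 10.1.1.20 range 10000 20000
access-group OUTSIDE_IN in interface outside
```

Option B only works if the PBX itself puts the mapped address 192.0.2.20 in the SDP it sends (most PBXs have a setting for the external address); with inspection off, nothing on the ASA rewrites the SDP, so a private address in the c= line will still leave the far end unable to send RTP back.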
For static NAT, does it matter if the direction of the nat is from low to high or high to low?
What I mean is say for example:
nat (inside,outside) static – 100 to 0
nat (outside,inside) static – 0 to 100
Because to me static NAT is bi-directional, it shouldn’t matter which direction traffic is initiated. Do you agree, or should SNAT be from high to low in the config?
Normally it should work, as Rene has previously explained, because the direction doesn’t matter for the ASA; the only thing that matters is what to translate. If you want the request to be sourced only from the inside, you can add “unidirectional” at the end of the nat (inside,outside) static command so the destination addresses cannot initiate traffic to the source addresses.
Hope this can help.
shantel
(Shantel - Networklessons.com)
Make sure that all of the commands you have entered are as described in the lesson. Keep in mind also that you will require the use of an access list to allow the traffic to go through, otherwise it will be dropped. Specifically, for ASA versions before 8.3, you will need to issue the following command:
ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1
For version 8.3 and later, you will have to substitute the “real” IP address for the “NAT translated” address. So the command would look like this:
ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.2.200
Depending on the version you have, you should put in the appropriate command.
We are translating 192.168.2.200 to 192.168.1.1 to reach the same… normally, as explained, the translated address is equal to the web server IP… I am confused.
This is not bi-directional NAT since we only translate one address here. If you use static NAT then you have a 1:1 relation, you can’t use the IP address for any other devices. If that’s what you want, you need to use PAT instead.
As to why we translate like this. Imagine the outside IP address is not 192.168.2.254 but some public IP address. If you want the web server to be reachable from the outside world, you’ll have to use NAT since the web server is using a private IP address.
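The static NAT discussed in this thread, written out as an added ASA configuration example (not taken from the lesson or from any post here). It follows the address roles stated above: real web server 192.168.2.200 in the DMZ, mapped to 192.168.1.1 as seen from the outside. The interface names DMZ and OUTSIDE, the object names and the test source address 203.0.113.5 are assumptions. It also shows the pre-8.3 equivalent and the unidirectional variant from the earlier answer, which uses the manual (twice) NAT form.

```cisco
! ASA 8.3 and later: object NAT. Real host in the DMZ, mapped address on the outside.
object network WEB_SERVER
 host 192.168.2.200
 nat (DMZ,OUTSIDE) static 192.168.1.1
!
! This is one 1:1 translation and it works in both directions: outside hosts
! connect to 192.168.1.1 and are translated to 192.168.2.200, and the web
! server appears as 192.168.1.1 when it initiates traffic outbound. The
! interface order in (real,mapped) only says which side holds the real address.
!
! 8.3+ access lists are written against the REAL address:
access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.2.200 eq 80
access-group OUTSIDE_TO_DMZ in interface OUTSIDE
!
! Pre-8.3 equivalent (interface-style static, ACL against the MAPPED address):
!  static (DMZ,OUTSIDE) 192.168.1.1 192.168.2.200 netmask 255.255.255.255
!  access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1 eq 80
!
! Variant: allow only the DMZ host to initiate. "unidirectional" belongs to
! the manual (twice) NAT form, so the mapped address needs its own object.
! Use this INSTEAD of the object NAT line above, not in addition to it.
!  object network WEB_SERVER_MAPPED
!   host 192.168.1.1
!  nat (DMZ,OUTSIDE) source static WEB_SERVER WEB_SERVER_MAPPED unidirectional
!
! Check: simulate an outside client hitting the mapped address and confirm the
! NAT phase shows 192.168.1.1 -> 192.168.2.200 and the ACL phase allows it.
!  packet-tracer input OUTSIDE tcp 203.0.113.5 12345 192.168.1.1 80
!  show nat detail
```

If packet-tracer drops the packet in the ACCESS-LIST phase on an 8.3+ ASA, the usual cause is an ACL written against the mapped address the way the pre-8.3 syntax required; with the unidirectional variant in place, the same packet-tracer run is expected to fail, which is the intended behaviour.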