kdcasey

join:2009-04-24
Novato, CA

[Equipment] Vonage RTP (Voice) Traffic port forwarding on ASA 55

I signed up for Vonage thinking I will install the V-Portal adapter behind my Cisco ASA 5505. I subsequently discovered Vonage requires inbound access to the V-Portal on UDP ports 10000-20000. Because I have Comcast consumer high-speed internet I only get the one dynamic IP with which to NAT the inbound traffic. This wouldn't be a problem if I only need to forward a few ports but I need to forward 10,000 of them. As far as I can tell this is going to require 10,000 NAT rules to be added to the configuration. I don't even know if the ASA can handle that many instructions. Group Objects can only be used in access lists so I am at a loss as to how to do this. Right now I have a single 1:1 static NAT defined between the V-Portal on the dmz and the outside interface with no ports mapped (all inbound traffic is forwarded). In this configuration I can host no other services. Does anybody know of a workaround? Is there any way to forward a range of ports instead?


snolsen

join:2004-01-10
Hanford, CA
Re: [Equipment] Vonage RTP (Voice) Traffic port forwarding on AS

Did you Google? I found quite a few hits.

garys_2k

join:2004-05-07
Farmington, MI
·Future Nine Corpor..
·Vonage


reply to kdcasey
Did you try it without any port forwarding? If your router is working properly and you're not behind a symmetric NAT, there should be no need to forward any ports.

If it won't work without port forwarding, try just forwarding the SIP ports (5060 - 5080). If that still doesn't work, additionally forward 10,000 - 10,010.

kdcasey

join:2009-04-24
Novato, CA

reply to kdcasey
I have not taken delivery of the V-Portal as of this writing. I am configuring my firewall based on the Vonage published instructions titled Advanced Installation with Port Forwarding. According to this document "If your Vonage adapter is located behind a routing device that has firewall capabilities, and you do not wish to reconfigure your network, then that routing device must be configured for port forwarding for Vonage service to operate". The instructions require the V-Portal to be configured with a fixed IP address, list the outbound ports that must be permitted (I don't block any outbound ports), then state "The following ports are needed for INCOMING and OUTGOING Internet communications from and to Vonage devices and servers. RTP (Voice) Traffic: Ports 10000-20000 UDP". The requirement is pretty explicit. I can't imagine why Vonage would publish such a document if it weren't necessary. Am I missing something?

garys_2k

join:2004-05-07
Farmington, MI
·Future Nine Corpor..
·Vonage

I very much doubt you'll have to forward any ports for Vonage to work. It deals well with NAT in most cases without any special accommodations. Just give it a try before worrying about it, odds are excellent it will work just fine. If you do have to forward some ports, that whole 10,000 port range for RTP traffic is NOT needed. I'd Wireshark'd a lot of Vonage calls and never saw it go past port 10,002.


snolsen

join:2004-01-10
Hanford, CA
reply to kdcasey
I have my adapter behind a Buffalo running DD-WRT. I didn't do anything to my router, except giving the adapter a static IP.

priller

join:2000-10-20
Gainesville, VA
·voip.ms
·Callcentric
·Vonage
·callwithus

reply to kdcasey
said by kdcasey:

"I signed up for Vonage thinking I will install the V-Portal adapter behind my Cisco ASA 5505. I subsequently discovered Vonage requires inbound access to the V-Portal on UDP ports 10000-20000."

I have an ASA 5505 and have used it with Vonage and numerous other VoIP providers. DO NOT configure port forwarding. The ASA does SIP Inspection perfectly and will permit any required SIP/RTP flows.


FLengineer
Premium
join:2007-06-26
Leesburg, FL
reply to kdcasey
This is in the Cisco forum FAQ...

»Cisco Forum FAQ »How do I NAT a TCP port range without entering a seperate NAT for each port?

kdcasey

join:2009-04-24
Novato, CA

reply to kdcasey
These have been great responses. I will remove the port forwarding rules and test the service as is. I can imagine that the forwarding rules might be required by less sophisticated firewalls whereas the ASA 5505 is intelligent enough to allow the return traffic required by the application. And if not then perhaps forwarding just the first 10 or so ports would suffice. Thank you everyone who contributed here.

kdcasey

join:2009-04-24
Novato, CA

reply to kdcasey
Final update (for anyone who faces this issue): my phone number ported to Vonage on June 18th, so I have been using the service for four days now with very few problems, and none that I would attribute to the firewall configuration. To review, I have configured the V-Portal with a static private IP address on a DMZ interface behind a Cisco ASA 5505. No port forwarding is operating on the firewall, so Vonage instructions requiring forwarding of UDP ports 10000-20000 can be safely ignored, at least as far as the ASA 5505 is concerned.

garys_2k

join:2004-05-07
Farmington, MI
·Future Nine Corpor..
·Vonage

Yeah, I'd say most people can ignore the port forwarding issue entirely. All traffic is initiated from the ATA out to the SIP and RTP servers, so any decent router should be able to maintain the connections without forwarding.

Glad it's working out for you.
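
The outcome of this thread as an ASA configuration sketch, added here as an example and not posted by any participant: the 1:1 static NAT from the first post beside the setup the thread settled on (outbound PAT plus SIP inspection, no inbound forwarding). It assumes pre-8.3 ASA NAT syntax, interface names `dmz` and `outside`, and a constructed adapter address of 192.168.2.10.

```cisco
! Constructed values: V-Portal at 192.168.2.10 on the "dmz" interface.
! Syntax assumes ASA software earlier than 8.3.

! --- Before: the 1:1 static NAT described in the first post ---
! The whole outside interface address is mapped to the adapter, so no
! other service can be published on that address.
static (dmz,outside) interface 192.168.2.10 netmask 255.255.255.255

! --- After: no inbound translation for the adapter ---
no static (dmz,outside) interface 192.168.2.10 netmask 255.255.255.255
clear xlate

! Outbound-only dynamic PAT for the dmz; the adapter initiates its flows.
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! SIP inspection reads the media ports negotiated in the signalling and
! opens matching RTP pinholes for the duration of the call, instead of a
! standing inbound rule for UDP 10000-20000.
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global

! Checks: the adapter should appear only as a dynamic translation, and the
! SIP inspection counters should increase while a call is up.
show xlate
show service-policy inspect sip
```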
over 10 years online! © 1999-2009 dslreports.com.