
NAT Trans/ Firewall Settings for VOIP ATA186/ 877W combo

admin_2
Level 3
Good Day Gentlemen,

Firstly....please accept my apologies for the double posting in your forum...there seem to be constant problems with this server.

I have just purchased an ATA186 (analogue VOIP adapter) and an 877W integrated ADSL/router.

I have successfully configured both devices using SDM with the exception of the 877W NAT translation/ Firewall in respect of VOIP packet transmission. I am new to both these devices and have spent a good couple of days with the Cisco configuration manual, but with no success, as something always seems to go wrong in the config process, usually wreaking havoc with the primary WAN interface connection itself. I always copy the running config off somewhere safe before attempting the latest NAT/ Firewall config attempt.

Is there anyone out there with experience of VOIP over a similar setup who can answer the following questions:

1. Just what do I need to 'open' on the NAT or Firewall (the actual port numbers are no problem) it's the stepped procedure I need to know.

2. Does anyone have or can anyone produce a 'monkey see monkey do' config script that I could tailor/ import into my existing config. LAN is 192.168.3.0/24 Gateway 192.168.3.1, ATA 192.168.3.7 Ports (SIP) 5060 Outbound Proxy (5065). I would be prepared to pay for the time spent in creating such a facility, and then study it afterwards. Just need to get my VOIP up and running.

Running Config is 50% listed below....and continues in the next post due to attachment upload problems with this server...

Building configuration...

Current configuration : 7728 bytes

!

! Last configuration change at 20:41:19 PCTime Fri Mar 16 2007 by jdep

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname CISCO877W

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 debugging

logging console critical

enable secret xxx

!

no aaa new-model

!

resource policy

!

clock timezone PCTime 0

ip subnet-zero

no ip source-route

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.3.1 192.168.3.10

!

ip dhcp pool sdm-pool1

import all

network 192.168.3.0 255.255.255.0

default-router 192.168.3.1

dns-server 194.x.x.114 62.6.40.162

!

ip dhcp pool NETGEAR65362A

host 192.168.3.2 255.255.255.0

hardware-address 0018.4d65.362a

client-name NETGEAR65362A

!

ip dhcp pool NETGEAR65358E

host 192.168.3.3 255.255.255.0

hardware-address 0018.4d65.358e

client-name NETGEAR65358E

!

ip dhcp pool FAT-MAN

host 192.168.3.4 255.255.255.0

hardware-address 000d.56c7.75db

client-name FAT-MAN

!

ip dhcp pool JDEP-PHTW5CYNHC

host 192.168.3.5 255.255.255.0

hardware-address 000f.1fe5.10ec

client-name JDEP-PHTW5CYNHC

!

ip dhcp pool ATA186I2-A

host 192.168.3.7 255.255.255.0

hardware-address 001a.6dca.a698

client-name ATA186I2-A

!

ip dhcp pool JDEP-24105145

host 192.168.3.10 255.255.255.0

hardware-address 0012.793f.61ac

client-name JDEP-24105145

!

!

Thank you all in advance

4 Replies

Not applicable

ip inspect name DEFAULT100 cuseeme

ip inspect name DEFAULT100 ftp

ip inspect name DEFAULT100 h323

ip inspect name DEFAULT100 icmp

ip inspect name DEFAULT100 netshow

ip inspect name DEFAULT100 rcmd

ip inspect name DEFAULT100 realaudio

ip inspect name DEFAULT100 rtsp

ip inspect name DEFAULT100 esmtp

ip inspect name DEFAULT100 sqlnet

ip inspect name DEFAULT100 streamworks

ip inspect name DEFAULT100 tftp

ip inspect name DEFAULT100 tcp

ip inspect name DEFAULT100 udp

ip inspect name DEFAULT100 vdolive

ip tcp synwait-time 10

no ip bootp server

ip domain name de-pulford.com

ip name-server 194.72.0.114

ip name-server 62.6.40.162

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

crypto pki trustpoint TP-self-signed-3702453916

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3702453916

revocation-check none

rsakeypair TP-self-signed-3702453916

!

!

crypto pki certificate chain TP-self-signed-3702453916

certificate self-signed 01


quit

username JdeP privilege 15 secret 5 $1$TGpn$RSSTMg3P2rrPZSmBtET0Z1

!

!

!

bridge irb

!

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description $ES_WAN$$FW_OUTSIDE$

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Dot11Radio0

no ip address

!

encryption key 1 size 128bit 7 3C6A3709FD19C30AE82824731307 transmit-key

encryption mode wep mandatory

!

ssid WIRELESS_LAN

authentication open

guest-mode

infrastructure-ssid optional

wpa-psk ascii 7 106C050A5F42450F4736202C7E71

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$

no ip address

ip tcp adjust-mss 1452

bridge-group 1

!

Not applicable

interface Dialer0

description $FW_OUTSIDE$

ip address 217.36.210.59 255.255.0.0

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip inspect DEFAULT100 out

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname A639590@hg40.btclick.com

ppp chap password 7 020C005E1B545B701C1B

ppp pap sent-username A639590@hg40.btclick.com password 7 020C005E1B545B701C1B

!

interface BVI1

description $ES_LAN$$FW_INSIDE$

ip address 192.168.3.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1412

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface Dialer0 overload

!

logging trap debugging

access-list 1 remark INSIDE_IF=BVI1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.3.0 0.0.0.255

access-list 100 remark auto generated by Cisco SDM Express firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny ip 217.36.0.0 0.0.255.255 any

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit udp host 62.6.40.162 eq domain host 217.36.210.59

access-list 101 permit udp host 194.72.0.114 eq domain host 217.36.210.59

access-list 101 deny ip 192.168.3.0 0.0.0.255 any

access-list 101 permit icmp any host 217.36.210.59 echo-reply

access-list 101 permit icmp any host 217.36.210.59 time-exceeded

access-list 101 permit icmp any host 217.36.210.59 unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 deny ip any any

dialer-list 1 protocol ip permit

no cdp run

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

banner login ^CCAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end
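
The following is an added example, not part of the original posts: a small Python evaluator that applies first-match ACL semantics to the posted access-list 101 (bound inbound on Dialer0) for UDP/TCP packets. The peer address 198.51.100.10 and the port numbers used when calling it are constructed sample values, and CBAC session state from "ip inspect DEFAULT100 out" is not modelled.

```python
import ipaddress

# access-list 101 from the posted config (remarks omitted).
ACL_101 = """\
permit udp host 62.6.40.162 eq domain host 217.36.210.59
permit udp host 194.72.0.114 eq domain host 217.36.210.59
deny ip 192.168.3.0 0.0.0.255 any
permit icmp any host 217.36.210.59 echo-reply
permit icmp any host 217.36.210.59 time-exceeded
permit icmp any host 217.36.210.59 unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any"""

def ip2int(a):
    return int(ipaddress.IPv4Address(a))

def take_addr(t):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (value, care_mask)."""
    kind = t.pop(0)
    if kind == "any":
        return 0, 0
    if kind == "host":
        return ip2int(t.pop(0)), 0xFFFFFFFF
    return ip2int(kind), ~ip2int(t.pop(0)) & 0xFFFFFFFF

def take_port(t):
    """Consume an optional 'eq PORT'; 'domain' is the only named port used."""
    if t[:1] != ["eq"]:
        return None
    port = t[1]
    del t[:2]
    return 53 if port == "domain" else int(port)

def parse(line):
    t = line.split()  # trailing ICMP type keywords are left unparsed
    return line, t.pop(0), t.pop(0), take_addr(t), take_port(t), take_addr(t), take_port(t)

def first_match(proto, src, sport, dst, dport, acl=ACL_101):
    """First-match verdict for a UDP/TCP packet inbound on Dialer0 (no CBAC state)."""
    s, d = ip2int(src), ip2int(dst)
    for line, action, p, (sv, sm), sp, (dv, dm), dp in map(parse, acl.splitlines()):
        if (p in ("ip", proto) and not (s ^ sv) & sm and not (d ^ dv) & dm
                and sp in (None, sport) and dp in (None, dport)):
            return action, line
    return "deny", "(implicit deny)"
```

For example, first_match("udp", "198.51.100.10", 5065, "217.36.210.59", 5060) returns the final "deny ip any any" entry, so in this config unsolicited inbound SIP or RTP is dropped and such traffic gets in only through return-path openings created by the outbound inspection rule.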
