SIP trunk and NAT

ercanelibol · ‎03-27-2007

Hi all,

I have a cisco 2811 router with a NAT configuration and Call Manager 4.1.3. I have setup the SIP trunk to an outside company. When I call an outside number using this SIP trunk it rings the phone but after that there is just silence. No one can hear a thing. Here is my router's config. I appreciate any help.

ip inspect name SIP_INSPECT sip

ip inspect name SIP_INSPECT udp router-traffic

ip inspect name SIP_INSPECT sip-tls

ip inspect name SIP_INSPECT rtsp

!

voice-card 0

no dspfarm

!

voice call send-alert

voice rtp send-recv

!

interface FastEthernet0/0

description NAT_TRANSLATION_TO_SIP_TRUNK

ip address 10.18.21.11 255.255.255.0

ip nat inside

ip inspect SIP_INSPECT in

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description DEAD_INTERFACE

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/2/0

description USLEC_SIP_TRUNK

ip address 10.64.122.62 255.255.255.252

ip nat outside

ip inspect SIP_INSPECT out

ip virtual-reassembly

encapsulation ppp

!

ip route 10.18.10.0 255.255.255.0 10.168.21.128

ip route 10.18.11.0 255.255.255.0 10.168.21.128

ip route 27.x.x.196 255.255.255.255 Serial0/2/0

ip route 27.x.x.33 255.255.255.255 Serial0/2/0

ip route 10.64.122.61 255.255.255.255 Serial0/2/0

!

ip nat pool pool1 13.43.117.209 13.43.117.209 prefix-length 30

ip nat inside source route-map NAT_SIP pool pool1 overload

!

access-list 10 permit 10.168.10.1

access-list 10 permit 10.168.10.2

!

route-map NAT_SIP permit 10

match ip address 10

set interface Serial0/2/0

jgolia · ‎03-28-2007

Hello,

May be an IP routing issue to your nat pool (13.43.117.209/30). Check out this link, which details NAT support for SIP

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087d43.html

Since you are on a 2811 I am quite sure that you are running an IOS supporting this, as it was implemented in 12.2T. Just the same, turn on the debug

debug ip nat sip

as listed in the doc and test your call again.

You should see the embedded addresses being translated. then a Show IP Nat Trans. All this is to verify your NAT.

Then let's verify the IP routing issue that I suspect may be you problem. Go to the gateway that the call exits on. Issue

Show Ip Route 13.43.117.209

If you see "network not in table" then this gateway will send those packets to his Default Gateway, so then issue Show Ip Route 0.0.0.0

You will then need to go to that gateway and issue the same show commands. If you receive Network Not In Table and there is no default the packets are dropped.

The call setup occurs correctly between CM & 2811. But payload data is obviously not flowing.

Please rate helpful posts.

Thanks,

Jeff

ercanelibol · ‎03-28-2007

Hello Jeff,

thank you very much for your response. I checked out the link you posted in your response and did all those debugging, but it still is same.

I do not understand something: "13.43.117.209" is used just to do NAT, when the packets are routed inside network, they will have their new private destination IP, right?So why should I have a routing for 13.43.117.209?

And if I add a route for "13.43.117.209" it would point to the outside NAT interface anyway since I do not have this IP in my network.

thank you

Ercan

kelvin.blair · ‎03-29-2007

It sounds like you're having a firewall issue. Make sure you don't have an issue with RTP. It sounds like the signalling is working but not voice. Voice=RTP

jgolia · ‎03-29-2007

Ercan,

Wanted to run earlier debug to ensure that SIP NAT was working correctly. *IF* you do not have active sip calls flowing through system, capture debug ccsip all and attach to your next post as an attachment. Turn on the debug and attempt a call.

If you do have active sip calls flowing through system you should wait until off-hours to do isolated test with debug.

Thanks,

Jeff

ercanelibol · ‎03-30-2007

I was not able to capture any packets using "debug ccsip all". for some reason it did not debug anything. but I will post debugs from command "debug ip nat sip" if it is helpful. thanks for your help.

jgolia · ‎03-30-2007

Ercan,

As I wrote above, your SIP Call Control traffic is flowing as expected but your RTP is not. How will your router examine the SIP conversations being negotiated including the RTP? The RTP endpoints will also need to NAT Accordingly. Don't see this happening in your debug. Although it would not be shown in that debug anyway.

You also have this router acting as a firewall (CBAC). Therefore take that into consideration also. The firewall will need to allow the incoming SIP Signalling (already OK), and the incoming RTP (N-OK), then NAT & Route accordingly.

Here's a suggestion. In testing disable the firewall by removing the IP Inspect commands. That can stop this from working, so best to keep it off while trying to configure the solution.

Related to that, another idea is to offload the firewall function alltogether. A pix may have features such as fixup to better accomodate your needs. Any security IE reading this add comments...

Now back to making your current solution work. On further research this is a IP-to-IP Gateway feature available in 12.4(9)T. The feature is called SIP Session Border control. Your 2811 will actually terminate the originating call from CCM. It will then originate another towards your SIP Service Provider, with the correct public IP. Your router now has complete end-to-end knowledge of the voip conversations occuring, and uses the correct IP for each portion on top of that. The first link below is a white paper on the feature. The second discusses actual config. I'd need further info on your setup to determine where this fits in. Although after reading both docs you should be able to head in the right direction. Note that the config also discusses VRF which you are not using, so you can omit that part.

Service Provider PAT Port Allocation Enhancement for RTP and RTC

http://www.cisco.com/en/US/products/ps6640/products_white_paper0900aecd80597bc7.shtml

Discusses NATing RTP Traffic using a Sip Session Border COntrol

Configuring Cisco IOS Hosted NAT Traversal for Session Border Controller

http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a008071c4ba.html

Please rate helpful posts.

Jeff

ercanelibol · ‎04-07-2007

Jeff,

thanks so much for your help. So far I have upgraded to new IOS 12.4(11)T1 and tried to configure NAT Traversal for Session Border Controller as you sent me information. I still do not have any luck with this. Call setup is successfull but voice traffic does not flow. I am posting my routers config again and debug from a test SIP call.

call managers IPs are 10.18.10.1 and 10.18.10.2

thanks

Ercan

jgolia · ‎04-08-2007

Ercan,

In order to test further I will have to lab this up. However one thing does stand out. I suggest you try expanding access-list 10 to include the range of your IP Phones. Try that, post back to let me know if that helps.

Other than that I'll have to lab it, which could take a few days.

ercanelibol · ‎04-10-2007

Jeff,

I added the phone IP range to the access-list, but it did not help.

thanks

Ercan

ercanelibol · ‎04-17-2007

it is working now.

I have tried to use "ip nat sip-sbc" but it did not work for some reason. I am using NAT now and I had to arrange routing and ACLs little bit as well.

thanks for your help.

shzhang · ‎04-24-2008

Hi Jeff,

I saw this message so I would like to ask you some questions regarding to SBC configuration. Is it required to have phone registered to SBC in order to use SIP NAT. In my configuration, I have SIP phones registered with SIP proxy and these devices are inside SBC with all private IP addresses. the SBC outside interface connect to Internet, then connected to PIX for remote site. behind the pix, I have phones registered back to same proxy behind SBC. How to configre SBC NAT traversal to make this works. Any helps would be very appreciated. Thanks!

Steve