cme behind nat

Unanswered Question
Jul 28th, 2007

Hi All


My CME system is behind a cisco 857 running nat. I'm only getting 1 way audio when connecting to my sip provider.


I'm guessing the rtp stream is not getting through my nat?


Does anyone know which ports to forward and how to forward the ranges on my cisco nat device?


Or is there a way of faking the source IP address of my CME system (currently on the 192.168.x.x range) so it sends its public IP instead (I've configured PAT on the NAT device to give CME a public IP), thus bypassing the NAT altogether?



Thanks in advance

paolo bevilacqua Sat, 07/28/2007 - 07:38
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

hi,


cisco nat should make the call work fine. Please send nat config to begin with.

anthonyfear Sat, 07/28/2007 - 08:04

Here is the nat config: (Note CME is 192.168.4.253)


ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.4.1 25 interface Dialer0 25
ip nat inside source static tcp 192.168.4.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.4.1 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.4.1 443 interface Dialer0 443
ip nat inside source static tcp 192.168.4.1 21 interface Dialer0 21
ip nat inside source static tcp 192.168.4.8 5500 interface Dialer0 5500
ip nat inside source static 192.168.4.11 212.115.49.75 extendable
ip nat inside source static 192.168.4.253 212.115.49.76 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit

paolo bevilacqua Sat, 07/28/2007 - 10:50

Looks fine. Do a call capturing "debug ccsip message", and let's see if the proper translation has been built using "show ip nat translation udp detail".

paolo bevilacqua Sat, 07/28/2007 - 12:45

Translation is created OK:

udp 212.115.52.107:17108 192.168.4.253:17108 217.14.138.126:16212 217.14.138.126:16212
create 00:01:17, use 00:01:09 timeout:300000, left 00:03:50,
Pro Inside global Inside local Outside local Outside global
flags:
extended, use_count: 0, entry-id: 62078, lc_entries: 0


Do you have access list, firewall, ip inspect or anything like that on the 857 ?

What IOS on the 857 ?


anthonyfear Sat, 07/28/2007 - 14:09

access list yes - as per previous nat config

firewall - no

ip inspect - not that i know of


ios is 12.4(6)T5


I've tried using 837 with 12.3 instead and that does same thing!



paolo bevilacqua Sat, 07/28/2007 - 14:13

When the call is in place, can you observe (via show interface) the flow of 50 pps going out the ADSL router and coming in the CME?

And what does "show rtp call" on CME show?

anthonyfear Sun, 07/29/2007 - 00:43

OK I Place a call.


show rtp call produces:


No Active Calls Found


throughout the duration of the call.


and show interface from nat router is attached - but doesn't look like it's getting 50pps (packets per second?) on any interface.




paolo bevilacqua Sun, 07/29/2007 - 03:01

Hi,


With the default 5-minute load-interval, it takes a while to get to the statistics. You can reduce it to 30 seconds to see the info quicker.

You said you have the call setup but 1-way audio, still "show rtp call" comes up empty?

anthonyfear Sun, 07/29/2007 - 05:37

yes show rtp call always displays 'no active calls found'.


I've made some test calls to pstn and other sccp handsets and show rtp calls never displays anything!


paolo bevilacqua Sun, 07/29/2007 - 05:50

My bad, it is normal because the RTP stream is actually terminated on the phone, not on the router.

Basically, I'm trying to ascertain if the adsl and in turn, the cme router are receiving RTP packets. Another easy way to do that is if you press ? twice on the phone, it should give you RTP statistics.

The problem may have something to do with the source address used by the ITSP gateway, that is different to the translation created. Under sip-ua, there are NAT settings that deal with that, but in the first place the packets should get to the CME router, a thing that we don't know for sure is happening. So it is kind of a long troubleshooting process that you have to take.


EDIT: If you remove pppoe client from the ADSL router, configure it for bridging, then configure PPPoE/ dialer on the CME, it should get public IP. This way you would check the call is working and is a NAT problem.
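
Added example (not from any participant in this thread): a small Python model of the hypothesis in the post above, that RTP arriving from a source other than the one recorded in the extended translation never reaches the CME. The entry and the static mapping are the ones posted in the thread; every sender except 217.14.138.126:16212 is constructed, and the model assumes an extended entry matches only the exact outside address and port while a static one-to-one entry matches on destination address alone.

```python
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


# Extended PAT entry quoted in this thread (wrapped port rejoined).
EXTENDED = Entry(*("udp 212.115.52.107:17108 192.168.4.253:17108 "
                   "217.14.138.126:16212 217.14.138.126:16212").split())
# Static one-to-one mapping from the posted NAT config: inside global -> inside local.
STATIC = {"212.115.49.76": "192.168.4.253"}


def translate_inbound(proto: str, src: str, dst: str) -> Optional[str]:
    """Return the inside addr:port an inbound packet is delivered to, or None if dropped."""
    # 1. Extended entry: protocol, destination and the exact outside addr:port must match.
    if (proto, dst, src) == (EXTENDED.proto, EXTENDED.inside_global, EXTENDED.outside_global):
        return EXTENDED.inside_local
    # 2. Static entry: only the destination address is checked; any source is accepted.
    dst_ip, _, dst_port = dst.rpartition(":")
    if dst_ip in STATIC:
        return f"{STATIC[dst_ip]}:{dst_port}"
    return None


# Constructed inbound RTP packets (proto, source, destination). Only the first
# source comes from the thread; the other senders are made up for illustration.
PACKETS = [
    ("udp", "217.14.138.126:16212", "212.115.52.107:17108"),  # signalled source
    ("udp", "217.14.138.126:20000", "212.115.52.107:17108"),  # same host, other port
    ("udp", "198.51.100.20:16212", "212.115.52.107:17108"),   # separate media gateway
    ("udp", "198.51.100.20:16212", "212.115.49.76:17108"),    # sent to the static address
]


def run() -> list:
    return [translate_inbound(*p) for p in PACKETS]


if __name__ == "__main__":
    for pkt, result in zip(PACKETS, run()):
        print(pkt[1], "->", pkt[2], "=>", result or "dropped (no matching translation)")
```

The last case also shows that the static mapping forwards traffic from any source to the CME, so filtering on the outside interface is what limits who can reach it.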

anthonyfear Sun, 07/29/2007 - 06:03

No problem


Hitting ? twice shows codec is g729 and lots of transmit count packets (going up 50 at a time) but none received.


I don't know how to do the bridging config that you suggest - do you have a config I could look at?

paolo bevilacqua Sun, 07/29/2007 - 06:16

Assume you have pppoe (not pppoa) on 857:


no ip routing
int atm0.1
 pvc 8/35
 bridge-group 1

int vlan1
 bridge-group 1

bridge 1 protocol ieee

On cme:

interface fa0
 no ip address
 pppoe enable
 pppoe-client dial-pool-number


And copy the dialer config from 857 to cme.



anthonyfear Sun, 07/29/2007 - 08:24

sorry if i'm being a bit thick - this stuff is new to me.


This is my 857 adsl config (edited for security) is it going to work with the config you suggest?


interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password blah
 ppp pap sent-username [email protected] password blah
50
!
ip route 0.0.0.0 0.0.0.0 Dialer0



thanks again for your help

paolo bevilacqua Sun, 07/29/2007 - 08:31

Sorry it won't work. The ADSL provider is using PPPoA that is not bridgeable. Either they change to bridged 1483, or PPPoE, or you need a WIC-1ADSL to terminate the circuit directly on the 1751.


At this point, I'm not sure what to suggest. It may be very possible that the RTP is coming with a different source-address hence 857 NAT fails to route to CME. You can try the NAT configs to forward a range of ports as I've seen you asked about in another forum.


anthonyfear Sun, 07/29/2007 - 08:35

Darn - I was afraid you were going to say that!


Thanks very much for your help anyway. I did rate your earlier post.

paolo bevilacqua Sun, 07/29/2007 - 08:46

I'm launching (pre-production phase) a small ITSP aimed at a niche market of demanding users.


Contact me to the address in my profile if you want to try it out.

Rob Huffman Sun, 07/29/2007 - 07:18
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 IP Telephony, Unified Communications

Hey Paolo,


Your work here continues to amaze me! My 5 point vote for you and the support you always offer to our fellow NetPros :)


Great stuff!


Rob

paolo bevilacqua Sun, 07/29/2007 - 07:29

Thank you as always Rob. Actually it's just because having no current insurance on my bike, I dared not to ride it on this beautiful summer Sunday.


Rob Huffman Sun, 07/29/2007 - 07:36

Paolo,


That is a bummer! It is absolutely beautiful here as well, and with so many frigid snowy months in our area I better head outside and enjoy :)


Take care man!

Rob
