cme behind nat

anthonyfear · ‎07-28-2007

Hi All

My CME system is behind a cisco 857 running nat. I'm only getting 1 way audio when connecting to my sip provider.

I'm guessing the rtp stream is not getting through my nat?

Does anyone know which ports to forward and how to forward the ranges on my cisco nat device?

Or is there a way of faking the source ip address of my cme system (currently on 192.168.x.x range) so it send it's public ip instead (I've configured PAT on nat device to give cme a public ip) and thus bypassing the nat all together?

Thanks in advance

paolo bevilacqua · ‎07-28-2007

hi,

cisco nat should make the call work fine. Please send nat config to begin with.

anthonyfear · ‎07-28-2007

Here is the nat config: (Note CME is 192.168.4.253)

ip nat inside source list 101 interface Dialer0 overload

ip nat inside source static tcp 192.168.4.1 25 interface Dialer0 25

ip nat inside source static tcp 192.168.4.1 80 interface Dialer0 80

ip nat inside source static tcp 192.168.4.1 1723 interface Dialer0 1723

ip nat inside source static tcp 192.168.4.1 443 interface Dialer0 443

ip nat inside source static tcp 192.168.4.1 21 interface Dialer0 21

ip nat inside source static tcp 192.168.4.8 5500 interface Dialer0 5500

ip nat inside source static 192.168.4.11 212.115.49.75 extendable

ip nat inside source static 192.168.4.253 212.115.49.76 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

no ip http server

no ip http secure-server

!

access-list 101 permit ip 192.168.4.0 0.0.0.255 any

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

dialer-list 1 protocol ip permit

paolo bevilacqua · ‎07-28-2007

Looks fine. Do a call capturing "debug ccsip message", and let's see if the proper translatio n has been build using "show ip nat translation udp detail".

anthonyfear · ‎07-28-2007

OK, here is the debug and ip output

paolo bevilacqua · ‎07-28-2007

Translation is created OK:

udp 212.115.52.107:17108 192.168.4.253:17108 217.14.138.126:16212 217.14.138.126

:16212

create 00:01:17, use 00:01:09 timeout:300000, left 00:03:50,

Pro Inside global Inside local Outside local Outside global

flags:

extended, use_count: 0, entry-id: 62078, lc_entries: 0

Do you have access list, firewall, ip inspect or anything like that on the 857 ?

What IOS on the 857 ?

anthonyfear · ‎07-28-2007

access list yes - as per previous nat config

firewall - no

ip inspect - not that i know of

ios is 12.4(6)T5

I've tried using 837 with 12.3 instead and that does same thing!

paolo bevilacqua · ‎07-28-2007

When the call is in place, can you observe (via show interface) the flow of 50 pps going out the ADSL router and coming in the CME ?

And what "show rtp call" on CME shows ?

anthonyfear · ‎07-29-2007

OK I Place a call.

show rtp call produces:

No Active Calls Found

throughout the duration of the call.

and show interface from nat router is attached - but doesn't look like it's getting 50pps (packets per second?) on any interface.

paolo bevilacqua · ‎07-29-2007

Hi,

with the default 5 minutes-load interval, it takes a while to get to the statistics. You can reduce to 30 seconds to see the info quicker.

You said you have the call setup but 1-way audio, still "show rtp call" comes empty ?

anthonyfear · ‎07-29-2007

yes show rtp call always displays 'no active calls found'.

I've made some test calls to pstn and other sccp handsets and show rtp calls never displays anything!

paolo bevilacqua · ‎07-29-2007

My bad, it is normal because the RTP stream is actually terminated on the phone, not on the router.

Basically, I'm trying to ascertain if the adsl and in turn, the cme router are receiving RTP packets. Another easy way to do that is if you press ? twice on the phone, it should give you RTP statistics.

The problem may have something to do with the source address used by the ITSP gateway, that is different to the translation created. Under sip-ua, there are nat settings that deal with that, but in first place the packets should get to the cme router, thing that we don;t know for sure is happening. So it is kind of long troubleshooting process that you have to take.

EDIT: If you remove pppoe client from the ADSL router, configure it for bridging, then configure PPPoE/ dialer on the CME, it should get public IP. This way you would check the call is working and is a NAT problem.

anthonyfear · ‎07-29-2007

No problem

Hitting ? twice shows codec is g729 and lots of transmit count packets (igoing up 50 at a time) but none received.

I don't know how to do the bridging config that you suggest - do you have a config I could look at?

paolo bevilacqua · ‎07-29-2007

Assume you have pppoe (not pppoa) on 857:

no ip routing

int atm0.1

pvc 8/35

bridge-group 1

int vlan1

bridge-group 1

bridge 1 protocol ieee

On cme:

interface fa0

no ip address

pppoe enable

ppoe-client dialer-pool-number

And copy the dialer config from 857 to cme.

anthonyfear · ‎07-29-2007

sorry if i'm being a bit thick - this stuff is new to me.

This is my 857 adsl config (edited for security) is it going to work with the config you suggest?

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

no snmp trap link-status

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

interface FastEthernet0

no cdp enable

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

ip address 192.168.4.254 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname username@isp

ppp chap password blah

ppp pap sent-username username@isp password blah

50

!

ip route 0.0.0.0 0.0.0.0 Dialer0

thanks again for your help