FWSM SIP NAT : Please Help

Unanswered Question
Dec 15th, 2008

Hi All,

I have a scenario wherein SIP sessions need to be established across FWSM. The following is the scenario:-

On the FWSM there is a DMZ on which all voice devices reside, which includes the call manager, voice routers and IP phones. The voice routers are on HSRP with as virtual IP address. The SIP session will be initiated by the voice router to a public IP address of the provider, say A.A.A.A, i.e. SRC=B.B.B.B DEST=A.A.A.A (outgoing). Here B.B.B.B is a public IP address in our range. We will get incoming calls as SRC=A.A.A.A DEST=B.B.B.B.

A.A.A.A = Provider SIP Public Ip address

B.B.B.B = Our SIP Public IP address

Outgoing Call SRC=B.B.B.B ----> DEST=A.A.A.A

(Session initiated by dmz Voice router)

Incoming Call SRC=A.A.A.A ----> DEST=B.B.B.B

This means that there is one public IP (B.B.B.B) from our side that is used for all SIP transactions (incoming and outgoing). Also, one public IP (A.A.A.A) is used by the ISP for all SIP transactions (incoming and outgoing).

The following is the configuration that I tried out:-

nat (dmzVOICE) 2 access-list UDP-SIP

global (OUTSIDE) 2 B.B.B.B

access-list FR_OUTSIDE extended permit udp host A.A.A.A host B.B.B.B eq sip

access-list FR_dmzVOICE extended permit ip any any log

access-list UDP-SIP extended permit udp host A.A.A.A eq sip

access-group FR_OUTSIDE in interface OUTSIDE

access-group FR_dmzVOICE in interface dmzVOICE

static (dmzVOICE,OUTSIDE) udp B.B.B.B sip sip netmask

The following are the results with this configuration:-

Incoming call

%FWSM-3-106011 Deny inbound (No xlate) tcp src OUTSIDE:A.A.A.A/54073 dst OUTSIDE:B.B.B.B/5060

I have allowed access from the provider IP A.A.A.A to our IP B.B.B.B on UDP 5060 and applied it on OUTSIDE in the inbound direction.

Then I have a static for our IP B.B.B.B to

Outgoing Call

One way speech.

Please help. Any suggestions or documentation/best practices on SIP through FWSM would be welcome.

Farrukh Haroon Mon, 12/15/2008 - 23:08

You are doing a translation for UDP, but the error message indicates that the ISP is sending 'TCP' data. Why don't you just do a simple one-to-one static mapping? And do any access control required using ACLs. Using port redirection for voice is not that advisable anyway.

static (dmzVOICE,OUTSIDE) B.B.B.B netmask

Also, the nat/global commands are not required; the static command is bi-directional. That is, it will allow both dmz >> outside and outside >> dmz translation.
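As an added illustration of the protocol mismatch pointed out above (this is example code written for this thread, not Cisco tooling or anything posted here), the script below parses FWSM `static` lines and `%FWSM-3-106011` "No xlate" denies and reports why a denied flow matched no translation. The static line, the C.C.C.C DMZ address and the log lines are constructed samples modelled on the question.

```python
import re

PORT_NAMES = {"sip": 5060}  # port keywords as the FWSM CLI accepts them
STATIC_RE = re.compile(r"static \((\w+),(\w+)\)\s+(.*)")
DENY_RE = re.compile(
    r"%FWSM-3-106011:? Deny inbound \(No xlate\) (?P<proto>tcp|udp) "
    r"src \w+:[^/]+/\d+ dst \w+:(?P<dip>[^/]+)/(?P<dport>\d+)"
)

def parse_static(line: str) -> dict:
    """Parse 'static (in,out) [tcp|udp] gIP [gPort] lIP [lPort] netmask M'.
    proto/global_port are None for a plain one-to-one static (all protocols)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static line: {line}")
    toks = m.group(3).split()
    if toks[0] in ("tcp", "udp"):  # port static: proto gIP gPort lIP lPort
        port = int(toks[2]) if toks[2].isdigit() else PORT_NAMES[toks[2]]
        return {"proto": toks[0], "global_ip": toks[1], "global_port": port, "local_ip": toks[3]}
    return {"proto": None, "global_ip": toks[0], "global_port": None, "local_ip": toks[1]}

def explain_deny(log: str, statics: list) -> str:
    """Explain why a 106011 'No xlate' deny was not covered by any static."""
    m = DENY_RE.search(log)
    if not m:
        return "not a 106011 message"
    proto, dip, dport = m["proto"], m["dip"], int(m["dport"])
    reasons = []
    for s in statics:
        if s["global_ip"] != dip:
            continue  # static is for a different global address
        if s["proto"] is None or (s["proto"] == proto and s["global_port"] == dport):
            return "covered by static; deny has another cause"
        if s["proto"] != proto:
            reasons.append(f"static is {s['proto']}-only but flow is {proto}")
        else:
            reasons.append(f"static maps {s['proto']}/{s['global_port']}, flow hit {dport}")
    return "; ".join(reasons) or f"no static for global address {dip}"

# Constructed inputs modelled on the thread; C.C.C.C is a placeholder DMZ address.
STATICS = [parse_static(
    "static (dmzVOICE,OUTSIDE) udp B.B.B.B sip C.C.C.C sip netmask 255.255.255.255")]
LOGS = [
    "%FWSM-3-106011 Deny inbound (No xlate) tcp src OUTSIDE:A.A.A.A/54073 dst OUTSIDE:B.B.B.B/5060",
    "%FWSM-3-106011 Deny inbound (No xlate) udp src OUTSIDE:A.A.A.A/5060 dst OUTSIDE:B.B.B.B/5061",
]
```

Running `explain_deny(LOGS[0], STATICS)` reports the udp-only static against the TCP flow; swapping in a one-to-one static reports the flow as covered, so the deny must have another cause such as the ACL.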
