FWSM SIP NAT : Please Help

Sonugnair_2
Level 1

Hi All,

I have a scenario wherein SIP sessions need to be established across the FWSM. The following is the scenario:

On the FWSM there is a DMZ on which all voice devices reside, which includes the call manager, voice routers and IP phones. The voice routers are on HSRP with 192.168.3.254 as the virtual IP address. The SIP session will be initiated by the voice router to a public IP address of the provider, say A.A.A.A, i.e. SRC=B.B.B.B DEST=A.A.A.A (outgoing). Here B.B.B.B is a public IP address in our range. We will get incoming calls as SRC=A.A.A.A DEST=B.B.B.B.

A.A.A.A = Provider SIP Public Ip address

B.B.B.B = Our SIP Public IP address

Outgoing Call SRC=B.B.B.B ----> DEST=A.A.A.A

(Session initiated by the DMZ voice router)

Incoming Call SRC=A.A.A.A ----> DEST=B.B.B.B

This means that there is one public IP (B.B.B.B) on our side that is used for all SIP transactions (incoming and outgoing). There is also one public IP (A.A.A.A) used by the ISP for all SIP transactions (incoming and outgoing).

The following is the configuration that I tried out:

nat (dmzVOICE) 2 access-list UDP-SIP
global (OUTSIDE) 2 B.B.B.B
access-list FR_OUTSIDE extended permit udp host A.A.A.A host B.B.B.B eq sip
access-list FR_dmzVOICE extended permit ip any any log
access-list UDP-SIP extended permit udp host 192.168.3.254 host A.A.A.A eq sip
access-group FR_OUTSIDE in interface OUTSIDE
access-group FR_dmzVOICE in interface dmzVOICE
static (dmzVOICE,OUTSIDE) udp B.B.B.B sip 192.168.3.254 sip netmask 255.255.255.255

The following are the results with this configuration:

Incoming call

%FWSM-3-106011 Deny inbound (No xlate) tcp src OUTSIDE:A.A.A.A/54073 dst OUTSIDE:B.B.B.B/5060

I have allowed access from the provider IP A.A.A.A to our IP B.B.B.B on UDP 5060 and applied it on OUTSIDE in the inbound direction.

Then I have a static for our IP B.B.B.B to 192.168.3.254.

Outgoing Call

One way speech.

Please help. Any suggestions or documentation/best practices on SIP through the FWSM would be welcome.

Regards

Sonu.

1 Reply

Farrukh Haroon
VIP Alumni

You are doing a translation for UDP but the error message indicates that the ISP is sending 'TCP' data. Why don't you just do a simple one-to-one static mapping? And do any access control required using ACLs. Using port redirection for voice is not that advisable anyway.

static (dmzVOICE,OUTSIDE) B.B.B.B 192.168.3.254 netmask 255.255.255.255

Also the nat/global commands are not required, the static command is bi-directional. As in it will allow both dmz >> outside and outside >> dmz translation.

Regards

Farrukh
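A fuller version of the one-to-one static approach from the reply, written out as an added example that is not part of either post. It assumes FWSM 3.x modular-policy (class-map/policy-map) syntax; on FWSM 2.x the inspection step would be `fixup protocol sip 5060` instead. Interface names, ACL names and the placeholder addresses A.A.A.A, B.B.B.B and 192.168.3.254 are taken from the question; the comments explaining why the original static fails and why SIP inspection matters are this example's own reasoning, not statements from the thread.

```cisco
! Added example, not from the original thread. Assumes FWSM 3.x (MPF) syntax
! and the interface names / placeholder addresses used in the question.

! Before (as posted): a port-specific static for UDP/5060 only.
! The "106011 Deny inbound (No xlate) tcp ... /5060" log shows the provider
! opening TCP/5060, which this static never translates. The nat/global pair
! is redundant once a static exists for the same host.
!  static (dmzVOICE,OUTSIDE) udp B.B.B.B sip 192.168.3.254 sip netmask 255.255.255.255
!  nat (dmzVOICE) 2 access-list UDP-SIP
!  global (OUTSIDE) 2 B.B.B.B

! After: one-to-one static. It is bidirectional and covers every protocol and
! port, so SIP over TCP or UDP and the dynamically negotiated RTP ports all map
! to the HSRP virtual address of the voice routers.
static (dmzVOICE,OUTSIDE) B.B.B.B 192.168.3.254 netmask 255.255.255.255

! Access control stays in the OUTSIDE ACL: only the provider's SIP host, only
! to our SIP address, signalling permitted on both transports.
access-list FR_OUTSIDE extended permit tcp host A.A.A.A host B.B.B.B eq sip
access-list FR_OUTSIDE extended permit udp host A.A.A.A host B.B.B.B eq sip
access-group FR_OUTSIDE in interface OUTSIDE

! SIP inspection rewrites the private address 192.168.3.254 embedded in the
! SIP/SDP payload to B.B.B.B and opens pinholes for the negotiated RTP ports.
! Without it the far end sends media to 192.168.3.254, and the inbound RTP is
! dropped by FR_OUTSIDE, which is the usual shape of one-way audio.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global

! Checks after a test call in each direction:
!  show xlate | include 192.168.3.254   (the static xlate to B.B.B.B)
!  show conn | include 5060             (signalling connection, tcp or udp)
!  show service-policy                  (inspect sip counters increasing)
```

If the provider's signalling only ever arrives on one transport, the unused permit line can be dropped from FR_OUTSIDE; the one-to-one static should stay as it is, because the media ports are negotiated per call and cannot be pinned in a port-specific static.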
