Router 857w SIP, RTP issue

May 19th, 2009

Hi Guys,

I have a Cisco 857 router, and I have 2 Cisco SPA 962 sitting behind it. The router has a static IP and is NATing over to a private IP. I am having the issue that the SIP signalling is getting through the router NAT, but the RTP isn't working.

I have tried a couple of ways, one way by configuring CBAC, but I get the issue of no RTP at all.

But if I manually configure ACLs, SIP signalling works, RTP works for outbound calls, but when I make an inbound call I only get one-way audio. The outside phone can hear the audio, but the phone inside can't hear anything.

I have attached my show run (minus passwords, etc).

When I usually have this kind of issue, I disable SIP ALG. Can you disable SIP ALG? If so, how?

Thank you,

Liam

patrickvanham Tue, 05/19/2009 - 02:56

You do allow inbound SIP to pass, but not the RTP streams. The port used varies per session. To allow RTP to pass you'll have to modify the named access list to allow the incoming RTP stream. Since the port is dynamic you'll have to allow most if not all UDP ports and make use of other tools to block unwanted traffic.

busaussie Tue, 05/19/2009 - 03:49

I have added UDP and TCP RTP ports (1024 to 65535) and disabled CBAC, and I am still having issues.

I am just surprised that no one else has come across the same problems I have. Is there something I am missing?

config:

interface Vlan1
 description Internal Interface$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 description ISP Interface$FW_OUTSIDE$
 ip address negotiated
 ip access-group internet in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp
 ppp
 ppp
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended internet
 permit tcp any any range 1024 65535
 remark SDM_ACL Category=16
 permit udp any any range 1024 65535
 permit udp any any eq 5060
 deny ip any any log
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!

busaussie Tue, 05/19/2009 - 07:47

I already got symmetric up and running.

I found the issue: the IOS SIP ALG wasn't good (12.4(6)T). For anything before 12.4(6)T, you should upgrade to the latest IOS image. I used this image: c850-advsecurityk9-mz.124-15.T1.bin.

Thanks for everyone's help.
