05-19-2009 01:51 AM - edited 03-04-2019 04:48 AM
Hi Guys,
I have a Cisco 857 router, and I have 2 Cisco SPA 962 sitting behind it. The router has a static IP and is NATing over to a private IP. I am having the issue that the SIP signalling is getting through the router NAT, but the RTP isn't working.
I have tried a couple of ways, one way by configuring CBAC, but I get the issue of no RTP at all.
But if I manually configure ACLs, SIP signalling works, RTP works for outbound calls, but when I make an inbound call I only get one-way audio. The outside phone can hear the audio, but the phone inside can't hear anything.
I have attached my show run (minus passwords, etc.)
When I usually have this kind of issue, I disable SIP ALG. Can you disable SIP ALG? If so, how?
Thank you,
Liam
05-19-2009 02:56 AM
You do allow inbound SIP to pass, but not the RTP streams. The port used varies per session. To allow RTP to pass you'll have to modify the named access list to allow the incoming RTP stream. Since the port is dynamic you'll have to allow most if not all UDP ports and make use of other tools to block unwanted traffic.
05-19-2009 03:49 AM
I have added UDP and TCP RTP ports (1024 to 65535) and disabled CBAC, and I am still having issues.
I am just surprised that no one else has come across the same problems I have. Is there something I am missing?
config:
interface Vlan1
 description Internal Interface$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 description ISP Interface$FW_OUTSIDE$
 ip address negotiated
 ip access-group internet in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp
 ppp
 ppp
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended internet
 permit tcp any any range 1024 65535
 remark SDM_ACL Category=16
 permit udp any any range 1024 65535
 permit udp any any eq 5060
 deny ip any any log
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
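The `internet` ACL in the post above admits nearly every TCP and UDP port from any source on the outside interface. As an added example (not part of the original thread), this Python sketch counts the ports each ACL leaves open using first-match semantics and compares the posted ACL with a constructed one limited to an assumed RTP range of 16384-16482. The function names are hypothetical and only `any any` entries are handled.

```python
import re

# POSTED_ACL is copied from the post above. NARROW_ACL is constructed for
# comparison and assumes the phones are set to use RTP ports 16384-16482.
POSTED_ACL = """\
permit tcp any any range 1024 65535
remark SDM_ACL Category=16
permit udp any any range 1024 65535
permit udp any any eq 5060
deny ip any any log
"""
NARROW_ACL = """\
permit udp any any range 16384 16482
permit udp any any eq 5060
deny ip any any log
"""

ENTRY = re.compile(r"^(permit|deny)\s+(\S+)\s+any\s+any"
                   r"(?:\s+(eq|range)\s+(\d+)(?:\s+(\d+))?)?")

def parse_acl(text):
    """Return (action, proto, low, high) for each 'any any' entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # remark, or an entry form this sketch does not handle
        action, proto, op, a, b = m.groups()
        low = int(a) if op else 0  # no port qualifier means all ports
        high = int(b) if op == "range" else (low if op else 65535)
        entries.append((action, proto, low, high))
    return entries

def exposed_ports(entries, proto):
    """Count ports of proto open to any source, honouring first match."""
    decided, open_ports = set(), set()
    for action, p, low, high in entries:
        if p not in (proto, "ip"):
            continue
        fresh = set(range(low, high + 1)) - decided  # not matched earlier
        decided |= fresh
        if action == "permit":
            open_ports |= fresh
    return len(open_ports)

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("narrow", NARROW_ACL)):
        e = parse_acl(acl)
        print(name, "tcp", exposed_ports(e, "tcp"), "udp", exposed_ports(e, "udp"))
```

The narrowed ACL only works if the RTP range in it matches what the phones and the provider actually negotiate, so check the phones' RTP port settings before tightening the range.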
05-19-2009 04:42 AM
In addition to this you'd need to use symmetric RTP since you're NATing. Below is some information on how to use RTP in a NATed scenario:
http://www.voip-info.org/wiki/view/RTP+Symmetric
http://ag-projects.com/docs/PressArticles/NATtraversal-BestPractices.pdf
05-19-2009 07:47 AM
I already got symmetric up and running.
I found the issue: the IOS SIP ALG wasn't good (12.4(6)T). Anything before 12.4(6)T, you should upgrade to the latest IOS image. I used this image: c850-advsecurityk9-mz.124-15.T1.bin.
Thanks for everyone's help.