Promblems with SIP, UC520 behind a Cisco 828 router

Answered Question
May 20th, 2009
User Badges:
  • Silver, 250 points or more

Hi,


I have a customer who has a cisco 828 router delivered from his ISP. Behind that router I've connected the UC520 with a global IP adress. We are supposed to use  a SIP trunk ftom a ITSP on the UC520 but are not able to get it up and running. I think it may be a NAT issue since the 828 is in front of the UC520. I'm not very good with NAT at all so any suggestions on how to make it work is appreciated.


Regards

Eivind

Correct Answer by Marcos Hernandez about 8 years 1 month ago

Hi Eivind,


The c800 router will be able to perform the necessary Application Layer Gateway (ALG) functions necessary in this case. Check the following document for some general considerations and theory:


https://supportforums.cisco.com/docs/DOC-9476


Thanks,


Marcos Hernandez
Technical Marketing Engineer
Cisco Systems, Inc.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Eivind Jonassen Wed, 05/20/2009 - 07:12
User Badges:
  • Silver, 250 points or more

Marcos,


If I disable NAT on the UC520, the problem is resolved???

I'm not able to configure anything on the 828 router since this is managed by the SP. They told me that there is no firewall configured on the 828 router so everything should be correct configured on their side.

The setup is like this:


Internet -> Cisco828 (global IP x.x.x.x) -> UC520 (global IP x.x.x.x)


Thanks,

Eivind

Steven Smith Wed, 05/20/2009 - 07:17
User Badges:
  • Gold, 750 points or more

If the ISP has this setup as you describe, disabling NAT won't fix the problem.  Are you getting the SIP trunk to register?  If not, you might want to try a debug ccsip messages to see why it isn't registering.  You could use the same debug if you are having problems getting the calls established.

Eivind Jonassen Wed, 05/20/2009 - 07:28
User Badges:
  • Silver, 250 points or more

Steven,


The sip lines are regsitered


UC520#sh sip reg st
Line          peer           expires(sec)  registered
============  =============  ============  ===========
XXXXXXXX      20003            654           yes
XXXXXXXX      20005            2635          yes


If i try to make a call to the registered number, I get a busy tone, no SIP debug messages on the UC.

Just for the fun of it, I removed the SIP-UA config and reconfigured it to check the register messages, after sending a REGISTER i get a 200 OK in return, so there is no trouble with the registration


Regards

Eivind

Marcos Hernandez Wed, 05/20/2009 - 07:35
User Badges:
  • Blue, 1500 points or more

What about outbound calls? Do those work?


Can you ask your Service Provider what is the registered contact (IP address) that they see on their side?


Marcos

Eivind Jonassen Wed, 05/20/2009 - 07:39
User Badges:
  • Silver, 250 points or more

Marcos,


Not able to make outbound or "outside to inside" calls. I'll check with the SP later on, it's public holiday here until next week.




Regards

Eivind

John Platts Wed, 05/20/2009 - 08:55
User Badges:
  • Silver, 250 points or more

The Cisco 828 router has been replaced by the Cisco 888 router. The Cisco 888 router has SIP ALG capabilities and can be placed in front of the UC520. The 888 router also supports up to 20 IPsec tunnels, has support for Easy VPN server, and has support for AES encryption.


Can you replace your Cisco 828 router with a Cisco 888 router?


Replacing your Cisco 828 router with a Cisco 888 router and configuring the SIP ALG on the Cisco 888 router should solve your problem.

Eivind Jonassen Wed, 05/20/2009 - 09:16
User Badges:
  • Silver, 250 points or more

John,


Actually I want the customer to change provider since the support from the existing provider is not good. We are not able to change the router since this is owned by the SP.


regards

Eivind

exonetinf1nity Thu, 05/21/2009 - 03:21
User Badges:

Could you run the following commands on the UC520 and post the output please


  • "Sh run int F0/0"
  • "Sh run | include ip nat"


Could you also post the "SIP-UA" config please.


Do you know how the ISP has configured NAT on their router, if they have simply configured it for PAT ie: NAT Overload on the outside IP Address yes the UC520 wont work with SIP, they will need to create a static NAT entry referancing the IP Address of the UC520 on the inside network and add an access list permitting SIP UDP/TCP Port 5060 from the IP Address of your SIP provider. It would also help if they applied traffic inspection for SIP using CBACS in an outbound direction.


Ideally you want control of the router.


Regards

Eivind Jonassen Thu, 05/21/2009 - 23:40
User Badges:
  • Silver, 250 points or more

Mark,


UC520#sh run int fa0/0
Building configuration...


Current configuration : 331 bytes
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address x.x.x.x 255.255.255.252
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
snmp trap ip verify drop-rate


UC520#sh run | i ip nat
ip nat inside
ip nat outside
ip nat inside
ip nat inside
ip nat inside
ip nat inside source list 1 interface FastEthernet0/0 overload



sip-ua
authentication username X password 7 X

nat symmetric role active
no remote-party-id
retry invite 2
retry register 10
timers connect 100
registrar dns:X expires 3600
sip-server dns:X

  host-registrar


I don't know how the 828 router is configured, the respons from the SP was that others before me have resolved this issue. (OK, thanks for the SUPPORT, LOL)


Regards

Eivind

exonetinf1nity Fri, 05/22/2009 - 02:03
User Badges:

Right ok, well if the ISP has configured NAT on there router you need to disable NAT on your UC520 and just use RFC1918 addressing.


On the following interfaces you will have the statement IP NAT INSIDE


"Vlan 1"

"Vlan 100"

"LoopBack0"

"Integrated-Service-Engine0/0"


On the following interfaces you will have the statement IP NAT OUTSIDE


"FastEthernet0/0"


IP address x.x.x.x 255.255.255.252 - Is this a public facing address ie: 180.190.170.1/30


Effectively what is happening at the moment is that traffic is being NATed twice, once by your UC520 and once by the ISP router which is very bad for VoIP traffic.


Try the following:


  • Backup the current config to flash
  • Remove the NAT statements from the interfaces listed above


Let me know how you get on. If you ISP isnt NATing traffic on there router and simply has it in bridging mode there could be something else at fault.


Regards


Eivind Jonassen Fri, 05/22/2009 - 02:23
User Badges:
  • Silver, 250 points or more

Hi Mark,


the x.x.x.x address i public.

OK, removed the NAT configuration, this didn't solve anything, still won't get calls through to the UC.


Regards,

Eivind

exonetinf1nity Fri, 05/22/2009 - 06:16
User Badges:

Right ok, if you want PM over the config id be happy to look at it for you, after running it through my mind if you have been allocated a /30 address i doubt the 828 will be doing anything but terminating the internet connection.


Regards

Eivind Jonassen Fri, 05/22/2009 - 09:54
User Badges:
  • Silver, 250 points or more

That´s my thoughts as well. PM? what´s that?


Regards

Eivind

Moderator Tue, 05/26/2009 - 12:24
User Badges:

Hi Eivind,


PM stands for Private Message. You can send someone a message through the community by going to the "Your Stuff" button at the top of the page and clicking on "Private Messages." You can then send a message just like an email by typing in the member's username that you would like to send it to. You can check for private messages that have been sent to you by other members as well.


If you have any questions, please let me know.


Thank you,


Cisco Moderation Team

Eivind Jonassen Fri, 06/19/2009 - 01:31
User Badges:
  • Silver, 250 points or more

The 828 router had wrong config from SP


Thanks,

Eivind

Correct Answer
Marcos Hernandez Wed, 05/20/2009 - 06:45
User Badges:
  • Blue, 1500 points or more

Hi Eivind,


The c800 router will be able to perform the necessary Application Layer Gateway (ALG) functions necessary in this case. Check the following document for some general considerations and theory:


https://supportforums.cisco.com/docs/DOC-9476


Thanks,


Marcos Hernandez
Technical Marketing Engineer
Cisco Systems, Inc.

Actions

This Discussion

Related Content