ā05-20-2009 01:51 AM - last edited on ā03-25-2019 10:36 PM by ciscomoderator
Hi,
I have a customer who has a cisco 828 router delivered from his ISP. Behind that router I've connected the UC520 with a global IP adress. We are supposed to use a SIP trunk ftom a ITSP on the UC520 but are not able to get it up and running. I think it may be a NAT issue since the 828 is in front of the UC520. I'm not very good with NAT at all so any suggestions on how to make it work is appreciated.
Regards
Eivind
Solved! Go to Solution.
ā05-20-2009 06:45 AM
Hi Eivind,
The c800 router will be able to perform the necessary Application Layer Gateway (ALG) functions necessary in this case. Check the following document for some general considerations and theory:
https://supportforums.cisco.com/docs/DOC-9476
Thanks,
Marcos Hernandez
Technical Marketing Engineer
Cisco Systems, Inc.
ā05-20-2009 06:45 AM
Hi Eivind,
The c800 router will be able to perform the necessary Application Layer Gateway (ALG) functions necessary in this case. Check the following document for some general considerations and theory:
https://supportforums.cisco.com/docs/DOC-9476
Thanks,
Marcos Hernandez
Technical Marketing Engineer
Cisco Systems, Inc.
ā05-20-2009 07:12 AM
Marcos,
If I disable NAT on the UC520, the problem is resolved???
I'm not able to configure anything on the 828 router since this is managed by the SP. They told me that there is no firewall configured on the 828 router so everything should be correct configured on their side.
The setup is like this:
Internet -> Cisco828 (global IP x.x.x.x) -> UC520 (global IP x.x.x.x)
Thanks,
Eivind
ā05-20-2009 07:17 AM
If the ISP has this setup as you describe, disabling NAT won't fix the problem. Are you getting the SIP trunk to register? If not, you might want to try a debug ccsip messages to see why it isn't registering. You could use the same debug if you are having problems getting the calls established.
ā05-20-2009 07:28 AM
Steven,
The sip lines are regsitered
UC520#sh sip reg st
Line peer expires(sec) registered
============ ============= ============ ===========
XXXXXXXX 20003 654 yes
XXXXXXXX 20005 2635 yes
If i try to make a call to the registered number, I get a busy tone, no SIP debug messages on the UC.
Just for the fun of it, I removed the SIP-UA config and reconfigured it to check the register messages, after sending a REGISTER i get a 200 OK in return, so there is no trouble with the registration
Regards
Eivind
ā05-20-2009 07:35 AM
What about outbound calls? Do those work?
Can you ask your Service Provider what is the registered contact (IP address) that they see on their side?
Marcos
ā05-20-2009 07:39 AM
Marcos,
Not able to make outbound or "outside to inside" calls. I'll check with the SP later on, it's public holiday here until next week.
Regards
Eivind
ā05-20-2009 08:55 AM
The Cisco 828 router has been replaced by the Cisco 888 router. The Cisco 888 router has SIP ALG capabilities and can be placed in front of the UC520. The 888 router also supports up to 20 IPsec tunnels, has support for Easy VPN server, and has support for AES encryption.
Can you replace your Cisco 828 router with a Cisco 888 router?
Replacing your Cisco 828 router with a Cisco 888 router and configuring the SIP ALG on the Cisco 888 router should solve your problem.
ā05-20-2009 09:16 AM
John,
Actually I want the customer to change provider since the support from the existing provider is not good. We are not able to change the router since this is owned by the SP.
regards
Eivind
ā05-21-2009 03:21 AM
Could you run the following commands on the UC520 and post the output please
Could you also post the "SIP-UA" config please.
Do you know how the ISP has configured NAT on their router, if they have simply configured it for PAT ie: NAT Overload on the outside IP Address yes the UC520 wont work with SIP, they will need to create a static NAT entry referancing the IP Address of the UC520 on the inside network and add an access list permitting SIP UDP/TCP Port 5060 from the IP Address of your SIP provider. It would also help if they applied traffic inspection for SIP using CBACS in an outbound direction.
Ideally you want control of the router.
Regards
ā05-21-2009 11:40 PM
Mark,
UC520#sh run int fa0/0
Building configuration...
Current configuration : 331 bytes
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address x.x.x.x 255.255.255.252
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
snmp trap ip verify drop-rate
UC520#sh run | i ip nat
ip nat inside
ip nat outside
ip nat inside
ip nat inside
ip nat inside
ip nat inside source list 1 interface FastEthernet0/0 overload
sip-ua
authentication username X password 7 X
nat symmetric role active
no remote-party-id
retry invite 2
retry register 10
timers connect 100
registrar dns:X expires 3600
sip-server dns:X
host-registrar
I don't know how the 828 router is configured, the respons from the SP was that others before me have resolved this issue. (OK, thanks for the SUPPORT, LOL)
Regards
Eivind
ā05-22-2009 02:03 AM
Right ok, well if the ISP has configured NAT on there router you need to disable NAT on your UC520 and just use RFC1918 addressing.
On the following interfaces you will have the statement IP NAT INSIDE
"Vlan 1"
"Vlan 100"
"LoopBack0"
"Integrated-Service-Engine0/0"
On the following interfaces you will have the statement IP NAT OUTSIDE
"FastEthernet0/0"
IP address x.x.x.x 255.255.255.252 - Is this a public facing address ie: 180.190.170.1/30
Effectively what is happening at the moment is that traffic is being NATed twice, once by your UC520 and once by the ISP router which is very bad for VoIP traffic.
Try the following:
Let me know how you get on. If you ISP isnt NATing traffic on there router and simply has it in bridging mode there could be something else at fault.
Regards
ā05-22-2009 02:23 AM
Hi Mark,
the x.x.x.x address i public.
OK, removed the NAT configuration, this didn't solve anything, still won't get calls through to the UC.
Regards,
Eivind
ā05-22-2009 06:16 AM
Right ok, if you want PM over the config id be happy to look at it for you, after running it through my mind if you have been allocated a /30 address i doubt the 828 will be doing anything but terminating the internet connection.
Regards
ā05-22-2009 09:54 AM
ThatĀ“s my thoughts as well. PM? whatĀ“s that?
Regards
Eivind
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: