Cisco 1841 VOIP Issue


Hi,


   I am a bit confused. We have a 2 Mbps leased line and a Cisco 1841 which is managed by our ISP. I have hooked up another 1841 (please find the basic config below; it will get more complex later on). Now when I connect my laptop I am able to browse the Internet. But when I connect a VOIP phone, it is not able to contact its hosted server on the Internet.


   The VOIP phone is a Polycom SoundPoint 550 and I get a "URL call disabled" message. If I try a Netgear firewall everything seems to work.


   Just for your info, the VOIP provider needs the following ports: UDP range 16384 - 32766, TCP 5060 and UDP 5060. But in my config all outbound traffic is allowed.


   Please help.


Regards,

Sidd.




--------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)

--------------------------------------------------------------------------------------------------------------------------------------------------------------

TEST1841#show run
Building configuration...


Current configuration : 1054 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TEST1841
!
boot-start-marker
boot-end-marker
!
no aaa new-model
dot11 syslog
ip cef
!
multilink bundle-name authenticated
!
username z1 privilege 15 secret 5 $1$XO33$uDZbO3/75dYk.UcJy7DiL.
archive
log config
  hidekeys
!
interface FastEthernet0/0
description WAN
ip address 94.185.xxx.235 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN
ip address 192.168.235.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 94.185.xxx.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface FastEthernet0/0 overload
!
access-list 102 permit ip 192.168.235.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
!
scheduler allocate 20000 1000
end

Aaron Harrison Sat, 03/13/2010 - 02:15

Hi


Your problem will be that while you are permitting SIP traffic outbound, the SIP INVITE etc. will carry your internal private IP addresses across the internet to the SIP server. The SIP server will then set up media streams to the private IP address, to which it will have no reachability.


You need a firewall that will not only NAT the IP headers, but also fix up the addresses at layer 7 in the SIP protocol. I believe that the IOS firewall can do this, perhaps someone else can point at a good example?


Some general info about the firewall feature:


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml


Regards


Aaron


Please rate helpful posts..

Paolo Bevilacqua Sat, 03/13/2010 - 05:27

IOS NAT ALG for SIP is supposed to be automatic and needs no configuration.


One should have a hands-on session to find out what's going on.

Hello,


   It looks like the problem is resolved. I have tested 2 VOIP phones. Basically I disabled SIP ALG on the Cisco 1841, using the following commands.


no ip nat service sip tcp port 5060

no ip nat service sip udp port 5060


Thanks for your help.

Sidd.

acjosetranscom Sun, 10/31/2010 - 02:12
Hi Everyone,


I need assistance on a similar issue:

We have a Cisco 1841 currently running image: c1841-ipbase-mz.124-1c.bin

We upgraded the image to c1841-advsecurityk9-mz.124-1a.bin and are having issues with one-way audio.


Our PBX server is located on the WAN and the phones register with it.

Please find below the running config attached. Any help in diagnosing/resolving the issue will be greatly appreciated:


Test_Router#sh ver
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 25-Oct-05 17:10 by evmiller

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Pune_Router uptime is 47 minutes
System returned to ROM by reload at 07:54:19 UTC Sun Oct 31 2010
System image file is "flash:c1841-ipbase-mz.124-1c.bin"

Cisco 1841 (revision 6.0) with 114688K/16384K bytes of memory.
Processor board ID FHK105016KA
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Test_Router#sh run
Building configuration...

Current configuration : 2180 bytes
!
version 12.4
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname Test_Router
!
boot-start-marker
boot system flash c1841-ipbase-mz.124-1c.bin
boot-end-marker
!
no logging buffered
enable secret 5 $1$LTRI$WbGDs0E610wlT0d/bJsMK/
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip name-server 202.54.10.2
ip name-server 203.197.12.42
ip name-server 121.242.190.180
ip name-server 121.242.190.211
!
!
!
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0 secondary
ip address 59.X.X.X 255.255.255.240
ip flow ingress
ip flow egress
ip nat inside
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 59.X.X.X 255.255.255.252
ip nat outside
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.10.101 2055
ip flow-export destination 192.168.10.145 800
!
no ip http server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging trap warnings
access-list 1 permit 192.168.10.0 0.0.0.255
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
session-limit 5
login local
transport input telnet
!
end

Test_Router#

Hello,


   Apart from,

no ip nat service sip tcp port 5060

no ip nat service sip udp port 5060


   is there any way to disable SPI on the Cisco 1841?


   Basically we are just using it for hosted VOIP phones (no data traffic), which connect to a hosted phone provider. We only want NAT and no other inspection going on. This way the 1841 will not inspect VOIP packets and alter them.


    In the past I have come across issues with other firewalls, where when a call is forwarded to another phone, you can hear a person, but they can't hear you.


Thanks,

Sidd.

We know of a similar issue with the Cisco 1841. What IOS are you running? This was a bug in Cisco 12.x IOS Mainline related to RTP port changes and the ALG being enabled. I would try upgrading to at least a later 15.x code as Cisco says they have resolved this in that version (I have had many discussions with Cisco regarding this over the last 7 years); we have had some success without adding the above commands.


The caveat is that this may not fix the problem depending on how your hosted provider has configured their SBC and what type of SBC it is. We found that while the upgrade fixed the issue on some hosted providers, others are running higher versions of SBC hardware/patch software that will not work.


If you look at a packet capture on the OWA (one-way audio) calls you speak of, I am almost positive you will see the 1841 changing RTP ports. Although your endpoint through the 1841 has advertised that it would like to receive RTP on port, say, 5000, it will SEND its actual media on port 5001 due to the ALG. Thus the OWA.


I assume when you are talking hosted, you are likely communicating with an ACME SBC.


M
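
Added example, not part of any post in this thread: a Python check over a constructed INVITE that lists where a private address survives header-only NAT (the point made in the first reply) and compares the SDP-advertised audio port with the port media actually arrives from (the port change described in the reply above). The phone address 192.168.235.20, the host voip.example.net, the public address 203.0.113.10 and the port values are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample: an INVITE as the hosted server would receive it when the
# router NATs only the IP header. 192.168.235.20 is an assumed phone address on
# the LAN from the posted config; voip.example.net is a placeholder.
INVITE = (
    "INVITE sip:1000@voip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.235.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:sidd@192.168.235.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.235.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.235.20\r\n"
    "t=0 0\r\n"
    "m=audio 5000 RTP/AVP 0 8\r\n"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rfc1918(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # the regex also matches invalid quads such as 999.1.1.1
        return False
    return any(addr in net for net in RFC1918)


def unroutable_addresses(message):
    """List (field, address) pairs that carry a private address past the NAT."""
    head, _, body = message.partition("\r\n\r\n")
    lines = [(l.split(":", 1)[0], l) for l in head.split("\r\n")
             if l.startswith(("Via:", "Contact:"))]
    lines += [("SDP " + l[:2], l) for l in body.split("\r\n")
              if l.startswith(("o=", "c="))]
    return [(name, ip) for name, line in lines
            for ip in DOTTED_QUAD.findall(line) if is_rfc1918(ip)]


def rtp_port_mismatch(message, observed_rtp_src_port):
    """True when media arrives from a port other than the one the SDP advertised."""
    m = re.search(r"^m=audio (\d+) ", message, re.M)
    return m is not None and int(m.group(1)) != observed_rtp_src_port
```

Run it against the signalling and the first RTP packet taken from a capture on the WAN side of the router; an empty list and no port mismatch mean the far end was given an address and port it can actually reach.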
