
SIP NAT problem

ferhann.khan

Hello,

We are using a Cisco router with IOS version 12.4. Its purpose is to perform basic connectivity with the ISP's SIP server. I have done NATing and it seems to be working fine. I can ping the ISP's SIP server, and through port forwarding the PBX is able to receive SIP packets from the ISP which are sent towards the WAN port of the router.

But the router is not forwarding SIP packets towards the ISP on its WAN port. Packet capture shows only incoming SIP packets on the WAN port and no packets leaving the interface. I can see in the debug log that incoming packets on the LAN interface are correctly translated, but they are never forwarded out through the WAN interface if the packets belong to the SIP protocol.

Here is the relevant config portion :

!
interface GigabitEthernet0/0
description  "SIP TRUNK"
ip address x.x.x.142 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!

interface GigabitEthernet0/1.53
encapsulation dot1Q 53
ip address x.y.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!

ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static udp x.z.1.20 5060 interface GigabitEthernet0/0 5060

ip route 0.0.0.0 0.0.0.0 x.x.x.141
ip route x.z.0.0 255.255.0.0 x.y.1.10

access-list 10 permit x.0.0.0 0.63.255.255


Gordon Ross

You don't want to NAT SIP (Unless you know what you are doing...)

NAT only translates the IP packet header details. SIP has the nasty habit of including IP addresses inside of packets.

To "NAT" SIP, you need something a bit more complex than a basic IOS NAT. (e.g. an ASA doing traffic inspection or a full-blown CUBE)

GTG

Please rate all helpful posts.
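
The point in the reply above, shown on a constructed message (an added example, not part of the original thread): the script lists every place a SIP INVITE carries the sender's address inside the UDP payload, where header-only NAT never looks, and then applies a simplified ALG-style rewrite. The addresses, the sample INVITE and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: an INVITE as a PBX at 10.1.1.20 might send it (not from the thread).
SDP = ("v=0\r\no=pbx 1 1 IN IP4 10.1.1.20\r\ns=-\r\n"
       "c=IN IP4 10.1.1.20\r\nt=0 0\r\nm=audio 20000 RTP/AVP 0\r\n")
INVITE = (
    "INVITE sip:1000@198.51.100.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776\r\n"
    "From: <sip:2000@10.1.1.20>;tag=1\r\n"
    "To: <sip:1000@198.51.100.10>\r\n"
    "Call-ID: abc123\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:2000@10.1.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP)}\r\n\r\n" + SDP
)

# Dotted-quad matcher that will not match inside a longer number or address.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def embedded_addresses(msg, inside_ip):
    """Return (location, line) for each payload line that carries inside_ip."""
    head, _, body = msg.partition("\r\n\r\n")
    hits = []
    for where, block in (("header", head), ("sdp", body)):
        for line in block.split("\r\n"):
            if inside_ip in IPV4.findall(line):
                hits.append((where, line))
    return hits

def alg_rewrite(msg, inside_ip, outside_ip):
    """Simplified ALG: swap each embedded inside address, then recompute
    Content-Length because the SDP body changes size."""
    def swap(text):
        return IPV4.sub(
            lambda m: outside_ip if m.group() == inside_ip else m.group(), text)
    head, _, body = msg.partition("\r\n\r\n")
    body = swap(body)
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body)}", swap(head))
    return head + "\r\n\r\n" + body

if __name__ == "__main__":
    for where, line in embedded_addresses(INVITE, "10.1.1.20"):
        print(f"{where:6} {line}")
    print(alg_rewrite(INVITE, "10.1.1.20", "203.0.113.142"))
```
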

I am aware of that. On the PBX I can see that packet headers are correctly being replaced by the Cisco router, with the destination IP set to that of the PBX. What I don't understand is why the Cisco router is dropping outbound packets after NATing if the port is 5060.

Would love to help, or at least try to, but the version of your IOS code is too old, it's scary :). My honest advice is to upgrade the IOS first, before thinking of anything else. Once you have done that we can begin to troubleshoot.

Please rate all useful posts

Hello, I tried the code first on version 15.0.
I am working remotely and the team on site replaced the router to see if the problem was specific to that router. We can still put it back if a working solution turns up.

OK, what is the full picture? What call control system are you using? CUCM? CCME?

We will need the config on the gateway (sh run). You can sanitize your config, but we need all the SIP-related config and IPs, so it might be better to just send everything, masking your public IP etc.

Please rate all useful posts

The VoIP gateway is from Mitel. The Cisco router was provided by the ISP, with a basic license I guess. As I mentioned before, any packet going through the router destined for the ISP is being dropped by it if the port is 5060 over UDP. I generated dummy UDP packets on port 5060 and they were also dropped by the router.
I am not interested in any additional VoIP features on the router, as all of that is already being handled by the PABX. My only concern is that the router should allow the traffic towards the WAN, i.e. it should act as a proxy server with the minimum configuration required.

Here is the config:
Current configuration : 1765 bytes
!
! Last configuration change at 19:24:44 UTC Sat Oct 31 2015 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
interface GigabitEthernet0/0
description "SIP TRUNK"
ip address A.A.A.142 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!1.53 interface is towards VoIP lan
interface GigabitEthernet0/1.53
encapsulation dot1Q 53
ip address B.B.B.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!C.C.C.20 is pbx
ip nat inside source static udp C.C.C.20 5060 interface GigabitEthernet0/0 5060
ip route 0.0.0.0 0.0.0.0 A.A.A.141
!B.B.1.10 is LAN firewall behind which pbx resides
ip route C.C.0.0 255.255.0.0 B.B.1.10
!
ip access-list extended Monitored-Host
permit ip any any
!
access-list 10 permit C.C.0.0 0.0.255.255

Guessing widely... would you like to change the systems default SIP port (which is 5060) in your router to some other value and then check again...

- Vivek

I did try that before and it enabled traffic forwarding behind NAT, but it disabled SIP packet inspection for NAT, and because of that the embedded address translation feature got disabled (obviously), which we require for NATing to work correctly.

I don't see any dial-peer to match the inbound call from Mitel. I also don't see any dial-peer to route the call to your ITSP.

You also need to configure this device as a CUBE. This is an IP-to-IP call and hence this device needs to be configured as a CUBE. So you seem to be missing a few things here.

Please rate all useful posts

I copied the config from another router provided by another ISP, and they didn't do any additional VoIP configuration either. Any guess how that router is working fine?

Perhaps you didn't copy the full configuration; the other possibility might be black magic :)

Cisco routers route calls based on dial-peer matching. Additionally, when you want to route a call between two IP legs, you need CUBE functionality. Aside from this you might have to invoke some Harry Potter spell.. :)

Please rate all useful posts

Actually, I did copy the relevant config, and that is not the original issue.

The router is not licensed for CUBE or any other VoIP functionality (besides nat sip service and sip-sbc), and it's the one provided by the ISP to all the other customers, where it is working fine with NATing.
The issue here is that I can see through "debug ip nat sip" that all the embedded addresses, whether incoming or outgoing, are being correctly replaced by the router with the corresponding destination address. But only incoming packets from the WAN port make it out of the router towards the VoIP PBX, and the ones destined for the ISP don't make it out of the WAN interface.
The purpose of this router is not to do call routing, so dial-peers etc. are not available. Its purpose is to provide basic routing and do the necessary NATing.

OK, I get the picture now. I am sorry, I can't help you; perhaps others can. You may want to post this in the routing and switching or firewall section.

Please rate all useful posts