New Member

Allowing VOIP traffic on FWSM

Hi. We are having FWSM between an Avaya VoIP phone and call manager server. We are using NAT and access lists for allowing the traffic. Our calls ring both ways but we are not able to hear the voice. Our observation is as below:

When the IP telephony handset on the abc network calls an extension attached to an IP telephony handset on the xyz network, the call establishes, but the audio is either unidirectional or does not establish in either direction. Analysis of this traffic shows that the handset on the SPE network is sending the RTP stream to a UDP port below 2048. According to the Avaya documentation 2048 is the minimum value.

This indicates that there is an issue with the NAT configuration on the FWSM.

Can anyone suggest any typical config which is required for allowing voice traffic on FWSM when we are hiding the actual IPs on both interfaces?

Thanks and Regards

Yogesh Kelkar

2 REPLIES
New Member

Re: Allowing VOIP traffic on FWSM

Hi. We are having FWSM between an Avaya VoIP phone and call manager server. We are using NAT and access lists for allowing the traffic. Our calls ring both ways but we are not able to hear the voice. Our observation is as below:

When the IP telephony handset on the abc network calls an extension attached to an IP telephony handset on the xyz network, the call establishes, but the audio is either unidirectional or does not establish in either direction. Analysis of this traffic shows that the handset on the SPE network is sending the RTP stream to a UDP port below 2048. According to the Avaya documentation 2048 is the minimum value.

This indicates that there is an issue with the NAT configuration on the FWSM.

From the low UDP destination port it looks to me as if the dynamic NAT is currently set to translate to a single IP address (i.e. a PAT, NAT overload, or Hide NAT depending on which firewall vendor you ask). This explains why the inspection policy is translating the UDP destination port to 1024 and above. However, even if UDP traffic at this level were permitted through the SPE firewall the PAT translation isn't going to work. Avaya IP telephony doesn't support PAT, only NAT.

Can anyone suggest any typical config which is required for allowing voice traffic on FWSM when we are hiding the actual IPs on both interfaces?

Thanks and Regards

Yogesh Kelkar

Cisco Employee

Re: Allowing VOIP traffic on FWSM

Yogesh,

FWSM should perform DPI on SIP/skinny packets (provided those inspection engines are enabled and no non-default ports are being used).

With inspection enabled on the FWSM, the payload of SIP/skinny packets should be rewritten, and connections/xlates and ACL entries dynamically created.

So have a look here:

http://isamology.blogspot.com/2010/06/troubleshooting-voip-issues-over.html

If you're already running a fairly recent FWSM version and have inspection engines enabled, try manually opening access-lists for all traffic from phones or call manager (depending on call flow).

If that does not work - open a TAC case.

Marcin
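
The symptom discussed in this thread (RTP arriving on a UDP port below 2048 because the phones are hidden behind one PAT address) can be checked from the translation table. The script below is an added example, not part of the original posts or any Cisco tooling; it assumes lines shaped like classic `show xlate` output, and the addresses and ports in the sample are constructed.

```python
import re
from collections import defaultdict

AVAYA_MIN_RTP_PORT = 2048  # minimum RTP port per the Avaya documentation cited in the thread

# Constructed sample; the line format is an assumption modelled on `show xlate`.
SAMPLE_XLATE = """\
3 in use, 3 most used
PAT Global 192.0.2.10(1025) Local 10.1.1.21(2050)
PAT Global 192.0.2.10(1026) Local 10.1.1.22(2052)
Global 192.0.2.31 Local 10.1.1.31
"""

PAT_RE = re.compile(r"^PAT Global (\S+)\((\d+)\) Local (\S+)\((\d+)\)$")

def audit_xlates(text, min_port=AVAYA_MIN_RTP_PORT):
    """Return (findings, shared).

    findings: list of (local_ip, reason) for every port-translated entry.
    shared:   global IPs that hide more than one local host (the PAT signature).
    """
    findings = []
    behind = defaultdict(set)
    for line in text.splitlines():
        m = PAT_RE.match(line.strip())
        if not m:
            continue  # header lines and one-to-one NAT entries keep ports intact
        g_ip, l_ip = m.group(1), m.group(3)
        g_port, l_port = int(m.group(2)), int(m.group(4))
        behind[g_ip].add(l_ip)
        reason = f"PAT to {g_ip}:{g_port}"
        # The phone chose a valid media port, but the translated port is too low.
        if l_port >= min_port > g_port:
            reason += f", port {l_port} rewritten below {min_port}"
        findings.append((l_ip, reason))
    shared = {ip: hosts for ip, hosts in behind.items() if len(hosts) > 1}
    return findings, shared

if __name__ == "__main__":
    findings, shared = audit_xlates(SAMPLE_XLATE)
    for host, reason in findings:
        print(f"{host}: {reason}")
    for g_ip, hosts in shared.items():
        print(f"{g_ip} hides {len(hosts)} hosts: {sorted(hosts)}")
```

Any phone that shows up in the findings is being port-translated; an entry in `shared` confirms that several phones sit behind a single global address rather than each having a one-to-one translation.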
