Cisco Support Community
New Member

ACL on a CUBE issue

Hello everybody!

There is a CUBE (Cisco 2821 with IOS 12.4(13)T) which provides H323-to-SIP connections and vice versa between CCM 7.1 working on H323 and the provider's SIP softswitch. As the CUBE is located between different subnets, it has two different interfaces for CCM and the SIP softswitch. There is no problem with voice unless I put an ACL on the inside interface of the CUBE (to the provider side) permitting traffic from the SIP softswitch to the CUBE only. After putting the ACL in place there is no problem with signalling, but RTP from the provider is blocked. In the logs I see traffic from the CUBE to CCM (from the LAN interface to the private address of CCM) being blocked on the interface with public addresses, and therefore after adding the necessary line RTP goes through. The situation was the same with binding interfaces and without. Is that normal behaviour? How can I avoid adding public addresses to the ACL on the Internet interface?

Here is the config of the CUBE.

voice call send-alert
!
voice service voip
address-hiding
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
h323
  emptycapability
  no h225 timeout keepalive
sip
!
!
!
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 g729r8
!
!
!
voice class h323 1
h225 timeout tcp establish 5

voice translation-rule 9
rule 1 /^9\([0-9]*\)/ /\1/
!
!
voice translation-profile Test
translate called 9

interface GigabitEthernet0/0
description -- LAN Connection --
ip address 172.16.22.2 255.255.255.0
no ip redirects
no ip proxy-arp
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address x.x.x.x x.x.x.x
ip access-group Test-in in
no ip redirects
no ip proxy-arp
duplex auto
speed auto
no cdp enable

ip route 0.0.0.0 0.0.0.0 172.16.22.1
ip route y.y.y.y y.y.y.y x.x.x.x.x
!
!
no ip http server
no ip http secure-server
!
ip access-list extended Test-in
permit ip host y.y.y.y host x.x.x.x
permit ip host 172.16.22.2 host 172.16.22.3
permit ip host 172.16.22.2 host 172.16.22.4
deny   ip any any log

!

dial-peer voice 1 pots
incoming called-number .
direct-inward-dial
!
dial-peer voice 20 voip
answer-address ....
voice-class codec 1
dtmf-relay rtp-nte
no vad
!
dial-peer voice 21 voip
destination-pattern 5880201
voice-class codec 1
voice-class h323 1
session target ipv4:172.16.22.4
no vad
!
dial-peer voice 22 voip
preference 1
destination-pattern 5880202
voice-class codec 1
voice-class h323 1
session target ipv4:172.16.22.3
no vad
!

dial-peer voice 2000 voip
tone ringback alert-no-PI
destination-pattern 311125425
session target ipv4:172.16.22.3
dtmf-relay rtp-nte
codec g711alaw
no vad
!
dial-peer voice 2003 pots
!
dial-peer voice 3002 voip
description local calls
translation-profile outgoing Test
preference 1
max-conn 20
destination-pattern 9[12345679]......
translate-outgoing calling 9
max-redirects 10
session protocol sipv2
session target ipv4:y.y.y.y
dtmf-relay rtp-nte
codec g711alaw
!
!
dial-peer voice 3005 voip
description Long distance calls
translation-profile outgoing Test
preference 1
max-conn 20
destination-pattern 98[12345678].........
redirect ip2ip
translate-outgoing calling 9
session protocol sipv2
session target ipv4:y.y.y.y
dtmf-relay rtp-nte sip-notify h245-alphanumeric
codec g711alaw
no vad

dial-peer voice 3007 voip
description international calls
translation-profile outgoing Test
preference 1
max-conn 20
destination-pattern 9810.T
redirect ip2ip
translate-outgoing calling 9
max-redirects 10
session protocol sipv2
session target ipv4:y.y.y.y
dtmf-relay rtp-nte sip-notify h245-alphanumeric
codec g711alaw

dial-peer voice 3010 voip
description Emergency calls
translation-profile outgoing Test
preference 1
max-conn 20
destination-pattern 0.
redirect ip2ip
translate-outgoing calling 9
max-redirects 10
session protocol sipv2
session target ipv4:y.y.y.y
dtmf-relay rtp-nte sip-notify h245-alphanumeric
codec g711alaw
!
!
dial-peer voice 25 voip
session protocol sipv2
session target ipv4:y.y.y.y
session transport udp
incoming called-number 9T
dtmf-relay rtp-nte
codec g711alaw
!
!
gateway
timer receive-rtp 1200
!
sip-ua
nat symmetric check-media-src
sip-server ipv4:y.y.y.y
no transport tcp

1 REPLY
New Member

Re: ACL on a CUBE issue

There is a debug of call setup in the attachment if it helps.
