Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAT support for VoIP calls

Hi Team,

We have a customer who uses NAT extensively in their network. All their locations have a NAT traversal. They are using their proprietary linux based firewall. The NAT is happening on the firewall. Firewall is the end device. All the IP's are going natted regardless of the traffic. The IP address is natted when it leaves the location 'A' and again it is natted at the remote location 'B' when it enters the remote firewall. Now they want to implement cisco IP Telephony into their network!!!

1. The CUCM is kept at the Head Office.

2. Asked them to open all the necessary ports mentioned in the cisco doc.

3. Registered the Head Office IP Phone.

4. Registered the remote location's IP Phone to the Head Office CUCM server.

But there is no audio flowing through when the call is established. Dead Air!! I know its a tough one. But I beleive there will be a work around solution for this. I have read some doc mentioning to keep a router. But I do not know how the router would help us here. We cannot change the firewall and also its not possible to disable IP NATTING.

Kindly Help!!! Thanks in advance!!

Hall of Fame Super Gold

NAT support for VoIP calls

NAT + VoIP = trouble.

You can keep banging your head, or do the proper way: remove NAT.

Cisco Employee

NAT support for VoIP calls

Here's a nice guide for SCCPv17 NAT support:

Hall of Fame Super Gold

Re: NAT support for VoIP calls

From linked document:

functionality will be impacted if a network device that lacks SCCPv17

OP has non-cisco NAT and FW devices. These do not support SCCP NAT no matter the version used. That's why it's like fighting windmills.

New Member

Re: NAT support for VoIP calls


In cisco CUCM 8.X SRND I read that DNS should be installed for the proper mapping of the natted ip address. Does this work on my voice setup? Or how to do this?

Kindly Help

Hall of Fame Super Gold

NAT support for VoIP calls

No, DNS in itself does not solve NAT and FW hindrances to VoIP.

New Member

NAT support for VoIP calls

Thanks for replying.

Today What I have done is installed cisco vpn client on all the systems and created tunnel between all. And I was successful in doing the voip calls between far remote places also.

Yes I know this is not the real solution!!! As we had a competition with avaya, we had to show the customer something. Even avaya was also doing the same way..

I have got the information that NAT will be supported in cisco voice setup. Do not know how. Guys we have a real challenge here.

We cannot disable NAT. Also we cannot change the firewall to a cisco one. We have to show them running the cisco voice in the present scenario. Additionally we can add one router if it is necessary.

Any inputs would be appreciated. Thanks in advance.

Hall of Fame Super Gold

Re: NAT support for VoIP calls

If you cannot make a proper network, you cannot make a proper IP telephony system.

Customer is responsible for the mistakes made.

He can either fix them, or accept a poor solution, or do nothing at all.


Re: NAT support for VoIP calls

The big issue here is not IP telephony, it is the customer's device that is performing NAT (in this case their firewall).

Some protocols are easier to NAT than others, For example, TFTP is pretty easy. SIP, H.323 and SCCP are much harder because the "real" IP address of the endpoint is not just carried in the layer 3 packet, but it is also carried in higher level protocols further up the stack. A firewall that just can do layer 3 NAT will break protocols that do this as the IP addresses in the higher layer protocol packets are not converted and you end up with a mismatch. There are plenty of other non voice protocols  that also get broken by simple layer 3 NAT devices.

The reason SCCP, SIP and H.323 are more difficult is that the real IP addresses are carried in the call control messages handled further up the stack. A firewall performing NAT should also be capable of performing "application inspection", finding these IP addresses and NATing them as well. Simply performing NAT at layer 3 is NOT enough.

Various vendors call application inspection different things, however most firewalls are capable of performing it at some level or other. I've tested SCCP traffic through both Cisco ASA/PIX and Checkpoint and have got it to work. I also seem to remember getting it to work with Sonicwall but I had to create custom rules as it didn't work out of the box. Your mileage will vary with other firewall vendors. SIP and H.323 are more commonly supported on 3rd party vendors than SCCP, however if your CUCM is being NATd then you must have a firewall that supports SCCP NAT at the application layer.

In summary; Cisco telephony can absolutely be made to work over a NAT environment, however they key is that the device that is performing NAT MUST be able to perform in depth packet inspection of the protocol you are running. This is true of Cisco, Avaya, Mitel, Nortel, Asterix etc etc. SIP is another protocol where you must perform application inspection as it works pretty much the same way as SCCP from a NAT perspective.

A Cisco router running IOS firewall can perform application inspection for SCCP. You might be able to look at putting a router in parallel to the firewall and using it to NAT the CUCM server instead. You will however have to be careful with routing to ensure you don't get asymetric traffic flows.

HTH. Barry

CreatePlease login to create content