Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

SIP profiles when using NAT

Hi all,

 

We have a CUBE behind a firewall, and unfortunately we cannot run SIP INSPECT on the firewall. I am trying to modify the SIP headers so that we are correctly sending the external IP in the header information to the ITSP and the correct internal address to the CUCM

 

Relevant Config:

 

voice class sip-profiles 100
 request ANY sip-header From modify "192.168.46.18" "36.11.22.33"
 request ANY sip-header Via modify "192.168.46.18" "36.11.22.33"
 request ANY sip-header Remote-Party-ID modify "192.168.46.18" "36.11.22.33"
 request ANY sip-header Contact modify "192.168.46.18" "36.11.22.33"
 response ANY sip-header Contact modify "192.168.46.18" "36.11.22.33"
 response ANY sip-header Remote-Party-ID modify "192.168.46.18" "36.11.22.33"
 request ANY sdp-header Audio-Connection-Info modify "192.168.46.18" "36.11.22.33"
 request ANY sdp-header Connection-Info modify "192.168.46.18" "36.11.22.33"
 request ANY sdp-header Session-Owner modify "192.168.46.18" "36.11.22.33"
 response ANY sdp-header Session-Owner modify "192.168.46.18" "36.11.22.33"
 response ANY sdp-header Connection-Info modify "192.168.46.18" "36.11.22.33"
 response ANY sdp-header Audio-Connection-Info modify "192.168.46.18" "36.11.22.33"  
voice class sip-profiles 101
 request ANY sip-header From modify "36.11.22.33" "192.168.46.18"
 request ANY sip-header Via modify "36.11.22.33" "192.168.46.18"
 request ANY sip-header Remote-Party-ID modify "36.11.22.33" "192.168.46.18"
 request ANY sip-header Contact modify "36.11.22.33" "192.168.46.18"
 response ANY sip-header Contact modify "36.11.22.33" "192.168.46.18"
 response ANY sip-header Remote-Party-ID modify "36.11.22.33" "192.168.46.18"
 request ANY sdp-header Audio-Connection-Info modify "36.11.22.33" "192.168.46.18"
 request ANY sdp-header Connection-Info modify "36.11.22.33" "192.168.46.18"
 request ANY sdp-header Session-Owner modify "36.11.22.33" "192.168.46.18"
 response ANY sdp-header Session-Owner modify "36.11.22.33" "192.168.46.18"
 response ANY sdp-header Connection-Info modify "36.11.22.33" "192.168.46.18"
 response ANY sdp-header Audio-Connection-Info modify "36.11.22.33" "192.168.46.18"
!         
voice service voip
 sip
 sip-profiles 100
!
dial-peer voice 3000 voip
 description ***** To CUCM ***
 voice-class sip profiles 101
!
dial-peer voice 2000 voip
 description ***OUTBOUND PSTN***
voice-class sip profiles 100

 

IP Info:

 

192.168.46.18 - CUBE internal address

192.168.46.14 - CUCM Address

36.11.22.33 - CUBE External

88.11.22.33 - ITSP

 

What I have seen is:

 

- When I am not using SIP profiles, the invites are being sent to the ITSP using the CUBE internal address and being rejected by the ITSP

 

019844: Aug 26 14:12:43.841: //10096/000000000000/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 403 Forbidden-Source Endpoint Lookup Failed

Via: SIP/2.0/UDP 192.168.46.18:5060;received=31.221.99.51;branch=z9hG4bK5102CF

From: <sip:192.168.46.18>;tag=43BD9550-1013

Call-ID: E1B88EF8-2C6111E4-ACF4FA6E-8F1CB832@192.168.46.18

CSeq: 101 OPTIONS

To: <sip:88.11.22.33>;tag=3618051230-117031

Content-Length: 0

 

- When I add a SIP profile to the outgoing dialpeer to the ITSP, the messages are sent correctly, but we get a problem because the SIP messages going to Call Manager show the external address as the contact and the RTP stream goes to the wrong place.

 

So, what I have now done is, created two SIP profiles. One on the outgoing dial-peer to the ITSP, to modify the internal address to the external address, and one on the outgoing dialpeer to the CUCM to modify the external interface to the internal interface.

 

For incoming calls, this is fine, I can see the SIP messages coming from 88.11.22.33 to 36.11.22.33 and then the CUBE is sending to the CUCM on 192.168.46.14 with the correct contact address of 192.168.46.14 and audio works.

 

However, what I can see with outgoing calls, is that initially all the signalling traffic is fine:

 

068357: Aug 29 10:13:17.468: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:07714123456@192.168.46.18:5060 SIP/2.0

Via: SIP/2.0/TCP 192.168.46.14:5060;branch=z9hG4bKc2cf5ab70534

From: "TCC Phone7" <sip:+442031234567@192.168.46.14>;tag=73591~5cec2a93-537f-40cd-bf17-e7b4de1fe86e-29863481

To: <sip:07714123456@192.168.46.18>

Date: Fri, 29 Aug 2014 10:14:26 GMT

Call-ID: 3ffab280-40015282-bdf4-e2ea8c0@192.168.46.14

Supported: timer,resource-priority,replaces

Min-SE:  1800

User-Agent: Cisco-CUCM10.5

Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY

CSeq: 101 INVITE

Expires: 180

Allow-Events: presence, kpml

Supported: X-cisco-srtp-fallback,X-cisco-original-called

Call-Info: <sip:192.168.46.14:5060>;method="NOTIFY;Event=telephone-event;Duration=500"

Call-Info: <urn:x-cisco-remotecc:callinfo>;x-cisco-video-traffic-class=DESKTOP

Cisco-Guid: 1073394304-0000065536-0000000295-0237938880

Session-Expires:  1800

P-Asserted-Identity: "TCC Phone7" <sip:+442031234567@192.168.46.14>

Remote-Party-ID: "TCC Phone7" <sip:+442031234567@192.168.46.14>;party=calling;screen=yes;privacy=off

Contact: <sip:+442031234567@192.168.46.14:5060;transport=tcp>

Max-Forwards: 69

Content-Length: 0

 

068358: Aug 29 10:13:17.476: //27351/3FFAB2800000/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:07714123456@88.11.22.33:5060 SIP/2.0

Via: SIP/2.0/UDP 36.11.22.33:5060;branch=z9hG4bK39121292

Remote-Party-ID: "TCC Phone7" <sip:02031234567@36.11.22.33>;party=calling;screen=yes;privacy=off

From: "TCC Phone7" <sip:02031234567@36.11.22.33>;tag=525572C8-1895

To: <sip:07714123456@88.11.22.33>

Date: Fri, 29 Aug 2014 10:13:17 GMT

Call-ID: EDF11C33-2E9B11E4-B5ADFA6E-8F1CB832@192.168.46.18

Supported: 100rel,timer,resource-priority,replaces,sdp-anat

Min-SE:  1800

Cisco-Guid: 1073394304-0000065536-0000000295-0237938880

User-Agent: Cisco-SIPGateway/IOS-15.2.4.M6

Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER

CSeq: 101 INVITE

Timestamp: 1409307197

Contact: <sip:02031234567@36.11.22.33:5060>

Expires: 180

Allow-Events: telephone-event

Max-Forwards: 68

Session-Expires:  1800

Content-Type: application/sdp

Content-Disposition: session;handling=required

Content-Length: 259

 

v=0

o=CiscoSystemsSIP-GW-UserAgent 4541 1686 IN IP4 36.11.22.33

s=SIP Call

c=IN IP4 36.11.22.33

t=0 0

m=audio 19242 RTP/AVP 8 0 101

c=IN IP4 36.11.22.33

a=rtpmap:8 PCMA/8000

a=rtpmap:0 PCMU/8000

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-16

 

The INVITE is sent from CUCM on .14 to the CUBE at .18, the CUBE is then sending an INVITE to the ITSP with the correct address information, however, when the ITSP sends back the SIP 183 response, the CUBE sends a 183 to the CUCM, but with a Contact of the external address:

 

068363: Aug 29 10:13:17.904: //27350/3FFAB2800000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 183 Session Progress

Via: SIP/2.0/TCP 192.168.46.14:5060;branch=z9hG4bKc2cf5ab70534

From: "TCC Phone7" <sip:+442031234567@192.168.46.14>;tag=73591~5cec2a93-537f-40cd-bf17-e7b4de1fe86e-29863481

To: <sip:07714123456@192.168.46.18>;tag=52557470-1338

Date: Fri, 29 Aug 2014 10:13:17 GMT

Call-ID: 3ffab280-40015282-bdf4-e2ea8c0@192.168.46.14

CSeq: 101 INVITE

Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER

Allow-Events: telephone-event

Contact: <sip:07714123456@36.11.22.33:5060;transport=tcp>

Supported: sdp-anat

Server: Cisco-SIPGateway/IOS-15.2.4.M6

Content-Type: application/sdp

Content-Disposition: session;handling=required

Content-Length: 247

 

And then when the call connects:

 

068370: Aug 29 10:13:25.388: //27350/3FFAB2800000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 200 OK

Via: SIP/2.0/TCP 192.168.46.14:5060;branch=z9hG4bKc2cf5ab70534

From: "TCC Phone7" <sip:+442031234567@192.168.46.14>;tag=73591~5cec2a93-537f-40cd-bf17-e7b4de1fe86e-29863481

To: <sip:07714123456@192.168.46.18>;tag=52557470-1338

Date: Fri, 29 Aug 2014 10:13:17 GMT

Call-ID: 3ffab280-40015282-bdf4-e2ea8c0@192.168.46.14

CSeq: 101 INVITE

Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER

Allow-Events: telephone-event

Remote-Party-ID: <sip:07714123456@36.11.22.33>;party=called;screen=no;privacy=off

Contact: <sip:07714123456@36.11.22.33:5060;transport=tcp>

Supported: replaces

Supported: sdp-anat

Server: Cisco-SIPGateway/IOS-15.2.4.M6

Session-Expires:  1800;refresher=uas

Require: timer

Supported: timer

Content-Type: application/sdp

Content-Disposition: session;handling=required

Content-Length: 247

 

v=0

o=CiscoSystemsSIP-GW-UserAgent 1290 7090 IN IP4 36.11.22.33

s=SIP Call

c=IN IP4 36.11.22.33

t=0 0

m=audio 19240 RTP/AVP 8 101

c=IN IP4 36.11.22.33

a=rtpmap:8 PCMA/8000

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-15

a=ptime:20

 

This would suggest to me that the profile is not being used in this case and the RTP stream is then being sent to this external address (the firewall) and being dropped.

 

Is this something that I am doing wrong, or is there a better way to achieve this?

2 REPLIES

What you can do rather than

What you can do rather than using sip profiles is to bind source and media address on the inbound and outbound dial-peer.  Here is the link.

Bronze

Hi all, I was also facing the

Hi all,

 

I was also facing the:

SIP/2.0 403 Forbidden-Source Endpoint Lookup Failed

 

My CUBE is only configured with a single LAN side address and I’m using NAT forwarding from the firewall, so I can’t use the bind media method.

 

However the above configuration using the ‘voice class sip-profile’ worked for me, but I only needed the config on the peer going towards the ITSP.

 

Thanks!

 

Matty

2212
Views
0
Helpful
2
Replies