
SIP-UA IP Presentation to ITSP behind NAT

bjames
Level 5

Hi,

Is there a command I can send in SIP-UA (UC520) to spoof the IP presented to the ITSP? Currently it is presenting the first IP on the next NAT device, as the UC is behind two NAT firewalls and not using the WAN interface.

The ITSP is seeing the first NAT address (RFC1918) and inbound registration is not working. I would like to present the outside NAT IP (Public) to them in the SIP messages.

Thanks,

Bob James

7 Replies

ai.solutions
Level 1

If your Internet-facing router is a Cisco, turn on IP inspect for SIP and apply it to the internal interface of that router. For example, if your router's internal interface is VLAN1, the following should work:

Router# conf t

Router(config)# ip inspect name LAN-WAN sip

Router(config)# interface vlan1

Router(config-if)# ip inspect LAN-WAN in

IP inspect is application-layer aware and will make the necessary IP address translations in the SIP headers as the packets leave your network, and will translate them on the way back in.

Thanks,

Well, I got the registration working and outbound calling works. I had to add the (inspect) SIP proxy to both the ISR and ASA that are in the path outbound. The issue I'm having now is the SIP invite is "to" the publicly NAT'd address of the ASA, and the UC rejects the message with an Invalid Host message.

It's almost like the SIP proxy is not changing the IP address back to the internal IP of the UC for it to accept it.

I'm going to keep playing and see what I can find out.

Bob James

I don't understand why you are natting a second time if the ASA has a public IP address.

Double NAT is a definite pain in the backside, always avoid it if you can.

Security is like an onion....

... and double nat is not a good practice.

OK, so the issue is the SIP inspect on the ASA. I upgraded twice to try to fix the issue, but it's still there. I have been working with TAC on this and they sent me a link to their documents stating not to run PAT with SIP, so I moved it to a NAT address but still have the same issue.

I'm going back to my ITSP to work with them, as I am not confident in the TAC engineer's answers.

There were bugs in the ASA inspect for SIP that were supposed to be fixed in the version we are now running (not).

The document in reference said SIP does not work with NAT, so I called BS on him.

Will post when I get it fixed.

Bob James

Hi Bob,

The document in reference said SIP does not work with NAT, so I called BS on him.

In the last organization I worked for we had a CCIE engineer on tap and we faced a similar situation. If only I could speak to him now to get from him the config he implemented so I could supply this to you, but I don't have contact details for him now.

I know your problem can be resolved, but alas I am useless when it comes to an ASA and relied on him heavily to resolve problems like this, but I know your situation can be resolved, I am certain of it.

Please keep us posted, mate, when you resolve it.

Cheers,

David.

Cheers, David Trad. **When you rate a person's post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you won't be looked down upon :) *
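A diagnostic for the symptom discussed in this thread, added here as an example and not part of any post above: it scans a captured SIP message for RFC 1918 addresses in the fields the far end routes on, which shows whether a SIP-aware NAT device actually rewrote the payload. The function names, the sample REGISTER and all addresses in it are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Headers the far end routes on, with their compact forms (v = Via, m = Contact).
ROUTING = {"via": "Via", "v": "Via", "contact": "Contact", "m": "Contact",
           "record-route": "Record-Route", "route": "Route"}

def _private(text):
    """Yield RFC 1918 IPv4 literals found in text."""
    for literal in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
        if any(addr in net for net in RFC1918):
            yield literal

def leaked_private_addresses(sip_message):
    """Return sorted (field, address) pairs the peer would see as unroutable."""
    head, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    found = set()
    for line in head.split("\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        field = ROUTING.get(name.strip().lower())
        if sep and field:  # Call-ID and other non-routing headers are ignored
            found.update((field, ip) for ip in _private(value))
    for line in body.split("\n"):  # SDP origin and connection lines
        if line.startswith(("o=", "c=")):
            found.update(("SDP " + line[:2], ip) for ip in _private(line))
    return sorted(found)

def _sample(addr):
    """Constructed REGISTER; addr is what ends up in the SIP payload."""
    return ("REGISTER sip:itsp.example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {addr}:5060;branch=z9hG4bK74bf9\r\n"
            "From: <sip:5551000@itsp.example.net>;tag=4711\r\n"
            "To: <sip:5551000@itsp.example.net>\r\n"
            f"Call-ID: 1a2b3c@{addr}\r\n"
            "CSeq: 1 REGISTER\r\n"
            f"Contact: <sip:5551000@{addr}:5060>\r\n"
            "Content-Length: 0\r\n\r\n")

BEFORE_ALG = _sample("192.168.10.1")  # RFC 1918 address left in the headers
AFTER_ALG = _sample("203.0.113.10")   # documentation-range stand-in for the public IP

if __name__ == "__main__":
    for label, msg in (("untranslated", BEFORE_ALG), ("translated", AFTER_ALG)):
        print(label, leaked_private_addresses(msg))
```

Run it against a message captured on the outside of the last NAT device: an empty result means the headers and SDP were rewritten, while any hit names the field that still carries an inside address.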