05-06-2011 04:08 PM - edited 03-21-2019 04:03 AM
Hi,
Is there a command I can send in SIP-UA (UC520) to spoof the IP presented to the ITSP? Currently it is presenting the first IP on the next NAT device, as the UC is behind two NAT firewalls and not using the WAN interface.
The ITSP is seeing the first NAT address (RFC1918) and inbound registration is not working. I would like to present the outside NAT IP (Public) to them in the SIP messages.
Thanks,
Bob James
05-09-2011 10:33 PM
If your internet-facing router is a Cisco, turn on IP inspect for SIP and apply it to the internal interface of that router. For example, if your router's internal interface is VLAN1, the following should work:
Router# conf t
Router(config)# ip inspect name LAN-WAN sip
Router(config)# interface vlan1
Router(config-if)# ip inspect LAN-WAN in
IP inspect is application layer aware and will make the necessary IP address translations in the SIP headers as the packets go to leave your network and will translate them on the way back in.
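One way to check whether the inspection described above is actually rewriting the SIP headers is to capture the REGISTER on the outside of the last NAT device and look for RFC 1918 addresses in the routing fields. This is an added example, not part of the original post; the sample message, host names and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: a REGISTER as it might leave a UA behind NAT with no SIP-aware fixup.
# Host names, numbers and addresses are made up for illustration.
SAMPLE_REGISTER = (
    "REGISTER sip:itsp.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.1:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:5551000@itsp.example.net>;tag=1928301774\r\n"
    "To: <sip:5551000@itsp.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.10.1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:5551000@192.168.10.1:5060>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Headers the far end uses to route replies and new requests (including compact forms v and m).
ROUTING_HEADERS = {"via", "v", "contact", "m", "record-route", "route"}
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def is_rfc1918(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(addr in net for net in RFC1918)

def private_addresses(message):
    """Return (field, address) pairs where a routing-relevant field carries an RFC 1918 address."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ROUTING_HEADERS:
            findings += [(name.strip(), ip) for ip in IPV4.findall(value) if is_rfc1918(ip)]
    for line in body.splitlines():  # SDP origin and connection lines carry the media address
        if line.startswith(("o=", "c=")):
            findings += [(line[:2], ip) for ip in IPV4.findall(line) if is_rfc1918(ip)]
    return findings

if __name__ == "__main__":
    for field, ip in private_addresses(SAMPLE_REGISTER):
        print(f"{field}: {ip} is RFC 1918 and not reachable from the provider side")
```

An empty result on the outside capture means the headers were translated; any hit in Via or Contact matches the symptom in the first post, where the ITSP sees a private address.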
05-10-2011 08:27 PM
Thanks,
Well, I got the registration working and outbound calling works. I had to add the (inspect) SIP proxy to both the ISR and ASA that are in path outbound. The issue I'm having now is the SIP invite is "to" the publicly NAT'd address of the ASA, and the UC rejects the message with Invalid Host message.
It's almost like the SIP proxy is not changing the IP address back to the internal IP of the UC for it to accept it.
I'm going to keep playing and see what I can find out.
Bob James
05-10-2011 09:07 PM
I don't understand why you are natting a second time if the ASA has a public IP address.
Double NAT is a definite pain in the backside, always avoid it if you can.
05-11-2011 07:10 PM
Security is like an onion....
05-11-2011 07:27 PM
... and double nat is not a good practice.
06-01-2011 04:27 PM
OK, so the issue is the SIP inspect on the ASA. I upgraded twice to try to fix the issue, but it's still there. I have been working with TAC on this and they sent me a link to their documents stating not to run PAT with SIP, so I moved it to a NAT address but still have the same issue.
I'm going back to my ITSP to work with them, as I am not confident in the TAC engineer's answers.
There were bugs in the ASA inspect for SIP that were supposed to be fixed in the version we are now running (not).
The document in reference said SIP does not work with NAT, so I called BS on him.
Will post when I get it fixed.
Bob James
06-01-2011 08:27 PM
Hi Bob,
The document in reference said SIP does not work with NAT, so I called BS on him.
In the last organization I worked for we had a CCIE engineer on tap and we faced a similar situation. If only I could speak to him now to get from him the config he implemented so I could supply this to you, but I don't have contact details for him now.
I know your problem can be resolved, but alas I am useless when it comes to an ASA and relied on him heavily to resolve problems like this, but I know your situation can be resolved, I am certain of it.
Please keep us posted, mate, when you resolve it.
Cheers,
David.