I've an issue with incoming calls to my UC500 that is behind an SA520 firewall and a Cisco 877.
The topology is like this:
Internet (SIP Provider) <---- ADSL (POTS)----> (NAT Public Static IP Address) Cisco 877 LAN(192.168.1.1) <---> (192.168.1.2 - WAN) SA520 (VLAN1 192.168.75.1) <--> 192.168.75.254 (WAN) UC540 (VLAN1 192.168.200.1) <--> INSIDE LAN (switches, phones, etc.)
The 877 simply forwards all incoming traffic from the outside network to the SA520 firewall and all inside traffic to the outside with the static NAT entry:
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.1.2 MY_PUBLIC_IP_ADDRESS
(Access-list 1 permit inside LAN traffic)
On the SA520 configuration I've installed two firewall rules for the SIP_UDP and SIP_TCP traffic (UDP port from 5060 to 5070) that permit this traffic from ANY source to the 192.168.75.254.
When I try to call someone from inside to the outside everything is working well, but when someone tries to call me from the outside, the SIP call is blocked by the firewall (as I understand it). I say this because of these debug results ("debug ip nat inside sip" on the 877 and Packet Capture on the SA520):
Captured traffic from the SA520 (I've covered my public IP address and my phone number):
The only error that I see is the "401 Unauthorized" but afterwards I can also see "Status OK"... I've verified that the incoming call does not reach the UC500 with the commands "debug ccsip messages" and "debug voip dialpeer inout".
I'm not able to isolate the problem. I have also tried to forward all incoming traffic from the 877 directly to the UC500 with a firewall rule on the SA520 but without result. It seems, according to me, to be an issue with the SA520 and not with the 877 or the UC500.
Are there some tests or debugs that I can do to isolate the problem?
Other useful information:
Only the dialer0 interface NAT from and to the outside networks.
SIP Alg on the SA520 is enabled
NO other NAT inside the LAN
The registration with the trunk is ok (verified with a "sh sip-ua register status" command on the UC500)
The provider makes incoming calls from a pool of IP addresses that are not in the same subnet as the SIP trunk endpoint (but I've installed the rule in the firewall with an ANY source)
In the packet capture, it looks like the INVITES are seen on the WAN. If you run a packet capture on the LAN side, do you see the INVITES going to the UC500? What image is running on the SA520? This looks similar to some issues seen with SIP ALG. You will probably want to open a case with SBSC and work with them on this.
I made a debug (debug ccsip all, debug voip dialpeer inout, etc...) on the UC500 and it seems that the SA520 does not forward the INVITES to the UC500. On the SA520 there is the latest version of the firmware (sa500-k9-2.1.51.img).
The strange thing is that sometimes it works (with or without firewall rules). I've tried without the firewall and it works, so there is something in the SA520 configuration that blocks the SIP traffic. I've also tried to forward all the traffic from the router directly to the UC500 and it doesn't work; this confirms my opinion that there is something in the SA520 config.
I have to open a case with the SBSC and work with them on it.
If you have some other suggestions please let me know.
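The check suggested in the reply above (are the INVITEs seen on the WAN side of the SA520 also seen on the LAN side?) can be done by matching Call-IDs between the two captures. The following is an added example, not part of the original thread or any Cisco tool; it assumes each capture has been exported as plain SIP message text, and the sample messages, Call-IDs, provider address and number are constructed.

```python
import re

# Constructed sample input. 192.168.1.2 and 192.168.75.254 are the SA520 WAN
# and UC540 WAN addresses from the thread; everything else is made up.
WAN_CAPTURE = """\
INVITE sip:0123456789@192.168.1.2:5060 SIP/2.0
Call-ID: call-a@198.51.100.7
CSeq: 1 INVITE

INVITE sip:0123456789@192.168.1.2:5060 SIP/2.0
Call-ID: call-b@198.51.100.7
CSeq: 1 INVITE
"""
LAN_CAPTURE = """\
INVITE sip:0123456789@192.168.75.254:5060 SIP/2.0
Call-ID: call-b@198.51.100.7
CSeq: 1 INVITE
"""

def parse_invites(text):
    """Return {Call-ID: Request-URI} for every INVITE request in the text."""
    invites = {}
    for msg in re.split(r"\r?\n\r?\n", text.strip()):
        start = re.match(r"INVITE\s+(\S+)\s+SIP/2\.0", msg.strip())
        # "i" is the compact header form of Call-ID
        call_id = re.search(r"^(?:Call-ID|i)\s*:\s*(\S+)", msg, re.I | re.M)
        if start and call_id:  # responses (401, 200 OK) and other methods are skipped
            invites[call_id.group(1)] = start.group(1)
    return invites

def compare(wan_text, lan_text):
    """Split WAN-side INVITEs into dropped and forwarded, keyed by Call-ID."""
    wan, lan = parse_invites(wan_text), parse_invites(lan_text)
    dropped = sorted(set(wan) - set(lan))
    forwarded = {cid: (wan[cid], lan[cid]) for cid in sorted(set(wan) & set(lan))}
    return dropped, forwarded

if __name__ == "__main__":
    dropped, forwarded = compare(WAN_CAPTURE, LAN_CAPTURE)
    print("INVITEs seen on WAN but not on LAN:", dropped)
    for cid, (before, after) in forwarded.items():
        print(cid, "Request-URI", before, "->", after)
```

A non-empty dropped list places the loss inside the firewall; for forwarded calls, the before/after Request-URI shows whether the address was rewritten on the way through.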