Current configuration : 4912

TheITThree · ‎09-23-2014

Hi all,

I'm having a problem with a Cisco SPA504G phone not registering with the SIP carrier over the Internet. We've recently rolled out a Cisco 877 router onto a new NBN business connection and can't get the pre-configured IP phone to register.

When we tested the phone with the NBN-provided Netgear router, it worked fine, as it did with the previous Cisco 1841 router we were using on a different link.

The way it's setup is using VLANs to define the internal subnets, which are then assigned to the physical interfaces (since the 887 doesn't allow IP assignments to the interfaces directly).

VLAN 100 is the internal network and has a SBS2011 server – assigned to F0 – IP range is 192.168.1.0

VLAN 200 is the guest network and has Internet access only – assigned to F1 – IP range is 10.1.1.0

VLAN 500 is the WAN network and connects to the NBN upstream box – assigned to F3 – external IP address assigned by DHCP

I've been playing around with access lists, nat rules, basically everything in my limited Cisco knowledge to try and figure this out, but to no avail. I have even configured what I believe is unrestricted access to IP, UDP and TCP outbound and inbound to all VLANs and still can't get it to register.

Tried isolating the issue by creating a new VLAN and assigning it to the spare interface and basically allowing everything in and out, but still no luck.

The problem has to be something on the router – probably some small line of config I haven’t removed or added.

I am going to pull my hair out soon, so would really appreciate some assistance from the Cisco gurus out there.

My client has just purchased about 10 of these handsets from their provider so I need to fix this ASAP. The guy who provided them wasn't very helpful, and basically said I'm on my own once we tested using the NBN-provided Netgear router.

Happy to post my config as well.

Please help!!!!

Leo Laohoo · ‎09-24-2014

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

Did you disable ALG?

TheITThree · ‎09-24-2014

Hi, thanks for the reply,

I was playing with those commands yesterday after reading some forum posts. I have applied them but no luck so far - the phone says "failed - no response". The config only shows the UDP command though - not sure if that is how it's meant to be...

What do you mean by disable ALG - is that what those commands are doing?

I'll post my config as well in case this helps.

Thanks again.

TheITThree · ‎09-24-2014

Current configuration : 4912 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.1.1.1
!
ip dhcp pool GUEST
network 10.1.1.0 255.255.255.0
dns-server 10.1.1.1 203.50.2.71 139.130.4.4
default-router 10.1.1.1
!
!
ip cef
no ip domain lookup
ip domain name network.local
ip name-server 192.168.1.123
ip name-server 203.23.53.12
ip name-server 197.12.32.86
ip name-server 8.8.8.8
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FGL171220XY
!
!
username admin privilege 15 secret 5 $1$aNsm$N1BCQYkoi8gnURyvloYEX/
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
bridge-group 10
pvc 8/35
!
!
interface FastEthernet0
description NAC - Internal network
switchport access vlan 100
no ip address
!
interface FastEthernet1
description NAC - Guest network
switchport access vlan 200
no ip address
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
description **** WAN Port ****
switchport access vlan 500
no ip address
!
interface Vlan1
no ip address
bridge-group 10
hold-queue 100 out
!
interface Vlan100
description NAC - Internal Vlan
ip address 192.168.1.1 255.255.255.0
ip access-group IN-100 in
ip access-group OUT-100 out
ip nat inside
ip virtual-reassembly in
!
interface Vlan200
description NAC - Guest Vlan
ip address 10.1.1.1 255.255.255.0
ip access-group IN-200 in
ip access-group OUT-200 out
ip nat inside
ip virtual-reassembly in
!
interface Vlan500
description **** WAN Vlan ****
ip address dhcp
ip nat outside
no ip virtual-reassembly in
!
no ip forward-protocol nd
ip http server
ip http access-class 23
ip http secure-server
!
ip dns server
ip nat inside source list NAT-100 interface Vlan500 overload
ip nat inside source list NAT-200 interface Vlan500 overload
ip nat inside source static tcp 192.168.1.123 25 interface Vlan500 25
ip nat inside source static tcp 192.168.1.123 443 interface Vlan500 443
ip nat inside source static tcp 192.168.1.123 3389 interface Vlan500 3399
ip nat inside source static tcp 192.168.1.123 80 interface Vlan500 80
ip nat inside source static tcp 192.168.1.123 4125 interface Vlan500 4125
ip nat inside source static tcp 192.168.1.124 3389 interface Vlan500 3390
ip nat inside source static tcp 192.168.1.123 987 interface Vlan500 987
ip nat inside source static tcp 192.168.1.123 1723 interface Vlan500 1723
ip route 0.0.0.0 0.0.0.0 55.234.52.43
!
ip access-list extended IN-100
permit udp any any range bootps bootpc
deny ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended IN-200
permit udp any any range bootps bootpc
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended NAT-100
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT-200
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended OUT-100
permit udp any range bootps bootpc any
deny ip 10.1.1.0 0.0.0.255 any
permit ip any 192.168.1.0 0.0.0.255
ip access-list extended OUT-200
permit udp any range bootps bootpc any
deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any 10.1.1.0 0.0.0.255
!
access-list 23 permit 59.23.164.52
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 120.146.0.0 0.0.255.255
access-list 23 permit 149.185.12.0 0.0.0.255
access-list 23 permit 110.44.28.0 0.0.0.255
access-list 23 permit 110.44.26.0 0.0.0.255
access-list 23 permit 103.25.212.0 0.0.0.255
access-list 23 permit any
!
!
!
!
bridge 10 protocol ieee
banner motd ^C

*****************************************
* Authorized personnel only! *
*****************************************

^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
password password01
login local
transport input all
!
end

Leo Laohoo · ‎09-24-2014

Depending on your VSP. Mine is Internode and they encourage ALG to be disabled. They also discourage NAT-ing the phones to them because they already do the NAT. Once I turned ALG off the router and ensured my Asterisk has disabled NAT (from Asterisk to Internode), my phones started working.

In some cheap Netgear, Linksys, Belkin stuff, ALG is disabled by default, however, Cisco routers (IOS version 12.4 and above) have ALG turned on by default.

TheITThree · ‎09-28-2014

Yeah no idea - I've tried with this on and off and still having no luck connecting. I've gone over every line of config and tried different access list permissions without any success.

Any other suggestions before I rip my hair out?

Leo Laohoo · ‎09-29-2014

Not so fast.

Talk to your VSP. They can run a debug on their end to see what your call server is doing.

TheITThree · ‎09-30-2014

Hmm, yeah they've been surprisingly unhelpful with this one - however I understand their senior techs are under the pump at the moment and their rep did try and help as much as possible, but just doesn't have the technical knowledge.

I spent another 5 hours there today and have worked around the problem now (finally). I've got the NBN router acting as the gateway so it's really a waste having the Cisco router there, except that they have a guest network for Internet access only that's on a different IP range. I'm doing a double NAT through both routers for this network as the NBN router doesn't support VLANs or multiple IP ranges.

Not really how I'd wanted this solution to look, but I've had enough of this issue. Considering the time spent on this one, it would have probably been more cost effective for me to fly interstate for a holiday and just pay for their telephone calls for a year....

Interestingly though, I downloaded a SIP client for my laptop and put the details into that and it worked first time... I'm not sure what all the settings were, but that made me wonder - and I reset the IP phone to factory settings and started again - again with no luck and about 2 hours of frustration.

Anyway, enough whining about this. I'm about a week behind on my work now. Thanks for the suggestions anyway :)

Leo Laohoo · ‎09-30-2014

Sounds like a firmware problem.

One of the easiest way to test is to download/install a softphone. If you get the softphone working but your IPTel doesn't then there's possibly a firmware issue.

Same thing happened with me with a 7970 and 9971.

Cisco 877 router - Cisco IP phone won't register with SIP provider