topic Re: Cisco ACE NAT and SIP in Application Networking

Cisco ACE NAT and SIP

silk — Wed, 09 Jun 2010 15:56:42 GMT

Hello,

I've an ACE that is doing static nat for a couple of servers, no load balancing, just nat in this scenario.

NAT works fine in and out, except for the SIP protocol.

When SIP is used, the traffic stops at the ACE and it doesn't get forwarded to the inside server.

Do I need to configure something sip-peculiar to make it work?

Thanks in advance.

Re: Cisco ACE NAT and SIP

Sean Merrow — Wed, 09 Jun 2010 16:19:21 GMT

Hello,

I'm not much of a SIP expert, but I can say for sure, sip-peculiar should definitely be a word! ;- )

You likely just need to create a policy that will allow the ACE to perform SIP inspection on your traffic. Take a look at what the ACE does as far as SIP Inspection does, then later in the same document, you can see how to configure SIP inspection. The SIP traffic does not have to be a load balanced connection to perform inspection on it.

Hope this helps!

Sean

Re: Cisco ACE NAT and SIP

silk — Wed, 09 Jun 2010 16:41:28 GMT

Thanks for your reply Sean,

I can say I'm everything BUT a SIP expert that's why I'm a bit confused here

This is basically my actual configuration (simplified)

access-list NAT_ACL line 10 extended permit ip host 10.11.12.13 any
class-map match-any NAT_CLASS
2 match access-list NAT_ACL
3 match port udp eq sip

policy-map multi-match NAT_POLICY
class NAT_CLASS
nat dynamic 100 vlan 2000
inspect sip

(the service policies are applied on the interfaces)

NAT is working fine, I've added the "match port udp eq sip" and the "inspect sip" commands, but they seem to have

no effect at all.

I do not need to change any header or the like of the sip packet, I just want it to be forwarded to the inside 10.11.12.13 address,

but all I can see with the capture command is the traffic arriving from the ouside and terminating on the ACE, while every protocol other than SIP

gets to the inside address.

I'm reading all of the Cisco's documentation but as for now I had no luck.

I don't know if I'm missing something big or....

Any help would be appreciated!

Re: Cisco ACE NAT and SIP

Sean Merrow — Wed, 09 Jun 2010 17:36:18 GMT

Hello,

I know in load balancing, you need to break out the NAT and inspection. Can you modify your config as follows?

access-list NAT_ACL line 10 extended permit ip host 10.11.12.13 any

class-map match-any NAT_CLASS
2 match access-list NAT_ACL
class-map match-any SIP-TRAFFIC
3 match port udp eq sip

policy-map multi-match NAT_POLICY
class NAT_CLASS
nat dynamic 100 vlan 2000
class SIP-TRAFFIC
inspect sip

Let me know if that helps.

Sean

Re: Cisco ACE NAT and SIP

silk — Thu, 10 Jun 2010 10:09:12 GMT

Hi there,

I solved the problem.

SIP traffic now gets NATted and routed correctly to the inside destination.

To solve it I had to change NAT from dedicated dynamic address to a real static nat:

class-map match-all Static_NAT
2 match source-address 10.11.12.13 255.255.255.255

class-map match-all Inspect-SIP
2 match port udp eq sip

policy-map multi-match Static_NAT
class Static_NAT
nat static netmask 255.255.255.255 vlan 2000

policy-map multi-match SIP_Inspect_Policy
class Inspect-SIP
inspect sip

(I ended up with 2 separate policies for Nat and Inspection)

That simple.

Hope this may be useful for reference.

Re: Cisco ACE NAT and SIP

philippe.bureau — Tue, 27 Jul 2010 13:58:00 GMT

Can anyone help with SIP souce-nat config in load-balancing in one-arm mode?

Thanks

Re: Cisco ACE NAT and SIP

Gilles Dufour — Wed, 28 Jul 2010 10:47:43 GMT

FYI, we do not support PAT with SIP traffic.

This feature request is tracked with bug id:

CSCta33350 SIP: INSPECT: Invite dropped with NAF error in OCM

So, if you want to NAT, you have to go for full nat.

Then simply follow the configuration guide to implement NAT using nat-pool and policies and all you need for sip is to add the "inspect sip" command so that we can nat the payload.

Gilles.

Cisco ACE NAT and SIP

olumidekomolafe — Mon, 12 Nov 2012 21:44:39 GMT

Hi Gilles

Can you please tell me if the bug - CSCta33350 is still an issue? (software bug Toolkit is inconclusive)

I have a similar senario - multiple clients needing to use a single VIP (in one armed Mode) for SIP Traffic. (Hence PAT)

ACE software A5(1.2) running

Many thanks - olumide.

topic Re: Cisco ACE NAT and SIP in Application Networking

Cisco ACE NAT and SIP

Re: Cisco ACE NAT and SIP

Re: Cisco ACE NAT and SIP

access-list NAT_ACL line 10 extended permit ip host 10.11.12.13 anyclass-map match-any NAT_CLASS 2 match access-list NAT_ACL 3 match port udp eq sip policy-map multi-match NAT_POLICY class NAT_CLASS nat dynamic 100 vlan 2000 inspect sip

Re: Cisco ACE NAT and SIP

Re: Cisco ACE NAT and SIP

Re: Cisco ACE NAT and SIP

Re: Cisco ACE NAT and SIP

Cisco ACE NAT and SIP

access-list NAT_ACL line 10 extended permit ip host 10.11.12.13 any
class-map match-any NAT_CLASS
2 match access-list NAT_ACL
3 match port udp eq sip

policy-map multi-match NAT_POLICY
class NAT_CLASS
nat dynamic 100 vlan 2000
inspect sip