06-09-2010 08:56 AM
Hello,
I've an ACE that is doing static nat for a couple of servers, no load balancing, just nat in this scenario.
NAT works fine in and out, except for the SIP protocol.
When SIP is used, the traffic stops at the ACE and it doesn't get forwarded to the inside server.
Do I need to configure something sip-peculiar to make it work?
Thanks in advance.
06-09-2010 09:19 AM
Hello,
I'm not much of a SIP expert, but I can say for sure, sip-peculiar should definitely be a word! ;- )
You likely just need to create a policy that will allow the ACE to perform SIP inspection on your traffic. Take a look at what the ACE does as far as SIP inspection goes; then, later in the same document, you can see how to configure SIP inspection. The SIP traffic does not have to be a load balanced connection to perform inspection on it.
Hope this helps!
Sean
06-09-2010 09:41 AM
Thanks for your reply Sean,
I can say I'm everything BUT a SIP expert, that's why I'm a bit confused here.
This is basically my actual configuration (simplified)
(the service policies are applied on the interfaces)
NAT is working fine, I've added the "match port udp eq sip" and the "inspect sip" commands, but they seem to have no effect at all.
I do not need to change any header or the like of the SIP packet, I just want it to be forwarded to the inside 10.11.12.13 address, but all I can see with the capture command is the traffic arriving from the outside and terminating on the ACE, while every protocol other than SIP gets to the inside address.
I'm reading all of Cisco's documentation, but as of now I've had no luck.
I don't know if I'm missing something big or....
Any help would be appreciated!
06-09-2010 10:36 AM
Hello,
I know in load balancing, you need to break out the NAT and inspection. Can you modify your config as follows?
access-list NAT_ACL line 10 extended permit ip host 10.11.12.13 any
class-map match-any NAT_CLASS
  2 match access-list NAT_ACL
class-map match-any SIP-TRAFFIC
  3 match port udp eq sip
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 100 vlan 2000
  class SIP-TRAFFIC
    inspect sip
Let me know if that helps.
Sean
06-10-2010 03:09 AM
Hi there,
I solved the problem.
SIP traffic now gets NATted and routed correctly to the inside destination.
To solve it I had to change NAT from dedicated dynamic address to a real static nat:
class-map match-all Static_NAT
  2 match source-address 10.11.12.13 255.255.255.255
class-map match-all Inspect-SIP
  2 match port udp eq sip
policy-map multi-match Static_NAT
  class Static_NAT
    nat static
policy-map multi-match SIP_Inspect_Policy
  class Inspect-SIP
    inspect sip
(I ended up with 2 separate policies for Nat and Inspection)
That simple.
Hope this may be useful for reference.
07-27-2010 06:58 AM
Can anyone help with SIP source-nat config in load-balancing in one-arm mode?
Thanks
07-28-2010 03:47 AM
FYI, we do not support PAT with SIP traffic.
This feature request is tracked with bug id:
CSCta33350 SIP: INSPECT: Invite dropped with NAF error in OCM
So, if you want to NAT, you have to go for full nat.
Then simply follow the configuration guide to implement NAT using nat-pool and policies and all you need for sip is to add the "inspect sip" command so that we can nat the payload.
Gilles.
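The full-NAT arrangement described in the reply above, as an added configuration sketch that is not part of the thread and not taken from Cisco's documentation. Pool id 100, VLAN 2000, the class names and NAT_POLICY are reused from the earlier snippet in this thread; the 192.0.2.x addresses, the pool size and VLAN 1000 are constructed placeholders, and lines starting with "!" are annotations rather than commands.

```text
! --- Before: pool defined WITH "pat" -----------------------------------
! All sources share one address and are told apart by port. The reply
! above states this is not supported together with SIP inspection.
interface vlan 2000
  nat-pool 100 192.0.2.10 192.0.2.10 netmask 255.255.255.0 pat

! --- After: pool defined WITHOUT "pat" (full NAT) ----------------------
! Each translated source takes its own address from the range, so the
! range has to cover the number of concurrent sources (assumed: 31 here).
interface vlan 2000
  nat-pool 100 192.0.2.10 192.0.2.40 netmask 255.255.255.0

! --- Classes and policy, as in the earlier snippet ---------------------
! "nat dynamic" references the pool by id and VLAN; "inspect sip" is what
! lets the ACE translate the addresses carried in the SIP payload.
class-map match-any NAT_CLASS
  2 match access-list NAT_ACL
class-map match-any SIP-TRAFFIC
  3 match port udp eq sip
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 100 vlan 2000
  class SIP-TRAFFIC
    inspect sip

! --- Apply on the interface where the traffic arrives ------------------
! VLAN 1000 is a placeholder; in one-arm mode this is the single VLAN.
interface vlan 1000
  service-policy input NAT_POLICY
```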
11-12-2012 01:44 PM
Hi Gilles
Can you please tell me if the bug - CSCta33350 is still an issue? (software bug Toolkit is inconclusive)
I have a similar scenario - multiple clients needing to use a single VIP (in one-armed mode) for SIP traffic. (Hence PAT)
ACE software A5(1.2) running
Many thanks - olumide.