08-12-2018 08:37 PM - edited 03-17-2019 01:20 PM
Hi All,
This was working on an ISR but appears to not work now.
I am using a Soft phone on a 4G connected Mobile to register to my router on TCP 5060, the SIP-UA says it's active.
The router also has ZBF enabled, but with it on or off the problem remains.
Registrations on the LAN interface are working fine as are calls.
When I do a port scan from the internet it cannot see 5060 open, so this is the crux of my issue. I am using NVI NAT also.
See attached config. Can someone please assist me? Thank you
voice-card 0
!
!
!
voice service voip
 ip address trusted list
  ipv4 1.129.110.146
  ipv4 192.168.0.10
  ipv4 192.168.0.114
  ipv4 101.103.0.0 255.255.0.0
  ipv4 1.128.0.0 255.224.0.0
  ipv4 1.120.0.0 255.248.0.0
  ipv4 61.9.128.0 255.255.128.0
  ipv4 60.224.0.0 255.248.0.0
  ipv4 58.160.0.0 255.240.0.0
  ipv4 203.32.0.0 255.224.0.0
  ipv4 192.148.0.0 255.255.0.0
  ipv4 101.160.0.0 255.224.0.0
  ipv4 110.142.0.0 255.254.0.0
  ipv4 110.144.0.0 255.248.0.0
  ipv4 1.129.111.20 255.255.255.255
  ipv4 192.168.0.0 255.255.255.0
  ipv4 1.129.109.71
  ipv4 1.129.109.79
  ipv4 1.0.0.0 255.0.0.0
  ipv4 0.0.0.0 0.0.0.0
 rtp-port range 16384 16390
 allow-connections sip to sip
 no supplementary-service sip handle-replaces
 h323
  call service stop
 sip
  bind control source-interface Vlan1
  bind media source-interface Vlan1
  registrar server expires max 1200 min 300
!
!
!
!
voice register global
 mode cme
 source-address 192.168.0.254 port 5060
 max-dn 10
 max-pool 10
 auto-register
!
!
voice register dn 1
 number 1001
 name Doorbird
!
voice register dn 2
 number 1002
 name Note8
!
voice register dn 3
 number 1003
 name Laptop
!
voice register pool 1
 id mac 1CCA.E371.06FD
 number 1 dn 1
 username 1001 password 456456
 codec g711ulaw
!
voice register pool 2
 id mac 04D6.AA29.649C
 number 1 dn 2
 username 1002 password 789789
 codec g711ulaw
!
voice register pool 3
 id mac 0011.1111.1111
 number 1 dn 3
 username 1003 password 123123
 codec g711ulaw
!
!
!
ip nat source static tcp 192.168.0.141 80 interface GigabitEthernet0/0 6168
ip nat source static tcp 192.168.0.10 3389 interface GigabitEthernet0/0 6150
ip nat source static tcp 192.168.0.3 3001 interface GigabitEthernet0/0 3001
ip nat source static tcp 192.168.0.2 443 interface GigabitEthernet0/0 6164
ip nat source static tcp 192.168.0.4 3389 interface GigabitEthernet0/0 6169
ip nat source static tcp 192.168.0.3 3000 interface GigabitEthernet0/0 3000
ip nat source static tcp 192.168.0.3 22 interface GigabitEthernet0/0 6165
ip nat source static tcp 192.168.0.4 82 interface GigabitEthernet0/0 6166
ip nat source static tcp 192.168.0.254 5060 interface GigabitEthernet0/0 5060
ip nat source static tcp 192.168.0.3 8080 interface GigabitEthernet0/0 6170
ip nat source list LAN-NAT interface GigabitEthernet0/0 overload
ip nat source static udp 192.168.0.254 5060 interface GigabitEthernet0/0 5060
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
interface Vlan1
 description "Link to the 192.168.0.x LAN"
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip nat enable
 ip virtual-reassembly in
 zone-member security LAN
!
interface GigabitEthernet0/0
 description "NBN HFC Aussie BroadBand 100/40"
 ip address dhcp
 no ip redirects
 ip nat enable
 ip virtual-reassembly in
 zone-member security WAN
 load-interval 30
 duplex auto
 speed auto
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
gateway
 timer receive-rtp 1200
!
sip-ua
!
!
!
gatekeeper
 no shutdown
!
!
vstack
08-13-2018 12:12 AM
Hi,
How did you check that port 5060 is not open from the Internet? Have you tried with any other TCP port as well, like 3000 as per your config, to the GigEth IP address?
And can you please share the "debug ip nat sip" output while trying softphone registration from the Internet? And if the softphone is trying to register on UDP/5060, then you may add a NAT static translation for the same as well.
Regards...
Ashok.
08-13-2018 12:21 AM
Hi Ashok.
I used port scan to check 5060 is open.
All other port forwarding static NAT rules are working, 3001 and other ports like 6150 work just fine.
I will share the debug soon.
There is already a static NAT translation in my config for 5060, you'll see it.
08-13-2018 01:54 AM
Hi,
Thank you. I may have overlooked it, but I have not seen a NAT static rule for SIP UDP/5060 port.
08-13-2018 04:28 AM
Hi, my client is set to only register on TCP so that's why there's only TCP.
@ashok_boin wrote:
Hi,
Thank you. I may have overlooked it, but I have not seen a NAT static rule for SIP UDP/5060 port.
08-13-2018 04:54 AM - edited 08-13-2018 04:57 AM
Hi Ashok, here is the Debug
the ip nat service sip is turned on... even off it makes no difference
*Aug 13 11:53:56.477: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:53:57.509: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:53:59.509: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:53:59.517: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:53:59.517: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:53:59.517: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:53:59.517: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:53:59.517: NAT: SIP: Trying to find expires parameter
*Aug 13 11:53:59.517: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:53:59.517: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:53:59.517: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:53:59.517: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:53:59.517: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:53:59.517: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:00.017: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:00.017: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:00.017: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:00.017: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:00.017: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:00.017: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:00.017: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:00.017: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:00.017: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:00.017: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:00.017: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:01.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:01.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:01.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:01.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:01.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:01.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:01.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:01.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:01.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:01.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:01.037: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:02.105: NAT: SIP: [0] processing INVITE message
*Aug 13 11:54:02.105: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:02.105: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:02.105: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:02.105: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:02.105: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:02.105: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:02.105: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:02.105: NAT: SIP: Contact header found
*Aug 13 11:54:02.105: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:02.105: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:02.105: NAT: SIP: [0] message body found
*Aug 13 11:54:02.105: NAT-SIP SDP old_len = 278
*Aug 13 11:54:02.105: NAT: SIP: Media Lines present:1
*Aug 13 11:54:02.105: NAT: SIP: Translated global m=(185.40.4.46, 5079) -> (185.40.4.46, 5079)
*Aug 13 11:54:02.105: NAT SIP SDP new_len=278 adjust=0
*Aug 13 11:54:02.105: NAT: SIP: old_sdp_len:278 new_sdp_len :278
*Aug 13 11:54:03.025: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:03.025: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:03.025: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:03.025: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:03.025: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:03.025: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:03.025: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:03.025: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:03.025: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:03.025: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:03.025: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:03.505: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:54:07.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:07.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:07.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:07.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:07.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:07.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:07.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:07.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:07.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:07.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:07.037: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:11.045: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:11.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:11.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:11.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:11.045: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:11.045: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:11.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:11.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:11.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:11.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:11.045: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:11.521: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:54:15.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:15.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:15.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:15.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:15.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:15.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:15.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:15.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:15.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:15.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:15.037: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:19.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:19.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:19.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:19.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:19.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:19.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:19.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:19.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:19.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:19.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:19.037: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:23.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:23.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:23.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:23.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:23.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:23.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:23.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:23.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:23.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:23.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:23.037: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:27.045: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:27.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:27.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:27.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:27.045: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:27.045: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:27.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:27.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:27.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:27.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:27.045: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:27.569: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:54:31.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:31.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:31.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:31.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:31.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:31.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:31.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:31.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:31.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:31.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:31.037: NAT: SIP: found Expires header, 70 sec
08-13-2018 05:04 AM
Hi,
Hope this debug was taken while trying through Softphone from Internet as I see Invite messages from the device to CME IP getting translated from 203.129.27.127 to 192.168.0.254.
If this is correct, then I don't see any issues w.r.t reachability. However, I see TCP ALG error which you can fix through "ip nat service tcp port 5060".
If the problem is still not resolved, then please share the debug "debug ccsip messages" while trying through softphone from Internet.
Regards...
Ashok.
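The reading of the capture in this reply can be reproduced mechanically. The following is an added example, not part of the thread: it reduces `debug ip nat sip` output to the SIP methods seen, the embedded-address translations, and the number of "TCP-ALG disabled" notices; the function name and the sample lines (copied in shape from the capture above) are constructed for illustration.

```python
import re
from collections import Counter

# Line shapes taken from the `debug ip nat sip` output posted in this thread.
TS = r"^\*\w{3} +\d+ \d\d:\d\d:\d\d\.\d+: "
RE_METHOD = re.compile(TS + r"NAT: SIP: \[\d+\] processing (?P<method>[A-Z]+) message")
RE_XLATE = re.compile(TS + r"NAT: SIP: \[\d+\] translated embedded address "
                      r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)")
RE_ALG_OFF = re.compile(TS + r"NAT SIP: NAT TCP-ALG disabled")
RE_EXPIRES = re.compile(TS + r"NAT: SIP: found Expires header, (?P<sec>\d+) sec")


def summarize(lines):
    """Reduce a debug capture to the facts needed for triage."""
    methods, xlates, expires = Counter(), Counter(), set()
    alg_disabled = 0
    for line in lines:
        line = line.strip()
        if m := RE_METHOD.match(line):
            methods[m["method"]] += 1
        elif m := RE_XLATE.match(line):
            xlates[(m["src"], m["dst"])] += 1
        elif RE_ALG_OFF.match(line):
            alg_disabled += 1
        elif m := RE_EXPIRES.match(line):
            expires.add(int(m["sec"]))
    return {
        "methods": dict(methods),            # e.g. REGISTER retries vs. INVITEs
        "translations": dict(xlates),        # (embedded address, rewritten address)
        "tcp_alg_disabled": alg_disabled,    # SIP-over-TCP payloads left untouched
        "expires_sec": sorted(expires),
    }


# Constructed sample in the same format as the posted capture.
SAMPLE = """\
*Aug 13 11:53:56.477: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:53:59.517: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:53:59.517: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:53:59.517: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:02.105: NAT: SIP: [0] processing INVITE message
*Aug 13 11:54:02.105: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```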
08-13-2018 01:45 PM
Hi Ashok
Yes it was taken as the SIP phone was talking to connect.
That ip nat service command is already on as per my previous message.
I'll take the debug you suggested and post a reply.
Regards
Kris
08-13-2018 08:31 PM - edited 08-13-2018 09:17 PM
So it seems toll fraud was protecting the port. Does anyone know how I can secure the CUCM from the internet without expressway and without specifying IPs?
My soft phone clients are dynamically assigned on the internet.
Is there a way to use the ZBF using MAC address?
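IOS toll-fraud prevention checks call sources against the `ip address trusted list` under `voice service voip`, so the list in the posted config is worth auditing before the router faces the internet. The following is an added example, not part of the thread: it parses trusted-list entries and flags ones that are over-broad or already covered by a wider entry; the function names and the `min_prefix` review threshold are assumptions made for illustration.

```python
import ipaddress

# Excerpt of the `ip address trusted list` entries from the config posted above.
TRUSTED_LIST = """\
ip address trusted list
 ipv4 1.129.110.146
 ipv4 101.103.0.0 255.255.0.0
 ipv4 1.128.0.0 255.224.0.0
 ipv4 1.0.0.0 255.0.0.0
 ipv4 0.0.0.0 0.0.0.0
"""


def parse_trusted_list(config_text):
    """Turn each `ipv4 <addr> [mask]` line into an IPv4Network (no mask = host)."""
    nets = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ipv4":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
            nets.append(ipaddress.ip_network(f"{parts[1]}/{prefix}", strict=False))
    return nets


def audit(nets, min_prefix=16):
    """Flag over-broad entries and entries already covered by a wider one.

    min_prefix is an assumed review threshold, not a Cisco default.
    """
    findings = []
    for n in nets:
        if n.prefixlen == 0:
            findings.append((str(n), "matches every source address"))
        elif n.prefixlen < min_prefix:
            findings.append((str(n), f"broader than /{min_prefix}"))
        covering = [o for o in nets if o != n and n.subnet_of(o)]
        if covering:
            widest = min(covering, key=lambda o: o.prefixlen)
            findings.append((str(n), f"already covered by {widest}"))
    return findings


if __name__ == "__main__":
    for entry, issue in audit(parse_trusted_list(TRUSTED_LIST)):
        print(f"{entry:20} {issue}")
```

On this excerpt every narrower entry is reported as covered by `0.0.0.0/0`, which means the list no longer restricts any source address.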
08-13-2018 11:37 PM
Hi Kris,
Have you done debugs? Are they showing any pointers towards Toll fraud related error while registering?
08-14-2018 04:21 AM
08-15-2018 04:36 AM
Thank you, I've got it working now :)
08-15-2018 10:28 PM
Glad to hear this. Can I know what was the problem diagnosed and fix?
09-14-2018 12:48 PM
Hi,
because I seem to have to resolve a similar issue, may I kindly ask you, too, to shed some light on what turned out to be the root cause and the resolution of the failure?
Cheers
Philipp