cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1930
Views
0
Helpful
13
Replies

Cannot register to Call Manager Express on C3945 from the Internet using Soft phone

dastrix80
Level 1
Level 1

Hi All,

 

This was working on an ISR but appears to not work now.

 

I am using a Soft phone on a 4g connected Mobile to register to my router on TCP 5060, the SIP-UA says its active.

 

The router also has ZBF enable, but with it on or off the problem remains.

 

Registrations on the LAN interface are working fine as are calls.

 

When i do a port scan from the internet it cannot see 5060 open, so this is the crux of my issue. I am using NVI NAT also.

 

See attached config. Can someone please assist me? Thank you

voice-card 0
!
!
!
voice service voip
 ip address trusted list
  ipv4 1.129.110.146
  ipv4 192.168.0.10
  ipv4 192.168.0.114
  ipv4 101.103.0.0 255.255.0.0
  ipv4 1.128.0.0 255.224.0.0
  ipv4 1.120.0.0 255.248.0.0
  ipv4 61.9.128.0 255.255.128.0
  ipv4 60.224.0.0 255.248.0.0
  ipv4 58.160.0.0 255.240.0.0
  ipv4 203.32.0.0 255.224.0.0
  ipv4 192.148.0.0 255.255.0.0
  ipv4 101.160.0.0 255.224.0.0
  ipv4 110.142.0.0 255.254.0.0
  ipv4 110.144.0.0 255.248.0.0
  ipv4 1.129.111.20 255.255.255.255
  ipv4 192.168.0.0 255.255.255.0
  ipv4 1.129.109.71
  ipv4 1.129.109.79
  ipv4 1.0.0.0 255.0.0.0
  ipv4 0.0.0.0 0.0.0.0
 rtp-port range 16384 16390
 allow-connections sip to sip
 no supplementary-service sip handle-replaces
 h323
  call service stop
 sip
  bind control source-interface Vlan1
  bind media source-interface Vlan1
  registrar server expires max 1200 min 300
!
!
!
!
voice register global
 mode cme
 source-address 192.168.0.254 port 5060
 max-dn 10
 max-pool 10
 auto-register
 !
!
voice register dn  1
 number 1001
 name Doorbird
!
voice register dn  2
 number 1002
 name Note8
!
voice register dn  3
 number 1003
 name Laptop
!
voice register pool  1
 id mac 1CCA.E371.06FD
 number 1 dn 1
 username 1001 password 456456
 codec g711ulaw
!
voice register pool  2
 id mac 04D6.AA29.649C
 number 1 dn 2
 username 1002 password 789789
 codec g711ulaw
!
voice register pool  3
 id mac 0011.1111.1111
 number 1 dn 3
 username 1003 password 123123
 codec g711ulaw
!
!
!

ip nat source static tcp 192.168.0.141 80 interface GigabitEthernet0/0 6168
ip nat source static tcp 192.168.0.10 3389 interface GigabitEthernet0/0 6150
ip nat source static tcp 192.168.0.3 3001 interface GigabitEthernet0/0 3001
ip nat source static tcp 192.168.0.2 443 interface GigabitEthernet0/0 6164
ip nat source static tcp 192.168.0.4 3389 interface GigabitEthernet0/0 6169
ip nat source static tcp 192.168.0.3 3000 interface GigabitEthernet0/0 3000
ip nat source static tcp 192.168.0.3 22 interface GigabitEthernet0/0 6165
ip nat source static tcp 192.168.0.4 82 interface GigabitEthernet0/0 6166
ip nat source static tcp 192.168.0.254 5060 interface GigabitEthernet0/0 5060
ip nat source static tcp 192.168.0.3 8080 interface GigabitEthernet0/0 6170
ip nat source list LAN-NAT interface GigabitEthernet0/0 overload
ip nat source static udp 192.168.0.254 5060 interface GigabitEthernet0/0 5060
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
interface Vlan1
 description "Link to the 192.168.0.x LAN"
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip nat enable
 ip virtual-reassembly in
 zone-member security LAN
!

interface GigabitEthernet0/0
 description "NBN HFC Aussie BroadBand 100/40"
 ip address dhcp
 no ip redirects
 ip nat enable
 ip virtual-reassembly in
 zone-member security WAN
 load-interval 30
 duplex auto
 speed auto
!

!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
 !
 !
 !
 !
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
gateway
 timer receive-rtp 1200
!
sip-ua
!
!
!
gatekeeper
 no shutdown
!
!
 vstack

 

13 Replies 13

ashok_boin
Level 5
Level 5

Hi,

How did you check the port 5060 is not open from Internet? Have you tried with any other TCP port as well like 3000 as per your config to GigEth IP address?

 

And, can you please share "debug ip nat sip" output while trying from Softphone registration from Internet. And, if softphone is trying to register on UDP/5060 port, then you may add NAT Static translation for the same as well.

Regards...

Ashok.


With best regards...
Ashok

HI Ashok.

 

I used port scan to check 5060 is open.

 

All other port forwarding static nat rules are working, 3001 and other ports like 6150 work just fine.

 

I will share the debug soon.

 

There is already a static nat translation in my config for 5060, youll see it.

Hi,

Thank you. I may be overlooked but I have not seen NAT static rule for SIP UDP/5060 port.


With best regards...
Ashok

Hi, my client is set to only register on TCP so thats why theres only TCP.


@ashok_boin wrote:

Hi,

Thank you. I may be overlooked but I have not seen NAT static rule for SIP UDP/5060 port.


 

Hi Ashok, here is the Debug

 

 

the ip nat service sip is turned on... even off it makes no difference

 


*Aug 13 11:53:56.477: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:53:57.509: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:53:59.509: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:53:59.517: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:53:59.517: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:53:59.517: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:53:59.517: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:53:59.517: NAT: SIP: Trying to find expires parameter
*Aug 13 11:53:59.517: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:53:59.517: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:53:59.517: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:53:59.517: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:53:59.517: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:53:59.517: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:00.017: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:00.017: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:00.017: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:00.017: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:00.017: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:00.017: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:00.017: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:00.017: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:00.017: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:00.017: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:00.017: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:01.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:01.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:01.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:01.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:01.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:01.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:01.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:01.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:01.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:01.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:01.037: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:02.105: NAT: SIP: [0] processing INVITE message
*Aug 13 11:54:02.105: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:02.105: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:02.105: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:02.105: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:02.105: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:02.105: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:02.105: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:02.105: NAT: SIP: Contact header found
*Aug 13 11:54:02.105: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:02.105: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:02.105: NAT: SIP: [0] message body found
*Aug 13 11:54:02.105:  NAT-SIP SDP old_len =  278
*Aug 13 11:54:02.105: NAT: SIP: Media Lines present:1
*Aug 13 11:54:02.105: NAT: SIP: Translated global m=(185.40.4.46, 5079) -> (185.40.4.46, 5079)
*Aug 13 11:54:02.105:  NAT SIP SDP new_len=278 adjust=0
*Aug 13 11:54:02.105: NAT: SIP: old_sdp_len:278 new_sdp_len :278
*Aug 13 11:54:03.025: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:03.025: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:03.025: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:03.025: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:03.025: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:03.025: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:03.025: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:03.025: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:03.025: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:03.025: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:03.025: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:03.505: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:54:07.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:07.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:07.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:07.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:07.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:07.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:07.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:07.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:07.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:07.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:07.037: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:11.045: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:11.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:11.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:11.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:11.045: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:11.045: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:11.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:11.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:11.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:11.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:11.045: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:11.521: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:54:15.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:15.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:15.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:15.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:15.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:15.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:15.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:15.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:15.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:15.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:15.037: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:19.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:19.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:19.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:19.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:19.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:19.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:19.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:19.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:19.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:19.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:19.037: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:23.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:23.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:23.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:23.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:23.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:23.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:23.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:23.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:23.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:23.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:23.037: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:27.045: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:27.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:27.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:27.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:27.045: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:27.045: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:27.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:27.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:27.045: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:27.045: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:27.045: NAT: SIP: found Expires header, 70 sec
*Aug 13 11:54:27.569: NAT SIP: NAT TCP-ALG disabled. So, ALG fixup for SIP message is not done.
*Aug 13 11:54:31.037: NAT: SIP: [0] processing REGISTER message
*Aug 13 11:54:31.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:31.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:31.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:31.037: NAT: SIP: Trying to find expires parameter
*Aug 13 11:54:31.037: NAT: SIP: [0] register:1 door_created:0
*Aug 13 11:54:31.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:31.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:31.037: NAT: SIP: [0] translated embedded address 203.129.27.127->192.168.0.254
*Aug 13 11:54:31.037: NAT: SIP: [0] register:0 door_created:0
*Aug 13 11:54:31.037: NAT: SIP: found Expires header, 70 sec

 

 

the ip nat service sip is turned on... even off it makes no difference

Hi,

 

Hope this debug was taken while trying through Softphone from Internet as I see Invite messages from the device to CME IP getting translated from

203.129.27.127 to 192.168.0.254

If this is correct, then I don't see any issues w.r.t reachability. However, I see TCP ALG error which you can fix through "ip nat service tcp port 5060". 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/nat-tcp-sip-alg.html

 

If the problem is still not resolved, then please share the debug "debug ccsip messages" while trying through softphone from Internet.

 

Regards...

Ashok.


With best regards...
Ashok

Hi Ashok

 

Yes it was taken as the SIP phone was talking to connect.

 

That ip nat service command is already on as per my previous message

 

Ill take the debug you suggested and post a reply

 

Regards

Kris

So it seems toll fraud was protecting the port. Does anyone know how I can secure the CUCM from the internet without expressway and without specifying IP's?

 

My soft phone clients are dynamically assigned on the internet.

 

Is there a way to used the ZBF using mac address?

Hi Kris,

 

Have you done debugs? Are they showing any pointers towards Toll fraud related error while registering?

 

 

 

 


With best regards...
Ashok

Ok. If the Router is still in testing mode, can you pls try with debug IP
TCP packet to see whether the packets are entering the Router in the first
place on 5060. If you see packets hitting the router and getting dropped,
then we can think of config issue on the router.

With best regards...
Ashok

Thank you, ive got it working now :)

Glad to hear this. Can I know what was the problem diagnosed and fix?


With best regards...
Ashok

Hi,

because I seem to have to resolve a similar issue, may I kindly ask you, too, to sched some light to what turned out to be the root cause and the resolution of the failure?

Cheers

Philipp

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: