11-02-2015 04:09 AM - edited 03-17-2019 04:46 AM
Hello,
We are using a Cisco router with IOS version 12.4. Its purpose is to perform basic connectivity with the ISP's SIP server. I have done NATing and it seems to be working fine. I can ping the ISP's SIP server, and through port forwarding the PBX is able to receive SIP packets from the ISP which are sent towards the WAN port of the router.
But the router is not forwarding SIP packets towards the ISP on its WAN port. Packet capture shows only incoming SIP packets on the WAN port and no packets leaving the interface. I can see in the debug log that incoming packets on the LAN interface are correctly translated, but they are never forwarded out through the WAN interface if the packets belong to the SIP protocol.
Here is the relevant config portion :
!
interface GigabitEthernet0/0
description "SIP TRUNK"
ip address x.x.x.142 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1.53
encapsulation dot1Q 53
ip address x.y.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static udp x.z.1.20 5060 interface GigabitEthernet0/0 5060
ip route 0.0.0.0 0.0.0.0 x.x.x.141
ip route x.z.0.0 255.255.0.0 x.y.1.10
access-list 10 permit x.0.0.0 0.63.255.255
11-02-2015 05:22 AM
You don't want to NAT SIP (Unless you know what you are doing...)
NAT only translates the IP packet header details. SIP has the nasty habit of including IP addresses inside of packets.
To "NAT" SIP, you need something a bit more complex than a basic IOS NAT (e.g. an ASA doing traffic inspection or a full-blown CUBE).
GTG
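The point made in the reply above (NAT rewrites the IP header while SIP carries addresses in its payload), shown as an added example that is not part of the original thread: a small parser lists every IPv4 literal inside a SIP message and reports the fields that would still advertise an RFC 1918 address after header-only translation. The INVITE, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed INVITE as a PBX behind NAT would emit it (sample addresses only).
SAMPLE_INVITE = (
    "INVITE sip:+15550100@198.51.100.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:pbx@10.20.1.20>;tag=1928301774\r\n"
    "To: <sip:+15550100@198.51.100.10>\r\n"
    "Call-ID: a84b4c76e66710@10.20.1.20\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:pbx@10.20.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=pbx 2890844526 2890844526 IN IP4 10.20.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.20.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def embedded_addresses(message):
    """Return (field, address) pairs for every IPv4 literal carried in the SIP payload."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields = [("Request-Line", lines[0])]
    fields += [(l.split(":", 1)[0].strip(), l) for l in lines[1:] if ":" in l]
    fields += [("SDP " + l[:2], l) for l in body.split("\r\n") if l[1:2] == "="]
    found = []
    for name, text in fields:
        for literal in IPV4.findall(text):
            try:
                found.append((name, ipaddress.ip_address(literal)))
            except ValueError:
                continue  # digits and dots that are not a valid dotted quad
    return found


def private_leftovers(message):
    """Fields still advertising an RFC 1918 address, i.e. what header-only NAT leaves behind."""
    return [(n, str(a)) for n, a in embedded_addresses(message)
            if any(a in net for net in RFC1918)]
```

Running `private_leftovers` on a capture taken on the outside interface shows whether payload rewriting actually happened: an empty list means every embedded address was translated.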
11-02-2015 05:37 AM
I am aware of that. On the PBX I can see that packet headers are correctly being replaced by the Cisco router with the destination IP set to that of the PBX. What I don't understand is why the Cisco router is dropping outbound packets after NATing if the port is 5060.
11-02-2015 05:57 AM
Would love to help or at least try to, but the version of your IOS code is so old it's scary :). My honest advice is to upgrade the IOS first, before thinking of anything else. Once you have done that we can begin to troubleshoot.
11-02-2015 06:23 AM
Hello.. I tried the code first on version 15.0..
I am working remotely and the team on site replaced the router to see if the problem was specific to that router. We can still put it back if a working solution turns up.
11-02-2015 06:26 AM
OK, what is the full picture? What call control system are you using? CUCM? CCME?
We will need the config on the gateway (sh run). You can sanitize your config, but we need all the SIP-related config and IPs, so it might be better to just send everything, masking your public IP etc.
11-02-2015 06:50 AM
The VoIP gateway is from Mitel. The Cisco router was provided by the ISP with a basic license, I guess. As I mentioned before, any packet going through the router destined for the ISP is being dropped by it if the port is 5060 over UDP. I generated dummy UDP packets on port 5060 and they were also dropped by the router.
I am not interested in any additional VoIP features on the router, as all of that is already being handled by the PABX. My only concern is that the router should allow the traffic towards the WAN, i.e. it should act as a proxy server with the minimum configuration required.
Here is the config:
Current configuration : 1765 bytes
!
! Last configuration change at 19:24:44 UTC Sat Oct 31 2015 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
interface GigabitEthernet0/0
description "SIP TRUNK"
ip address A.A.A.142 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!1.53 interface is towards VoIP lan
interface GigabitEthernet0/1.53
encapsulation dot1Q 53
ip address B.B.B.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!C.C.C.20 is pbx
ip nat inside source static udp C.C.C.20 5060 interface GigabitEthernet0/0 5060
ip route 0.0.0.0 0.0.0.0 A.A.A.141
!B.B.1.10 is LAN firewall behind which pbx resides
ip route C.C.0.0 255.255.0.0 B.B.1.10
!
ip access-list extended Monitored-Host
permit ip any any
!
access-list 10 permit C.C.0.0 0.0.255.255
11-02-2015 07:31 AM
Guessing wildly... would you like to change the system's default SIP port (which is 5060) in your router to some other value and then check again...
- Vivek
11-03-2015 04:41 AM
I did try that before and it enabled traffic forwarding behind NAT, but it disabled SIP packet inspection for NAT, and because of that the embedded address translation feature got disabled (obviously), which we require for NATing to work correctly.
11-02-2015 08:10 AM
I don't see any dial-peer to match the inbound call from Mitel. I also don't see any dial-peer to route the call to your ITSP.
You also need to configure this device as a CUBE. This is an IP to IP call and hence this device needs to be configured as a CUBE. So you seem to be missing a few things here.
11-02-2015 10:50 PM
I copied the config from another router provided by another ISP and they didn't do any additional VoIP configuration either. Any guess how that router is working fine?
11-03-2015 12:51 AM
Perhaps you didn't copy the full configuration; the other possibility might be black magic :)
Cisco routers route calls based on dial-peer matching. Additionally, when you want to route a call between two IP legs, you need CUBE functionality. Aside from this you might have to invoke some Harry Potter spell.. :)
11-03-2015 04:32 AM
Actually I did copy the relevant config and that is not the original issue.
The router is not licensed for CUBE or any other VoIP functionality (besides nat sip service and sip-sbc) and it's the one provided by the ISP to all the other customers, where it is working fine with NATing.
The issue here is that I can see through "debug ip nat sip" that all the embedded addresses, whether incoming or outgoing, are being correctly replaced by the router with the corresponding destination address. But only incoming packets from the WAN port make it out of the router towards the VoIP PBX, and the ones destined for the ISP don't make it out of the WAN interface.
The purpose of this router is not to do call routing, so dial-peers etc. are not available. Its purpose is to provide basic routing and do the necessary NATing.
11-03-2015 04:35 AM
OK, I get the picture now. I am sorry, I can't help you; perhaps others can. You may want to post this in the routing and switching or firewall section.