03-27-2007 01:44 PM - edited 03-14-2019 08:43 PM
Hi all,
I have a cisco 2811 router with a NAT configuration and Call Manager 4.1.3. I have setup the SIP trunk to an outside company. When I call an outside number using this SIP trunk it rings the phone but after that there is just silence. No one can hear a thing. Here is my router's config. I appreciate any help.
ip inspect name SIP_INSPECT sip
ip inspect name SIP_INSPECT udp router-traffic
ip inspect name SIP_INSPECT sip-tls
ip inspect name SIP_INSPECT rtsp
!
voice-card 0
no dspfarm
!
voice call send-alert
voice rtp send-recv
!
interface FastEthernet0/0
description NAT_TRANSLATION_TO_SIP_TRUNK
ip address 10.18.21.11 255.255.255.0
ip nat inside
ip inspect SIP_INSPECT in
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description DEAD_INTERFACE
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/2/0
description USLEC_SIP_TRUNK
ip address 10.64.122.62 255.255.255.252
ip nat outside
ip inspect SIP_INSPECT out
ip virtual-reassembly
encapsulation ppp
!
ip route 10.18.10.0 255.255.255.0 10.168.21.128
ip route 10.18.11.0 255.255.255.0 10.168.21.128
ip route 27.x.x.196 255.255.255.255 Serial0/2/0
ip route 27.x.x.196 255.255.255.255 Serial0/2/0
ip route 27.x.x.33 255.255.255.255 Serial0/2/0
ip route 10.64.122.61 255.255.255.255 Serial0/2/0
!
ip nat pool pool1 13.43.117.209 13.43.117.209 prefix-length 30
ip nat inside source route-map NAT_SIP pool pool1 overload
!
access-list 10 permit 10.168.10.1
access-list 10 permit 10.168.10.2
!
route-map NAT_SIP permit 10
match ip address 10
set interface Serial0/2/0
03-28-2007 04:45 AM
Hello,
May be an IP routing issue to your nat pool (13.43.117.209/30). Check out this link, which details NAT support for SIP
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087d43.html
Since you are on a 2811 I am quite sure that you are running an IOS supporting this, as it was implemented in 12.2T. Just the same, turn on the debug
debug ip nat sip
as listed in the doc and test your call again.
You should see the embedded addresses being translated. then a Show IP Nat Trans. All this is to verify your NAT.
Then let's verify the IP routing issue that I suspect may be you problem. Go to the gateway that the call exits on. Issue
Show Ip Route 13.43.117.209
If you see "network not in table" then this gateway will send those packets to his Default Gateway, so then issue Show Ip Route 0.0.0.0
You will then need to go to that gateway and issue the same show commands. If you receive Network Not In Table and there is no default the packets are dropped.
The call setup occurs correctly between CM & 2811. But payload data is obviously not flowing.
Please rate helpful posts.
Thanks,
Jeff
03-28-2007 04:19 PM
Hello Jeff,
thank you very much for your response. I checked out the link you posted in your response and did all those debugging, but it still is same.
I do not understand something: "13.43.117.209" is used just to do NAT, when the packets are routed inside network, they will have their new private destination IP, right?So why should I have a routing for 13.43.117.209?
And if I add a route for "13.43.117.209" it would point to the outside NAT interface anyway since I do not have this IP in my network.
thank you
Ercan
03-29-2007 06:44 AM
It sounds like you're having a firewall issue. Make sure you don't have an issue with RTP. It sounds like the signalling is working but not voice. Voice=RTP
03-29-2007 09:57 PM
Ercan,
Wanted to run earlier debug to ensure that SIP NAT was working correctly. *IF* you do not have active sip calls flowing through system, capture debug ccsip all and attach to your next post as an attachment. Turn on the debug and attempt a call.
If you do have active sip calls flowing through system you should wait until off-hours to do isolated test with debug.
Thanks,
Jeff
03-30-2007 05:35 AM
03-30-2007 07:36 PM
Ercan,
As I wrote above, your SIP Call Control traffic is flowing as expected but your RTP is not. How will your router examine the SIP conversations being negotiated including the RTP? The RTP endpoints will also need to NAT Accordingly. Don't see this happening in your debug. Although it would not be shown in that debug anyway.
You also have this router acting as a firewall (CBAC). Therefore take that into consideration also. The firewall will need to allow the incoming SIP Signalling (already OK), and the incoming RTP (N-OK), then NAT & Route accordingly.
Here's a suggestion. In testing disable the firewall by removing the IP Inspect commands. That can stop this from working, so best to keep it off while trying to configure the solution.
Related to that, another idea is to offload the firewall function alltogether. A pix may have features such as fixup to better accomodate your needs. Any security IE reading this add comments...
Now back to making your current solution work. On further research this is a IP-to-IP Gateway feature available in 12.4(9)T. The feature is called SIP Session Border control. Your 2811 will actually terminate the originating call from CCM. It will then originate another towards your SIP Service Provider, with the correct public IP. Your router now has complete end-to-end knowledge of the voip conversations occuring, and uses the correct IP for each portion on top of that. The first link below is a white paper on the feature. The second discusses actual config. I'd need further info on your setup to determine where this fits in. Although after reading both docs you should be able to head in the right direction. Note that the config also discusses VRF which you are not using, so you can omit that part.
Service Provider PAT Port Allocation Enhancement for RTP and RTC
http://www.cisco.com/en/US/products/ps6640/products_white_paper0900aecd80597bc7.shtml
Discusses NATing RTP Traffic using a Sip Session Border COntrol
Configuring Cisco IOS Hosted NAT Traversal for Session Border Controller
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a008071c4ba.html
Please rate helpful posts.
Jeff
04-07-2007 12:20 PM
Jeff,
thanks so much for your help. So far I have upgraded to new IOS 12.4(11)T1 and tried to configure NAT Traversal for Session Border Controller as you sent me information. I still do not have any luck with this. Call setup is successfull but voice traffic does not flow. I am posting my routers config again and debug from a test SIP call.
call managers IPs are 10.18.10.1 and 10.18.10.2
thanks
Ercan
04-08-2007 06:52 AM
Ercan,
In order to test further I will have to lab this up. However one thing does stand out. I suggest you try expanding access-list 10 to include the range of your IP Phones. Try that, post back to let me know if that helps.
Other than that I'll have to lab it, which could take a few days.
04-10-2007 06:35 AM
Jeff,
I added the phone IP range to the access-list, but it did not help.
thanks
Ercan
04-17-2007 09:14 AM
it is working now.
I have tried to use "ip nat sip-sbc" but it did not work for some reason. I am using NAT now and I had to arrange routing and ACLs little bit as well.
thanks for your help.
04-24-2008 08:29 AM
Hi Jeff,
I saw this message so I would like to ask you some questions regarding to SBC configuration. Is it required to have phone registered to SBC in order to use SIP NAT. In my configuration, I have SIP phones registered with SIP proxy and these devices are inside SBC with all private IP addresses. the SBC outside interface connect to Internet, then connected to PIX for remote site. behind the pix, I have phones registered back to same proxy behind SBC. How to configre SBC NAT traversal to make this works. Any helps would be very appreciated. Thanks!
Steve
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide