SIP Trunk behind a firewall/NAT

Gabriel Braga (Level 1)

I'm having trouble running a SIP trunk on a 2911 behind a firewall/NAT. My carrier only works with SIP trunking and does not offer an authentication option; they require a public IP for it. We had this SIP trunk working for a long time with our internet link connected directly to the router. Now our policies require that the public IP stay directly on the firewall, and so the SIP trunk does not work.

I created a loopback interface on the router with the public IP and set the SIP bind control and bind media to it, so that this address is placed in the SDP of the SIP packets and my carrier accepts the trunk. The calls connect, but stay muted. The problem is not in the firewall, because putting a Panasonic PBX with NAT support behind it to bring up the trunk works perfectly.

To get this trunk working when the IP was on the router, we just needed to allow sip to sip, configure the ip address trusted list and point the dial-peer to the IPv4 destination of the carrier.

16 Replies

Hi,

Please use the following commands and make a test:

#debug ccsip error
#debug ccsip messages

Send the debug output so we can check the problem.

Regards.

 

To post these debugs I have to go to the office to change the connections physically. I'll try to go there today (Saturday) to change them and run this debug, but in advance I'll post the running config for any suggestions...

I have these MGCP commands but I don't use MGCP at all; I can't remove these commands and don't know if they influence anything.

Current configuration : 31664 bytes
!
!
!
voice-card 0
 codec sub-sample
 dsp services dspfarm
!
!
voice rtp send-recv
!
voice service voip
 no ip address trusted authenticate
 allow-connections sip to sip
 no supplementary-service sip moved-temporarily
 fax protocol t38 version 0 ls-redundancy 3 hs-redundancy 1 fallback pass-through g711ulaw
 modem passthrough nse codec g711alaw
 sip
  bind control source-interface Loopback 0
  bind media source-interface Loopback 0
  registrar server expires max 43200 min 3600
  midcall-signaling passthru
  g729 annexb-all
  no call service stop
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g711alaw
 codec preference 3 g729br8
 codec preference 4 g729r8
!
voice register global
 mode cme
 source-address 10.1.1.2 port 5060
 timeouts interdigit 2
 max-dn 10
 max-pool 10
 authenticate register
 authenticate realm all
 timezone 17
 time-format 24
 date-format D/M/Y
 url directory http://10.1.1.2:80/localdirectory
 tftp-path flash:
 file text
 create profile sync 0248614221262326
 conference hardware
 camera
 video
!
voice register dn  1
 number ****
 name Gabriel Movel
 label Gabriel Movel
!
voice register pool  1
 id mac 0000.0000.0000
 number 1 dn 1
 voice-class codec 1
 username **** password ********
 description Gabriel VoIP
 after-hour exempt
!
!
class-map match-any VOICETRAFFIC
 match protocol rtp audio 
 match protocol sip
 match protocol rtcp
!
policy-map VOICETRAFFIC-POLICY
 class VOICETRAFFIC
  priority percent 30
!

!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface Loopback 0
 ip address 179.184.187.53 255.255.255.255
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/1
 no ip address
 duplex full
 speed auto
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.1.1.2 255.255.255.192
!
!
interface GigabitEthernet0/2
 no ip address 
!
!
ip forward-protocol nd
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.4
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
sccp local GigabitEthernet0/1.20
sccp ccm 10.1.1.2 identifier 100 priority 1 version 7.0 
sccp
!
sccp ccm group 1
 associate ccm 100 priority 1
 associate profile 2 register transcode0
 associate profile 1 register confdsp1
 keepalive retries 5
 switchover method immediate
!
dspfarm profile 2 transcode  
 codec g729abr8
 codec g729ar8
 codec g729r8
 codec g729br8
 codec g711alaw
 codec g711ulaw
 maximum sessions 7
 associate application SCCP
!
dspfarm profile 1 conference  
 codec g711ulaw
 codec g711alaw
 codec g729ar8
 codec g729abr8
 codec g729r8
 codec g729br8
 associate application SCCP
 shutdown
!
!
dial-peer voice 200 voip
 corlist outgoing CorLOCAL
 tone ringback alert-no-PI
 description CHAMADAS EXTERNAS VIA IDT - OUT
 destination-pattern [2-5].......
 session protocol sipv2
 session target ipv4:66.33.157.120:5060
 voice-class codec 1  
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 210 voip
 description ENTRADA LIGACOES EXTERNAS IDT - IN
 translation-profile incoming NUMEROS_DE_ENTRADA
 session protocol sipv2
 incoming called-number 86[5-9].
 voice-class codec 1  
 dtmf-relay rtp-nte
 no vad
!
gateway 
 timer receive-rtp 1200
!
sip-ua 
 max-forwards 15
 retry invite 4
 retry response 4
 retry bye 4
 retry cancel 4
!
!
!
gatekeeper
 shutdown
!
!
telephony-service
 protocol mode ipv4
 sdspfarm units 2
 sdspfarm transcode sessions 7
 sdspfarm tag 1 confdsp1
 sdspfarm tag 2 transcode0
 conference hardware
 moh-file-buffer 2000
 no auto-reg-ephone
 max-ephones 20
 max-dn 30
 ip source-address 10.1.1.2 port 2000
 calling-number initiator
 service dnis dir-lookup
 timeouts interdigit 4
 timeouts ringing 40
 system message Telesim Telecom
 url directories http://10.1.1.2:80/localdirectory
 cnf-file location flash:
 user-locale U2 load CME-locale-pt_BR-Portuguese-8.8.2.5.tar
 network-locale U1
 load 7911 term11.default
 load 7960-7940 P0030801SR02.loads
 time-zone 17
 time-format 24
 date-format dd-mm-yy
 keepalive 10
 voicemail 50
 mwi relay
 max-conferences 8 gain -6
 call-park system application
 call-forward pattern ....
 moh "music-on-hold.au"
 transfer-system full-consult
 transfer-pattern ....
 fac standard
 create cnf-files version-stamp 7960 Feb 27 2015 22:09:23
!
!
!
ephone-dn  1  dual-line
 number ****
 pickup-call any-group
 label Gabriel Braga
 name Gabriel Braga
 mobility
 snr ring-stop
 call-forward noan **** timeout 15
 corlist incoming Cor0300
!
ephone  7
 device-security-mode none
 description GABRIEL
 mac-address ****.****.****
 ephone-template 1
 after-hours exempt
 paging-dn 28
 type 7940
 button  1:1
!
!
end

Gabriel,

Let me understand this: you have the public IP on the firewall, but you also put it on the GW as a loopback?

The connection used to work when the traffic originated from the GW with the public IP, but now it's going through the firewall and gets NATed.

It sounds to me like all you need is a static one-to-one NAT rule on your firewall to translate the private IP into the public IP; this will make it look to the carrier like it was before. However, I am concerned that we may be looking at the wrong thing: your call connects, which means the signaling is working correctly (ccsip messages will confirm this). If your call stays muted, this points to an issue with your media traffic. Please make sure you also have NAT rules for your voice traffic, since the RTP will be established directly between your endpoints and the ITSP. Your firewall will need an access-list matching your phones' subnet, as well as allowing the voice ports 16384 - 32767.

Thanks,

FG

Yes, if I don't do that the SDP messages will not carry this IP in the SIP packets and the carrier will not accept them.

Yes, the connection used to work; now the public IP is on the firewall and it NATs the incoming and outgoing IP packets, but doesn't change the SIP information.

We have only one public IP, and we use it for a mail server, HTTP server and other services besides voice.

My NAT configuration translates the RTP incoming from the carrier on the port range 20000 to 30000 and SIP on port 5060. Everything leaving the router to the internet goes out through the firewall's public IP address.

Thanks a lot for your attention.

 

EDIT:

Oh, I get it, you are saying that I must make a rule so that all the traffic (not all, but for testing purposes let's say all) leaving my IP phones to the internet (carrier) is NATted too.

In fact my voice VLAN doesn't even have permission to go out to the internet.

Exactly!

That RTP stream, once the call connects, goes directly IP Phone -> Firewall -> Internet. Your IP phones will need to be NATed as well; some "CUBE" functions allow for address hiding if you want to look into that.

But for now, you can test this by doing the following:

Establish a call, then press the "?" button on your IP phone; if your tx/rx packets are not increasing, it means they're dying at the firewall due to not being able to access the internet.

Good luck and let me know!

FG

I'm heading to the office right now to test and very soon I'll let you know.

Thanks!

So, unlucky...

When I call from outside to inside, it does not connect.

When I call from inside to outside, just one-way audio... I can hear from outside.

Well, that's a little bit of progress at least.

Let's recap for anyone else who might read this: after enabling the voice subnet's access out of the firewall, your packets are now going out, but we still don't get any RTP packets coming in.

This means not only do we have to grant access for the voice VLAN out of the firewall, but also create access for incoming traffic. Something like:

ip access-list extended INCOMING_VOICE
 permit udp any any range 16384 32767

NOTE: I am NOT a firewall/security expert; this may work, but please make sure you understand how this will affect your network.

Thanks,

FG

So, I already have a rule in my firewall that NATs this range to the router (2911)...

I went to check on the firewall and I believe they are not getting any RTP packets. I think that some information in the SIP packet is carrying the internal endpoint IP, so the answer cannot come back. Could this be happening?

I'm not sure NAT is what we need in this case; your firewall is doing NAT from the phone to the outside, so it wouldn't make sense to NAT the return traffic directly to the router. We'll need someone else with more firewall experience to look at this to make sure.

We have solved half the problem, so it is very clear we are looking at a configuration need in the firewall. My guess is that you will need to allow RTP traffic from the outside into the voice subnet, not just a NAT to the router.

Phone -> FW -> NAT -> OUTSIDE

OUTSIDE -> FW -> PHONE

Well, it's not possible for a packet to arrive at the firewall with the destination IP of an endpoint. So I was thinking, is there a way to connect the two sides through the router and not peer to peer? To force the media through the router.

EDIT:

I changed the ip source-address in telephony-service to the public IP and the audio from inside started to work, but the reverse stopped.

Gabriel,

I think I had understood this backwards. You are now able to send packets out, but you cannot hear the PSTN after changing the source address to the public IP. This makes sense since your bind commands have Loopback0 specified; now we need to figure out why the packets are not making it all the way back.

Does the firewall also have the same public IP on one of its interfaces? If so, when the packets come in from the ITSP, they could be terminating at the FW and not entering your VG.

Thanks,

FG

Francisco, thanks a lot for your help...

The firewall has an interface with this public IP, but I don't think the firewall is the problem, because when I replaced the router with a Panasonic PBX everything worked fine; this is why I'm asking for suggestions on the router configuration...

I think leaving the peer-to-peer connection through the endpoints will not work because of the filter the carrier applies to the IP packet contents; the IP in the packets must be the public IP that we registered in our contract with the carrier. I'm afraid that there are some packets, whether SIP or RTP, leaving the router with a private IP.

Maybe there is some setting that I did not think of to make this setup work?

Thanks.
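The two concerns raised above (a private IP leaking into SIP/SDP, and the firewall only forwarding RTP on UDP 20000-30000 back to the router) can be checked offline against a captured INVITE, for example one pasted out of "debug ccsip messages". The script below is an added example and is not code from anyone in this thread. It assumes the INVITEs it contains are constructed samples, that 179.184.187.53 and 66.33.157.120 are the loopback and carrier addresses from the posted config, and that the forwarded UDP range is the 20000-30000 the original poster described. It flags any Via, Contact, o= or c= address that is RFC 1918 or differs from the contracted public IP, and it predicts whether the carrier's return RTP (sent to the c= address and m= port) would fall inside the forwarded range.

```python
"""Check a SIP INVITE for the NAT problems discussed in this thread.

Added example, not code from any poster. Assumptions: the INVITEs below are
constructed; 179.184.187.53 and 66.33.157.120 are the addresses shown in the
posted config; the firewall forwards UDP 20000-30000 to the router (as the
original poster described) and SIP on 5060.
"""
import ipaddress
import re

DOTTED_QUAD = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_invite(msg):
    """Return ({location: ip}, audio_port) from a raw SIP INVITE with SDP.

    Locations checked: the Via and Contact headers (signalling) and the
    o= and c= lines (where the carrier will send its RTP).
    """
    head, _, body = msg.partition("\r\n\r\n")
    addrs = {}
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "contact"):
            m = DOTTED_QUAD.search(value)
            if m:
                addrs[name.strip().lower()] = m.group(1)
    audio_port = None
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            m = DOTTED_QUAD.search(line)
            if m:
                addrs[line[:2]] = m.group(1)
        elif line.startswith("m=audio "):
            audio_port = int(line.split()[1])
    return addrs, audio_port


def check_invite(msg, public_ip, nat_udp_range=(20000, 30000)):
    """List reasons the carrier would reject the call or its RTP would not
    come back through the firewall. An empty list means the INVITE looks sane.
    """
    addrs, port = parse_invite(msg)
    problems = []
    for where, ip in addrs.items():
        if ipaddress.ip_address(ip).is_private:
            problems.append(f"{where} carries private address {ip}")
        elif ip != public_ip:
            problems.append(f"{where} carries {ip}, not the contracted {public_ip}")
    # The carrier sends RTP to the c= address and m= port; the firewall only
    # forwards that back to the router if the port is inside the NAT'd range.
    lo, hi = nat_udp_range
    if port is None:
        problems.append("no m=audio line in SDP")
    elif not lo <= port <= hi:
        problems.append(f"RTP port {port} is outside forwarded range {lo}-{hi}")
    return problems


# Constructed sample: what the 2911 would send if it signalled from 10.1.1.2
# (the private Gi0/1.20 address) and picked an RTP port below the NAT range.
BAD_INVITE = (
    "INVITE sip:21234567@66.33.157.120:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.2:5060;branch=z9hG4bK0001\r\n"
    "From: <sip:2000@10.1.1.2>;tag=1\r\n"
    "To: <sip:21234567@66.33.157.120>\r\n"
    "Contact: <sip:2000@10.1.1.2:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=CiscoSystemsSIP-GW-UserAgent 1 1 IN IP4 10.1.1.2\r\n"
    "s=SIP Call\r\n"
    "c=IN IP4 10.1.1.2\r\n"
    "t=0 0\r\n"
    "m=audio 18000 RTP/AVP 0 8 101\r\n"
)

# Constructed sample: the same call with control and media bound to Loopback0
# and a media port inside the forwarded range.
GOOD_INVITE = BAD_INVITE.replace("10.1.1.2", "179.184.187.53").replace(
    "m=audio 18000", "m=audio 24000")


if __name__ == "__main__":
    for label, msg in (("bad", BAD_INVITE), ("good", GOOD_INVITE)):
        print(label, check_invite(msg, "179.184.187.53") or "OK")
```

Run it against a real INVITE copied from the debug output to see at a glance which header or SDP line still carries the private address; the "not the contracted" branch also catches the case where the firewall's NAT rewrote the IP header but the SDP body still names a different address, which is exactly the mismatch a carrier that filters on packet content would reject.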

Gabriel,

It is my pleasure to help. I think we are close to resolving this, but we have to work together on understanding your topology. I have created this scenario in my lab with an ASA5505 in front of my 2911 VG: the public address on the loopback of the 2911 and on the outside interface of the ASA.

When the traffic comes in from the provider, it terminates on the ASA interface and is not routed inside, because the ASA thinks it's destined to its own interface.

To test this in your environment, run "debug ip icmp" on your router and ping the public interface from your firewall. If the router shows ICMP debug output, then the traffic is coming in and we can move on. If it does not, then the return packets are not getting to the router, or to the endpoints.

Try this and let me know.

Thanks,

FG