SIP Voice Gateway behind NAT

sean6605
Level 1

Hi all,

I am experiencing an odd problem with my voice gateway behind my NAT firewall.

I have a Cisco 2811 as a NAT/firewall, and behind the NAT/firewall is another Cisco 2811 acting as a voice gateway.

The NAT/firewall is Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T7

The Voice Gateway is Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M10

I am trying to connect a SIP phone to the voice gateway for an inbound call.

The call will go through, but I have one-way voice and the call drops in 20 seconds.

The really strange part is if I drop the Voice Gateway IOS from 15.1(4)M10 to 12.4(24)T7 everything works.

I have looked through the Cisco bug lists and do not find anything that should cause this.

I assume I am missing a setup somewhere but am not sure where.

If anyone has any suggestions I would appreciate the help.

The NAT/firewall is 10.3.18.97/24 for the outside address and the inside address is 192.168.17.1/24

The Voice gateway is SIP and is located at 192.168.17.3/24

I've looked at the debug ip nat translations detail and the NAT appears to be translating.

When I look at a Wireshark trace from the SIP phone on the outside, I see the voice gateway's internal private address (192.168.17.3) instead of the outside address (10.3.18.199).

Since changing the IOS on the voice gateway makes it work, I am honestly not sure if the issue is at the voice gateway or the NAT/firewall. I want to say at the voice gateway but I am not sure what to change.

I only have an FXS card in for testing but the production environment is producing the same results.

The NAT firewall is configured as follows (I am using all private addresses to demonstrate the issue)

NAT/FIREWALL

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c2811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog

!
no aaa new-model

!
dot11 syslog
ip source-route
!
!
ip cef
!
!

ip name-server 8.8.8.8
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp router-traffic
ip inspect name CCP_LOW udp router-traffic
ip inspect name CCP_LOW vdolive
ip inspect name CCP_LOW pptp
ip inspect name CCP_LOW ntp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW h323-annexe
ip inspect name CCP_LOW h323-nxg
ip inspect name CCP_IN h323
ip inspect name CCP_IN h323-annexe
ip inspect name CCP_IN h323-nxg
ip inspect name CCP_IN sip
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-71224978
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-71224978
revocation-check none
rsakeypair TP-self-signed-71224978
!
!
crypto pki certificate chain TP-self-signed-71224978
certificate self-signed 01
quit
!
!
archive
log config
hidekeys
!
!
!
!
!
ip tftp source-interface FastEthernet0/1
!
class-map type inspect match-any h323-traffic-class
match protocol h323
match protocol h323-annexe
match protocol h323-nxg
match protocol h225ras
!
!
!
!
!
!
interface FastEthernet0/0
description OUTSIDE
ip address 10.3.18.97 255.255.255.0
ip nat outside
ip inspect CCP_IN in
ip inspect CCP_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description INSIDE
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.3.18.1
no ip http server
ip http secure-server
!
!

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.17.3 10.3.18.199 extendable

!
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 110
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
end

Voice Gateway

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname v2811
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
voice service voip
no ip address trusted authenticate
!
!
!
!
!
voice translation-rule 1
rule 1 /\(.*\)/ /123\1/
!
!
voice translation-profile add123
translate called 1
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
archive
log config
hidekeys
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.17.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.17.1
!
!
!
!
!
!
!
control-plane
!
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
!
!
!
mgcp profile default
!
!
dial-peer voice 101 pots
destination-pattern 1231001
port 0/1/0
!
dial-peer voice 102 pots
destination-pattern 1002
port 0/1/1
!
dial-peer voice 103 pots
destination-pattern 1003
port 0/1/2
!
dial-peer voice 104 pots
destination-pattern 1004
port 0/1/3
!
!
dial-peer voice 1 voip
description INBOUND VOIP DIAL PEER
translation-profile incoming add123
answer-address 58..
incoming called-number .
codec g711ulaw
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
logging synchronous
login
transport input all
!
scheduler allocate 20000 1000
end
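
A check for the symptom described in the post (the gateway's inside address appearing in a capture taken on the outside), as an added example that is not part of the original post: it scans a SIP message for address-bearing headers and SDP lines that still carry the inside-local address of the posted static NAT entry. The sample message, the phone address 10.3.18.50 and the function name are constructed for illustration and are not the poster's capture.

```python
import re

# Static NAT entry from the posted firewall config:
#   ip nat inside source static 192.168.17.3 10.3.18.199 extendable
STATIC_NAT = {"192.168.17.3": "10.3.18.199"}

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
SIP_HEADERS = ("via", "contact", "record-route")  # signalling addresses
SDP_LINES = ("o", "c")                            # session origin / media address

def untranslated_fields(message, nat_map=STATIC_NAT):
    """List (line_no, field, inside_ip, expected_outside_ip) for each
    checked field that still carries an inside-local address."""
    findings, in_body = [], False
    for no, line in enumerate(message.splitlines(), 1):
        if not in_body and not line.strip():
            in_body = True            # blank line separates headers from SDP
            continue
        name, sep, value = line.partition("=" if in_body else ":")
        name = name.strip().lower()
        if not sep or name not in (SDP_LINES if in_body else SIP_HEADERS):
            continue
        field = f"SDP {name}=" if in_body else name
        for ip in IPV4.findall(value):
            if ip in nat_map:
                findings.append((no, field, ip, nat_map[ip]))
    return findings

# Constructed 200 OK as it might appear on the outside segment; the phone
# address 10.3.18.50 and all header values are assumptions for illustration.
SAMPLE = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 10.3.18.50:5060;branch=z9hG4bK-constructed",
    "From: <sip:5801@10.3.18.50>;tag=a1",
    "To: <sip:1001@10.3.18.199>;tag=b2",
    "Call-ID: constructed-call-1@10.3.18.50",
    "CSeq: 1 INVITE",
    "Contact: <sip:1001@10.3.18.199:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=CiscoSystemsSIP-GW-UserAgent 1 1 IN IP4 192.168.17.3",
    "s=SIP Call",
    "c=IN IP4 192.168.17.3",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0",
])

if __name__ == "__main__":
    for no, field, inside, outside in untranslated_fields(SAMPLE):
        print(f"line {no}: {field} carries {inside}, expected {outside}")
```

Run against the text of a message exported from the outside capture, the fields it reports show whether the untranslated address sits in the SIP headers, the SDP body, or both.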
