NAT ports IOS and monitoring

davidfield
Level 3

Hello All,

Quick question. I have a PBX (10.0.30.253) on the network at a remote location and the telecoms company set up a SIP trunk. I have NAT'd the ports as requested but they are saying the PBX doesn't register.

Can someone advise how I can monitor through IOS what ports the PBX is trying to use?  Can I monitor the NAT statements or the access-list to see what is/isn't forwarding from 10.0.30.253?

ip nat pool PRTFWD 10.0.30.253 10.0.30.253 netmask 255.255.255.0 type rotary

ip nat inside source static udp 10.0.30.253 5060 interface Dialer1 5060

ip nat inside source static tcp 10.0.30.253 5060 interface Dialer1 5060

ip nat inside destination list 190 pool PRTFWD

!

access-list 190 permit udp any any range 10000 20000

access-list 190 permit tcp any any range 10000 20000

Thanks in advance for any pointers

Dave

2 Replies

shamax_1983
Level 3

Hi David,

The easiest way to do this is to have a permit access list with logs enabled.

You can create:

access-list 200 permit ip host 10.0.30.253 any log

You can simply apply this ACL inbound on the router's LAN interface (your PBX's default GW) and check for logs. The router will log all the packets the PBX is sending out. (If you are not consoled in to the router, make sure you have "terminal monitor" turned on so you can see the logs over the SSH/Telnet session.)

Let me know if you have more queries on this.

Please rate helpful posts.

Shamal

Michal Garcarz
Cisco Employee

Hi David,

I do not see your interface NAT config. If you use classic NAT you can monitor NAT translations:

"show ip nat translations"

If you use NVI NAT:

"show ip nat nvi translations"

Are you sure that your RTP sessions use port range 10k-20k?

You can also try to sniff packets using embedded packet capture:

http://www.cisco.com/en/US/docs/ios-xml/ios/epc/configuration/15-2mt/nm-packet-capture.html#GUID-7E23C5F6-7BDF-4D18-A208-34FD726D6789

Then you will know for sure whether packets arrived at the router interface and what the port numbers were.

But this is just for dynamic translations for RTP streams, and:

"they are saying the PBX doesn't register" indicates that we have problems with registration via SIP.

It means that we have a problem with port 5060. If you try to telnet to DIALER1_IP port 5060 from an outside network (dialer1), is it working?

--

Michal
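
An added example, not part of any reply in this thread: a small Python parser for pasted "show ip nat translations" output that sorts the PBX's entries into static mappings, live SIP sessions on 5060, RTP flows inside the 10000-20000 range from access-list 190, and flows on ports that nothing in the posted config forwards. The sample output is constructed (documentation addresses), and the function name `summarize` and its result keys are assumptions made for illustration.

```python
import re

# Constructed sample of "show ip nat translations" output; public addresses
# are documentation ranges, not values from the thread.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 203.0.113.10:5060  10.0.30.253:5060   ---                ---
tcp 203.0.113.10:5060  10.0.30.253:5060   ---                ---
udp 203.0.113.10:5060  10.0.30.253:5060   198.51.100.20:5060 198.51.100.20:5060
udp 203.0.113.10:16384 10.0.30.253:16384  198.51.100.21:40000 198.51.100.21:40000
udp 203.0.113.10:30012 10.0.30.253:30012  198.51.100.21:40002 198.51.100.21:40002
udp 203.0.113.10:1025  10.0.30.77:53211   192.0.2.53:53      192.0.2.53:53
"""

# Pro, inside global addr:port, inside local addr:port, outside local, outside global
ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s*$")

def summarize(output, pbx="10.0.30.253", sip=5060, rtp=range(10000, 20001)):
    """Classify the translations whose inside local address is the PBX."""
    result = {"static": [], "sip_sessions": [], "rtp": [], "not_forwarded": []}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line or a protocol this check ignores
        proto, _gaddr, _gport, laddr, lport, _olocal, oglobal = m.groups()
        if laddr != pbx:
            continue  # some other inside host
        lport = int(lport)
        if oglobal == "---":
            # Static entry: present whether or not any traffic has flowed.
            result["static"].append((proto, lport))
        elif lport == sip:
            # Row with outside addresses: an actual flow on the SIP port.
            result["sip_sessions"].append((proto, oglobal))
        elif proto == "udp" and lport in rtp:
            result["rtp"].append((lport, oglobal))
        else:
            # PBX port outside 5060 and outside the ACL 190 range.
            result["not_forwarded"].append((proto, lport, oglobal))
    return result

if __name__ == "__main__":
    for kind, rows in summarize(SAMPLE).items():
        print(kind, rows)
```

An empty `sip_sessions` list alongside populated `static` rows means the mappings exist but no SIP flow has used them; entries under `not_forwarded` are ports to compare against the range the telecoms company asked for.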
