net2phone polycom phones will not register

sean6605 · ‎06-10-2016

Hi All,

I am having an issue where I have just installed a 1941 router to act as the NAT and Firewall and now the net2phone polycom VVX400 phones will not register.

The phones were working fine on the cable modem/firewall and now moving over to the new service the phones have stopped registering.

The computers in the office connect to the Internet without issue it is just the phones.

I know it has to be in the inbound ACL on the external interface as the phones register and work 100% if I remove the ACL.

I had suspected that I forgot to add UDP port 5060 to the ACL but it is there with a UDP address range for media as well.

I had the net2phone SIP proxy in the ACL so that I can keep out other connections except net2phone but when it was not working I just expanded to and ACL of any any to make sure.

I've also read some information about turning off the "ip nat service sip udp port 5060" but this did not help.

I've tried to setup an inbound "ip inspect name voip sip" but that did nothing either.

I'm not sure if it causes any issues but I connect to a remote site using the EZVPN client

The 1941 version is 15.1

Has anyone had any experience with net2phone or sip phones through a cisco router with ACL and IOS firewall? I'm not sure what else to try right now.

Here is the router config. I have scrubbed the real IP addresses being used

Any help would be very appreciated.

Thank you in advance

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1941
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.0 192.168.1.100
!
ip dhcp pool INTERNAL
network 192.168.1.0 255.255.255.0
domain-name viking.lan
dns-server 8.8.8.8
default-router 192.168.1.1
lease 7
!
!
ip domain name domain.lan
ip name-server 8.8.8.8
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp router-traffic
ip inspect name CCP_LOW udp router-traffic
ip inspect name CCP_LOW vdolive
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
!
redundancy
!
!
!
!
ip tftp source-interface GigabitEthernet0/1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group VFGVPN
key xxxxxxxxxxxx
dns 8.8.8.8
domain domain.lan
pool SDM_POOL_1
acl 116
max-users 10
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
!
crypto ipsec client ezvpn ez
connect auto
group GROUP key xxxxxxxx
mode network-extension
peer
username username password xxxxxxxxxx
xauth userid mode local
!
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $FW_OUTSIDE$
ip address 12.12.12.12 255.255.255.248
ip access-group 103 in
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
crypto ipsec client ezvpn ez
!
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
crypto ipsec client ezvpn ez inside
!
ip local pool SDM_POOL_1 192.168.2.61 192.168.2.79
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 12.12.12.13
!
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit ahp any any
access-list 103 permit udp any any eq 5060
access-list 103 permit udp any any range 10000 30000
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip any any log
access-list 107 remark CCP_ACL Category=2
access-list 107 permit ip 192.168.1.0 0.0.0.255 any
access-list 108 remark SiteToSite
access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 116 remark VPNSplitDNS
access-list 116 permit ip 192.168.0.0 0.0.7.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 107
!
!
!
control-plane
!
!
!
line con 0
password xxxxxxxxx
logging synchronous
login local
line aux 0
!
line vty 0 4
password xxxxxxxxx
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp server 129.6.15.30
end