05-05-2006 01:25 PM - edited 03-03-2019 12:36 PM
I have a Cisco CallManager located behind a DSL router. I am trying to allow inbound connections from the public Internet to this CallManager. I have set up a 1:1 NAT (I have an additional /30 block routed towards my dialer interface) and can reach the web and other services on it just fine. The IP address of the CCM is 10.40.0.20.
The problem is I can't get phones to register remotely. These phones on the inside LAN will register and work just fine. I think NAT or something is breaking my inbound connections to the CCM.
Please see the config below and let me know if you can find the problem.
Thanks
version 12.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Cisco827
!
boot-start-marker
boot-end-marker
!
logging buffered 100000 debugging
enable secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
clock timezone CST -6
clock summer-time CST recurring
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.40.0.1 10.40.0.50
!
ip dhcp pool DATA
network 10.40.0.0 255.255.255.0
dns-server xxxxxxxxxxxxxxxxxxxxx
default-router 10.40.0.1
!
!
class-map match-any VOIP
match ip precedence 3 5
!
!
policy-map BROADBAND
class VOIP
priority 256
class class-default
fair-queue
!
!
!
!
!
interface Ethernet0
ip address 216.243.xxx.xx5 255.255.255.252 secondary
ip address 10.40.0.1 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
description PPPoA Dialer to xxxxxxxxxxxxxxxxxxxxx
bandwidth 1500
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
service-policy output BROADBAND
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static udp 10.40.0.5 3389 interface Dialer1 3389
ip nat inside source static tcp 10.40.0.10 5900 interface Dialer1 5900
ip nat inside source static udp 10.40.0.10 5900 interface Dialer1 5900
ip nat inside source static tcp 10.40.0.5 6889 interface Dialer1 6889
ip nat inside source static tcp 10.40.0.5 6888 interface Dialer1 6888
ip nat inside source static tcp 10.40.0.5 6887 interface Dialer1 6887
ip nat inside source static tcp 10.40.0.5 6886 interface Dialer1 6886
ip nat inside source static tcp 10.40.0.5 6885 interface Dialer1 6885
ip nat inside source static tcp 10.40.0.5 6884 interface Dialer1 6884
ip nat inside source static tcp 10.40.0.5 6883 interface Dialer1 6883
ip nat inside source static tcp 10.40.0.5 6882 interface Dialer1 6882
ip nat inside source static tcp 10.40.0.5 6881 interface Dialer1 6881
ip nat inside source static udp 10.40.0.5 4672 interface Dialer1 4672
ip nat inside source static tcp 10.40.0.5 4662 interface Dialer1 4662
ip nat inside source static tcp 10.40.0.10 3389 interface Dialer1 3390
ip nat inside source static tcp 10.40.0.5 3389 interface Dialer1 3389
ip nat inside source static 10.40.0.20 216.243.xxx.xx6 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 101 permit ip 10.40.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
line con 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
session-timeout 60
privilege level 15
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
sntp server xxxxxxxx
sntp server xxxxxxxxxxxxx
end
05-05-2006 10:01 PM
Hi, I suggest you remove all the IP addresses that are being statically NATted from access list 101. I suppose your public IP addresses are 216.243.xxx.xx4/30, so why are you using the extendable command for the CCM?
HTH
Kamlesh
05-05-2006 10:34 PM
How do you suggest I do that? I am still pretty new to all this. I tried creating a route map that referenced an ACL:
route-map NONAT permit 101
match ip address 101
ip nat inside source route-map NONAT interface Dialer1 overload
access-list 101 deny ip 216.243.xxx.xx4 0.0.0.4 any
access-list 101 permit ip 10.40.0.0 0.0.0.255 any
This didn't make any improvement, but I may have configured it incorrectly as well.
I also don't understand what the extendable command does; I will look that up.
05-06-2006 03:21 AM
Hi,
You just need to add a deny statement to your access-list 101 that selects all the IP addresses which are being NATted statically:
access-list 101 deny ip host 10.40.0.20 any
Also remove the extendable keyword from the last statement. I suppose the route-map command is useful when you want to do conditional NAT out of multiple interfaces.
If you have any firewall, then you also need to open the ports for your CCM for incoming traffic from the IP phones that want to register to your CCM.
Even if you are using extendable NAT, you can still use this, but you need to configure the incoming ports 3389 and 3390 to your CCM IP address, which is 10.40.0.20:
ip nat inside source static tcp 10.40.0.20 3389 203.x.x.x6 3389 extendable
HTH
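The overlap the replies point at (an inside host with a one-to-one static NAT entry that is still permitted by the ACL feeding the overload rule) can be checked mechanically on a saved config. This is an added example, not code from the thread; the function names are hypothetical and the sample is built from the NAT and ACL lines of the config in the first post.

```python
import ipaddress
import re

# Constructed sample: a subset of the NAT/ACL lines from the posted config.
CONFIG = """\
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 10.40.0.5 3389 interface Dialer1 3389
ip nat inside source static tcp 10.40.0.10 5900 interface Dialer1 5900
ip nat inside source static 10.40.0.20 216.243.xxx.xx6 extendable
access-list 101 permit ip 10.40.0.0 0.0.0.255 any
"""

# One-to-one statics only: an IP directly after "static" (port forwards have tcp/udp).
STATIC_1TO1 = re.compile(r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\S+)")
OVERLOAD = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload")
ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (?:host (\S+)|(\d\S+) (\d\S+)|(any)) ")

def ace_matches(ace, host):
    """True if the ACE's source field matches host (IOS wildcard-mask semantics)."""
    _, _, single, addr, wild, any_ = ace
    if any_:
        return True
    if single:
        return single == host
    a, w, h = (int(ipaddress.IPv4Address(v)) for v in (addr, wild, host))
    return (a | w) == (h | w)  # bits set in the wildcard are "don't care"

def acl_action(aces, acl, host):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace[0] == acl and ace_matches(ace, host):
            return ace[1]
    return "deny"

def overlapping_static_hosts(config):
    """(host, acl) pairs where a 1:1 static host is also permitted by an overload ACL."""
    lines = [line.strip() for line in config.splitlines()]
    aces = [m.groups() for line in lines if (m := ACE.match(line))]
    acls = [m.group(1) for line in lines if (m := OVERLOAD.match(line))]
    hosts = [m.group(1) for line in lines if (m := STATIC_1TO1.match(line))]
    return [(h, a) for h in hosts for a in acls if acl_action(aces, a, h) == "permit"]

def suggested_denies(config):
    """Deny lines in the form given in the reply; they must precede the permit entry."""
    return [f"access-list {a} deny ip host {h} any" for h, a in overlapping_static_hosts(config)]
```

Because ACL evaluation is first-match, a suggested deny only takes effect if it is entered ahead of the existing `permit ip 10.40.0.0 0.0.0.255 any` line.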