How to get RTSP through NAT

computerone1 · ‎11-04-2018

Whatever I try, I can't manage to have RTSP (Real-Time Streaming Protocol) pass through a Cisco881K9 running NAT:
The TCP flux is running OK, but the UDP AV flux gets stopped by the NAT.

The client is lan-side, the server is wan-side.

The C881K9 is performing InterVlanRouting, with a trunk on one of its switching module.

Nat is running, and there are a few ACLs to isolate the vlans.

It's a very simple configuration.

Everything is working perfectly, except the RTSP audio/video streams.

Doesn anybody know how to manage this problem?

Here are the hardware/software/license versions:

Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.4(3)M9, RELEASE SOFTWARE (fc1)
License Level: advipservices Type: Permanent

Here is the C881K9 basic config (stripped-down and anonymized):

!

ip domain name example.com
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip multicast-routing
ip cef
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport trunk native vlan 110
switchport mode trunk
no ip address
!
interface FastEthernet4
description WAN
ip address 172.16.7.240 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip tcp adjust-mss 1452
!
interface Vlan10
ip address 172.16.10.1 255.255.255.0
ip access-group ACL1 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 172.16.20.1 255.255.255.0
ip access-group ACL1 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan30
ip address 172.16.30.1 255.255.255.0
ip access-group ACL1 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan40
ip address 172.16.40.1 255.255.255.0
ip access-group ACL1 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
ip address 172.16.100.1 255.255.255.0
ip access-group ACL1 in
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 172.16.7.1
!
ip access-list extended ACL1
permit ip 172.16.10.0 0.0.0.255 172.16.10.0 0.0.0.255
permit ip 172.16.20.0 0.0.0.255 172.16.20.0 0.0.0.255
permit ip 172.16.30.0 0.0.0.255 172.16.30.0 0.0.0.255
permit ip 172.16.40.0 0.0.0.255 172.16.40.0 0.0.0.255
permit ip 172.16.100.0 0.0.0.255 172.16.100.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255
permit ip 172.16.40.0 0.0.0.255 172.16.10.0 0.0.0.255
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 log-input
permit ip any any
!
!
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
!
!
!
control-plane
!
!
vstack

Georg Pauwen · ‎11-04-2018

Hello,

I think you have to enable NAT traversal. Check the doc below (it works in conjunction with pools):

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-4t/nat-12-4t-book/iadnat-host-sbc.html

javierzuleta · ‎01-22-2020

tenia el mismo problema. resulta que NAT overload no acepta a RTSP.

RTSP solo es posible con NAT estático.

anchambe · ‎08-06-2020

I wanted to post this here since I came across this thread when searching for the problem too. This is a known bug on the IOS platform with RTSP and NAT ALG. Here is the link to the bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtn86205

The feature works on IOS XE, but not IOS.