How to IP NAT SIP trunk traffic to an IP PBX while using SIP handsets at the same time?

Matthew Needs
Level 1

Hi All,

I've come across an issue to which I thought I had found the solution. However, it didn't work and I don't fully understand why. Take a look at the diagram and HW config attached FYI. The HQ site hosts a PBX with SIP trunks and the remote sites use LAN-LAN VPN to support a couple of SIP phones. Both trunks and the phones use UDP 5060 to register to the PBX. Hence the problem, which I think is due to my NAT config at the HQ!?

I need to port forward UDP 5060 to 172.16.16.2 (PBX) for the SIP service provider while at the same time allowing remote SIP phones to register to the PBX. The trouble is I can't get both trunks and phones to work correctly at the same time!

I have removed my firewall ingress ACL from the config for now to keep things simple..

Thanks in advance for any help with this.

Matt

1 Reply 1

Matthew Needs
Level 1

Hi All,

Surprised nobody has anything to say here! Anyway, I think I may have found the problem (subject to tests).

Here's my original config:

!
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Head-Office
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10000 informational
enable secret 5 ********
!
aaa new-model
!
!
aaa authentication login AUTH local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time brit_summer recurring
!
!
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 172.16.16.1 172.16.16.5
ip dhcp excluded-address 172.16.16.253 172.16.16.254
!
ip dhcp pool USERS
network 172.16.16.0 255.255.255.0
default-router 172.16.16.254
dns-server 8.8.8.8
!
!
ip name-server 8.8.8.8
ip inspect name INSPECT-OUT tcp
ip inspect name INSPECT-OUT udp
ip inspect name INSPECT-OUT icmp
ip inspect name INSPECT-OUT sip
ip inspect name INSPECT-IN sip
ip cef
login block-for 300 attempts 5 within 300
login quiet-mode access-class TELNET_RULES
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
spanning-tree vlan 1 priority 4096
vtp mode transparent
username admin privilege 15 secret *******
!
!
!
!
!
controller VDSL 0
!
vlan 2
!
!
class-map match-any VOICE
match access-group name QOS_RULES
!
policy-map VOICEPOLICY
class VOICE
  priority 4000
class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ******* address *******  no-xauth
crypto isakmp key ******* address *******  no-xauth
crypto isakmp key ******* address *******  no-xauth
crypto isakmp key ******* address *******  no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
!
!
!
crypto map VPNCRYPTO 1 ipsec-isakmp
set peer *******
set transform-set trans1
match address VPN1
crypto map VPNCRYPTO 2 ipsec-isakmp
set peer *******
set transform-set trans1
match address VPN2
crypto map VPNCRYPTO 3 ipsec-isakmp
set peer *******
set transform-set trans1
match address VPN3
crypto map VPNCRYPTO 4 ipsec-isakmp
set peer *******
set transform-set trans1
match address VPN4
!
!
!
!
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
description *LAN*
switchport access vlan 2
no ip address
!
interface FastEthernet1
description *LAN*
switchport access vlan 2
no ip address
!
interface FastEthernet2
description *LAN*
switchport access vlan 2
no ip address
!
interface FastEthernet3
description *LAN*
switchport access vlan 2
no ip address
!
interface Vlan1
no ip address
!
interface Vlan2
description *INSIDE NETWORK*
ip address 172.16.16.254 255.255.255.0
ip nat inside
ip inspect INSPECT-OUT out
ip virtual-reassembly in
hold-queue 100 out
!
interface Dialer1
description *FTTC*
bandwidth 8000
ip address A.A.A.A 255.255.255.248
ip inspect INSPECT-IN in
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ********
ppp chap password ********
ppp ipcp dns request
no cdp enable
crypto map VPNCRYPTO
service-policy output VOICEPOLICY
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source route-map NAT interface Dialer1 overload
ip nat inside source static tcp 172.16.16.2 5060 A.A.A.B 5060 route-map GAMMA extendable
ip nat inside source static udp 172.16.16.2 5060 A.A.A.B 5060 route-map GAMMA extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard TELNET_RULES
permit *********
permit *********
!
ip access-list extended QOS_RULES
permit ip any any dscp ef
permit ip any any precedence critical
ip access-list extended VPN1
permit ip 172.16.16.0 0.0.0.255 172.16.18.0 0.0.0.255
ip access-list extended VPN2
permit ip 172.16.16.0 0.0.0.255 172.16.17.0 0.0.0.255
ip access-list extended VPN3
permit ip 172.16.16.0 0.0.0.255 172.16.19.0 0.0.0.255
ip access-list extended VPN4
permit ip 172.16.16.0 0.0.0.255 172.16.20.0 0.0.0.255
!
access-list 100 permit ip 172.16.16.0 0.0.0.255 88.215.60.0 0.0.0.255
access-list 100 permit ip 172.16.16.0 0.0.0.255 88.215.61.0 0.0.0.255
access-list 100 permit ip 172.16.16.0 0.0.0.255 88.215.62.0 0.0.0.255
!
access-list 101 deny   ip 172.16.16.0 0.0.0.255 172.16.17.0 0.0.0.255
access-list 101 deny   ip 172.16.16.0 0.0.0.255 172.16.18.0 0.0.0.255
access-list 101 deny   ip 172.16.16.0 0.0.0.255 172.16.19.0 0.0.0.255
access-list 101 deny   ip 172.16.16.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 permit ip 172.16.16.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
route-map GAMMA permit 10
match ip address 100
!
route-map NAT permit 10
match ip address 101
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 15 0
privilege level 15
logging synchronous
login authentication AUTH
line aux 0
line vty 0 4
access-class TELNET_RULES in
exec-timeout 15 0
privilege level 15
logging synchronous
login authentication AUTH
transport input all
!
ntp server ******** prefer source Dialer1
ntp server ********
!
end

I'm thinking maybe it's my global PAT route-map matching SIP provider traffic before the NAT port forward route-map?! I'm going to try and modify ACL 101 as follows. I'll let you know what happens..

!
access-list 101 deny   ip 172.16.16.0 0.0.0.255 88.215.60.0 0.0.0.255
access-list 101 deny   ip 172.16.16.0 0.0.0.255 88.215.61.0 0.0.0.255
access-list 101 deny   ip 172.16.16.0 0.0.0.255 88.215.62.0 0.0.0.255
access-list 101 deny   ip 172.16.16.0 0.0.0.255 172.16.17.0 0.0.0.255
access-list 101 deny   ip 172.16.16.0 0.0.0.255 172.16.18.0 0.0.0.255
access-list 101 deny   ip 172.16.16.0 0.0.0.255 172.16.19.0 0.0.0.255
access-list 101 deny   ip 172.16.16.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 permit ip 172.16.16.0 0.0.0.255 any
!

Matt
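To check the reasoning in the reply above (an added worked example, not the poster's config and not Cisco's NAT implementation), the following Python models IOS wildcard-mask ACL matching and first-match evaluation for ACL 100 (route-map GAMMA) and ACL 101 (route-map NAT), before and after the proposed change. It only reports which NAT statements' route-maps match a given flow; the real router's precedence between a matching static and a matching overload entry is an assumption this model does not make.

```python
import ipaddress

# Constructed model (added illustration, not the posted router's code) of the
# ACL / route-map matching behind the two NAT statements in the post.

INSIDE = ("172.16.16.0", "0.0.0.255")
ANY = ("0.0.0.0", "255.255.255.255")
PROVIDER = [("88.215.60.0", "0.0.0.255"), ("88.215.61.0", "0.0.0.255"),
            ("88.215.62.0", "0.0.0.255")]
REMOTE_SITES = [("172.16.17.0", "0.0.0.255"), ("172.16.18.0", "0.0.0.255"),
                ("172.16.19.0", "0.0.0.255"), ("172.16.20.0", "0.0.0.255")]

# ACL 100 drives route-map GAMMA (the static TCP/UDP 5060 forwards).
ACL_100 = [("permit", INSIDE, p) for p in PROVIDER]
# ACL 101 drives route-map NAT (the overload PAT), as originally posted ...
ACL_101_ORIG = [("deny", INSIDE, r) for r in REMOTE_SITES] + [("permit", INSIDE, ANY)]
# ... and with the provider subnets denied, as proposed in the reply.
ACL_101_NEW = [("deny", INSIDE, p) for p in PROVIDER] + ACL_101_ORIG


def wildcard_match(addr, entry):
    """IOS wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = entry
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, s_entry, d_entry in acl:
        if wildcard_match(src, s_entry) and wildcard_match(dst, d_entry):
            return action == "permit"
    return False


def nat_statements_matching(src, dst, acl_101, src_port=None):
    """Names of the posted NAT statements whose route-map matches this flow."""
    hits = []
    # The static entries only apply to the PBX's own port 5060.
    if src == "172.16.16.2" and src_port == 5060 and acl_permits(ACL_100, src, dst):
        hits.append("static 5060 (route-map GAMMA)")
    if acl_permits(acl_101, src, dst):
        hits.append("overload PAT (route-map NAT)")
    return hits


if __name__ == "__main__":
    for label, acl in (("original ACL 101", ACL_101_ORIG), ("modified ACL 101", ACL_101_NEW)):
        print(label, nat_statements_matching("172.16.16.2", "88.215.60.10", acl, 5060))
```

With the original ACL 101 both statements match PBX-to-provider traffic; with the modified ACL only the static forward does, while traffic to the VPN sites matches neither and stays untranslated either way.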