12-26-2012 11:46 AM - edited 03-04-2019 06:30 PM
I have been trying to figure out a NAT issue on my 2811 and the inspect engine.
I have 'ip inspect FW out' on my outside interface. If I turn it off, I also have to remove the access-list applying to inbound traffic on that same interface. Why is that? This whole thing centered around SIP registrations from devices on my LAN to my provider. The provider is showing that I am registering from a high end port (1024 or something crazy). He said that it sounds like some type of SIP ALG or something on my router. For the life of me, I can't figure out what would be causing it. I am just using a standard route-map that points to the outside interface using 'overload'. Am I missing something?
12-26-2012 12:31 PM
Hi,
What's the need of inspecting traffic to permit return traffic if there is no ACL blocking WAN traffic inbound?
If you've got no ACL filtering traffic inbound then you don't need to inspect anything as all returning traffic will be permitted.
If you want to disable ALG for SIP you should try this:
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
Regards.
Alain
Don't forget to rate helpful posts.
12-26-2012 12:52 PM
Ok. So why is there a requirement for inspection when an ACL is applied inbound? Also, is the SIP ALG on by default?
Sent from Cisco Technical Support iPhone App
12-26-2012 01:15 PM
hi,
The inspection is needed to create a state table and permit the return traffic for outbound traffic that is in this state table, so the inbound ACL denying this traffic is not taken into account.
Yes, AFAIK the SIP ALG is the default.
Regards.
Alain
Don't forget to rate helpful posts.
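To put the two replies above side by side (the state table that lets return traffic past an inbound WAN ACL, and the two commands that disable the SIP ALG), here is an added illustrative IOS configuration. It is not from the thread or from Cisco documentation; interface names, the ACL name, the route-map name and the provider address are assumed.

```cisco
! Added example, not the original poster's config. Interface names, ACL and
! route-map names, and the provider address (RFC 5737 documentation range)
! are all assumed for illustration.
!
! 1. Inspection rule. Sessions leaving the WAN interface are recorded in a
!    state table; replies matching an entry are allowed back in even though
!    the inbound ACL below would otherwise deny them.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! 2. Inbound WAN ACL. Only explicitly permitted unsolicited traffic gets in.
!    Without "ip inspect FW out", replies to outbound sessions hit this deny
!    and are dropped, which is why removing inspection breaks traffic here.
ip access-list extended WAN-IN
 remark SIP signalling from the provider (address is constructed)
 permit udp host 203.0.113.10 any eq 5060
 deny ip any any log
!
! 3. NAT overload via a route-map, as described in the question
!    (the route-map NAT-OUT itself is assumed and not shown).
ip nat inside source route-map NAT-OUT interface FastEthernet0/0 overload
!
! 4. Disable the SIP ALG so NAT does not rewrite SIP payloads or ports.
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
!
interface FastEthernet0/0
 description WAN
 ip address dhcp
 ip nat outside
 ip access-group WAN-IN in
 ip inspect FW out
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

After applying it, "show ip inspect sessions" lists the tracked outbound sessions, and "show ip nat translations" shows the port the provider actually sees for each registration.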
12-26-2012 01:43 PM
Ok, well, thank you very much for the help. I appreciate it.
Sent from Cisco Technical Support iPhone App
12-26-2012 05:02 PM
"ip inspect" has nothing to do with NAT. It enables some sort of IOS firewall. It is not needed or helpful at all, and can be removed altogether.
12-26-2012 09:57 PM
Well, I would remove it, but when I do, traffic fails unless I remove the ACL inbound on the WAN interface, which I don't want to do.
Sent from Cisco Technical Support iPhone App