NAT+route-map

Vadim71439
Level 1

Hi!

I am trying to solve the problem of setting up a telephony server behind NAT on a Cisco 2911.
CISCO2911 MGMT_IP: 10.40.1.1
SIPSERVER_IP: 10.40.12.2
It is necessary to ensure the availability of TCP/UDP ports 5060, 5061, 5090 and the RTP UDP range 9000-10999.

For this I use NAT with a route-map. The ports are visible from the external network, everything is fine. The problem was not noticed immediately: after adding

ip nat inside source static 10.40.12.2 172.22.1.2 route-map SIP_NAT
SSH access to the 2911 drops, and pings are answered, but not by the 2911, rather by the telephony server. To get SSH access I had to add

ip nat inside source static tcp 10.40.1.1 22 172.22.1.2 22 extendable
When I run
sh ip nat tr
ICMP is redirected to 10.40.12.2; apparently SSH goes there too.
As soon as I remove the route-map, everything comes back and pings work, but accordingly I lose the UDP ports 9000-10999. I have no desire to add 20,000 entries to the config.

Only the necessary ports and ranges are listed in the SIP_PORTS ACL, so why does everything go to 10.40.12.2?

The task is to ensure that the route-map for SIP telephony does not affect the operation of other hosts. I have already tried everything and it does not work; it seems I simply do not understand something. This is the first time I work with a route-map, usually nat inside static was enough.
!
interface GigabitEthernet0/1
description -==WAN==-
ip address 172.22.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2.112
description -==SRV_SIP==-
encapsulation dot1Q 112
ip address 10.40.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
no ip nat service sip udp port 5060
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.40.1.1 22 172.22.1.2 22 extendable
ip nat inside source static tcp 10.40.12.2 3389 172.22.1.2 42721 extendable
ip nat inside source static 10.40.12.2 172.22.1.2 route-map SIP_NAT
!
ip access-list extended NAT
permit ip 10.40.0.0 0.0.255.255 any
ip access-list extended SIP_PORTS
permit tcp host 10.40.12.2 any eq 5060 5061 5090
permit udp host 10.40.12.2 any eq 5060 5061 5090
permit udp host 10.40.12.2 any range 9000 10999
!
route-map SIP_NAT permit 10
match ip address SIP_PORTS

7 Replies

Hello,

try and add the 'extendable' keyword:

ip nat inside source static 10.40.12.2 172.22.1.2 route-map SIP_NAT extendable

Thanks Georg, but no result.

Hello

Not quite sure I understand your issue, however I do notice you have a NAT statement that doesn't look correct, as its internal host isn't residing on your LAN interface, unless that is you haven't posted the route for it.

Please see attached file for suggested changes: 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi, Paul!

Thank you for participating in the solution.

I tried to make these changes, but there is no result.
The problem is that, for a start, I cannot ping the router, only the server 10.40.12.2 behind it, and there are also no pings from the router interfaces to the outside. It is planned to deploy many different services on virtual machines, and these problems with NAT can affect further configuration and operation.

gw0401(config)#do ping 8.8.8.8 source gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.22.1.2
.....
Success rate is 0 percent (0/5)
gw0401(config)#do ping 8.8.8.8 source gi0/2.112
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.40.12.1
.....
Success rate is 0 percent (0/5)

gw0401(config)#no ip nat inside source static 10.40.12.2 172.22.1.2 route-map SIP_NAT extendable
gw0401(config)#do ping 8.8.8.8 source gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.22.1.2
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms

Hello


@Vadim71439 wrote:

The problem is that at least I can not ping the router, but only the server 10.40.12.2 behind it, and also there are no pings from the router interfaces to the outside.


Apologies for not getting back to you sooner.

It looks like your WAN interface is already being NATted, I assume by your ISP, so basically your LAN subnet isn't known by them, hence your additional NAT is being applied.

Now, if you are wanting to NAT your SIP traffic on bespoke port ranges, it could be preferable to use a NAT port-map.

Please review this document

Kind Regards
Paul

Paul, you are absolutely right, the Cisco Gi0/1 WAN port is currently behind the NAT of another device. Currently I work in a home lab, and the Cisco WAN port is connected to a home router 172.22.1.1, on which all ports are forwarded from the ISP WAN to Cisco Gi0/1.

There is a route from the home router to the WAN (Gi0/1), because I have checked ping from a computer on the local network to the Gi0/1 interface. Thanks for the link to the manual, I will report back with the results.

I made the settings according to the manual using the portmap.
Pings are OK, but the check of ports 9000-10999 does not pass. If you look at the ports, the router assigns them as described in the article: 1024 + 1 and so on. Perhaps this is because during the tests the traffic on the interface is not RTP UDP traffic? Is that possible? Does Cisco inspect traffic in the specified configuration? If voice traffic flows, will it be redirected to ports 9000-10999?
If I try appl udp-rtp startport 8960 size 2048, the tests fail too ("full cone test failed").

ip nat portmap SIPMAP
appl sip-rtp startport 8960 size 2048
no ip nat service sip udp port 5060

ip nat inside source list NAT interface GigabitEthernet0/1 overload portmap SIPMAP
ip nat inside source static tcp 10.40.12.2 5060 172.22.1.2 5060 extendable
ip nat inside source static udp 10.40.12.2 5060 172.22.1.2 5060 extendable
ip nat inside source static tcp 10.40.12.2 5061 172.22.1.2 5061 extendable
ip nat inside source static udp 10.40.12.2 5061 172.22.1.2 5061 extendable
ip nat inside source static tcp 10.40.12.2 5090 172.22.1.2 5090 extendable
ip nat inside source static udp 10.40.12.2 5090 172.22.1.2 5090 extendable

ip access-list extended NAT
permit ip 10.40.0.0 0.0.255.255 any

Results of firewall self-tests

testing SIP Server... done
detecting SIP ALG... not detected
testing port 5060... done
starting service... done
testing Tunneling Proxy... done
testing port 5090... done

testing ports [9000..9398]
testing port 9000... Mapping does not match 9000. Mapping is 1025
testing port 9002... Mapping does not match 9002. Mapping is 1026
testing port 9004... Mapping does not match 9004. Mapping is 1027
.......
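The two behaviours seen in this thread, the whole-address static entry with a route-map catching SSH and ICMP sent to 172.22.1.2 in the first post, and the port-map config above translating RTP ports to 1025, 1026, 1027 instead of 9000, 9002, 9004, as an added Python model that is not part of this thread and not Cisco IOS code; its lookup order and the PAT counter starting at 1025 are assumptions chosen to reproduce the output posted above:

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the thread's two NAT configurations. The lookup order
# (exact proto+port entry, then whole-address entry, else untranslated) and the
# PAT counter starting at 1025 are assumptions that reproduce what the thread
# observed, not Cisco's documented NAT algorithm.
@dataclass(frozen=True)
class StaticNat:
    inside_ip: str
    outside_ip: str
    proto: Optional[str] = None        # None: whole-address entry, no port
    inside_port: Optional[int] = None
    outside_port: Optional[int] = None

WAN, SIP, MGMT = "172.22.1.2", "10.40.12.2", "10.40.1.1"
# First post: SSH workaround, RDP entry and the whole-address
# 'ip nat inside source static 10.40.12.2 172.22.1.2 route-map SIP_NAT'.
ROUTE_MAP_CONFIG = [StaticNat(MGMT, WAN, "tcp", 22, 22),
                    StaticNat(SIP, WAN, "tcp", 3389, 42721),
                    StaticNat(SIP, WAN)]

# Last post: per-port entries for the signalling ports only.
PORTMAP_CONFIG = [StaticNat(SIP, WAN, p, n, n)
                  for p in ("tcp", "udp") for n in (5060, 5061, 5090)]

def inbound_target(config, proto: str, dst_port: Optional[int]):
    """Where an unsolicited packet for WAN:dst_port is delivered: (inside_ip,
    inside_port), or None when nothing claims it and the router itself answers."""
    for e in config:                        # most specific entry wins
        if e.proto == proto and e.outside_port == dst_port:
            return (e.inside_ip, e.inside_port)
    for e in config:                        # whole-address entry takes every port
        if e.proto is None:
            return (e.inside_ip, dst_port)
    return None

class Pat:
    """Overload (PAT) allocator for inside-to-outside flows: a static entry
    keeps its port, any other flow gets the next free global port."""
    def __init__(self, config):
        self.config, self.next_port, self.table = config, 1025, {}
    def outbound_port(self, proto: str, src_ip: str, src_port: int) -> int:
        for e in self.config:
            if (e.proto, e.inside_ip, e.inside_port) == (proto, src_ip, src_port):
                return e.outside_port
        key = (proto, src_ip, src_port)
        if key not in self.table:
            self.table[key], self.next_port = self.next_port, self.next_port + 1
        return self.table[key]
```

Dropping the tcp/22 entry from ROUTE_MAP_CONFIG reproduces the lost SSH access, and the Pat allocator over PORTMAP_CONFIG reproduces the "Mapping is 1025" lines of the self-test.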