Portforward range

m.x
Level 1

Hi all! 

 

Hope you are all healthy and sane?!

Because of Covid-19 more people are working from home. This means telephones also need to connect from home. This is not my forte. They mostly ask to configure port forwards for both the registration and the audio. The audio usually needs a port range. This is where my question comes in:

To set up a range of ports I use this:

 

ip nat pool natpool 192.168.36.208 192.168.36.208 netmask 255.255.255.0 type rotary
ip nat inside destination list portrange pool natpool

ip access-list extended portrange
 permit tcp any any eq www
 permit udp any any eq 5060
 permit udp any any range 16000 16511
 permit tcp any any range 16000 16511
 deny   ip any any

I'm not using a dialer or gig interface, because of the ip nat inside command.

The phones register, but there is no audio...

 

What am I missing? 

 

 

Any help would be appreciated.

3 Replies

Giuseppe Larosa
Hall of Fame

Hello @m.x ,

Audio packets are carried inside RTP packets that use a much wider port range.

See the following thread:

https://community.cisco.com/t5/ip-telephony-and-phones/rtp-port-range/td-p/1345511

 

>> RTP has a broad range of ports assigned 16384 - 32767 UDP. However different vendors use different ports (e.g. CUCM uses only a number 24576-32767/UDP) hence you may want to check the Asterisk Documentation to make sure you open only concerned ports.

 

Hope to help

Giuseppe

 

 

Hello
Append your ACL to allow the following VoIP and signaling traffic and test again:
permit udp any any range 16384 32767
permit tcp any any eq 1720

Regarding your NAT statements, you have destination NAT to a single internal host, so your present NAT pool statement wouldn't require the rotary command?

DNAT would be most applicable when you have a virtual IP address related to multiple internal physical servers. So I would expect your NAT pool to state multiple internal hosts and then have the access-list state a specific public IP address! However, without knowing your topology this may not be applicable.

Example: Host 1.1.1.1 is your inside global vip address
ip nat pool natpool 192.168.36.208 192.168.36.211 netmask 255.255.255.0 type rotary
ip nat inside destination list portrange pool natpool

ip access-list extended portrange
permit udp any host 1.1.1.1 range 16384 32767
permit tcp any host 1.1.1.1 eq 1720
permit tcp any host 1.1.1.1 eq www
permit udp any host 1.1.1.1 eq 5050


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you all for helping. 

 

Sadly none of the solutions worked. My NOC engineer told me that the UDP-range doesn't work. So I added all ports 16000-17000 manually and now it works.

 

still many thanks!

stay safe!
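
Added example, not part of any poster's reply or of Cisco's tooling: a small Python check that evaluates the original ACL from the first post in first-match order against the two RTP ranges quoted in the thread (16384-32767 and CUCM's 24576-32767), to show how much of each range the port-forward list actually covers. The parser is a simplified assumption that handles only the `eq <port>` and `range <lo> <hi>` forms used in this thread.

```python
NAMED_PORTS = {"www": 80}  # only the port name that appears in the thread's ACL

# The original poster's ACL, copied from the first post.
ACL = """\
permit tcp any any eq www
permit udp any any eq 5060
permit udp any any range 16000 16511
permit tcp any any range 16000 16511
deny   ip any any
"""

def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def parse_acl(text):
    """Return [(action, proto, lo, hi)]; lo/hi of None means any port."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        action, proto = tok[0], tok[1]
        if "range" in tok:
            i = tok.index("range")
            rules.append((action, proto, _port(tok[i + 1]), _port(tok[i + 2])))
        elif "eq" in tok:
            p = _port(tok[tok.index("eq") + 1])
            rules.append((action, proto, p, p))
        else:
            rules.append((action, proto, None, None))
    return rules

def permitted(rules, proto, port):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, rproto, lo, hi in rules:
        if rproto in (proto, "ip") and (lo is None or lo <= port <= hi):
            return action == "permit"
    return False

def coverage(rules, proto, lo, hi):
    """Return (ports covered, ports in range, first uncovered port or None)."""
    gaps = [p for p in range(lo, hi + 1) if not permitted(rules, proto, p)]
    total = hi - lo + 1
    return total - len(gaps), total, (gaps[0] if gaps else None)

if __name__ == "__main__":
    rules = parse_acl(ACL)
    for name, lo, hi in [("RTP 16384-32767", 16384, 32767),
                         ("CUCM 24576-32767", 24576, 32767)]:
        covered, total, gap = coverage(rules, "udp", lo, hi)
        print(f"{name}: {covered}/{total} UDP ports forwarded, first gap at {gap}")
```

Running the same check against the media port range configured on the phone system shows whether the forwarded range is too narrow for audio or wider than the ports actually in use.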
