05-01-2020 05:09 AM
Hi all!
Hope you are all healthy and sane?!
Because of COVID-19 more people are working from home. This means telephones also need to connect from home. This is not my forte. They mostly ask to configure port forwards for both the registration and the audio. The audio usually needs a port range. This is where my question comes in:
To set up a range of ports I use this:
ip nat pool natpool 192.168.36.208 192.168.36.208 netmask 255.255.255.0 type rotary
ip nat inside destination list portrange pool natpool
ip access-list extended portrange
permit tcp any any eq www
permit udp any any eq 5060
permit udp any any range 16000 16511
permit tcp any any range 16000 16511
deny ip any any
I'm not using a dialer or gig interface, because of the IP nat inside command.
The phones register, but there is no audio...
What am I missing?
Any help would be appreciated.
05-01-2020 05:42 AM
Hello @m.x ,
Audio packets are carried inside RTP packets that use a much wider port range.
See the following thread:
https://community.cisco.com/t5/ip-telephony-and-phones/rtp-port-range/td-p/1345511
>> RTP has a broad range of ports assigned 16384 - 32767 UDP. However, different vendors use different ports (e.g. CUCM uses only a number 24576-32767/UDP), hence you may want to check the Asterisk documentation to make sure you open only concerned ports.
Hope to help
Giuseppe
05-01-2020 06:28 AM - edited 05-01-2020 06:31 AM
Hello
Append your ACL to allow the following VoIP and signaling traffic and test again:
permit udp any any range 16384 32767
permit tcp any any eq 1720
Regarding your NAT statements, you have destination NAT to a single internal host, so your present NAT pool statement wouldn’t require the rotary command?
DNAT would be most applicable when you have a virtual IP address related to multiple internal physical servers, so I would expect your NAT pool to state multiple internal hosts and then have the access-list state a specific public IP address! However, without knowing your topology this may not be applicable.
Example: Host 1.1.1.1 is your inside global vip address
ip nat pool natpool 192.168.36.208 192.168.36.211 netmask 255.255.255.0 type rotary
ip nat inside destination list portrange pool natpool
ip access-list extended portrange
permit udp any host 1.1.1.1 range 16384 32767
permit tcp any host 1.1.1.1 eq 1720
permit tcp any host 1.1.1.1 eq www
permit udp any host 1.1.1.1 eq 5050
06-05-2020 02:21 AM
Thank you all for helping.
Sadly none of the solutions worked. My NOC engineer told me that the UDP-range doesn't work. So I added all ports 16000-17000 manually and now it works.
still many thanks!
stay safe!
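Added example, not written by any poster in this thread: a small Python model of first-match extended-ACL evaluation that reports which ports of the RTP range quoted above (16384-32767/UDP) an access list leaves unmatched, run against the ACL from the question. It assumes only protocol and destination port matter (addresses are ignored); the function names and the `EQ_ACL` sample are made up for illustration.

```python
import re

# Constructed input: the ACL from the question, as IOS extended-ACL entries.
QUESTION_ACL = """permit tcp any any eq www
permit udp any any eq 5060
permit udp any any range 16000 16511
permit tcp any any range 16000 16511
deny ip any any"""
# Constructed input: 'eq' lists individual ports, it does not describe a span.
EQ_ACL = "permit udp any any eq 16384 32767"
NAMED_PORTS = {"www": 80}  # only the port keyword that appears on this page
ACE = re.compile(r"(permit|deny)\s+(ip|tcp|udp)\s+any\s+(?:any|host\s+\S+)\s*(.*)")

def parse_ace(line):
    """Return (action, proto, ports); ports is None when the entry names no port."""
    m = ACE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported entry: {line!r}")
    action, proto, tail = m.groups()
    if not tail:
        return action, proto, None
    op, *args = tail.split()
    nums = [int(NAMED_PORTS.get(a, a)) for a in args]
    if op == "range" and len(nums) == 2:
        return action, proto, range(nums[0], nums[1] + 1)
    if op == "eq" and nums:
        return action, proto, set(nums)
    raise ValueError(f"unsupported port match: {line!r}")

def decide(acl_text, proto, dport):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl_text.splitlines():
        action, ace_proto, ports = parse_ace(line)
        if ace_proto in ("ip", proto) and (ports is None or dport in ports):
            return action
    return "deny"

def uncovered(acl_text, proto, lo, hi):
    """Contiguous (first, last) spans in lo..hi that the ACL does not permit."""
    gaps, start = [], None
    for port in range(lo, hi + 2):  # hi + 1 acts as a sentinel to close a gap
        denied = port <= hi and decide(acl_text, proto, port) != "permit"
        if denied and start is None:
            start = port
        elif not denied and start is not None:
            gaps.append((start, port - 1))
            start = None
    return gaps

if __name__ == "__main__":
    print(uncovered(QUESTION_ACL, "udp", 16384, 32767))
    print(uncovered(EQ_ACL, "udp", 16384, 32767))
```

Running the same check against the port range the phone system is actually configured to use shows whether the forward can be kept narrower than the full RTP range.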