Solved: Remote voice, NAT and ACLs

patrickmcm · ‎07-22-2013

Hello,

I am studying for CCNA and simlutaneously setting up a VOIP server at work and have done the following:

Voice server and phone hang off a cisco 3500XL switch > which hang off G0/1 (10.10.100.x network)

my G0/0 connects directly to a cable modem (12.34.56.78 public network)

my current config is as follows:

interface GigabitEthernet0/0

ip address 12.34.56.78 255.255.255.192

no ip redirects

ip nat outside

ip virtual-reassembly in

duplex full

speed 1000

media-type rj45

!

interface GigabitEthernet0/1

ip address 10.10.100.1 255.255.255.0

no ip redirects

ip nat inside

ip virtual-reassembly in

duplex full

speed 100

media-type rj45

vlan-id dot1q 10

exit-vlan-config

!!!!

ip nat translation tcp-timeout 600

ip nat translation udp-timeout 60

ip nat translation dns-timeout 45

ip nat inside source list 92 interface GigabitEthernet0/0 overload

ip nat inside source list 101 interface GigabitEthernet0/0 overload

ip nat inside source static udp 10.10.100.90 5060 12.34.56.78 5060 extendable

ip nat inside source static udp 10.10.100.90 5062 12.34.56.78 5062 extendable

ip nat inside source static tcp 10.10.100.90 443 12.34.56.78 8080 extendable

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

ip route 98.76.54.32(SIP Proivider) 255.255.255.0 12.34.56.78

!

access-list 92 permit 10.10.100.0 0.0.0.255

access-list 92 permit 12.34.56.78 0.0.0.64

access-list 101 permit udp 10.10.100.0 0.0.0.255 range 10000 20000 12.34.56.78 0.0.0.64 range 10000 20000

So my issue is this:

I can currently make calls out from phones on my local network. I can can even provision remote phones not on the local notwork by setting the phone's provisioning server as the public IP of the VOIP box. I can even dial numbers and hear it ring. But when the other end picks up I get zero voice. Now I know its because I am probably not passing the RTP traffic udp ports 10000 through 20000, but I cant figure out how to statically NAT traffic destined for my VOIP box for that port range. I successfully mapped:

ip nat inside source static udp 10.10.100.90 5060 12.34.56.78 5060 extendable

ip nat inside source static udp 10.10.100.90 5062 12.34.56.78 5062 extendable

ip nat inside source static tcp 10.10.100.90 443 12.34.56.78 8080 extendable

but this command does not allow for ranges. This is dovetailing with my CCNA studies as I still am hung up on ACL's. I need a visual. Can anyone provide some insight? Much appreciated.

BTW I know MUUUUCH more can be done to optimize voice traffic on my router. Right now I am simply trying to allow for remote user provisioning and use.

cadet alain · ‎07-22-2013

Hi,

take a look here:http://evilrouters.net/2010/05/25/port-forwarding-a-range-of-ports-on-cisco-ios/

Regards

Alain

Don't forget to rate helpful posts.

View solution in original post

cadet alain · ‎07-22-2013

Hi,

take a look here:http://evilrouters.net/2010/05/25/port-forwarding-a-range-of-ports-on-cisco-ios/

Regards

Alain

Don't forget to rate helpful posts.

patrickmcm · ‎07-22-2013

awesome tutorial. thanks!

patrickmcm · ‎07-24-2013

Alain,

I tried implemeting the solution in the link you sent me with no avail. UDP simply does not map when using:

ip nat inside destination list 100 pool POOL

ip nat pool POOL 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary

access-list 100 permit udp any any range 10000 2000

it does however work if you implement route mapping and point the route map to an ACL with the port range you want mapped inside.

ip nat inside source static 192.168.1.10 X.X.X.X route-map RTP extendable

route-map RTP permit 10

match ip address 100

access-list 100 permit udp host 192.168.1.10 any range 10000 20000

I found this info on another support page linked below.

https://supportforums.cisco.com/thread/2122757

cadet alain · ‎07-24-2013

Hi,

yes apparently the rotary is only working with TCP as further searches revealed but I'm glad you got it working though.

Regards

Alain

Don't forget to rate helpful posts.