
Router 4531 IOS XE Static NAT issues

remi-reszka
Level 1

Hello Experts,

I'm having trouble with a newly bought router 4531 running IOS XE version: isr4300-universalk9.03.16.02.S.155-3.S2-ext.SPA.bin. I have a static NAT for SIP UDP 5060 and RTP ports 10000 to 10020. What happens is that the UDP port translation does not take effect: the NAT on this IOS XE ignores the static NAT configuration and opens dynamic ports instead.

I have the same configuration on 2800 and 2900 series routers with no issues; I register a SIP mobile extension and can communicate with SIP office extensions.

While applying static NAT for port 5060 I get an error that this NAT port is being used (I don't have this issue on 2800 or 2900 routers), and first I have to remove the PAT config, apply static NAT for UDP 5060 and then re-apply the PAT.

Anybody had similar issues or could advise me what is wrong with this platform?

Thanks and best regards.

Remi

5 Replies

Hello.

Could you provide your nat configuration from XE device along with the NAT translation output?

Hello Vasilii,

Thank you for getting in touch with me, and please forgive me for not responding until now; I was away and did not have access to the Internet. Below I paste the relevant configuration:

!

interface GigabitEthernet0/0/1
description WAN Edge ISP-2
vrf forwarding WAN2
ip address 187.118.87.230 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
media-type rj45
negotiation auto
history BPS
no cdp enable
ip virtual-reassembly

!

interface GigabitEthernet0/0/2.301
description TRANSIT
encapsulation dot1Q 301
vrf forwarding TRANSIT
ip address 172.16.31.2 255.255.255.240
ip nat inside
ip tcp adjust-mss 1412
ip policy route-map LB_TRAFFIC_MAP
no cdp enable
ip virtual-reassembly
!

ip nat inside source route-map NAT_ON_WAN2 interface GigabitEthernet0/0/1 vrf TRANSIT overload

!

ip access-list extended WAN2_PAT_ACL
permit ip any any

!

route-map NAT_ON_WAN2 permit 10
match ip address WAN2_PAT_ACL
match interface GigabitEthernet0/0/1

!

ip nat inside source static udp 10.178.30.11 5060 187.118.87.230 5060 vrf TRANSIT extendable

!
ip nat inside source static udp 10.178.30.11 10000 187.118.87.230 10000 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10001 187.118.87.230 10001 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10002 187.118.87.230 10002 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10003 187.118.87.230 10003 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10004 187.118.87.230 10004 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10005 187.118.87.230 10005 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10006 187.118.87.230 10006 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10007 187.118.87.230 10007 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10008 187.118.87.230 10008 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10009 187.118.87.230 10009 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10010 187.118.87.230 10010 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10011 187.118.87.230 10011 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10012 187.118.87.230 10012 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10013 187.118.87.230 10013 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10014 187.118.87.230 10014 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10015 187.118.87.230 10015 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10016 187.118.87.230 10016 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10017 187.118.87.230 10017 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10018 187.118.87.230 10018 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10019 187.118.87.230 10019 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10020 187.118.87.230 10020 vrf TRANSIT extendable

!

This exact config I have running on a 2851 router and it works like a charm. I even host multitenant IP PBX solutions on the same public IP address, just changing the SIP registration port (5071, 5072, 5073, etc.) and the ranges of the UDP ports for RTP (audio). In this scenario, for troubleshooting of the 4351, I left the default port 5060 for SIP registration and RTP range 10000-10020 (same setup on the IP PBX - asterisk).

When I try to configure static NAT for 5060 I get the following error:

%Port 5060 is being used by system

And this is according to the bug: CSCus49353 (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus49353/?referring_site=bugquickviewredir)

I have to remove the PAT configuration, clear the NAT table, then apply the NAT config for port 5060 and reapply the PAT config. I don't get this error when I try to configure RTP ports 1000-10020.

Anyway, when the router is configured the way I describe above, I can register the softphone over WAN to the internal IP PBX, but the router does not complete the NAT translation on audio ports or even does it incorrectly, and the call is dropped after a few seconds. The same happens with the incoming calls on the SIP trunk into the IP PBX; I use DIDWW here for testing purposes.

OK so this is what happens in this very moment when the call is being established:

udp  187.118.87.230:4504   10.178.30.11:10014    46.19.209.69:35544    46.19.209.69:35544

As you can see, the router does not even respect the ports of the static NAT 10014 and 10015. It assigns some random ports. Sometimes it does assign the correct port, but the audio is only one way and dropped after a few seconds - this is regarding the incoming call on the SIP trunk. It would be something like this:

udp  187.118.87.230:10014   10.178.30.11:10014    46.19.209.69:35544    46.19.209.69:35544

But if I call in from the softphone over WAN I don't even get one-way audio, but the router tries to do 2 NAT translations, and I suppose that's correct for 2-way audio communication.

udp  187.118.87.230:4518   10.178.30.11:10014    192.168.1.1:4002      192.168.1.1:4002

udp  187.118.87.230:4538   10.178.30.11:10015    192.168.1.1:4003      192.168.1.1:4003 

And this is what is happening on the router 2851:

udp 187.118.84.73:10070 10.24.8.46:10070 189.139.207.219:39234 189.139.207.219:39234
udp 187.118.84.73:10071 10.24.8.46:10071 189.139.207.219:39235 189.139.207.219:39235

As you can see, the router does respect the NAT configuration, applies the correct translation, and the audio flows through the router perfectly.

I have run out of ideas. I tried denying the static NAT ports under the access-list in the PAT configuration and it did not help. I don't have another IP address to do 1:1 NAT.

Do you have any ideas?

Best regards,

Remi 

A quick note Vasilii,

I removed the PAT config, reapplied the static NAT and applied PAT again. Now I get the correct ports being translated.

udp 187.118.87.230:10005 10.178.30.11:10005 46.19.209.69:44327 46.19.209.69:44327
udp 187.118.87.230:10018 10.178.30.11:10018 46.19.209.69:44146 46.19.209.69:44146
udp 187.118.87.230:10004 10.178.30.11:10004 46.19.209.69:44326 46.19.209.69:44326
udp 187.118.87.230:10019 10.178.30.11:10019 46.19.209.69:44147 46.19.209.69:44147
udp 187.118.87.230:10010 10.178.30.11:10010 46.19.209.69:43688 46.19.209.69:43688
udp 187.118.87.230:10011 10.178.30.11:10011 46.19.209.69:43689 46.19.209.69:43689

But still the incoming call on the SIP trunk drops after a few seconds.

Regards,

Remi
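
Added example, not part of the original thread: a small Python check that compares static port-forward rules against `show ip nat translations` rows and reports any flow whose inside-global port differs from the one its static rule demands, which is the symptom described in the posts above. The function names are hypothetical; the sample rules and rows are copied from those posts.

```python
import re

# Static port forwards, in the form used in the configuration posted above.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b")
# Rows: Pro, Inside global, Inside local, Outside local, Outside global.
XLATE_RE = re.compile(
    r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+\S+:\d+\s+\S+:\d+$")

def parse_static(config):
    """Map (proto, local_ip, local_port) -> (global_ip, global_port)."""
    rules = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, lip, lport, gip, gport = m.groups()
            rules[(proto, lip, int(lport))] = (gip, int(gport))
    return rules

def audit(config, table):
    """Return (row, expected, actual) for rows that bypassed a static rule."""
    rules = parse_static(config)
    findings = []
    for row in table.splitlines():
        m = XLATE_RE.match(row.strip())
        if not m:
            continue  # header, blank line or other non-translation text
        proto, gip, gport, lip, lport = m.groups()
        expected = rules.get((proto, lip, int(lport)))
        actual = (gip, int(gport))
        if expected is not None and expected != actual:
            findings.append((row.strip(), expected, actual))
    return findings

# Sample input assembled from lines quoted in the posts above.
CONFIG = """\
ip nat inside source static udp 10.178.30.11 5060 187.118.87.230 5060 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10014 187.118.87.230 10014 vrf TRANSIT extendable
ip nat inside source static udp 10.178.30.11 10015 187.118.87.230 10015 vrf TRANSIT extendable
"""
TABLE = """\
udp  187.118.87.230:4504   10.178.30.11:10014    46.19.209.69:35544    46.19.209.69:35544
udp  187.118.87.230:10014   10.178.30.11:10014    46.19.209.69:35544    46.19.209.69:35544
udp  187.118.87.230:4518   10.178.30.11:10014    192.168.1.1:4002      192.168.1.1:4002
udp  187.118.87.230:4538   10.178.30.11:10015    192.168.1.1:4003      192.168.1.1:4003
"""

if __name__ == "__main__":
    for row, exp, act in audit(CONFIG, TABLE):
        print(f"expected {exp[0]}:{exp[1]}, got {act[0]}:{act[1]}  <- {row}")
```

Rows with no matching static rule are ignored, so ordinary PAT flows do not show up as findings.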

tadeystas
Level 1

Ever found the problem?

Yeah! You have to go for VASI design if going to NAT between the FVRF and IVRF.

Cheers!