
Static NAT Public-Private Forwarding on 887VA

Ian Stephens
Level 1

So, I have a bit of a problem getting our NATted Cisco 7960 working with our external SIP providers behind NAT.

We have a block of IPs available to us, however when I assign a static NAT rule for the internal phone, outgoing calls are fine but incoming provides no audio.

We have no ACL blocking or anything, it's fully open to the outside world with the IP assigned to it via NAT.

Our static NAT rule for the phone:

ip nat inside source static 192.168.0.250 xxx.xxx.xxx.xxx

NAT is configured on the phone, with the external IP set correctly.

Also, after a while, it seems as though the registration times out or something because incoming calls no longer work.

I thought a static NAT rule would just allow full access to incoming connections to the internal IP specified?

Your help, thoughts, suggestions and tips are greatly appreciated.

Our main router config (with unnecessary information removed):

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1.essex.xxxx.xxx
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-4.M3.bin
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxx
enable password xxxxxx
!
no aaa new-model
memory-size iomem 10
no ip source-route
!
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.50 192.168.0.255
!
ip dhcp pool NET-POOL
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 8.8.8.8 8.8.4.4
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
controller VDSL 0
!
no ip ftp passive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address 81.138.131.190 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxx
 ppp chap password 0 xxxxxxxxx
 ppp ipcp route default
 no cdp enable
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static 192.168.0.250 xxx.xxx.xxx.xxx <-- THE PHONE's STATIC RULE
!
access-list 101 permit ip any any
!

Accepted Solutions

ROBERTO TACCON
Level 4

Have you tried:

1) disabling NAT ALG for SIP ?

no ip nat service sip udp port 5060

2) change the timeout for NAT

ip nat translation timeout 1800

ip nat translation tcp-timeout 1800

3) check the PHONE SIP/RTP protocol timeout/registration timers // do NOT negotiate, but use a single VOICE codec on the PHONE

4) upgrade the IOS to MAIN/STABLE version M ?

P.S.: if you want, you can also send me the "sh tech" by email so I can check the CPU problem too

Roberto,

Thank you for also looking at this topic.

I have just applied the following directive:

no ip nat service sip udp port 5060

I will see how it goes and post my feedback.

I have changed the NAT timeouts in the past, but that didn't fix anything.

I thought a static NAT directive would always forward all ports and data on to the private IP, therefore timeouts didn't matter because the port was opened each time an incoming request came in.  Am I right?

We are currently running the following on the router:

Version 15.1(4)M3, RELEASE SOFTWARE (fc1)

Thank you again for your assistance.

Roberto,

I can confirm that voice data is now working for incoming calls!

Using the following command:

no ip nat service sip udp port 5060

I'll just wait now to make sure the registration doesn't time out.

I'll keep this post updated.

Thanks!

> I thought a static NAT directive would always forward all ports and data on to the private IP, therefore timeouts didn't matter because the port was opened each time an incoming request came in.  Am I right?

use "sh ip nat translations verbose" and check for the timeout
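
Added example (not part of the original thread and not Cisco code): a small Python audit of the two NAT points this thread turns on, namely that a one-to-one static NAT entry with no inbound ACL on the outside interface leaves every port of the inside host reachable, and whether the SIP NAT ALG has been turned off. The function names and the 203.0.113.x addresses are assumptions, and the check only looks for `ip access-group ... in`, not zone-based firewall or `ip inspect`.

```python
import re

# Constructed sample: NAT-relevant lines modelled on the config posted above,
# with documentation addresses (203.0.113.x) standing in for the public IPs.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static 192.168.0.250 203.0.113.10
access-list 101 permit ip any any
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_nat(config):
    """Return findings for exposed static NAT hosts and an untouched SIP ALG."""
    findings = []
    # Outside interfaces with no inbound ACL (assumption: ACLs are the only filter).
    unfiltered = [name for name, cmds in parse_interfaces(config).items()
                  if "ip nat outside" in cmds
                  and not any(re.match(r"ip access-group \S+ in$", c) for c in cmds)]
    # One-to-one static entries only; port-specific ones carry extra fields.
    statics = re.findall(
        r"^ip nat inside source static ([\d.]+) ([\d.]+)[ \t]*$", config, re.M)
    for local, public in statics:
        if unfiltered:
            findings.append(f"{local} is reachable on every port via {public}: "
                            f"no inbound ACL on {', '.join(unfiltered)}")
    if not re.search(r"^no ip nat service sip udp port 5060[ \t]*$", config, re.M):
        findings.append("no 'no ip nat service sip udp port 5060' line: "
                        "the SIP NAT ALG has not been turned off")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```

An inbound ACL that clears the first finding still has to permit the SIP provider's signalling and RTP traffic to the phone's public address.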