Trying to get RTP working through Cisco Router

dastrix80
Level 1

Hi All


I have NVI NAT on this router. Everything works on the LAN as expected, but from the WAN my SIP phone can register but gets no audio. I assume RTSP is the issue here.

I've restricted my SIP server to use 16384-16390 and opened these firewall ports directly to the SIP end host.

Unfortunately, the same issue.

My configuration is attached.

Ultimately, all I need to do is make SIP-signalled calls from a LAN-based SIP client to a 4G, WAN-based SIP client. Only 1 call.

Is CUBE a solution?

 

class-map type inspect match-any WAN-to-LAN
 match access-group name RDP
 match access-group name SSH
 match protocol sip
 match access-group name HTTP-HTTPS
 match access-group name SIP-Protection
class-map type inspect match-any LAN-to-WAN
 match access-group name LAN-to-WAN
 match protocol https
 match protocol http
!
policy-map type inspect WAN-to-LAN
 description "Permits inbound to LAN from WAN"
 class type inspect WAN-to-LAN
  inspect
 class class-default
  drop
policy-map type inspect LAN-to-WAN
 description "Permits all traffic from the LAN to the WAN"
 class type inspect LAN-to-WAN
  inspect
 class class-default
  drop
!
zone security LAN
 description "Towards 192.168.0.x"
zone security WAN
 description "Towards NBN"
zone-pair security LAN-to-WAN source LAN destination WAN
 description "Ties the LAN to the WAN"
 service-policy type inspect LAN-to-WAN
zone-pair security WAN-to-LAN source WAN destination LAN
 description "Protect WAN interface"
 service-policy type inspect WAN-to-LAN

!
interface GigabitEthernet0/0
 description "NBN HFC Aussie BroadBand 100/40"
 ip address dhcp
 ip access-group 1 in
 no ip redirects
 ip nat enable
 zone-member security WAN
 load-interval 30
 duplex auto
 speed auto
!

interface GigabitEthernet0/1
 description "Local LAN 192.168.0.0/24"
 no ip address
 no ip redirects
 ip nat enable
 duplex auto
 speed 1000
 bridge-group 1
!

interface Vlan1
 description "Link to the 192.168.0.x LAN"
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip nat enable
 zone-member security LAN

!

ip nat source static tcp 192.168.0.141 80 interface GigabitEthernet0/0 6168
ip nat source static tcp 192.168.0.10 3389 interface GigabitEthernet0/0 6150
ip nat source static tcp 192.168.0.3 3001 interface GigabitEthernet0/0 3001
ip nat source static tcp 192.168.0.2 443 interface GigabitEthernet0/0 6164
ip nat source static tcp 192.168.0.4 3389 interface GigabitEthernet0/0 6169
ip nat source static tcp 192.168.0.3 3000 interface GigabitEthernet0/0 3000
ip nat source static tcp 192.168.0.3 22 interface GigabitEthernet0/0 6165
ip nat source static tcp 192.168.0.4 82 interface GigabitEthernet0/0 6166
ip nat source static tcp 192.168.0.3 8080 interface GigabitEthernet0/0 6170
ip nat source list LAN-NAT interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.0.4 5060 interface GigabitEthernet0/0 5060
ip route 192.168.0.7 255.255.255.255 ucse4/0
ip route 192.168.3.2 255.255.255.255 Embedded-Service-Engine0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip ssh source-interface Vlan1
ip ssh rsa keypair-name ssh
ip ssh version 2
!
ip access-list extended HTTP-HTTPS
 permit tcp any host 192.168.0.141 eq www
 permit tcp any host 192.168.0.3 eq 8080
 permit tcp any host 192.168.0.3 eq 3001
 permit tcp any host 192.168.0.4 eq 82
 permit tcp any host 192.168.0.3 eq www
 permit tcp any host 192.168.0.2 eq 443
 permit tcp any host 192.168.0.3 eq 6170
 permit tcp any host 192.168.0.3 eq 3000

ip access-list extended LAN-NAT
 remark NATs all the LAN hosts to the WAN
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended LAN-to-WAN
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended SIP-Protection
 permit tcp host 203.129.27.127 host 192.168.0.4 eq 5060
 permit udp host 203.129.27.127 host 192.168.0.4 eq 5060
 permit udp host 203.129.27.127 host 192.168.0.4
 permit udp any host 192.168.0.10 range 16384 16390
 permit udp any host 192.168.0.141 range 16384 16390

Accepted Solution

And it's fixed.

Had to open the RTP port to the SIP server in combination with turning the ALGs on and setting RPORT on my Zoiper client. Works nicely now :D


21 Replies

Hello,

 

interface GigabitEthernet0/1
description "Local LAN 192.168.0.0/24"
no ip address
no ip redirects
ip nat enable
duplex auto
speed 1000
--> bridge-group 1

 

Is this a typo? If not, where is the BVI?

Sorry, here:

 

interface Vlan1
 description "Link to the 192.168.0.x LAN"
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip nat enable
 zone-member security LAN
end

Hello,

 

That is the SVI. If you have a bridge group configured, you need a BVI interface. Post the full running configuration, not just snippets; otherwise it is just guesswork.

Also, I don't see access list 1. What do you have specified?

 

interface GigabitEthernet0/0
description "NBN HFC Aussie BroadBand 100/40"
ip address dhcp
ip access-group 1 in
no ip redirects
ip nat enable
zone-member security WAN
load-interval 30
duplex auto
speed auto
!

interface GigabitEthernet0/1
description "Local LAN 192.168.0.0/24"
no ip address
no ip redirects
ip nat enable
duplex auto
speed 1000
bridge-group 1

SVI/BVI - same thing. Everything works perfectly except SIP.

 

Full config here

 

 

Hello Kris

This looks suspiciously like that same rtr with the buggy IOS for NVI NAT? - LOL

Anyhow, could you try amending the ZBFW ACL WAN-LAN to include the following, and make sure they are above your existing ACE entries:

ip access-list extended SIP-Protection
5 permit udp any any range 16384 32767
6 permit tcp any any eq 1720



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul

 

I changed the OS, which fixed the NAT issues :) 15.4.3 now. Still have the script which re-adds the NATs when DHCP on the WAN goes down, but it works.

 

It's absolutely the same router though :D

 

 

Same issue, I'm afraid. I tuned FreeSwitch to the port range I put in my ACL, FYI. No audio.

 

 

Hello

Going down the ZBFW route - check out the post from the Firewall forum here. It may or may not be applicable to you regarding your voice.

 

 



Kind Regards
Paul

Thanks. With the ZBF turned off on the WAN/LAN I get the same issue, so I'm pretty sure this is a NAT/SIP issue?

I do see, however, that he has static UDP NATs for each RTP port.

EDIT: added those NATs, same issue :*

 

 

Hello

So then you'll need to amend any static NAT entries pertaining to your host to accommodate your voice.

Have a look here.



Kind Regards
Paul

Yes, I tried that.

 

I added this, 192.168.0.141 being the IP address of the device I'm calling on my LAN. No change.

 

conf t
!
ip nat source static udp 192.168.0.141 16384 interface GigabitEthernet0/0 16384
ip nat source static udp 192.168.0.141 16385 interface GigabitEthernet0/0 16385
ip nat source static udp 192.168.0.141 16386 interface GigabitEthernet0/0 16386
ip nat source static udp 192.168.0.141 16387 interface GigabitEthernet0/0 16387
ip nat source static udp 192.168.0.141 16388 interface GigabitEthernet0/0 16388
ip nat source static udp 192.168.0.141 16389 interface GigabitEthernet0/0 16389
ip nat source static udp 192.168.0.141 16390 interface GigabitEthernet0/0 16390

Anyone? :(

Hello,

 

Looking at your config, you have SIP ALG turned off:

 

no ip nat service sip udp port 5060

 

Is there a specific reason to disable it? Try and re-enable it:

--> ip nat service sip udp port 5060 (which is the default, actually)...

Hi George, with it enabled or disabled the results are the same, I'm afraid.

Signalling works if the SIP NAT service is disabled for TCP. RTP doesn't work at all, ONLY on the LAN.

FreeSwitch has been configured with RTP as below:

I'll happily PAY for someone to solve it!

 

    <!-- RTP port range -->
    <param name="rtp-start-port" value="16384"/>
    <param name="rtp-end-port" value="16390"/>

SI

Hello,

 

try:

 

Router(config)#ip nat service allow-sip-even-rtp-ports
