08-19-2018 06:47 PM - edited 08-19-2018 11:01 PM
Hi All
I have NVI NAT on this router. Everything works on the LAN as expected, but from the WAN my SIP phone can register but there is no audio. I assume RTSP is the issue here.
I've restricted my SIP server to use 16384-16390 and opened these firewall ports direct to the SIP end host.
Unfortunately, the same issue.
My configuration is attached.
Ultimately, all I need to do is make SIP signaled calls from a LAN based SIP client to a 4G, WAN based SIP client. Only 1 call.
Is CUBE a solution?
class-map type inspect match-any WAN-to-LAN
 match access-group name RDP
 match access-group name SSH
 match protocol sip
 match access-group name HTTP-HTTPS
 match access-group name SIP-Protection
class-map type inspect match-any LAN-to-WAN
 match access-group name LAN-to-WAN
 match protocol https
 match protocol http
!
policy-map type inspect WAN-to-LAN
 description "Permits inbound to LAN from WAN"
 class type inspect WAN-to-LAN
  inspect
 class class-default
  drop
policy-map type inspect LAN-to-WAN
 description "Permits all traffic from the LAN to the WAN"
 class type inspect LAN-to-WAN
  inspect
 class class-default
  drop
!
zone security LAN
 description "Towards 192.168.0.x"
zone security WAN
 description "Towards NBN"
zone-pair security LAN-to-WAN source LAN destination WAN
 description "Ties the LAN to the WAN"
 service-policy type inspect LAN-to-WAN
zone-pair security WAN-to-LAN source WAN destination LAN
 description "Protect WAN interface"
 service-policy type inspect WAN-to-LAN
!
interface GigabitEthernet0/0
 description "NBN HFC Aussie BroadBand 100/40"
 ip address dhcp
 ip access-group 1 in
 no ip redirects
 ip nat enable
 zone-member security WAN
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description "Local LAN 192.168.0.0/24"
 no ip address
 no ip redirects
 ip nat enable
 duplex auto
 speed 1000
 bridge-group 1
!
interface Vlan1
 description "Link to the 192.168.0.x LAN"
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip nat enable
 zone-member security LAN
!
ip nat source static tcp 192.168.0.141 80 interface GigabitEthernet0/0 6168
ip nat source static tcp 192.168.0.10 3389 interface GigabitEthernet0/0 6150
ip nat source static tcp 192.168.0.3 3001 interface GigabitEthernet0/0 3001
ip nat source static tcp 192.168.0.2 443 interface GigabitEthernet0/0 6164
ip nat source static tcp 192.168.0.4 3389 interface GigabitEthernet0/0 6169
ip nat source static tcp 192.168.0.3 3000 interface GigabitEthernet0/0 3000
ip nat source static tcp 192.168.0.3 22 interface GigabitEthernet0/0 6165
ip nat source static tcp 192.168.0.4 82 interface GigabitEthernet0/0 6166
ip nat source static tcp 192.168.0.3 8080 interface GigabitEthernet0/0 6170
ip nat source list LAN-NAT interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.0.4 5060 interface GigabitEthernet0/0 5060
ip route 192.168.0.7 255.255.255.255 ucse4/0
ip route 192.168.3.2 255.255.255.255 Embedded-Service-Engine0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip ssh source-interface Vlan1
ip ssh rsa keypair-name ssh
ip ssh version 2
!
ip access-list extended HTTP-HTTPS
 permit tcp any host 192.168.0.141 eq www
 permit tcp any host 192.168.0.3 eq 8080
 permit tcp any host 192.168.0.3 eq 3001
 permit tcp any host 192.168.0.4 eq 82
 permit tcp any host 192.168.0.3 eq www
 permit tcp any host 192.168.0.2 eq 443
 permit tcp any host 192.168.0.3 eq 6170
 permit tcp any host 192.168.0.3 eq 3000
ip access-list extended LAN-NAT
 remark NATs all the LAN hosts to the WAN
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended LAN-to-WAN
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended SIP-Protection
 permit tcp host 203.129.27.127 host 192.168.0.4 eq 5060
 permit udp host 203.129.27.127 host 192.168.0.4 eq 5060
 permit udp host 203.129.27.127 host 192.168.0.4
 permit udp any host 192.168.0.10 range 16384 16390
 permit udp any host 192.168.0.141 range 16384 16390
08-20-2018 08:10 PM
And it's fixed.
Had to open the RTP port to the SIP server in combination with turning the ALGs on and setting RPORT on my Zoiper client. Works nicely now :D
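A diagnostic for the symptom in this thread (registration works, no audio across NAT), added here as an example and not part of any poster's message: it reads the SDP in a SIP message and reports whether the advertised media address is still RFC 1918, whether the audio port falls inside the 16384-16390 range opened on the firewall, and whether the Via header carries rport. The function name, the sample INVITE and the 203.0.113.10 documentation address are constructed for illustration.

```python
import ipaddress

# RTP range from the thread's FreeSWITCH rtp-start-port / rtp-end-port settings.
RTP_PORTS = range(16384, 16391)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_sip_media(message, rtp_ports=RTP_PORTS):
    """Extract the NAT-relevant facts from one SIP message that carries SDP."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    # Topmost Via: rport asks the peer to reply to the source port it actually saw.
    via = next((h for h in head.split("\n") if h.lower().startswith("via:")), "")
    params = [p.strip().lower() for p in via.split(";")[1:]]
    rport = any(p == "rport" or p.startswith("rport=") for p in params)

    session_c = audio_c = audio_port = None
    section = "session"
    for line in body.split("\n"):
        if line.startswith("m="):
            fields = line[2:].split()
            section = fields[0]
            if section == "audio" and audio_port is None:
                audio_port = int(fields[1].split("/")[0])
        elif line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if section == "session":
                session_c = addr
            elif section == "audio" and audio_c is None:
                audio_c = addr
    media_addr = audio_c or session_c  # a media-level c= overrides the session-level one
    private = media_addr is not None and any(
        ipaddress.ip_address(media_addr) in net for net in RFC1918)
    return {"rport": rport, "media_addr": media_addr, "media_addr_private": private,
            "audio_port": audio_port, "audio_port_allowed": audio_port in rtp_ports}

# Constructed sample: an INVITE as it leaves the LAN SIP server, before any rewrite.
INVITE_UNTRANSLATED = "\r\n".join([
    "INVITE sip:remote@example.invalid SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.0.4:5060;branch=z9hG4bK-constructed;rport",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.0.4",
    "c=IN IP4 192.168.0.4",
    "m=audio 16386 RTP/AVP 0 8",
])
# Same message with c= rewritten to a documentation address, as an ALG would do.
INVITE_TRANSLATED = INVITE_UNTRANSLATED.replace("c=IN IP4 192.168.0.4", "c=IN IP4 203.0.113.10")

if __name__ == "__main__":
    for name, msg in (("untranslated", INVITE_UNTRANSLATED), ("translated", INVITE_TRANSLATED)):
        print(name, audit_sip_media(msg))
```

Run against a capture taken on the WAN side, a result with `media_addr_private` true means the remote client is being told to send RTP to an address it cannot reach, which matches signalling succeeding while audio fails.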
08-20-2018 12:32 AM
Hello,
interface GigabitEthernet0/1
description "Local LAN 192.168.0.0/24"
no ip address
no ip redirects
ip nat enable
duplex auto
speed 1000
--> bridge-group 1
Is this a typo? If not, where is the BVI?
08-20-2018 01:12 AM
Sorry, here:
interface Vlan1
 description "Link to the 192.168.0.x LAN"
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip nat enable
 zone-member security LAN
end
08-20-2018 01:27 AM
Hello,
That is the SVI. If you have a bridge group configured, you need a BVI interface. Post the full running configuration, not just snippets, otherwise it is just guesswork.
Also, I don't see access list 1. What do you have specified?
interface GigabitEthernet0/0
description "NBN HFC Aussie BroadBand 100/40"
ip address dhcp
ip access-group 1 in
no ip redirects
ip nat enable
zone-member security WAN
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "Local LAN 192.168.0.0/24"
no ip address
no ip redirects
ip nat enable
duplex auto
speed 1000
bridge-group 1
08-20-2018 01:39 AM
08-20-2018 02:13 AM - edited 08-20-2018 02:14 AM
Hello Kris
This looks suspiciously like that same rtr with the buggy IOS for NVI NAT? - LOL
Anyhow, could you try amending the ZBFW ACL WAN-LAN to include the following, and make sure they are above your existing ACE entries:
ip access-list extended SIP-Protection
5 permit udp any any range 16384 32767
6 permit tcp any any eq 1720
08-20-2018 02:19 AM - edited 08-20-2018 02:24 AM
Hi Paul
I changed the OS, which fixed the NAT issues :) 15.4.3 now. Still have the script which re-adds the NATs upon DHCP on the WAN going down, but it works.
It's absolutely the same router though :D
Same issue, I'm afraid. I tuned FreeSwitch to the port range I put in my ACL, FYI. No audio.
08-20-2018 02:36 AM - edited 08-20-2018 02:36 AM
Hello
Going down the ZBFW route - Check out the post from the Firewall forum - here it may be applicable to you or not regards your voice
08-20-2018 02:42 AM - edited 08-20-2018 02:51 AM
Thanks. With the ZBF turned off on the WAN/LAN, I get the same issue, so I'm pretty sure this is a NAT/SIP issue?
I do see, however, he has static UDP NATs for each RTP port.
EDIT: added those NATs, same issue :*
08-20-2018 02:57 AM
Hello
So then you'll need to amend any static nat entries pertaining to your host to accommodate your voice
Have a look here
08-20-2018 02:59 AM - edited 08-20-2018 03:00 AM
Yes, I tried that.
I added this, 192.168.0.141 being the IP address of the device I'm calling on my LAN. No change.
conf t
!
ip nat source static udp 192.168.0.141 16384 interface GigabitEthernet0/0 16384
ip nat source static udp 192.168.0.141 16385 interface GigabitEthernet0/0 16385
ip nat source static udp 192.168.0.141 16386 interface GigabitEthernet0/0 16386
ip nat source static udp 192.168.0.141 16387 interface GigabitEthernet0/0 16387
ip nat source static udp 192.168.0.141 16388 interface GigabitEthernet0/0 16388
ip nat source static udp 192.168.0.141 16389 interface GigabitEthernet0/0 16389
ip nat source static udp 192.168.0.141 16390 interface GigabitEthernet0/0 16390
08-20-2018 02:01 PM
anyone :(
08-20-2018 01:40 PM
Hello,
Looking at your config, you have SIP ALG turned off:
no ip nat service sip udp port 5060
Is there a specific reason to disable it? Try and re-enable it:
--> ip nat service sip udp port 5060 (which is the default actually)...
08-20-2018 02:10 PM - edited 08-20-2018 02:20 PM
Hi George, with it enabled or disabled the results are the same, I'm afraid.
Signalling works if the SIP NAT Service is disabled for TCP. RTP doesn't work at all, ONLY on the LAN.
FreeSwitch has been configured with RTP as below:
I'll happily PAY for someone to solve it!
<!-- RTP port range -->
<param name="rtp-start-port" value="16384"/>
<param name="rtp-end-port" value="16390"/>
08-20-2018 02:15 PM
Hello,
try:
Router(config)#ip nat service allow-sip-even-rtp-ports