Trying to get RTP working through Cisco Router

dastrix80
Level 1

Hi All

I have NVI NAT on this router. Everything works on the LAN as expected, but from the WAN my SIP phone can register but has no audio. I assume RTSP is the issue here.

I've restricted my SIP server to use 16384-16390 and opened these firewall ports direct to the SIP end host.

Unfortunately, the same issue.

My configuration is attached.

Ultimately, all I need to do is make SIP-signaled calls from a LAN-based SIP client to a 4G, WAN-based SIP client. Only 1 call.

Is CUBE a solution?

class-map type inspect match-any WAN-to-LAN
 match access-group name RDP
 match access-group name SSH
 match protocol sip
 match access-group name HTTP-HTTPS
 match access-group name SIP-Protection
class-map type inspect match-any LAN-to-WAN
 match access-group name LAN-to-WAN
 match protocol https
 match protocol http
!
policy-map type inspect WAN-to-LAN
 description "Permits inbound to LAN from WAN"
 class type inspect WAN-to-LAN
  inspect
 class class-default
  drop
policy-map type inspect LAN-to-WAN
 description "Permits all traffic from the LAN to the WAN"
 class type inspect LAN-to-WAN
  inspect
 class class-default
  drop
!
zone security LAN
 description "Towards 192.168.0.x"
zone security WAN
 description "Towards NBN"
zone-pair security LAN-to-WAN source LAN destination WAN
 description "Ties the LAN to the WAN"
 service-policy type inspect LAN-to-WAN
zone-pair security WAN-to-LAN source WAN destination LAN
 description "Protect WAN interface"
 service-policy type inspect WAN-to-LAN

!
interface GigabitEthernet0/0
 description "NBN HFC Aussie BroadBand 100/40"
 ip address dhcp
 ip access-group 1 in
 no ip redirects
 ip nat enable
 zone-member security WAN
 load-interval 30
 duplex auto
 speed auto
!

interface GigabitEthernet0/1
 description "Local LAN 192.168.0.0/24"
 no ip address
 no ip redirects
 ip nat enable
 duplex auto
 speed 1000
 bridge-group 1
!

interface Vlan1
 description "Link to the 192.168.0.x LAN"
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip nat enable
 zone-member security LAN

!

ip nat source static tcp 192.168.0.141 80 interface GigabitEthernet0/0 6168
ip nat source static tcp 192.168.0.10 3389 interface GigabitEthernet0/0 6150
ip nat source static tcp 192.168.0.3 3001 interface GigabitEthernet0/0 3001
ip nat source static tcp 192.168.0.2 443 interface GigabitEthernet0/0 6164
ip nat source static tcp 192.168.0.4 3389 interface GigabitEthernet0/0 6169
ip nat source static tcp 192.168.0.3 3000 interface GigabitEthernet0/0 3000
ip nat source static tcp 192.168.0.3 22 interface GigabitEthernet0/0 6165
ip nat source static tcp 192.168.0.4 82 interface GigabitEthernet0/0 6166
ip nat source static tcp 192.168.0.3 8080 interface GigabitEthernet0/0 6170
ip nat source list LAN-NAT interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.0.4 5060 interface GigabitEthernet0/0 5060
ip route 192.168.0.7 255.255.255.255 ucse4/0
ip route 192.168.3.2 255.255.255.255 Embedded-Service-Engine0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip ssh source-interface Vlan1
ip ssh rsa keypair-name ssh
ip ssh version 2
!
ip access-list extended HTTP-HTTPS
 permit tcp any host 192.168.0.141 eq www
 permit tcp any host 192.168.0.3 eq 8080
 permit tcp any host 192.168.0.3 eq 3001
 permit tcp any host 192.168.0.4 eq 82
 permit tcp any host 192.168.0.3 eq www
 permit tcp any host 192.168.0.2 eq 443
 permit tcp any host 192.168.0.3 eq 6170
 permit tcp any host 192.168.0.3 eq 3000

ip access-list extended LAN-NAT
 remark NATs all the LAN hosts to the WAN
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended LAN-to-WAN
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended SIP-Protection
 permit tcp host 203.129.27.127 host 192.168.0.4 eq 5060
 permit udp host 203.129.27.127 host 192.168.0.4 eq 5060
 permit udp host 203.129.27.127 host 192.168.0.4
 permit udp any host 192.168.0.10 range 16384 16390
 permit udp any host 192.168.0.141 range 16384 16390

 

21 Replies

No change Georg :(

Hello,

What if you use the IP address assigned by DHCP to your WAN interface and use that instead of the interface name? So e.g.:


ip nat source static tcp 192.168.0.4 5060 212.22.12.12 5060 extendable

Hi Georg

The issue is not with 5060. As mentioned, the phone can register with the SIP server just fine on the static NAT I've created. It rings, accepts and hangs up just fine. So this static NAT is not the culprit.

Also, the extendable is not an option using my NAT statement.

And here lies the problem. That IP address is my mobile phone's private IP (the Telco-allocated one), which means the proxy doesn't know how to route to it, hence no RTP.

v=0
o=Zoiper 0 1 IN IP4 10.164.13.47
s=Zoiper
c=IN IP4 10.164.13.47
t=0 0
m=audio 16392 RTP/AVP 0 3 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
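
An added example (not part of the original thread): a Python check that parses the SDP quoted above and flags media streams whose advertised address a public peer cannot route RTP to, which is the condition that post describes. The signalling source address `198.51.100.23` is a constructed placeholder, and the function names are hypothetical.

```python
import ipaddress

# SDP from the post above (codec a=rtpmap/a=fmtp lines omitted).
SDP = """v=0
o=Zoiper 0 1 IN IP4 10.164.13.47
s=Zoiper
c=IN IP4 10.164.13.47
t=0 0
m=audio 16392 RTP/AVP 0 3 8 101
a=sendrecv
"""
# IPv4 space a peer on the public Internet cannot send RTP to.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16")]                  # loopback, link-local

def parse_sdp(body):
    """Return (session_addr, [(media, port, addr), ...]) for IPv4 SDP."""
    session_addr, media = None, []
    for line in body.splitlines():
        line = line.strip()
        if len(line) < 3 or line[1] != "=":
            continue
        kind, fields = line[0], line[2:].split()
        if kind == "c" and len(fields) == 3 and fields[1] == "IP4":
            addr = fields[2].split("/")[0]      # drop multicast TTL suffix
            if media:
                media[-1][2] = addr             # media-level c= overrides session
            else:
                session_addr = addr
        elif kind == "m" and len(fields) >= 2:
            media.append([fields[0], int(fields[1].split("/")[0]), None])
    return session_addr, [(m, p, a or session_addr) for m, p, a in media]

def audit(body, signalling_src):
    """Flag streams whose advertised address cannot receive RTP from outside.
    signalling_src is the source IP the SIP packet actually arrived from."""
    findings = []
    for media, port, addr in parse_sdp(body)[1]:
        if addr is None:
            continue
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in UNROUTABLE):
            findings.append((media, addr, port, "unroutable"))
        elif addr != signalling_src:
            findings.append((media, addr, port, "differs-from-signalling-source"))
    return findings

if __name__ == "__main__":
    print(audit(SDP, "198.51.100.23"))  # constructed public source address
```
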

And it's fixed.

Had to open the RTP port to the SIP server in combination with turning the ALGs on and setting RPORT on my Zoiper client. Works nicely now :D

Hello,

So, for future reference, in the end your initial router configuration was good?

Glad that you got it sorted out...

Well, I didn't have RTP open to the SIP server. I thought RTP was peer to peer, not peer to server?
