Router 4531 IOS XE Static NAT issues

remi-reszka
Level 1

Hello Experts,

I'm having trouble with a newly bought router 4531 running IOS XE version: isr4300-universalk9.03.16.02.S.155-3.S2-ext.SPA.bin. I have a static NAT for SIP UDP 5060 and RTP ports 10000 to 10020. What happens is that the UDP port translation does not take effect; the NAT on this IOS XE ignores the static NAT configuration and opens dynamic ports instead.

I have the same configuration on 2800 and 2900 series routers with no issues: I register a SIP mobile extension and can communicate with SIP office extensions.

While applying static NAT for port 5060 I get an error that this NAT port is being used (not having this issue on 2800 or 2900 routers), and first I have to remove the PAT config, apply static NAT for UDP 5060 and then re-apply the PAT.

Anybody had similar issues or could advise me what is wrong with this platform?

Thanks and best regards.

Remi

17 Replies

Philip D'Ath
VIP Alumni

Could you show us your NAT configuration?  Are you able to do a simple 1:1 NAT?

Hi Philip,

Thank you for the follow-up. Sure, below I paste the NAT config and the translation results. The 1:1 NAT works fine with TCP, I did a test for RDP TCP:3389 and works fine but when I try for SIP UDP:5060 and RTP ports 10000-10020 no joy. I have my IP PBX configured correctly to work with RTP ports range 10000-10020. I'm not fond of using a default SIP port 5060 and this will be changed, in fact I also did some test with 5071 port with same results.

This is a config for RDP and it works fine:

ip nat inside source static tcp 10.78.20.10 3389 187.118.87.230 3389 vrf TRANSIT extendable

Results:

tcp  187.118.87.230:3389   10.78.20.10:3389     189.139.241.250:58732 189.139.241.250:58732

This is a config for SIP and RTP:

ip nat inside source static udp 10.78.30.11 5060 187.118.87.230 5060 vrf TRANSIT extendable

ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10000 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10001 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10002 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10003 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10004 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10005 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10006 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10007 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10008 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10009 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10010 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10011 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10012 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10013 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10014 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10015 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10016 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10017 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10018 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10019 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10020 vrf TRANSIT extendable

And the results:

udp  187.118.87.230:5060   10.78.30.11:5060     189.139.241.250:39960 189.139.241.250:39960

udp  187.118.87.230:10006  10.78.30.11:10006    192.168.1.1:4002      192.168.1.1:4002

From the above I can see that the SIP registration completes; however, the RTP NAT does not complete and I get only one-way audio. The returning traffic should take one of the designated UDP ports configured for RTP, but it does not.

I also noticed if I dial an internal extension from the mobile extension, the internal extension does not ring however if from internal to a mobile extension it does ring.

I have the same config on a 2851 router and it works perfectly; however, I cannot get why IOS XE (as Cisco says: State of Art software) has those basic issues. Unless I'm missing some configs.

Thanks in advance.

Remi

Hi,

Please deny the static NAT entries in the dynamic NAT or overload statements, this is recommended.

Also, you're forwarding UDP port 10000 to 20 or so different ports, what is the reason behind this?

Thanks,

Shaunak

Hello Shaunak,

That could be a good idea. I currently have my PAT done (on the same public IP address) with a route-map statement, so I would need to deny those ports in the ACL. Let me try doing this. The UDP ports 10000-10020 I'm reserving are to carry SIP RTP (audio) traffic between the externally registered extension and the internal IP PBX. Later on I will probably reserve 100 ports, but for now I'm reserving only 20 for testing purposes.

What is strange is this behaviour. I try to add the following NAT statement:

ip nat inside source static udp 10.78.30.11 5071 187.118.87.230 5071 vrf TRANSIT extendable

The router returns this message:

%Port 5071 is being used by system

But this port does not exist in the NAT translation table. I found this bug CSCus49353:

(Eventually I will add this NAT statement by first clearing the NAT translation table, then removing the PAT statement, applying this static NAT statement on port 5071 and reapplying the PAT. But NAT on UDP 5071 will not work anyway.)

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus49353/?referring_site=bugquickviewredir

sh ip nat portblock dynamic global

And this is the output:

tcp:
8192 -9215 7168 -8191 6144 -7167 5120 -6143 4096 -5119
810 -873 746 -809 682 -745 618 -681 545 -617
udp:
5525 -6548 4501 -5524 585 -648 512 -584

What does that mean? Those ports are reserved by the system and I cannot "un-reserve" them? This range 4501 -5524 shows that I cannot use either UDP 5060 or 5071? Does it mean that even if I add a NAT statement for 5060 or 5071 the SIP signalling will not work correctly and will never pass audio on ports UDP 10000 and above? But ports UDP 10000 onwards are not reserved.

And by running this command:

show ip nat portblock pat global

I get the following:

tcp:
3389 123 122 121
udp:
10020 10019 10018 10017 10016
10015 10014 10013 10012 10011 10010
10009 10008 10007 10006 10005 10004
10003 10002 10001 10000

The port 5060 does not even show as reserved in PAT, even though it is configured in static NAT.

I will try denying those ports in ACLs for PAT and let you know.

Best regards,

Remi
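Two of the questions in the post above can be checked mechanically from the outputs it quotes: whether a statically mapped global port falls inside one of the `show ip nat portblock dynamic global` ranges, and whether the translation table actually shows the configured inside-local to inside-global mapping or a dynamically chosen global port. The script below is an added example, not code from the thread or from Cisco. It assumes the column order of `show ip nat translations` (protocol, inside global, inside local, outside local, outside global) and the range layout shown in the post; the sample input is constructed from the thread's values (using the corrected one-to-one port mapping the poster confirms later), plus one deliberately invented translation row showing what a bypassed static mapping would look like.

```python
"""Checks for the NAT behaviour discussed in the thread (added example, not
thread or Cisco code). Parses static NAT config lines, 'show ip nat translations'
rows and 'show ip nat portblock' ranges; all sample input is constructed."""
import re

# Constructed config using the corrected 1:1 port mapping (10000->10000 etc.).
STATIC_CONFIG = """
ip nat inside source static tcp 10.78.20.10 3389 187.118.87.230 3389 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 5060 187.118.87.230 5060 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10000 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10006 187.118.87.230 10006 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10007 187.118.87.230 10007 vrf TRANSIT extendable
"""

# 'show ip nat portblock dynamic global' output as posted in the thread.
PORTBLOCK_OUTPUT = """
tcp:
8192 -9215 7168 -8191 6144 -7167 5120 -6143 4096 -5119
810 -873 746 -809 682 -745 618 -681 545 -617
udp:
5525 -6548 4501 -5524 585 -648 512 -584
"""

# First three rows are from the thread; the 60123 row is constructed to show
# a statically mapped host:port that ended up behind a dynamic global port.
TRANSLATIONS = """
tcp  187.118.87.230:3389   10.78.20.10:3389     189.139.241.250:58732 189.139.241.250:58732
udp  187.118.87.230:5060   10.78.30.11:5060     189.139.241.250:39960 189.139.241.250:39960
udp  187.118.87.230:10006  10.78.30.11:10006    192.168.1.1:4002      192.168.1.1:4002
udp  187.118.87.230:60123  10.78.30.11:10007    192.168.1.1:4003      192.168.1.1:4003
"""

STATIC_RE = re.compile(
    r"ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<lip>[\d.]+) (?P<lport>\d+) (?P<gip>[\d.]+) (?P<gport>\d+)"
)
# Columns: Pro, Inside global, Inside local, ... (only the first three are needed here)
XLATE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<gip>[\d.]+):(?P<gport>\d+)\s+(?P<lip>[\d.]+):(?P<lport>\d+)"
)
RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")


def parse_static(config_text):
    """Map (proto, inside-local ip, inside-local port) -> (inside-global ip, inside-global port)."""
    table = {}
    for line in config_text.splitlines():
        m = STATIC_RE.search(line)
        if m:
            table[(m["proto"], m["lip"], int(m["lport"]))] = (m["gip"], int(m["gport"]))
    return table


def parse_portblocks(output_text):
    """Turn the 'tcp:' / 'udp:' sections into {proto: [(lo, hi), ...]}."""
    blocks, proto = {}, None
    for line in output_text.splitlines():
        line = line.strip()
        if line.endswith(":"):
            proto = line[:-1]
            blocks.setdefault(proto, [])
        elif proto:
            blocks[proto].extend((int(lo), int(hi)) for lo, hi in RANGE_RE.findall(line))
    return blocks


def reserved_by_system(proto, port, blocks):
    """True when the port lies in one of the dynamically reserved blocks for that protocol."""
    return any(lo <= port <= hi for lo, hi in blocks.get(proto, []))


def static_ports_in_dynamic_blocks(static_table, blocks):
    """Static mappings whose inside-global port collides with a reserved dynamic block."""
    return sorted((proto, gport) for (proto, _l, _p), (_g, gport) in static_table.items()
                  if reserved_by_system(proto, gport, blocks))


def check_translations(static_table, xlate_text):
    """Flag rows where a statically mapped inside host:port sits behind a different global port."""
    findings = []
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        key = (m["proto"], m["lip"], int(m["lport"]))
        expected = static_table.get(key)
        if expected is None:
            continue  # ordinary PAT entry, nothing static to compare against
        actual = (m["gip"], int(m["gport"]))
        if actual != expected:
            findings.append({"local": key, "expected": expected, "actual": actual})
    return findings


if __name__ == "__main__":
    static, blocks = parse_static(STATIC_CONFIG), parse_portblocks(PORTBLOCK_OUTPUT)
    for proto, port in static_ports_in_dynamic_blocks(static, blocks):
        print(f"static {proto}/{port} falls inside a dynamically reserved block")
    for f in check_translations(static, TRANSLATIONS):
        print(f"{f['local']} expected behind {f['expected']} but seen behind {f['actual']}")
```

Run against the thread's own outputs, the first check reports only UDP 5060 (it sits in the 4501-5524 block, while 10000-10020 are outside every block), and the second check stays silent for the rows actually posted; it only fires on the invented 60123 row, which is the pattern to look for when a static mapping is suspected of being bypassed by dynamic PAT.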

Hi Remi,

As per my experience UDP port ranges cannot be forwarded in a single statement, for VOIP to work I would suggest that you configure individual UDP port forwarding NAT statements or configure a 1to1 NAT if you have enough public IP addresses.

Denying the specific ports in the PAT statement is a good practice to follow. Also, do not configure a permit ip any any statement in the NAT ACL; this will lead to problems with NAT and router-bound data or static NATs interoperating with each other.

I guess denying the ports in the PAT ACL would be a good point to start and then we'll take it from there. If this is a test environment then clear the NAT table so that there are no stale entries in the table.

Also, I see that only UDP port 10000 is forwarded to different UDP ports, as shown below--

ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10001 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10002 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10003 vrf TRANSIT extendable
ip nat inside source static udp 10.78.30.11 10000 187.118.87.230 10004 vrf TRANSIT extendable.......,

Is this a typo here? I'm a bit confused.

Thanks,

Shaunak

Hello Shaunak,

Many thanks for the suggestions. There was a typo, so the ports in the NAT translations do not match in the post above, but I have them configured correctly: 10000 to 10000, 10001 to 10001, etc.

I understand your point, but the interesting thing is that I'm using a 2851 router for the same NAT config and it works perfectly, with VRFs and even with multi-tenant, that is to say I'm running multiple IP PBXs (asterisk) having NAT configured with SIP and RTP mapped to different private IP addresses and different ports, and all that on a single public IP address that is also used for PAT. Here with this beast router 4531 I cannot do it. Is that due to the fact that I'm trying to accomplish the same config with IOS XE?

Best regards,

Remi

Hi Remi,

The IOS-XE and IOS instruction sets are different and have different ways of handling things internally. This comparison might be an apples to oranges comparison.

Try to deny the port ranges in PAT and see if that helps, otherwise you may also think of approaching TAC since they can remotely tshoot this over a call and webex sessions.

Thanks,

Shaunak

Hi Shaunak,

Again, many thanks for the suggestions. I'm trying to block those ports in the PAT ACLs. I will let you know the results. Otherwise I will have to get the SmartNET and speak to TAC. I am also considering this platform 4300/4400, or even ASR1K, for my multi-tenant SIP services; however, after this problem I'm not sure how I could deploy it in my scenario. I thought IOS XE was a real "State-of-Art" software, as Cisco describes it, and handles the processes much better compared to IOS; maybe there is some good workaround. I'm sure Cisco has strong support for IOS XE.

As a tip, how would you block the static NAT in PAT ACL? By denying "udp any any eq 5071" and "udp any any range 10000 10020" or I should narrow it down to certain host on the LAN?

Best regards,

Remi 
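The question above is about how the deny lines in the PAT ACL should be written. The evaluator below is an added example, not from any participant in the thread or from Cisco: it applies Cisco-style extended ACL lines (first match wins, implicit deny at the end) to a few constructed inside-to-outside flows, assuming the ACL referenced by the PAT route-map is evaluated in that direction, so the source is the inside host and port. A `deny` in a NAT ACL means the flow is not a candidate for that dynamic translation, which is what leaves the static entry in charge. The ACL lines, the host-specific form of the deny, and the packets are all constructed; the second ACL is the bare `permit ip any any` that Shaunak advised against, included so the two can be compared.

```python
"""Evaluator for Cisco-style extended ACL lines, used to see which inside flows a
PAT ACL admits (added example; the ACL lines and packets are constructed)."""
import ipaddress

# Candidate PAT ACL: exclude the statically mapped host/ports first, then permit the LAN.
PAT_ACL_TIGHT = [
    "deny   udp host 10.78.30.11 eq 5060 any",
    "deny   udp host 10.78.30.11 range 10000 10020 any",
    "deny   tcp host 10.78.20.10 eq 3389 any",
    "permit ip 10.78.0.0 0.0.255.255 any",
]
# The broad form: everything, including the statically mapped hosts, becomes a PAT candidate.
PAT_ACL_LOOSE = ["permit ip any any"]


def _parse_addr(tokens, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i] -> ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    return (addr, wild), i + 2


def _parse_ports(tokens, i):
    """Optional 'eq N' or 'range LO HI' at tokens[i] -> ((lo, hi) or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1])
        return (port, port), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i


def parse_acl(lines):
    """Parse 'permit|deny proto src [ports] dst [ports]' lines; remarks and blanks are skipped."""
    rules = []
    for line in lines:
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto, i = t[0], t[1], 2
        src, i = _parse_addr(t, i)
        sports, i = _parse_ports(t, i)
        dst, i = _parse_addr(t, i)
        dports, _ = _parse_ports(t, i)
        rules.append((action, proto, src, sports, dst, dports))
    return rules


def _addr_match(spec, ip):
    addr, wild = spec  # bits set in the wildcard mask are don't-care bits
    return (int(ipaddress.ip_address(ip)) | wild) == (addr | wild)


def _port_match(spec, port):
    return spec is None or spec[0] <= port <= spec[1]


def acl_action(rules, pkt):
    """First matching line wins; a Cisco ACL ends with an implicit deny."""
    for action, proto, src, sports, dst, dports in rules:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if (_addr_match(src, pkt["src"]) and _port_match(sports, pkt["sport"])
                and _addr_match(dst, pkt["dst"]) and _port_match(dports, pkt["dport"])):
            return action
    return "deny"


def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed inside-to-outside flows using the thread's inside addresses.
SIP_REGISTER = pkt("udp", "10.78.30.11", 5060, "189.139.241.250", 39960)
RTP_STREAM = pkt("udp", "10.78.30.11", 10006, "192.168.1.1", 4002)
PBX_DNS = pkt("udp", "10.78.30.11", 40000, "203.0.113.5", 53)      # PBX traffic outside the RTP range
RDP_SERVER = pkt("tcp", "10.78.20.10", 3389, "189.139.241.250", 58732)
OTHER_HOST = pkt("udp", "10.78.20.55", 5060, "203.0.113.5", 5060)   # another LAN host using 5060
FOREIGN_LAN = pkt("udp", "10.79.1.1", 5060, "203.0.113.5", 5060)    # outside the permitted LAN

if __name__ == "__main__":
    tight, loose = parse_acl(PAT_ACL_TIGHT), parse_acl(PAT_ACL_LOOSE)
    flows = [("SIP", SIP_REGISTER), ("RTP", RTP_STREAM), ("PBX DNS", PBX_DNS),
             ("RDP", RDP_SERVER), ("other host", OTHER_HOST), ("10.79 host", FOREIGN_LAN)]
    for name, p in flows:
        print(f"{name:10s} tight={acl_action(tight, p):6s} loose={acl_action(loose, p)}")
```

With the host-specific lines, only the PBX's SIP and RTP ports (and the RDP host's 3389) fall out of PAT; the PBX's other traffic and another LAN host's port-5060 traffic are still permitted, and a host outside 10.78.0.0/16 hits the implicit deny. A broader `deny udp any any eq 5060` would also pull every other LAN host's port-5060 traffic out of PAT, which the evaluator shows as soon as the line is swapped in. Under the bare `permit ip any any`, the SIP flow is a PAT candidate again, which is the interaction Shaunak's advice is meant to avoid.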

I haven't tried this on IOS-XE yet. Let's pretend your SIP traffic comes from 8.8.8.8; then you could try the below. What it should do is send all traffic from 8.8.8.8 to your internal phone system.

access-list 107 permit ip host 10.78.30.11 host 8.8.8.8

route-map nat-voip permit 1
match ip address 107

ip nat inside source static 10.78.30.11 <outside ip> route-map nat-voip reversible extendable

Can you delete all those NAT statements and replace them with a 1:1 NAT? And move 10.78.20.10 onto a different external public IP address?

ip nat inside source static 10.78.20.11 3389 187.118.87.230 vrf TRANSIT extendable

A one to one NAT will work since that'll open all the ports.

Don't forget to deny this internal IP in the overload ACL otherwise this might lead to unexpected results during the NAT process.

ip nat inside source static 10.78.20.11 3389 187.118.87.230 vrf TRANSIT extendable
^
|
Remove this might have been left by mistake

Thank you for your comments Philip and Shaunak. Can I do the 1:1 NAT statement on this public IP if I have already used it in production? If not, I would need to try getting a new public IP.

Regards,

Remi,

This will not be possible since a Public IP cannot be used for both 1to1 static and PAT.

In 1to1 NAT all the ports are forwarded bi-directionally, while PAT works from the inside out, opening ports dynamically. The range of ports is the same pool, hence this conflicts with the idea behind both technologies.

Hope this makes it clear.

Thanks,

Shaunak

Try getting a new public IP.  It would make life much easier.
