UC500, SA520 and Cisco 877

Stefano Pilla
Level 1

Hi everybody,

I have an issue with incoming calls to my UC500, which is behind an SA520 firewall and a Cisco 877.

The topology is like that:

Internet (SIP Provider) <---- ADSL (POTS)----> (NAT Public Static IP Address)  Cisco 877  LAN(192.168.1.1) <---> (192.168.1.2 - WAN) SA520 (VLAN1 192.168.75.1) <--> 192.168.75.254 (WAN) UC540 (VLAN1 192.168.200.1) <--> INSIDE LAN (switches, phones, etc)..

The 877 simply forwards all incoming traffic from the outside network to the SA520 firewall, and all inside traffic to the outside, with these NAT entries:

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static 192.168.1.2 MY_PUBLIC_IP_ADDRESS

(Access-list 1 permit inside LAN traffic)

On the SA520 I have configured two firewall rules for SIP_UDP and SIP_TCP traffic (UDP ports 5060 to 5070) that permit this traffic from ANY source to 192.168.75.254.

When I try to call someone from inside to the outside everything works well, but when someone tries to call me from the outside, the SIP call is blocked by the firewall (as I understand it). I say this because of these debug results ("debug ip nat inside sip" on the 877 and a packet capture on the SA520):

Jul 29 10:14:05.495: NAT: SIP: [1] processing INVITE message

Jul 29 10:14:05.495: NAT: SIP: [1] translated embedded address MY_PUBLIC_IP_ADDRESS->192.168.1.2

Jul 29 10:14:05.495: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.495: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.495: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.495: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.495: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.495: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.495: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.495: NAT: SIP: Contact header found

Jul 29 10:14:05.495: NAT: SIP: Trying to find expires parameter

Jul 29 10:14:05.495: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.495: NAT: SIP: [1] message body found

Jul 29 10:14:05.499: NAT: SIP: Media Lines present:1

Jul 29 10:14:05.499: NAT: SIP: Translated m= (62.94.199.36, 55024) -> (62.94.199.36, 55024)

Jul 29 10:14:05.499: NAT: SIP: old_sdp_len:414 new_sdp_len :414

Jul 29 10:14:05.955: NAT: SIP: [1] processing INVITE message

Jul 29 10:14:05.955: NAT: SIP: [1] translated embedded address MY_PUBLIC_IP_ADDRESS->192.168.1.2

Jul 29 10:14:05.955: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.955: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.955: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.955: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.955: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.955: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.955: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.955: NAT: SIP: Contact header found

Jul 29 10:14:05.955: NAT: SIP: Trying to find expires parameter

Jul 29 10:14:05.955: NAT: SIP: [1] register:0 door_created:0

Jul 29 10:14:05.955: NAT: SIP: [1] message body found

Jul 29 10:14:05.959: NAT: SIP: Media Lines present:1

Jul 29 10:14:05.959: NAT: SIP: Translated m= (62.94.199.36, 55024) -> (62.94.199.36, 55024)

Captured traffic from the SA520 (I've hidden my public IP address and my phone number):

[Screenshot of the SA520 packet capture: "Screen Shot 2011-07-29 at 12.27.25 copy.png"]

The only error I see is the "401 Unauthorized", but after it I can also see "Status OK"... I've verified that the incoming call does not reach the UC500 with the commands "debug ccsip messages" and "debug voip dialpeer inout".

I'm not able to isolate the problem. I have also tried to forward all incoming traffic from the 877 directly to the UC500 with a firewall rule on the SA520, but without result. In my opinion it seems to be an issue with the SA520 and not with the 877 or the UC500.

Are there some tests or debugs that I can do to isolate the problem?

Other useful information:

Only the Dialer0 interface NATs from and to the outside networks.

SIP ALG on the SA520 is enabled.

No other NAT inside the LAN.

The registration with the trunk is OK (verified with the "sh sip-ua register status" command on the UC500).

The provider makes incoming calls from a pool of IP addresses that are not in the same subnet as the SIP trunk endpoint (but I've installed the firewall rule with ANY as the source).

Thanks in advance to everybody,

2 Replies

Brandon Turpin
Cisco Employee

Hi Stefano,

In the packet capture, it looks like the INVITEs are seen on the WAN. If you run a packet capture on the LAN side, do you see the INVITEs going to the UC500? What image is running on the SA520? This looks similar to some issues seen with SIP ALG. You will probably want to open a case with SBSC and work with them on this.

Thanks,

Brandon

Hi Brandon,

thanks for your reply.

I made a debug (debug ccsip all, debug voip dialpeer inout, etc.) on the UC500 and it seems that the SA520 does not forward the INVITEs to the UC500. The SA520 is running the latest firmware version (sa500-k9-2.1.51.img).

The strange thing is that sometimes it works (with or without firewall rules). I've tried without the firewall and it works, so there is something in the SA520 configuration that blocks the SIP traffic. I've also tried to forward all the traffic from the router directly to the UC500 and it doesn't work; this confirms my opinion that there is something in the SA520 config.

I have to open a case with the SBSC and work with them on it.

If you have some other suggestions please let me know.

Thank you very much.
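The thread turns on one question: does the INVITE seen on the WAN side reach the LAN side at all, and with its embedded addresses rewritten the way the 877's "translated embedded address MY_PUBLIC_IP_ADDRESS->192.168.1.2" debug line describes? Brandon's LAN-side capture is the way to answer it. As an added example, not code from the thread, from the poster or from Cisco, the script below parses two captures of the same INVITE (one taken on each side of a NAT/ALG device) and reports which address-bearing spots were rewritten to the inside address, which still carry the public address, and whether the two copies belong to the same dialog (Call-ID). Everything in it is constructed: the SIP messages, the RFC 5737 documentation address standing in for MY_PUBLIC_IP_ADDRESS, the provider address, and the names PUBLIC_IP, INSIDE_IP, parse_sip, embedded_addresses and audit_alg. The LAN copy is deliberately a partial rewrite so the report has something to show; it is not a claim about what the 877 or the SA520 actually does.

```python
"""Compare the WAN-side and LAN-side copies of one inbound SIP INVITE and
report what the SIP ALG rewrote.

Added example for this thread; not the poster's code and not a Cisco tool.
All addresses and messages are constructed (RFC 5737 documentation ranges)
and stand in for MY_PUBLIC_IP_ADDRESS, the 877's static-NAT inside address
192.168.1.2, and the SIP provider's host.
"""
import re
from typing import Any, Dict, List, Tuple

PUBLIC_IP = "198.51.100.10"   # constructed stand-in for MY_PUBLIC_IP_ADDRESS
INSIDE_IP = "192.168.1.2"     # static-NAT inside address from the thread

_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Headers in which an ALG has to consider rewriting embedded addresses.
_ADDR_HEADERS = ("via", "from", "to", "contact", "route", "record-route")
_COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
            "m": "contact", "c": "content-type"}


def parse_sip(raw: str) -> Dict[str, Any]:
    """Split a SIP message into start line, (name, value) headers and body.
    Header names are lower-cased and compact forms expanded."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")   # first ':' only; values may contain ':'
        name = name.strip().lower()
        headers.append((_COMPACT.get(name, name), value.strip()))
    return {"start": lines[0], "headers": headers, "body": body}


def header(msg: Dict[str, Any], name: str) -> str:
    """First value of the named header, or '' if absent."""
    for n, v in msg["headers"]:
        if n == name:
            return v
    return ""


def embedded_addresses(msg: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each address-bearing spot (start line, selected headers, SDP o=/c=)
    to the IPv4 addresses found in it."""
    spots: Dict[str, List[str]] = {"start-line": _IPV4.findall(msg["start"])}
    for name, value in msg["headers"]:
        if name in _ADDR_HEADERS:
            spots.setdefault(name, []).extend(_IPV4.findall(value))
    for line in msg["body"].splitlines():
        if line.startswith(("o=", "c=")):
            spots.setdefault("sdp " + line[:2], []).extend(_IPV4.findall(line))
    return spots


def audit_alg(wan_raw: str, lan_raw: str, public_ip: str, inside_ip: str) -> Dict[str, List[str]]:
    """'translated': spots where the public address became the inside address;
    'untranslated': spots where the public address survived on the LAN side;
    'mismatch': the two copies are not the same dialog.  Spots that carry only
    the provider's own addresses are left alone, as an ALG should leave them."""
    wan, lan = parse_sip(wan_raw), parse_sip(lan_raw)
    report: Dict[str, List[str]] = {"translated": [], "untranslated": [], "mismatch": []}
    if header(wan, "call-id") != header(lan, "call-id"):
        report["mismatch"].append(
            f"Call-ID differs: {header(wan, 'call-id')!r} vs {header(lan, 'call-id')!r}")
    wan_spots, lan_spots = embedded_addresses(wan), embedded_addresses(lan)
    for spot, addrs in wan_spots.items():
        if public_ip not in addrs:
            continue
        lan_addrs = lan_spots.get(spot, [])
        if inside_ip in lan_addrs and public_ip not in lan_addrs:
            report["translated"].append(spot)
        else:
            report["untranslated"].append(spot)
    return report


# Constructed inbound INVITE as a WAN-side capture would show it.
WAN_INVITE = """INVITE sip:+390123456789@198.51.100.10:5060 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-c0ffee
From: "Caller" <sip:+390987654321@203.0.113.5>;tag=1a2b
To: <sip:+390123456789@198.51.100.10>
Call-ID: 7d3e2a1f@203.0.113.5
CSeq: 1 INVITE
Contact: <sip:+390987654321@203.0.113.5:5060>
Content-Type: application/sdp
Content-Length: 116

v=0
o=- 1311930845 1311930845 IN IP4 203.0.113.5
s=-
c=IN IP4 203.0.113.5
t=0 0
m=audio 55024 RTP/AVP 8 0 101
"""

# Constructed LAN-side copy: the Request-URI was rewritten but the To header
# still carries the public address (a partial rewrite, to show how it is reported).
LAN_INVITE = WAN_INVITE.replace(
    "INVITE sip:+390123456789@198.51.100.10:5060",
    "INVITE sip:+390123456789@192.168.1.2:5060")

if __name__ == "__main__":
    for key, spots in audit_alg(WAN_INVITE, LAN_INVITE, PUBLIC_IP, INSIDE_IP).items():
        print(f"{key:12s} {spots}")
```

Feed it the text of the two INVITEs exported from the captures (the SA520's WAN side and a LAN-side capture toward 192.168.75.254). No LAN-side copy at all, rather than a partial rewrite, is the symptom this thread describes, and that absence is something the capture itself shows before this script is needed.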
