3 Replies Latest reply on Dec 14, 2017 1:07 PM by efurr

    Outbound translations

    efurr New Member

      I have a NetVanta 3120 with a PBX behind it set up with a SIP trunk. Inbound calls always work, but outbound calls occasionally fail. Working with the SIP provider, it looks like the router is translating port 5060 coming from the PBX and sending it on a different port going to the provider. Even though the destination port is still 5060, the provider rejects the registration because the source port is not 5060, or whatever the PBX last registered with. I know the PBX is always trying to register with port 5060; at least that is how it's set up. I have the inbound rules for port forwarding set up without issue. What can I do to ensure that the outbound port doesn't get translated?

       

      The config in question:

       

      hostname "frustrated_custmer"

      enable password encrypted blahblah

      !

      !

      ip subnet-zero

      ip classless

      ip routing

      domain-proxy

      name-server 8.8.8.8

      !

      !

      no auto-config

      !

      event-history on

      no logging forwarding

      logging forwarding priority-level info

      no logging email

      !

      service password-encryption

      !

      username "admin" password encrypted "nottherealpw"

      !

      ip policy-timeout udp all-ports 300

      !

      ip firewall

      no ip firewall alg msn

      no ip firewall alg mszone

      no ip firewall alg h323

      no ip firewall alg sip

      !

      !

      !

      !

      !

      !

      !

      no dot11ap access-point-control

      !

      !

      !

      !

      !

      ip dhcp excluded-address 192.168.1.0 192.168.1.99

      ip dhcp excluded-address 192.168.1.251 192.168.1.255

      !

      ip dhcp pool "Private"

        network 192.168.1.0 255.255.255.0

        dns-server 192.168.1.1

        default-router 192.168.1.1

      !

      !

      !

      !

      !

      !

      !

      !

      !

      vlan 1

        name "Default"

      !

      !

      interface eth 0/1

        ip address  162.x.x.x  255.255.x.x

        ip access-policy Public

        no rtp quality-monitoring

        no shutdown

        no lldp send-and-receive

      !

      !

      interface switchport 0/1

        no shutdown

      !

      interface switchport 0/2

        no shutdown

      !

      interface switchport 0/3

        no shutdown

      !

      interface switchport 0/4

        no shutdown

      !

      !

      !

      interface vlan 1

        ip address  192.168.1.1  255.255.255.0

        ip access-policy Private

        no shutdown

      !

      !

      !

      !

      ip access-list standard wizard-ics

        remark NAT list wizard-ics

        permit any

      !

      !

      ip access-list extended self

        remark Traffic to NetVanta

        permit ip any  any     log

      !

      ip access-list extended web-acl-6

        remark remote_MGMT

        permit tcp host 104.x.x.x  any eq telnet   log

        permit tcp host 104.x.x.x  any eq https   log

        permit tcp host 104.x.x.x  any eq ssh   log

        permit icmp any  any  echo   log

      !

      ip access-list extended wizard-pfwd-1

        remark Port Forward 1

        permit udp host sip.provider.public.address  host 162.x.x.x (public address) eq 5060    log

        permit tcp any  host 162.x.x.x eq 5090   log

        permit tcp any  host 162.x.x.x eq 5003   log

        permit tcp any  host 162.x.x.x eq ftp   log

        permit tcp any  host 162.x.x.x eq 6001   log

        permit udp host sip.provider.public.address  host 162.x.x.x range 50000 50032    log

      !

      ip access-list extended wizard-remote-access

        remark do not hand edit this ACL

        permit icmp any  any  echo   log

        permit tcp host 104.x.x.x  any eq https   log

        permit tcp host 104.x.x.x  any eq telnet   log

        permit tcp host 104.x.x.x  any eq ssh   log

        permit tcp 192.168.1.0 0.0.0.255  any    log

        deny   tcp any  any eq telnet   log

        deny   tcp any  any eq ssh   log

      !

      !

      ip nat pool web-nat-pool-1 static

        local 192.168.1.15 192.168.1.15 global 162.x.x.x 162.x.x.x

      !

      !

      ip policy-class Private

        allow list self self

        nat source list wizard-ics interface eth 0/1 overload

      !

      ip policy-class Public

        allow list web-acl-6 self

        nat destination list wizard-pfwd-1 address 192.168.1.15 (PBX local ip)

      !

      !

      ip route 0.0.0.0 0.0.0.0 162.x.x.x

      !

      no tftp server

      no tftp server overwrite

      http server

      http secure-server

      no snmp agent

      no ip ftp server

      ip ftp server default-filesystem flash

      no ip scp server

      no ip sntp server

      !

      !

      !

      !

      !

      !

      !

      !

      !

      ip sip udp 5060

      ip sip tcp 5060

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      line con 0

        login

        password encrypted 3c309c0483da2eb36a6b04185252b73a3ad4

      !

      line telnet 0

        login

        password encrypted 3c30bd91036f03145b06eb5043d04123583b

        no shutdown

      line telnet 1 2

        login

        password encrypted 404cbd107d81c719bfca71ab72ba23dfd000

        no shutdown

      line telnet 3

        login

        password encrypted 3a362665a7ac45cbccdad29e0ded67275042

        no shutdown

      line telnet 4

        login

        password encrypted 222e281f65ba76f86e29db61b9bac75989bd

        no shutdown

      line ssh 0 4

        login local-userlist

        no shutdown

      !

      sntp server 0.north-america.pool.ntp.org

      !

      !

      !

      !

      !

      !

      end

        • Re: Outbound translations
          jtcorcoran1 New Member

          You already have SIP ALG disabled so that's good... I'm not certain this will resolve your issue but I'd definitely start by removing the SIP statements from your router's config:

          !

          ip sip udp 5060

          ip sip tcp 5060

          !

          • Re: Outbound translations
            jayh Hall_of_Fame

            Your NAT overload is doing port translation when more than one session is established from the same inside to outside IP. You'll need a SIP b2bua configuration and not conventional NAT. Enable SIP ALG and transparent proxy, see if this works for you.

              • Re: Outbound translations
                efurr New Member

                I'll give SIP ALG and transparent proxy a shot at some point. For a quick workaround I set the UDP timeout to a higher value to keep the PBX from trying to use a different port for registration when the re-register time comes. Not the most secure solution, but it got them operational.

                 

                Thanks for the answers!
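
A check for the settings this thread turns on, as an added example (not code from any poster or from the router vendor): it reads the relevant lines of the posted config and compares the UDP policy timeout with the PBX re-registration interval. The 3600-second interval used in the sample call and the finding names are assumptions; the thread does not state the PBX's interval.

```python
import re

# Lines copied from the config posted in this thread, trimmed to the relevant ones.
POSTED_CONFIG = """\
ip policy-timeout udp all-ports 300
no ip firewall alg sip
ip policy-class Private
  nat source list wizard-ics interface eth 0/1 overload
ip policy-class Public
  nat destination list wizard-pfwd-1 address 192.168.1.15
"""

def audit_sip_nat(config, register_interval_s):
    """Return findings about NAT settings that affect a SIP registration binding.

    register_interval_s: PBX re-registration interval in seconds
    (supplied by the caller; an assumption, not a value from the thread).
    """
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # Overload NAT (port address translation) may rewrite the source port.
    for ln in lines:
        if re.fullmatch(r"nat source list \S+ interface .+ overload", ln):
            findings.append("overload-nat: source port is not guaranteed to stay 5060")

    # A leading "no" means the SIP ALG is switched off.
    if "no ip firewall alg sip" in lines:
        findings.append("sip-alg-disabled: router does not rewrite SIP headers")

    # UDP idle timeout compared with the registration interval, plus its scope.
    for ln in lines:
        m = re.fullmatch(r"ip policy-timeout udp (\S+) (\d+)", ln)
        if not m:
            continue
        scope, timeout = m.group(1), int(m.group(2))
        if timeout < register_interval_s:
            findings.append(f"udp-timeout-short: {timeout}s < {register_interval_s}s, "
                            "session can idle out between REGISTERs")
        if scope == "all-ports":
            findings.append(f"udp-timeout-broad: {timeout}s idle timeout covers every UDP port")
    return findings

if __name__ == "__main__":
    for finding in audit_sip_nat(POSTED_CONFIG, 3600):
        print(finding)
```

Raising the timeout above the registration interval clears the `udp-timeout-short` finding, but the `udp-timeout-broad` finding remains because the setting in the posted config is applied to all UDP ports.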