[c-nsp] iChat AV and Cisco CBAC/NAT

Church, Charles cchurch at multimax.com
Thu Mar 15 15:35:43 EST 2007


Rodney,

	We were instructed to use:

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060 

by TAC to fix an issue with NAT between Cisco phones and a Broadsoft IP
softswitch.  That fixed our issue of phones not registering correctly.
The thing that bothered me was that the default according to the docs
was that NAT payload correction (for lack of a better term) wasn't
supposed to be enabled by default.  Back when I had Vonage a year ago,
it worked flawlessly with various home routers, which don't touch the
payload.  Since it seems that most ATAs/phones and softswitches these
days seem to work with non payload correction NAT, wouldn't it make
sense for a NATing device in the middle to no longer touch the payload?
The docs on CCO didn't seem to cover the matter when I was looking about
5 months ago.  It was painful though.  

Chuck Church
Multimax Network Engineer, CCIE #8776
EDS Contractor, Multimax - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609 
Office: 864-335-9473 | Cell: 864-266-3978
cchurch at multimax.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rodney Dunn
Sent: Thursday, March 15, 2007 3:45 PM
To: Jared Mauch
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] iChat AV and Cisco CBAC/NAT

> 
> 	Cisco doesn't actually care about SIP though from what I can
> tell as some of their devices (eg: 7970) don't handle SIP messages properly.

We do care. I've spent some countless hours working on whacky NAT
problems where we didn't handle some embedded SIP payload translation
right. It's not that we don't care. It's that some of the SIP
implementations and timing conditions, etc. we just don't see in the
lab. Some we've never even heard of. 

> I don't think they test with anything but their own internal suites 
> which appear to be buggy.  I was able to crash some older sip phones 
> in the past by sending them a well formatted and innocuous options 
> message in the past.

I don't know all the details but I know they have some SIP test suites
that the NAT folks test with to try and make sure NAT can handle all of
them. It's not perfect for sure.

I'm sure no other vendor's NAT implementation that starts translating
embedded ip information is perfect either. 

If someone has found a bug where we don't translate, open the TAC case
and it will be fixed if the SIP implementation is acting within
specification.

Rodney

> 
> 	- jared
> 
> --
> Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
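
One way to check whether a NAT device in the path is touching the SIP payload, as discussed in the thread above: compare the message as the phone sent it with the copy the softswitch received and list the embedded address fields that changed. This is an added example, not code from the thread or from Cisco; the function names, hostnames and addresses are constructed, and it also covers the SDP `o=`/`c=` lines that a REGISTER does not carry.

```python
import re

# Places where SIP/SDP carry an IP address inside the payload, beyond the
# IP header that plain NAT already translates.
FIELDS = ("Via:", "Contact:", "o=", "c=")
ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")

def embedded_addrs(msg):
    """Return [(field, 'ip[:port]'), ...] in message order."""
    found = []
    for line in msg.splitlines():
        for field in FIELDS:
            if line.startswith(field):
                m = ADDR.search(line)
                if m:
                    found.append((field.rstrip(":="), m.group(0)))
    return found

def alg_rewrites(sent, received):
    """Pair fields by position; return those whose address changed in transit."""
    changed = []
    pairs = zip(embedded_addrs(sent), embedded_addrs(received))
    for (field, before), (_, after) in pairs:
        if before != after:
            changed.append((field, before, after))
    return changed

# Constructed sample: REGISTER as captured on the phone side (inside address).
SENT = """REGISTER sip:softswitch.example.net SIP/2.0
Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776asdhds
From: <sip:1001@softswitch.example.net>;tag=a73kszlfl
To: <sip:1001@softswitch.example.net>
Call-ID: 1j9FpLxk3uxtm8tn
CSeq: 1 REGISTER
Contact: <sip:1001@10.1.1.20:5060>
Content-Length: 0
"""

# Constructed sample: same message as seen by the softswitch when the NAT
# device rewrites the payload (198.51.100.7:1024 is the assumed outside mapping).
RECV_REWRITTEN = SENT.replace("10.1.1.20:5060", "198.51.100.7:1024")

if __name__ == "__main__":
    for field, before, after in alg_rewrites(SENT, RECV_REWRITTEN):
        print(f"{field}: {before} -> {after}")
    # With payload translation disabled, only the IP header changes:
    print("untouched payload:", alg_rewrites(SENT, SENT) == [])
```

An empty result on a real capture pair means the NAT device left the payload alone, which is the behaviour the `no ip nat service sip` commands above produce.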


