[c-nsp] iChat AV and Cisco CBAC/NAT

Rodney Dunn rodunn at cisco.com
Thu Mar 15 15:58:02 EST 2007


On Thu, Mar 15, 2007 at 03:35:43PM -0500, Church, Charles wrote:
> Rodney,
> 
> 	We were instructed to use:
> 
> no ip nat service sip tcp port 5060
> no ip nat service sip udp port 5060 
> 
> by TAC to fix an issue with NAT between Cisco phones and a Broadsoft IP
> softswitch.  That fixed our issue of phones not registering correctly.

That just turns off SIP translation for embedded payload information.
If your end stations require that, SIP may fail.

> The thing that bothered me was that the default according to the docs
> was that NAT payload correction (for lack of a better term) wasn't
> supposed to be enabled by default.

It is.

> Back when I had Vonage a year ago,
> it worked flawlessly with various home routers, which don't touch the
> payload.  Since it seems that most ATAs/phones and softswitches these
> days seem to work with non payload correction NAT, wouldn't it make
> sense for a NATing device in the middle to no longer touch the payload?

If that were the case I do agree with you. But I'm not a SIP expert so
I can't comment on what devices would or would not work if the embedded
information isn't translated correctly.


> The docs on CCO didn't seem to cover the matter when I was looking about
> 5 months ago.  It was painful though.  

I've but a few bumps on my noggin from a couple of SIP/NAT bugs. ;)

Rodney

> 
> Chuck Church
> Multimax Network Engineer, CCIE #8776
> EDS Contractor, Multimax - Navy Marine Corps Intranet (NMCI)
> 1210 N. Parker Rd. | Greenville, SC 29609 
> Office: 864-335-9473 | Cell: 864-266-3978
> cchurch at multimax.com
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rodney Dunn
> Sent: Thursday, March 15, 2007 3:45 PM
> To: Jared Mauch
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] iChat AV and Cisco CBAC/NAT
> 
> > 
> > 	Cisco doesn't actually care about SIP though from what I can tell as
> > some of their devices (eg: 7970) don't handle SIP messages properly.
> 
> We do care. I've spent some countless hours working on whacky NAT
> problems where we didn't handle some embedded SIP payload translation
> right. It's not that we don't care. It's that some of the SIP
> implementations and timing conditions, etc. we just don't see in the
> lab. Some we've never even heard of. 
> 
> > I don't think they test with anything but their own internal suites 
> > which appear to be buggy.  I was able to crash some older sip phones 
> > in the past by sending them a well formatted and innocuous options 
> > message in the past.
> 
> I don't know all the details but I know they have some SIP test suites
> that the NAT folks test with to try and make sure NAT can handle all of
> them. It's not perfect for sure.
> 
> I'm sure no other vendor's NAT implementation that starts translating
> embedded ip information is perfect either. 
> 
> If someone has found a bug where we don't translate, open the TAC case
> and it will be fixed if the SIP implementation is acting within
> specification.
> 
> Rodney
> 
> > 
> > 	- jared
> > 
> > --
> > Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> > clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
