[cisco-voip] IP-Phones NAT problem

Hinson, Greg Greg_Hinson at adp.com
Thu Apr 6 13:45:19 EDT 2006


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html
 
Below is an excerpt from this link, and it appears to be related to what
you are trying to accomplish.
 
-Greg
 
Inspecting Complex Services
Several Internet services use multiple channels to handle the service
control and data communications. For instance, FTP uses one channel to
open initial communications from the client to the server, and the
server opens a separate channel back to the client to send the actual
file transfer traffic. Similarly, H.323 uses one channel for initial
call setup, and other channels are negotiated from the initial
connection to carry the actual streaming media, such as audio traffic in
an IP telephony connection.
The Stateful Inspection engine only needs to see the initiating
connection for these complex services. Subsequent connections for the
session are dynamically opened for the session, based on SPI's scrutiny
of the connection setup. This is usually known as "fixup". If an
outbound ACL is configured on an interface to restrict network access
policy, it must only account for the initiating port. The task of
accommodating the media channels will be handled by Stateful
inspection's fixup. The following command lists the complex services and
their initiating ports that Cisco IOS Stateful Inspection can handle:
FWRouter# sh ip port-map
Default mapping: vdolive     port 7000   system defined
Default mapping: sunrpc      port 111    system defined
Default mapping: netshow     port 1755   system defined
Default mapping: cuseeme     port 7648   system defined
Default mapping: rtsp        port 8554   system defined
Default mapping: realmedia   port 7070   system defined
Default mapping: streamworks port 1558   system defined
Default mapping: ftp         port 21     system defined
Default mapping: rtsp        port 554    system defined
Default mapping: h323        port 1720   system defined
Default mapping: sip         port 5060   system defined
Default mapping: mgcp        port 2427   system defined
Granular Inspection
Granular Protocol Inspection (GPI), introduced in Cisco IOS Software
Release 12.3(14)T, offered complete integration with PAM. Prior to GPI,
a firewall policy was defined by configuring inspection for outbound
TCP, UDP, and ICMP traffic. Inspection was explicitly configured for
specific protocols, such as FTP, H.323, Skinny, Session Initiation
Protocol (SIP) and others that required fixup to watch for and allow
protocol-specific media channels. Common single-connection services such
as POP, Telnet, Microsoft RPC, and other simple protocols were inspected
by the generic capability of TCP, UDP, and ICMP inspection. Using these
generic inspection capabilities is simple to configure, but it limits
Stateful Packet Inspection's granularity: any traffic that was allowed to
leave through a firewall was allowed to return because inspection
created an ACL Bypass entry for that traffic.
GPI allows creation of specific ACL Bypass for only the desired traffic,
as defined by an inspection list consisting of only the protocols that
are explicitly permitted by an organization's Internet/security access
policy.
A complete list of the default services that GPI can inspect is
contained in the appendix at the end of the Stateful Inspection section.
 
------------------------------------------------------------------------
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Mounir Mohamed
Sent: Thursday, April 06, 2006 10:35 AM
To: Voll, Scott
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] IP-Phones NAT problem
 
The NAT device is not a PIX, it's a C2621XM, and I'm using a POOL, so is
there any workaround to solve the problem?
On 4/6/06, Voll, Scott <Scott.Voll at wesd.org> wrote: 
fixup is a command on the pix firewall that works on a protocol to make
it work correctly.
 
scott
 
________________________________

From: cisco-voip-bounces at puck.nether.net on behalf of Mounir Mohamed 
Sent: Thu 4/6/2006 10:18 AM
To: Wes Sisk
Cc: cisco-voip at puck.nether.net 
Subject: Re: [cisco-voip] IP-Phones NAT problem

 
Dear Wes,
 
Could you clarify more: what is the FIXUP?
 
Best Regards,
Mounir Mohamed

 
On 4/6/06, Wes Sisk<wsisk at cisco.com> wrote: 
all voip protocols embed the L3 address in the signaling protocol.  You
will need a NAT device that supports a 'fixup' mechanism for those
protocols. 

 
I know the PIX does.

 
/Wes
 
On Apr 6, 2006, at 8:21 AM, Mounir Mohamed wrote:
 
Dear All,
 
 
I have 2 IP-phones connected to a C2621 with the below configuration. The
problem is that the phones use 10.0.0.25 and 10.0.0.26 and both are NATed
on the 2600 router; both are registered with an international SIP server
but they cannot make calls, even between each other. When I try using
static NAT (Private --> Real IP) everything works fine, but I cannot
dedicate an IP for each phone, and the problem is due to NAT. So could
anybody help with this: how can I use NAT and at the same time have the
phones working? It seems that the NAT port change is the reason behind
the problem.
 
Seef-HQ#sh run
Building configuration...
 
Current configuration : 1596 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Seef-HQ
!
logging buffered 4096 debugging
enable secret 5 $1
!
ip subnet-zero
ip cef
!
!
ip name-server 195.219.14.20
ip name-server 64.85.63.6
!
!
!
voice rtp send-recv
!
voice service voip 
 sip
!
voice class codec 1
 codec preference 1 g711ulaw
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination 
!
!
!
!         
!         
!         
interface FastEthernet0/0
 ip address 217.X.X.X 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
!         
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!         
ip nat pool LAN 217.X.X.X 217.X.X.X prefix-length 28
ip nat inside source list 10 pool LAN overload
ip nat inside source static tcp 10.0.0.113 80 interface FastEthernet0/0 9999
ip nat inside source static 10.0.0.4 217.X.X.Y
ip nat inside source static 10.0.0.3 217.X.X.Z
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 217.X.X.X
!         
!         
access-list 10 permit 10.0.0.0 0.0.0.255
!         
!         
!         
!         
!         
!         
dial-peer voice 1 voip
 session protocol sipv2
 session target ipv4:67.X.X.X
 session transport udp
!         
sip-ua    
 nat symmetric role active
 nat symmetric check-media-src
 retry invite 2
 retry response 2
 retry bye 2
 retry cancel 2
 sip-server ipv4:67.X.X.X


-- 
Best Regards,
Mounir Mohamed 
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

 



-- 
Best Regards,
Mounir Mohamed 



-- 
Best Regards,
Mounir Mohamed 
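To make concrete what the "fixup" Wes and the Cisco excerpt refer to, here is an added Python illustration (not code from the thread, from Cisco, or from IOS): a SIP INVITE carries the phone's private address in the Via and Contact headers and in the SDP c= and m= lines, so a plain PAT pool rewrites only the IP/UDP header and the far end replies to an unroutable 10.0.0.x address and to an RTP port the router never opened. The INVITE is a constructed sample, 203.0.113.10 stands in for the router's 217.X.X.X outside address, and the function names are hypothetical.

```python
import re

PRIVATE_IP = "10.0.0.25"    # inside address of one phone, as in the thread
PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the router's 217.X.X.X

# Constructed sample INVITE, as the phone sends it before any NAT rewrite.
SAMPLE_INVITE = (
    "INVITE sip:2002@sip.example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776\r\n"
    f"Contact: <sip:2001@{PRIVATE_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    f"o=phone 1 1 IN IP4 {PRIVATE_IP}\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)


def embedded_addresses(msg, inside_ip):
    """Lines that carry the inside L3 address: exactly what plain PAT
    (ip nat ... overload) leaves untouched, and why the calls fail."""
    return [line for line in msg.split("\r\n") if inside_ip in line]


def sip_fixup(msg, inside_ip, outside_ip, sip_port, rtp_port):
    """Rewrite the embedded address/ports the way a SIP ALG ('fixup')
    must, and return the rewritten message plus the RTP pinhole the
    firewall has to open dynamically for the negotiated media channel."""
    head, sep, sdp = msg.partition("\r\n\r\n")
    # Signaling: Via/Contact hold inside_ip:5060 -> outside_ip:sip_port.
    head = head.replace(f"{inside_ip}:5060", f"{outside_ip}:{sip_port}")
    # Media: o=/c= hold the address, m= holds the RTP port the peer will use.
    sdp = sdp.replace(f"IN IP4 {inside_ip}", f"IN IP4 {outside_ip}")
    m = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if m is None:
        raise ValueError("no audio media line in SDP")
    inside_rtp = int(m.group(1))
    sdp = sdp.replace(f"m=audio {inside_rtp} ", f"m=audio {rtp_port} ", 1)
    pinhole = {"inside": (inside_ip, inside_rtp),
               "outside": (outside_ip, rtp_port)}
    return head + sep + sdp, pinhole


if __name__ == "__main__":
    for line in embedded_addresses(SAMPLE_INVITE, PRIVATE_IP):
        print("embedded:", line)
    fixed, hole = sip_fixup(SAMPLE_INVITE, PRIVATE_IP, PUBLIC_IP, 40001, 40002)
    print(fixed)
    print("media pinhole to open:", hole)
```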

