[cisco-voip] IP-Phones NAT problem
Hinson, Greg
Greg_Hinson at adp.com
Thu Apr 6 13:45:19 EDT 2006
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html
Below is an excerpt from this link, and it appears to be related to what
you are trying to accomplish
-Greg
Inspecting Complex Services
Several Internet services use multiple channels to handle the service
control and data communications. For instance, FTP uses one channel to
open initial communications from the client to the server, and the
server opens a separate channel back to the client to send the actual
file transfer traffic. Similarly, H.323 uses one channel for initial
call setup, and other channels are negotiated from the initial
connection to carry the actual streaming media, such as audio traffic in
an IP telephony connection.
The Stateful Inspection engine only needs to see the initiating
connection for these complex services. Subsequent connections for the
session are dynamically opened for the session, based on SPI's scrutiny
of the connection setup. This is usually known as "fixup". If an
outbound ACL is configured on an interface to restrict network access
policy, it must only account for the initiating port. The task of
accommodating the media channels will be handled by Stateful
inspection's fixup. The following command lists the complex services and
their initiating ports that Cisco IOS Stateful Inspection can handle:
FWRouter# sh ip port-map
Default mapping: vdolive port 7000 system defined
Default mapping: sunrpc port 111 system defined
Default mapping: netshow port 1755 system defined
Default mapping: cuseeme port 7648 system defined
Default mapping: rtsp port 8554 system defined
Default mapping: realmedia port 7070 system defined
Default mapping: streamworks port 1558 system defined
Default mapping: ftp port 21 system defined
Default mapping: rtsp port 554 system defined
Default mapping: h323 port 1720 system defined
Default mapping: sip port 5060 system defined
Default mapping: mgcp port 2427 system defined
Granular Inspection
Granular Protocol Inspection (GPI), introduced in Cisco IOS Software
Release 12.3(14)T, offered complete integration with PAM. Prior to GPI,
a firewall policy was defined by configuring inspection for outbound
TCP, UDP, and ICMP traffic. Inspection was explicitly configured for
specific protocols, such as FTP, H.323, Skinny, Session Initiation
Protocol (SIP) and others that required fixup to watch for and allow
protocol-specific media channels. Common single-connection services such
as POP, Telnet, Microsoft RPC, and other simple protocols were inspected
by the generic capability of TCP, UDP, and ICMP inspection. Using these
generic inspection capabilities is simple to configure, but it limits
Stateful Packet Inspection's granularity: any traffic that was allowed to
leave through a firewall was allowed to return because inspection
created an ACL Bypass entry for that traffic.
GPI allows creation of specific ACL Bypass for only the desired traffic,
as defined by an inspection list consisting of only the protocols that
are explicitly permitted by an organization's Internet/security access
policy.
A complete list of the default services that GPI can inspect is
contained in the appendix at the end of the Stateful Inspection section.
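The Cisco excerpt above says the inspection engine only needs to see the initiating SIP connection and then opens the media channels dynamically ("fixup"); further down the thread Wes makes the complementary point that VoIP protocols embed the L3 address inside the signaling, which is exactly what a plain NAT pool leaves untouched. The following Python model is an added example that is not code from this thread, from Cisco IOS or from the Cisco design guide. It builds a constructed INVITE from a phone at 10.0.0.25, shows which inside addresses a plain PAT would leak to the far end, then applies a minimal SIP ALG: it rewrites Via, Contact and the SDP o=/c=/m= fields with the translated public ip:port and records the RTP/RTCP pinholes a fixup would open. The public address 203.0.113.1, the `PatTable` allocator and all ports are assumptions for the demonstration; RFC 1918 space stands in for the NAT "inside".

```python
"""SIP behind NAT/PAT, with and without a 'fixup' (SIP ALG).

Added example for the cisco-voip thread; not code from the thread, from
Cisco IOS or from the Cisco design guide. All addresses, ports and the
PatTable allocator are constructed for the demonstration.
"""
import ipaddress
import re

# Constructed INVITE from a phone at 10.0.0.25, as in the original post.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:2001@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.25:5060;branch=z9hG4bK776asdhds",
    "From: <sip:1001@sip.example.net>;tag=1928301774",
    "To: <sip:2001@sip.example.net>",
    "Call-ID: a84b4c76e66710@phone1.invalid",
    "CSeq: 314159 INVITE",
    "Contact: <sip:1001@10.0.0.25:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=phone1 2890844526 2890844526 IN IP4 10.0.0.25",
    "s=call",
    "c=IN IP4 10.0.0.25",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
])

IPV4_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")
# Assumption: RFC 1918 space is the NAT 'inside' (the thread uses 10.0.0.0/24).
INSIDE_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_inside(ip):
    """True if ip is an inside (pre-translation) address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INSIDE_NETS)


class PatTable:
    """Overload (PAT) NAT: every inside ip:port gets a port on one public IP."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.entries = {}      # (inside_ip, inside_port) -> public port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.entries:            # allocate on first use
            self.entries[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.entries[key]


def embedded_inside_addresses(message):
    """Inside addresses carried in the SIP payload. A plain NAT rewrites only
    the IP/UDP header, so without fixup this is what the far end sees and
    tries to send responses and media to."""
    return sorted({ip for ip, _ in IPV4_PORT.findall(message) if is_inside(ip)})


def _rewrite_hostport(match, nat):
    ip, port = match.group(1), match.group(2)
    if not is_inside(ip):
        return match.group(0)               # already routable, leave as-is
    pub_ip, pub_port = nat.translate(ip, int(port or 5060))
    return f"{pub_ip}:{pub_port}"


def fixup_sip(message, nat):
    """SIP ALG ('fixup'): returns (rewritten INVITE, pinholes opened).

    Via and Contact get the translated ip:port; SDP o= and c= get the
    public IP; the m= port is translated and the RTP and RTCP (port+1)
    mappings are recorded as inbound pinholes, i.e. the dynamic
    'ACL bypass' entries the Cisco text describes.
    """
    head, _, body = message.partition("\r\n\r\n")
    out_head = []
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "contact"):
            value = IPV4_PORT.sub(lambda m: _rewrite_hostport(m, nat), value)
        out_head.append(name + sep + value)

    sdp = body.split("\r\n") if body else []
    conn_ip = next((l[len("c=IN IP4 "):] for l in sdp if l.startswith("c=IN IP4 ")), None)
    pinholes, out_sdp = [], []
    for line in sdp:
        fields = line.split(" ")
        if line.startswith(("c=IN IP4 ", "o=")) and is_inside(fields[-1]):
            fields[-1] = nat.public_ip
        elif line.startswith("m=") and conn_ip and is_inside(conn_ip):
            rtp = int(fields[1])
            pub_ip, pub_rtp = nat.translate(conn_ip, rtp)
            _, pub_rtcp = nat.translate(conn_ip, rtp + 1)
            fields[1] = str(pub_rtp)
            for pub_port, inside_port in ((pub_rtp, rtp), (pub_rtcp, rtp + 1)):
                pinholes.append({"proto": "udp",
                                 "public": (pub_ip, pub_port),
                                 "inside": (conn_ip, inside_port)})
        out_sdp.append(" ".join(fields))
    return "\r\n".join(out_head) + "\r\n\r\n" + "\r\n".join(out_sdp), pinholes


if __name__ == "__main__":
    print("without fixup, far end sees:", embedded_inside_addresses(SAMPLE_INVITE))
    fixed, holes = fixup_sip(SAMPLE_INVITE, PatTable("203.0.113.1"))
    print(fixed)
    for hole in holes:
        print("pinhole:", hole)
```

Run stand-alone it prints the INVITE after fixup and the two UDP pinholes (translated RTP port and RTP+1 for RTCP) that inbound media must hit; anything else inbound to the public address stays blocked, which is the "only the desired traffic" property the granular-inspection paragraph is about. Note that the pinholes are keyed to the translated ports, so a pool-plus-overload NAT only works for the phones once the signaling rewrite and the pinhole creation happen together, which is what the original poster's configuration lacks.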
------------------------------------------------------------------------
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Mounir Mohamed
Sent: Thursday, April 06, 2006 10:35 AM
To: Voll, Scott
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] IP-Phones NAT problem
The NAT device is not a PIX, it's a C2621XM, and I'm using a POOL, so is
there any workaround to solve the problem?
On 4/6/06, Voll, Scott <Scott.Voll at wesd.org> wrote:
Fixup is a command on the PIX firewall that works on a protocol to make
it work correctly.
scott
________________________________
From: cisco-voip-bounces at puck.nether.net on behalf of Mounir Mohamed
Sent: Thu 4/6/2006 10:18 AM
To: Wes Sisk
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] IP-Phones NAT problem
Dear Wes,
Could you clarify more: what is the FIXUP?
Best Regards,
Mounir Mohamed
On 4/6/06, Wes Sisk<wsisk at cisco.com> wrote:
All VoIP protocols embed the L3 address in the signaling protocol. You
will need a NAT device that supports a 'fixup' mechanism for those
protocols.
I know the PIX does.
/Wes
On Apr 6, 2006, at 8:21 AM, Mounir Mohamed wrote:
Dear All,
I have 2 IP-phones connected to a C2621 with the below configuration. The
problem is that the phones use 10.0.0.25 and 10.0.0.26 and both are
NATed on the 2600 router; both are registered with an international SIP
server but they cannot make calls, even between each other. When I try
using static NAT (Private --> Real IP) everything works fine, but I
cannot dedicate an IP for each phone, and now the problem is due to NAT,
so could anybody help with that? How can I use NAT and at the same time
have the phones working? It seems that the NAT port change is the reason
behind the problem.
Seef-HQ#sh run
Building configuration...
Current configuration : 1596 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Seef-HQ
!
logging buffered 4096 debugging
enable secret 5 $1
!
ip subnet-zero
ip cef
!
!
ip name-server 195.219.14.20
ip name-server 64.85.63.6
!
!
!
voice rtp send-recv
!
voice service voip
sip
!
voice class codec 1
codec preference 1 g711ulaw
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface FastEthernet0/0
ip address 217.X.X.X 255.255.255.240
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat pool LAN 217.X.X.X 217.X.X.X prefix-length 28
ip nat inside source list 10 pool LAN overload
ip nat inside source static tcp 10.0.0.113 80 interface FastEthernet0/0 9999
ip nat inside source static 10.0.0.4 217.X.X.Y
ip nat inside source static 10.0.0.3 217.X.X.Z
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 217.X.X.X
!
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
!
!
!
!
!
dial-peer voice 1 voip
session protocol sipv2
session target ipv4:67.X.X.X
session transport udp
!
sip-ua
nat symmetric role active
nat symmetric check-media-src
retry invite 2
retry response 2
retry bye 2
retry cancel 2
sip-server ipv4:67.X.X.X
--
Best Regards,
Mounir Mohamed
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip