To give some more details on why voice inspection on a firewall is a bad idea:<br><br>-SCCP is a Cisco proprietary protocol. This is good because Cisco can change the protocol as they need, version by version. This is bad for firewalls because how many people consider keeping their firewall version up to date with relationship to their phone firmware version - about as many as you would expect. There is a potential for even greater problems with 3rd party firewalls which may not be as up to date with the SCCP protocol version/messages. <br>
<br>-SIP isn't any better. Some may lean on open standards, say it's well understood, but that doesn't really hold up. SIP is very flexible and extensible, which means people can insert their own custom headers, add their own body types, etc. In a typical SIP message, you can't just do a simple find-and-replace for your NAT IP addresses and ports. One call agent may include it's private address in the Call-ID header. This header is not IP dependent, but it's just an identifier. If you NAT the IP in the Call-ID header the other end will not know which session to refer to and it will break the call. But, in the From/Via headers you want to NAT the IP. If I create a Nick-SIP-NAT-Break header, there isn't a way for the firewall to reliably know whether it should NAT that header or not unless it's familiar with it. You can also get into some implementation differences in how different vendors use headers differently, some use the shortcut notation of header definitions, some use optional parts of the header, and now the firewall has to be cognizant of these differences. <br>
<br>-H.323 is arguably the most secure through a firewall. It has a standard associated to it, and should be more predictable. We're seeing less of H.323 as almost all new devices are SIP. The one challenge with H.323 is that the H.245 connection is a random-to-random port usage which firewalls can struggle to keep up with. Most up-to-date major firewalls should be able to do this, but you see problems on the less-updated and niche firewalls.<br>
<br>In short, just change the addresses. It will save you time. Troubleshooting a voice topology with a firewall is easy - start at the firewall, because it's almost always the problem.<br><br>-nick<br><br><div class="gmail_quote">
On Mon, Mar 28, 2011 at 10:41 AM, Mauro Celli <span dir="ltr"><<a href="mailto:mauro.celli@2000net.it">mauro.celli@2000net.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I have some overlapping phone network, i need NAT for some reason.<br>
This is my nat "ip nat inside source list 101 pool Voce"<br>
No overload is added but:<br>
rotary work for 2/3 week,after this time, some phone is overload ip<br>
Match-host is not applicable<br>
without rotary and match-host, all phone have same ip (the router apply pat)<br>
Ios tested 12.4 15.0 15.1<br>
<br>
Thanks<br>
<br>
-----Messaggio originale-----<br>
Da: Peter Slow [mailto:<a href="mailto:peter.slow@gmail.com">peter.slow@gmail.com</a>]<br>
Inviato: domenica 27 marzo 2011 17:18<br>
A: Mauro Celli<br>
Cc: <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
Oggetto: Re: [cisco-voip] Nat skinny overload problem<br>
<div><div></div><div class="h5"><br>
The overload keyword is what causes it to do PAT instead of NAT. You<br>
do NOT have to put the "overload" keyword at the end of the ip nat<br>
inside source command. I'm not sure how skinny inspection works<br>
(because I've managed to avoid doing this, as it should be avoided and<br>
is poor design.) with IOS NAT/PAT, but you are going to need some form<br>
of Skinny inspection if you want dynamically assigned global IP<br>
addresses because the router needs to know what UDP ports to create a<br>
corresponding translation across the NAT boundary for.<br>
<br>
There is probably a solution here that we can help you come up with<br>
that will not need NAT/PAT. Tell us what your network architecture is<br>
like, and what you are trying to do. Perhaps we can help you come up<br>
with something that wont cause you heartache. ( for instance, if the<br>
NAT is due to overlapping address space, you can renumber the phones,<br>
that will be easier. If the NAT is because you are going across a<br>
public network, then as much as I hate the various forms of tunneling<br>
and VPNs, one of them may be for you and is probably a lesser evil<br>
than NAT.) There are even some other ways, such as forcing all your<br>
phones at thsi one site to send their RTP streams through an MTP with<br>
a Public IP address, thereby bypassing the need for the<br>
fixup/inspection. There are varying designs of that nature that use<br>
parts of CUBE or CUCM.<br>
<br>
Even if you manage to get this working now, skinny inspection/fixup<br>
breaks frequently, for a multitude of reasons.<br>
<br>
NAT/PAT really sucks for voice,<br>
Peter<br>
<br>
<br>
<br>
<br>
On Sat, Mar 26, 2011 at 5:16 PM, Mauro Celli <<a href="mailto:mauro.celli@2000net.it">mauro.celli@2000net.it</a>> wrote:<br>
> I need to make nat for some phones (15/20 phones) in 2 subnet<br>
><br>
> Subnet1 <a href="http://172.20.10.0/24" target="_blank">172.20.10.0/24</a><br>
><br>
> Subnet2 <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
><br>
> Nat pool 1.0.1.21 1.0.1.149<br>
><br>
> I need a mapping 1 to 1.<br>
><br>
> I have try some config but:<br>
><br>
><br>
><br>
> ip nat pool Voce 1.0.1.21 1.0.1.149 netmask 255.255.255.0<br>
><br>
> This not work,all internal phones is natted with 1.0.1.21 (is always<br>
> overloaded???)<br>
><br>
> ip nat pool Voce 1.0.1.21 1.0.1.149 netmask 255.255.255.0 match-host<br>
><br>
> This is not applicable, because i have two internal subnet<br>
><br>
> ip nat pool Voce 1.0.1.21 1.0.1.149 netmask 255.255.255.0 rotary<br>
><br>
> This work,but after 2/3 week, i found two phone with same natted address.<br>
><br>
><br>
><br>
> I need always a mapping 1->1 absolutely no overload is permette in my<br>
> config.<br>
><br>
> How i can make this without making a manual<br>
><br>
> ip nat inside source static x.x.x.x x.x.x.x for every phone?<br>
><br>
> Thanks<br>
><br>
> _______________________________________________<br>
> cisco-voip mailing list<br>
> <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
> <a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
><br>
><br>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</div></div></blockquote></div><br>