problems with sip through cbac router

From: Jens Petter (jenseike@start.no)
Date: Thu Sep 21 2006 - 14:29:53 ART


I have some SIP phones that connect to a SIP server on the outside of the
router. I am using CBAC on the router; this is the config:

ip inspect name FIREWALL tcp alert on
ip inspect name FIREWALL udp alert on timeout 30
ip inspect name FIREWALL icmp alert on
ip inspect name FIREWALL sip alert on timeout 350

interface FastEthernet4
 ip address 213.162.xxx.xxx 255.255.255.252
 ip access-group FIREWALL_ACL in
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

ip nat inside source list NAT interface FastEthernet4 overload

ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended FIREWALL_ACL
 permit tcp 213.162.224.0 0.0.31.255 host 213.162.236.222 eq telnet
 permit icmp 213.162.224.0 0.0.31.255 host 213.162.236.222 echo
 permit icmp any host 213.162.236.222 echo-reply
 deny ip any any log

I am encountering a problem with the phones: they keep disconnecting. I am
not sure why. You can have a look at the log below. I was hoping some
of you voice experts could lead me in the right direction for solving this.

I read on CCO that you should enable inspection in both directions, but that
did not help here. The timeout on the server is set to 300 sec.

I am using version1 12.4.(4)T3 software

This is the log on the SIP server. This is the qualify traffic that does not
work:

Sep 21 14:44:51 NOTICE[25178] chan_sip.c: Peer '51213595' is now REACHABLE! (89ms / 2000ms)
Sep 21 14:45:55 NOTICE[25178] chan_sip.c: Peer '51213595' is now UNREACHABLE! Last qualify: 89
Sep 21 15:01:31 NOTICE[25178] chan_sip.c: Peer '51213595' is now UNREACHABLE! Last qualify: 120
Sep 21 15:02:57 NOTICE[25178] chan_sip.c: Peer '51213595' is now REACHABLE! (147ms / 2000ms)
Sep 21 15:04:01 NOTICE[25178] chan_sip.c: Peer '51213595' is now UNREACHABLE! Last qualify: 147
Sep 21 15:05:27 NOTICE[25178] chan_sip.c: Peer '51213595' is now REACHABLE! (149ms / 2000ms)

Sep 21 14:39:58 NOTICE[25178] chan_sip.c: Peer '51213596' is now REACHABLE! (28ms / 2000ms)
Sep 21 14:41:02 NOTICE[25178] chan_sip.c: Peer '51213596' is now UNREACHABLE! Last qualify: 28
Sep 21 15:01:27 NOTICE[25178] chan_sip.c: Peer '51213596' is now UNREACHABLE! Last qualify: 36
Sep 21 15:06:19 NOTICE[25178] chan_sip.c: Peer '51213596' is now REACHABLE! (38ms / 2000ms)
Sep 21 15:13:14 NOTICE[25178] chan_sip.c: Peer '51213596' is now UNREACHABLE! Last qualify: 30
Sep 21 15:18:12 NOTICE[25178] chan_sip.c: Peer '51213596' is now REACHABLE! (33ms / 2000ms)
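
Added example, not part of the original post: a Python script that parses the chan_sip notices quoted above, measures how long each peer stayed REACHABLE before the next UNREACHABLE notice, and lists which of the two idle timeouts in the posted inspect rules (30 s for udp, 350 s for sip) are shorter than that window. The year 2006 is assumed from the post date because the log lines carry none; the function names are the example's own.

```python
import re
from datetime import datetime

# Idle timeouts (seconds) from the posted "ip inspect name FIREWALL" rules.
INSPECT_TIMEOUTS = {"udp": 30, "sip": 350}
# Log lines from the post, with the mail client's line wrapping undone.
LOG = """\
Sep 21 14:44:51 NOTICE[25178] chan_sip.c: Peer '51213595' is now REACHABLE! (89ms / 2000ms)
Sep 21 14:45:55 NOTICE[25178] chan_sip.c: Peer '51213595' is now UNREACHABLE! Last qualify: 89
Sep 21 15:01:31 NOTICE[25178] chan_sip.c: Peer '51213595' is now UNREACHABLE! Last qualify: 120
Sep 21 15:02:57 NOTICE[25178] chan_sip.c: Peer '51213595' is now REACHABLE! (147ms / 2000ms)
Sep 21 15:04:01 NOTICE[25178] chan_sip.c: Peer '51213595' is now UNREACHABLE! Last qualify: 147
Sep 21 15:05:27 NOTICE[25178] chan_sip.c: Peer '51213595' is now REACHABLE! (149ms / 2000ms)
Sep 21 14:39:58 NOTICE[25178] chan_sip.c: Peer '51213596' is now REACHABLE! (28ms / 2000ms)
Sep 21 14:41:02 NOTICE[25178] chan_sip.c: Peer '51213596' is now UNREACHABLE! Last qualify: 28
Sep 21 15:01:27 NOTICE[25178] chan_sip.c: Peer '51213596' is now UNREACHABLE! Last qualify: 36
Sep 21 15:06:19 NOTICE[25178] chan_sip.c: Peer '51213596' is now REACHABLE! (38ms / 2000ms)
Sep 21 15:13:14 NOTICE[25178] chan_sip.c: Peer '51213596' is now UNREACHABLE! Last qualify: 30
Sep 21 15:18:12 NOTICE[25178] chan_sip.c: Peer '51213596' is now REACHABLE! (33ms / 2000ms)
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) NOTICE\[\d+\] chan_sip\.c: "
                     r"Peer '([^']+)' is now (REACHABLE|UNREACHABLE)!")

def parse(log, year=2006):
    """Yield (timestamp, peer, state) per state-change line; year is assumed."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def reachable_windows(log):
    """Return {peer: [seconds REACHABLE before the next UNREACHABLE, ...]}."""
    up_since, windows = {}, {}
    for ts, peer, state in sorted(parse(log)):
        if state == "REACHABLE":
            up_since[peer] = ts
        elif peer in up_since:  # an UNREACHABLE with no prior REACHABLE is skipped
            secs = int((ts - up_since.pop(peer)).total_seconds())
            windows.setdefault(peer, []).append(secs)
    return windows

def compare(windows, timeouts=INSPECT_TIMEOUTS):
    """Pair each window with the names of the inspect timeouts shorter than it."""
    return {peer: [(w, sorted(n for n, t in timeouts.items() if t < w)) for w in ws]
            for peer, ws in windows.items()}

if __name__ == "__main__":
    for peer, rows in compare(reachable_windows(LOG)).items():
        print(peer, rows)
```

On the posted log, three of the four reachable windows are exactly 64 seconds.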


