From: Church, Chuck (cchurch@multimax.com)
Date: Thu Sep 21 2006 - 16:32:29 ART
I had a similar problem. CBAC wasn't the problem. NAT was. Try adding
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
to the config. This is despite the fact that NAT service (payload
modification of addresses) should be off by default...
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087d43.html#wp1031752
We spent a lot of time figuring this out...
Chuck Church
Network Engineer
CCIE #8776, MCNE, MCSE
Multimax, Inc.
Enterprise Network Engineering
Home Office - 864-335-9473
Cell - 864-266-3978
cchurch@multimax.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jens Petter
Sent: Thursday, September 21, 2006 1:30 PM
To: 'Cisco certification'
Subject: problems with sip through cbac router
I have some SIP phones that connect to a SIP server on the outside of
the router. I am using CBAC on the router; this is the config:
ip inspect name FIREWALL tcp alert on
ip inspect name FIREWALL udp alert on timeout 30
ip inspect name FIREWALL icmp alert on
ip inspect name FIREWALL sip alert on timeout 350
interface FastEthernet4
 ip address 213.162.xxx.xxx 255.255.255.252
 ip access-group FIREWALL_ACL in
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
ip nat inside source list NAT interface FastEthernet4 overload
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended FIREWALL_ACL
 permit tcp 213.162.224.0 0.0.31.255 host 213.162.236.222 eq telnet
 permit icmp 213.162.224.0 0.0.31.255 host 213.162.236.222 echo
 permit icmp any host 213.162.236.222 echo-reply
 deny ip any any log
I am encountering a problem with the phones: they keep disconnecting. I
am not sure why. You can have a look at the log below. I was hoping some
of you voice experts could lead me in the right direction for solving
this.
I read on CCO that you should enable inspection in both directions, but
that did not help here. The timeout on the server is set to 300 sec.
I am using version1 12.4.(4)T3 software.
This is the log on the SIP server. This is the qualify traffic that does
not work:
Sep 21 14:44:51 NOTICE[25178] chan_sip.c: Peer '51213595' is now REACHABLE! (89ms / 2000ms)
Sep 21 14:45:55 NOTICE[25178] chan_sip.c: Peer '51213595' is now UNREACHABLE! Last qualify: 89
Sep 21 15:01:31 NOTICE[25178] chan_sip.c: Peer '51213595' is now UNREACHABLE! Last qualify: 120
Sep 21 15:02:57 NOTICE[25178] chan_sip.c: Peer '51213595' is now REACHABLE! (147ms / 2000ms)
Sep 21 15:04:01 NOTICE[25178] chan_sip.c: Peer '51213595' is now UNREACHABLE! Last qualify: 147
Sep 21 15:05:27 NOTICE[25178] chan_sip.c: Peer '51213595' is now REACHABLE! (149ms / 2000ms)
Sep 21 14:39:58 NOTICE[25178] chan_sip.c: Peer '51213596' is now REACHABLE! (28ms / 2000ms)
Sep 21 14:41:02 NOTICE[25178] chan_sip.c: Peer '51213596' is now UNREACHABLE! Last qualify: 28
Sep 21 15:01:27 NOTICE[25178] chan_sip.c: Peer '51213596' is now UNREACHABLE! Last qualify: 36
Sep 21 15:06:19 NOTICE[25178] chan_sip.c: Peer '51213596' is now REACHABLE! (38ms / 2000ms)
Sep 21 15:13:14 NOTICE[25178] chan_sip.c: Peer '51213596' is now UNREACHABLE! Last qualify: 30
Sep 21 15:18:12 NOTICE[25178] chan_sip.c: Peer '51213596' is now REACHABLE! (33ms / 2000ms)