Cisco NAT and udp forwarding weirdness

Status
Not open for further replies.

Oldcomputerman (IS-IT--Management), Mar 2, 2009, CA
Hi gurus,
I have been beating my head against the screen on this.
Here's a short history.
Netgear RT311 was doing the job, sort of, forwarding inbound SIP extensions to my Asterisk server, but would screw up its NAT tables after a while and have to be rebooted (annoying as hell). The router crashed badly 2 weeks ago, so I decided to replace the router with a Cisco 1721. Everything works great except inbound SIP.
The router is at Version 12.3(4)T2 firmware; I suspect there may be a bug here. I am using a 1-entry address pool and an access-list to forward services through the 1-to-many NAT (full cone). If I forward a TCP port with "access-l 111 permit tcp any any eq 23" as an example, this works.
Any attempts to do the same with udp don't work,
like: "access-l 111 permit udp any any eq 5060"
or the next line, access-l 111 permit range 10001 20000.
Any ideas??
Thanks!
 

Welcome oldcomputerman,

First, don't break the screen :)

For you and anyone else asking a question, it always helps to post a "scrubbed" version of the show run so we can see exactly what you have configured on the router.

Then you will see lots of suggestions based on what you have already done!!


E.A. Broda
CCNA, CCDA, CCAI, Network +
 
That is not how to forward a port. You are simply allowing them to pass with an acl. A static NAT would be

ip nat inside source static udp 192.168.1.21 5060 int s0 5060

This statically NATs the inside server at 192.168.1.21 to the IP address on interface serial0, with port 5060, so that users on the outside can hit that server via port 5060, using the IP address of interface serial0.

Also, you may be able to clear xlates every day or so with a kron config. Like Gene says---post a scrubbed config...

Burt
 
Thanks guys for the replies. As Burtsbees said, the "standard" ip nat inside static udp does work, but only opens a single port. I did that method when the access list didn't work, and the SIP signalling did work. The problem with this is the number of udp ports that have to be open for the SIP RTP voice path to be available.
Attached is the running config currently on the router.
The access-list on an IP pool is the only way I have found that will open a block of ports using the range qualifier.
It does work perfectly on TCP ports.


!
! Last configuration change at 02:03:56 UTC Mon Mar 2 2009
! NVRAM config last updated at 01:49:38 UTC Mon Mar 2 2009
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname MyVaxNet
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gJkQ$Zwd9nCoUnT42EjM6IeXxx
!
memory-size iomem 20
no aaa new-model
ip subnet-zero
!
!
ip name-server 207.136.100.40
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.13.1
!
ip dhcp pool basic
network 192.168.13.0 255.255.255.0
domain-name vaxland
dns-server 192.168.13.100
default-router 192.168.13.1
!
!
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh break-string
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
no crypto isakmp enable
!
!
!
class-map match-any voice
match access-group 101
class-map match-any signaling
match access-group 102
!
!
policy-map VoicePolicy
class voice
priority 38
class signaling
priority percent 7
class class-default
fair-queue
!
!
!
interface Ethernet0
no ip address
service-policy output VoicePolicy
no ip mroute-cache
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
ip address 192.168.13.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
full-duplex
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp pap sent-username ISPusername password 0 Password
!
ip nat pool VAX 192.168.13.100 192.168.13.100 netmask 255.255.255.0 type rotary
ip nat pool Asterisk 192.168.13.200 192.168.13.200 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.13.200 80 interface Dialer0 85
ip nat inside source static tcp 192.168.13.254 80 interface Dialer0 80 !254 don't exist
! The above is temp block of port 80
ip nat inside destination list 110 pool VAX
ip nat inside destination list 111 pool Asterisk
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
!
!
access-list 1 permit 192.168.13.0 0.0.0.255
access-list 101 permit udp any any dscp ef
access-list 102 permit udp any any dscp af41
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq 64215
access-list 110 permit tcp any any eq ftp-data
access-list 111 permit udp any any range 10001 20000
access-list 111 permit udp any any eq 4569
access-list 111 permit udp any any dscp ef
access-list 111 permit udp any any dscp af41
access-list 111 permit udp any any eq 5060
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password PaSsWoRd
login
!
no scheduler allocate
ntp clock-period 17180004
ntp master
ntp server 209.146.237.97 prefer
!
end
 
I can't keep my eyes open.
VAX, eh? Like MicroVAX II, PDP-11, that sort of thing? Don't tell me you're on the East Coast...

Burt
 
Yes Burt, I still do software support, and hardware services on old DEC stuff, including chip level repairs. My Email server is a microvax 3100. In the Cisco router access-list port 64215 is open for, get ready for it, Decnet over IP.
 
Having the same problem here. Using a 2621 with an asterisk server behind. TCP ports seem to be forwarded just fine; it's the SIP registrations coming from phones off-site that aren't getting through. A packet capture on a PC running a softphone shows the outgoing registration, and a "port unreachable" response from the router's IP.

I am also banging my head on my desk at this point... I don't see what the problem could be - it's fairly straightforward (or so it appears to me).

Thanks, and here's my current config:

Code:
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 **********
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
!
ip cef
!
interface FastEthernet0/0
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.31.0.254 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
ip nat pool voip 172.31.0.1 172.31.0.1 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside destination list 111 pool voip
no ip http server
ip classless
!
logging facility news
logging source-interface FastEthernet0/1
logging 172.31.0.1
access-list 1 permit 172.31.0.0 0.0.0.255
access-list 101 deny   tcp any any eq telnet
access-list 101 deny   udp any any eq snmp
access-list 101 permit ip any any
access-list 111 permit tcp any any range 5060 5089
access-list 111 permit udp any any range 5060 5089
access-list 111 permit udp any any range 10000 20000
access-list 111 permit tcp any any eq 22
!
snmp-server engineID local 00000009020000055EBC28C0
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
 password ******
 login
!
end


 
This is taking precedence...

"ip nat inside source list 1 interface FastEthernet0/0 overload"

and therefore PATting with whatever port it feels like. If you have VoIP servers, you'll want to make static NAT ranges...

ip nat inside source list 111 int xxx

no overload keyword. Try that...

 
I gave up on the ACL method, and just used a script to generate a S**t load of ip nat insides for the udp ports I needed. I truncated the port numbers from the default 10001-20000 for RTP, as this is a home asterisk server; that number of ports really isn't needed. I changed the port range in the asterisk server rtp.conf file and matched it to the ports forwarded. All are straight NATs, no overload.
I hard-coded the wifi phones and external ATAs to use a specific udp port so they don't overlap. Note the ATA should request on an even port; the server will use the next available odd port for your voice path.
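The generate-the-statics approach from the post above, as an added example that is not the poster's script: a small Python generator that emits one static UDP entry per port (no overload keyword, as Burt advised) for a trimmed RTP window plus the SIP and IAX ports, together with the matching Asterisk rtp.conf range so the PBX only offers ports that are actually forwarded. The inside host 192.168.13.200 and interface Dialer0 come from the first posted config; the 10000-10099 window and the even-start/odd-end check (RTP on the even port, RTCP on the next odd one) are assumptions for illustration.

```python
"""Constructed example: generate 1:1 static UDP NAT entries for a Cisco IOS
router in front of an Asterisk box, plus the matching rtp.conf range.
Host and interface follow the posted config; the port window is an assumption."""

INSIDE_HOST = "192.168.13.200"     # Asterisk server (from the posted config)
OUTSIDE_IF = "Dialer0"             # PPPoE dialer holding the public address
SIP_PORT = 5060                    # SIP signalling
IAX_PORT = 4569                    # IAX2, also listed in access-list 111
RTP_START, RTP_END = 10000, 10099  # trimmed RTP window (assumption: ~50 calls)


def static_nat_line(port, proto="udp"):
    """One 'ip nat inside source static' entry, deliberately without 'overload'."""
    return (f"ip nat inside source static {proto} {INSIDE_HOST} {port} "
            f"interface {OUTSIDE_IF} {port}")


def rtp_window(start, end):
    """Validate the RTP range: RTP uses even ports and RTCP the following odd
    port, so the window must start even, end odd, and be non-empty."""
    if start % 2 or end % 2 == 0 or end - start < 1:
        raise ValueError("RTP range must run from an even port to an odd port")
    return start, end


def generate_nat_config(rtp_start=RTP_START, rtp_end=RTP_END):
    """Return the IOS lines to paste in 'configure terminal': signalling
    ports first, then one static entry per RTP/RTCP port."""
    start, end = rtp_window(rtp_start, rtp_end)
    lines = [static_nat_line(SIP_PORT), static_nat_line(IAX_PORT)]
    lines += [static_nat_line(p) for p in range(start, end + 1)]
    return lines


def generate_rtp_conf(rtp_start=RTP_START, rtp_end=RTP_END):
    """Matching Asterisk rtp.conf so Asterisk never offers an unforwarded port."""
    start, end = rtp_window(rtp_start, rtp_end)
    return f"[general]\nrtpstart={start}\nrtpend={end}\n"


if __name__ == "__main__":
    print("\n".join(generate_nat_config()))
    print(generate_rtp_conf())
```

Each static entry occupies a NAT table slot on the router, which is why shrinking the RTP window matters on a small box like the 1721.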
 
Ouch. That's a bit of hassle... After searching around as much as I have, I decided to give up. Since there's no elegant way to deal with it, I chose to put the linux box back in as the router/gateway. We've been using this setup for years; I know it inside & out, it's very stable and it just works. I may go with a PIX or SonicWall later on, but for now, I'll just keep things as they've been.

Thanks for the input, though. :)
 
Have you guys looked at the IOS ALG support for SIP?? Since it is an Application Layer Gateway it will dynamically open and close the required ports needed per session:


I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 