cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
New Contributor

Outbound translations

I have a Netvanta 3120 with a PBX behind it setup with a sip trunk. In-bound calls always work, but outbound calls occasionally fail. Working with the sip provider it looks like the Router is translating port 5060 coming from the pbx and sending it on a different port going to the provider. Even though the destination port is still 5060 the provider rejects the registration because the source port is not 5060, or what ever the PBX last registered with. I know the PBX is always trying to register with port 5060, at least that is how it's setup.. I have the inbound rules for port forwarding setup without issue. What can I do to ensure that the outbound port doesn't get translated? 

The config in question:

hostname "frustrated_custmer"

enable password encrypted blahblah

!

!

ip subnet-zero

ip classless

ip routing

domain-proxy

name-server 8.8.8.8

!

!

no auto-config

!

event-history on

no logging forwarding

logging forwarding priority-level info

no logging email

!

service password-encryption

!

username "admin" password encrypted "nottherealpw"

!

ip policy-timeout udp all-ports 300

!

ip firewall

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

no ip firewall alg sip

!

!

!

!

!

!

!

no dot11ap access-point-control

!

!

!

!

!

ip dhcp excluded-address 192.168.1.0 192.168.1.99

ip dhcp excluded-address 192.168.1.251 192.168.1.255

!

ip dhcp pool "Private"

  network 192.168.1.0 255.255.255.0

  dns-server 192.168.1.1

  default-router 192.168.1.1

!

!

!

!

!

!

!

!

!

vlan 1

  name "Default"

!

!

interface eth 0/1

  ip address  162.x.x.x  255.255.x.x

  ip access-policy Public

  no rtp quality-monitoring

  no shutdown

  no lldp send-and-receive

!

!

interface switchport 0/1

  no shutdown

!

interface switchport 0/2

  no shutdown

!

interface switchport 0/3

  no shutdown

!

interface switchport 0/4

  no shutdown

!

!

!

interface vlan 1

  ip address  192.168.1.1  255.255.255.0

  ip access-policy Private

  no shutdown

!

!

!

!

ip access-list standard wizard-ics

  remark NAT list wizard-ics

  permit any

!

!

ip access-list extended self

  remark Traffic to NetVanta

  permit ip any  any     log

!

ip access-list extended web-acl-6

  remark remote_MGMT

  permit tcp host 104.x.x.x  any eq telnet   log

  permit tcp host 104.x.x.x  any eq https   log

  permit tcp host 104.x.x.x  any eq ssh   log

  permit icmp any  any  echo   log

!

ip access-list extended wizard-pfwd-1

  remark Port Forward 1

  permit udp host sip.provider.public.address  host 162.x.x.x (public address) eq 5060    log

  permit tcp any  host 162.x.x.x eq 5090   log

  permit tcp any  host 162.x.x.x eq 5003   log

  permit tcp any  host 162.x.x.x eq ftp   log

  permit tcp any  host 162.x.x.x eq 6001   log

  permit udp host sip.provider.public.address  host 162.x.x.x range 50000 50032    log

!

ip access-list extended wizard-remote-access

  remark do not hand edit this ACL

  permit icmp any  any  echo   log

  permit tcp host 104.x.x.x  any eq https   log

  permit tcp host 104.x.x.x  any eq telnet   log

  permit tcp host 104.x.x.x  any eq ssh   log

  permit tcp 192.168.1.0 0.0.0.255  any    log

  deny   tcp any  any eq telnet   log

  deny   tcp any  any eq ssh   log

!

!

ip nat pool web-nat-pool-1 static

  local 192.168.1.15 192.168.1.15 global 162.x.x.x 162.x.x.x

!

!

ip policy-class Private

  allow list self self

  nat source list wizard-ics interface eth 0/1 overload

!

ip policy-class Public

  allow list web-acl-6 self

  nat destination list wizard-pfwd-1 address 192.168.1.15 (PBX local ip)

!

!

ip route 0.0.0.0 0.0.0.0 162.x.x.x

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

!

!

!

!

!

!

!

!

ip sip udp 5060

ip sip tcp 5060

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

line con 0

  login

  password encrypted 3c309c0483da2eb36a6b04185252b73a3ad4

!

line telnet 0

  login

  password encrypted 3c30bd91036f03145b06eb5043d04123583b

  no shutdown

line telnet 1 2

  login

  password encrypted 404cbd107d81c719bfca71ab72ba23dfd000

  no shutdown

line telnet 3

  login

  password encrypted 3a362665a7ac45cbccdad29e0ded67275042

  no shutdown

line telnet 4

  login

  password encrypted 222e281f65ba76f86e29db61b9bac75989bd

  no shutdown

line ssh 0 4

  login local-userlist

  no shutdown

!

sntp server 0.north-america.pool.ntp.org

!

!

!

!

!

!

end

Labels (2)
0 Kudos
Reply
4 Replies
Highlighted
New Contributor II

Re: Outbound translations

You already have SIP ALG disabled so that's good... I'm not certain this will resolve your issue but I'd definitely start by removing the SIP statements from your router's config:

!

ip sip udp 5060

ip sip tcp 5060

!

0 Kudos
Highlighted
Honored Contributor
Honored Contributor

Re: Outbound translations

Your NAT overload is doing port translation when more than one session is established from the same inside to outside IP. You'll need a SIP b2bua configuration and not conventional NAT. Enable SIP ALG and transparent proxy, see if this works for you.

0 Kudos
Highlighted
New Contributor

Re: Outbound translations

I'll give SIP ALG and Transparent proxy a shot at some point. For a quick work around I set the udp time out to a higher value to keep the pbx from trying to use a different port for registration when the re-register time comes.. Not the most secure solution, but it got them operational.

Thanks for the answers!

0 Kudos
Highlighted
New Contributor

Re: Outbound translations

I am having the exact same issue, What was your resolution?

0 Kudos