GroupStudy.com - CCIE, CCNA, CCNP and other Cisco Certifications

Home

BookStore

StudyNotes

Links

[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

Subject: RE: problems with sip troug cbac router
From: "David Prall" <dcp@xxxxxxxxxxx>
Date: Fri, 22 Sep 2006 12:16:43 -0400
In-reply-to: <154206215-1158938464@start.no>
Thread-index: Acbdg/TSMazyCrdyRsqs0tIGhsqGnQAAaBUgAAcSHyAABI14UAApoGEgAAH1GKA=

In the no input you forgot sip

> Advokatene(config)#no ip nat service tcp port 5060 
>                                      ^
> % Invalid input detected at '^' marker.

Should be:
 no ip nat service sip tcp port 5060

David

--
David C Prall dcp@xxxxxxxxxxx http://dcp.dcptech.com
  

> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On 
> Behalf Of Jens Petter
> Sent: Friday, September 22, 2006 11:21 AM
> To: 'Church, Chuck'; 'Cisco certification'
> Subject: RE: problems with sip troug cbac router
> 
> One other thing i find strange..
> 
> I am able to enable this command doing :
> 
> Advokatene(config)#ip nat service sip tcp port 5060
> 
> But when I try to disable I get an error..
> 
> 
> Advokatene(config)#no ip nat service tcp port 5060 
>                                      ^
> % Invalid input detected at '^' marker.
> 
> JP
> 
> -----Original Message-----
> From: Church, Chuck [mailto:cchurch@xxxxxxxxxxxx] 
> Sent: 21. september 2006 21:32
> To: Jens Petter; Cisco certification
> Subject: RE: problems with sip troug cbac router
> 
> I had a similar problem.  CBAC wasn't the problem.  NAT was.  
> Try adding
> 
> 
> no ip nat service sip tcp port 5060
> no ip nat service sip udp port 5060
> 
> to the config.  This is despite the fact that NAT service (payload
> modification of addresses) should be off by default...
> 
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/product
> s_feature_
> guide09186a0080087d43.html#wp1031752
> 
> We spent a lot of time figuring this out...
> 
> Chuck Church
> Network Engineer
> CCIE #8776, MCNE, MCSE
> Multimax, Inc.
> Enterprise Network Engineering
> Home Office - 864-335-9473 
> Cell - 864-266-3978
> cchurch@xxxxxxxxxxxx
> 
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On 
> Behalf Of
> Jens Petter
> Sent: Thursday, September 21, 2006 1:30 PM
> To: 'Cisco certification'
> Subject: problems with sip troug cbac router
> 
> I have some sip phones that connects to an sip server on the 
> outside of
> the
> router.. I am using cbac on the router, this is the config :
> 
>  
> 
> ip inspect name FIREWALL tcp alert on
> 
> ip inspect name FIREWALL udp alert on timeout 30
> 
> ip inspect name FIREWALL icmp alert on
> 
> ip inspect name FIREWALL sip alert on timeout 350
> 
>  
> 
> interface FastEthernet4
> 
>  ip address 213.162.xxx.xxx 255.255.255.252
> 
>  ip access-group FIREWALL_ACL in
> 
>  ip verify unicast reverse-path
> 
>  no ip redirects
> 
>  no ip proxy-arp
> 
>  ip inspect FIREWALL out
> 
>  ip nat outside
> 
>  ip virtual-reassembly
> 
>  duplex auto
> 
>  speed auto
> 
>  
> 
> interface Vlan1
> 
>  ip address 192.168.1.1 255.255.255.0
> 
>  no ip unreachables
> 
>  ip nat inside
> 
>  ip virtual-reassembly
> 
>  ip tcp adjust-mss 1452
> 
>  
> 
> ip nat inside source list NAT interface FastEthernet4 overload
> 
>  
> 
> ip access-list extended NAT
> 
>  permit ip 192.168.1.0 0.0.0.255 any
> 
>  
> 
> ip access-list extended FIREWALL_ACL
> 
>  permit tcp 213.162.224.0 0.0.31.255 host 213.162.236.222 eq telnet
> 
>  permit icmp 213.162.224.0 0.0.31.255 host 213.162.236.222 echo
> 
>  permit icmp any host 213.162.236.222 echo-reply
> 
>  deny   ip any any log
> 
>  
> 
> I am encountering a problem with the phones, they keep 
> disconnecting. I
> am
> not sure why. You can have a look at the log under.. I was hoping some
> of your voice experts could lead me in the right direction for solving
> this.
> 
> 
>  
> 
> I read on cco that you should enable inspection in both direction, but
> that
> did not help here.. The timeout on the server is set to 300 sec
> 
>  
> 
> I am using version1 12.4.(4)T3 software
> 
>  
> 
>  
> 
> This is the log on sip server.. This is the Qualify traffic that does
> not
> work. :
> 
> Sep 21 14:44:51 NOTICE[25178] chan_sip.c: Peer '51213595' is now
> REACHABLE!
> (89ms / 2000ms)
> Sep 21 14:45:55 NOTICE[25178] chan_sip.c: Peer '51213595' is now
> UNREACHABLE!  Last qualify: 89
> Sep 21 15:01:31 NOTICE[25178] chan_sip.c: Peer '51213595' is now
> UNREACHABLE!  Last qualify: 120
> Sep 21 15:02:57 NOTICE[25178] chan_sip.c: Peer '51213595' is now
> REACHABLE!
> (147ms / 2000ms)
> Sep 21 15:04:01 NOTICE[25178] chan_sip.c: Peer '51213595' is now
> UNREACHABLE!  Last qualify: 147
> Sep 21 15:05:27 NOTICE[25178] chan_sip.c: Peer '51213595' is now
> REACHABLE!
> (149ms / 2000ms)
> 
> Sep 21 14:39:58 NOTICE[25178] chan_sip.c: Peer '51213596' is now
> REACHABLE!
> (28ms / 2000ms)
> Sep 21 14:41:02 NOTICE[25178] chan_sip.c: Peer '51213596' is now
> UNREACHABLE!  Last qualify: 28
> Sep 21 15:01:27 NOTICE[25178] chan_sip.c: Peer '51213596' is now
> UNREACHABLE!  Last qualify: 36
> Sep 21 15:06:19 NOTICE[25178] chan_sip.c: Peer '51213596' is now
> REACHABLE!
> (38ms / 2000ms)
> Sep 21 15:13:14 NOTICE[25178] chan_sip.c: Peer '51213596' is now
> UNREACHABLE!  Last qualify: 30
> Sep 21 15:18:12 NOTICE[25178] chan_sip.c: Peer '51213596' is now
> REACHABLE!
> (33ms / 2000ms)
> 
> ______________________________________________________________
> _________
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html
> 
> ______________________________________________________________
> _________
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html

References:
- RE: problems with sip troug cbac router
  - From: Jens Petter

Prev by Date: Re: ccie voice Lab equipment
Next by Date: problems with L2TP pass thru ASA5520
Previous by thread: RE: problems with sip troug cbac router
Next by thread: VPN backup route question
Index(es):
- Date
- Thread