I have a Netvanta 3120 with a PBX behind it set up with a SIP trunk. Inbound calls always work, but outbound calls occasionally fail. Working with the SIP provider, it looks like the router is translating port 5060 coming from the PBX and sending it on a different port going to the provider. Even though the destination port is still 5060, the provider rejects the registration because the source port is not 5060, or whatever the PBX last registered with. I know the PBX is always trying to register with port 5060, at least that is how it's set up. I have the inbound rules for port forwarding set up without issue. What can I do to ensure that the outbound port doesn't get translated?
The config in question:
hostname "frustrated_custmer"
enable password encrypted blahblah
!
!
ip subnet-zero
ip classless
ip routing
domain-proxy
name-server 8.8.8.8
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
service password-encryption
!
username "admin" password encrypted "nottherealpw"
!
ip policy-timeout udp all-ports 300
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
ip dhcp excluded-address 192.168.1.0 192.168.1.99
ip dhcp excluded-address 192.168.1.251 192.168.1.255
!
ip dhcp pool "Private"
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.1.1
!
!
!
!
!
!
!
!
!
vlan 1
name "Default"
!
!
interface eth 0/1
ip address 162.x.x.x 255.255.x.x
ip access-policy Public
no rtp quality-monitoring
no shutdown
no lldp send-and-receive
!
!
interface switchport 0/1
no shutdown
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
!
!
interface vlan 1
ip address 192.168.1.1 255.255.255.0
ip access-policy Private
no shutdown
!
!
!
!
ip access-list standard wizard-ics
remark NAT list wizard-ics
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended web-acl-6
remark remote_MGMT
permit tcp host 104.x.x.x any eq telnet log
permit tcp host 104.x.x.x any eq https log
permit tcp host 104.x.x.x any eq ssh log
permit icmp any any echo log
!
ip access-list extended wizard-pfwd-1
remark Port Forward 1
permit udp host sip.provider.public.address host 162.x.x.x (public address) eq 5060 log
permit tcp any host 162.x.x.x eq 5090 log
permit tcp any host 162.x.x.x eq 5003 log
permit tcp any host 162.x.x.x eq ftp log
permit tcp any host 162.x.x.x eq 6001 log
permit udp host sip.provider.public.address host 162.x.x.x range 50000 50032 log
!
ip access-list extended wizard-remote-access
remark do not hand edit this ACL
permit icmp any any echo log
permit tcp host 104.x.x.x any eq https log
permit tcp host 104.x.x.x any eq telnet log
permit tcp host 104.x.x.x any eq ssh log
permit tcp 192.168.1.0 0.0.0.255 any log
deny tcp any any eq telnet log
deny tcp any any eq ssh log
!
!
ip nat pool web-nat-pool-1 static
local 192.168.1.15 192.168.1.15 global 162.x.x.x 162.x.x.x
!
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
allow list web-acl-6 self
nat destination list wizard-pfwd-1 address 192.168.1.15 (PBX local ip)
!
!
ip route 0.0.0.0 0.0.0.0 162.x.x.x
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
login
password encrypted 3c309c0483da2eb36a6b04185252b73a3ad4
!
line telnet 0
login
password encrypted 3c30bd91036f03145b06eb5043d04123583b
no shutdown
line telnet 1 2
login
password encrypted 404cbd107d81c719bfca71ab72ba23dfd000
no shutdown
line telnet 3
login
password encrypted 3a362665a7ac45cbccdad29e0ded67275042
no shutdown
line telnet 4
login
password encrypted 222e281f65ba76f86e29db61b9bac75989bd
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
sntp server 0.north-america.pool.ntp.org
!
!
!
!
!
!
end
You already have SIP ALG disabled so that's good... I'm not certain this will resolve your issue but I'd definitely start by removing the SIP statements from your router's config:
!
ip sip udp 5060
ip sip tcp 5060
!
Your NAT overload is doing port translation when more than one session is established from the same inside to outside IP. You'll need a SIP B2BUA configuration and not conventional NAT. Enable SIP ALG and transparent proxy, and see if this works for you.
I'll give SIP ALG and transparent proxy a shot at some point. For a quick workaround I set the UDP timeout to a higher value to keep the PBX from trying to use a different port for registration when the re-register time comes. Not the most secure solution, but it got them operational.
Thanks for the answers!
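The two posts above (NAT overload translating the source port once more than one session shares the public IP, and the UDP timeout workaround) can be illustrated with a small model. The Python below is an added example, not AdTran's code and not the NetVanta's actual allocation algorithm: it is a generic port-preserving PAT table with an idle timeout. The public IP, the second SIP device at 192.168.1.20, its 60-second keepalive cadence and the one-hour PBX re-register interval are constructed assumptions; the 300-second default comes from the `ip policy-timeout udp all-ports 300` line in the posted config.

```python
"""Simplified model of NAT overload (PAT) with a UDP idle timeout.

Added illustration, not the NetVanta's real algorithm. It shows why an
overloaded NAT can hand the PBX's UDP 5060 traffic a different public
source port after the original binding ages out, and why a UDP timeout
longer than the PBX re-registration interval keeps the public port stable.
"""
from dataclasses import dataclass

PUBLIC_IP = "162.0.2.1"      # constructed stand-in for the router's 162.x.x.x address
EPHEMERAL_START = 1024       # constructed: first fallback port when preservation fails


@dataclass
class Binding:
    inside: tuple            # (inside ip, inside port)
    public_port: int
    last_seen: float


class OverloadNat:
    """Many inside hosts share one public IP; the public port tells them apart."""

    def __init__(self, udp_timeout):
        self.udp_timeout = udp_timeout
        self.bindings = {}   # (inside ip, inside port) -> Binding
        self.in_use = set()  # public ports currently allocated
        self.next_ephemeral = EPHEMERAL_START

    def _expire(self, now):
        # Idle bindings are torn down and their public port is freed.
        for key, b in list(self.bindings.items()):
            if now - b.last_seen > self.udp_timeout:
                del self.bindings[key]
                self.in_use.discard(b.public_port)

    def _allocate(self, wanted):
        # Keep the inside source port when nobody else holds it (port preservation),
        # otherwise fall back to the next free ephemeral port.
        if wanted not in self.in_use:
            return wanted
        while self.next_ephemeral in self.in_use:
            self.next_ephemeral += 1
        port = self.next_ephemeral
        self.next_ephemeral += 1
        return port

    def translate(self, inside_ip, inside_port, now):
        """Return the (public ip, public port) a datagram leaves the WAN side with."""
        self._expire(now)
        key = (inside_ip, inside_port)
        b = self.bindings.get(key)
        if b is None:
            port = self._allocate(inside_port)
            b = Binding(key, port, now)
            self.bindings[key] = b
            self.in_use.add(port)
        b.last_seen = now
        return PUBLIC_IP, b.public_port


def run_scenario(udp_timeout, reregister_interval=3600):
    """Public source ports seen by the provider for the PBX's first and second REGISTER."""
    nat = OverloadNat(udp_timeout)
    pbx = ("192.168.1.15", 5060)            # PBX local IP from the posted config
    other = ("192.168.1.20", 5060)          # constructed second SIP device behind the same NAT
    ports = [nat.translate(*pbx, 0)[1]]     # initial REGISTER at t=0
    # The second device starts talking at t=1000 and sends a keepalive every 60 s.
    for t in range(1000, reregister_interval + 1, 60):
        nat.translate(*other, t)
    ports.append(nat.translate(*pbx, reregister_interval)[1])   # PBX re-registers
    return ports


if __name__ == "__main__":
    print("timeout 300 s :", run_scenario(300))    # [5060, 1024]  -> provider rejects
    print("timeout 4000 s:", run_scenario(4000))   # [5060, 5060]  -> port stays put
```

With the 300-second default the PBX's binding is gone long before it re-registers, the other device takes public port 5060 in the meantime, and the next REGISTER leaves on an ephemeral port the provider will not accept. With a timeout longer than the re-register interval the PBX's binding is still alive and keeps 5060, which is the effect the workaround in the thread relies on; the trade-off is that idle UDP state now lingers on the firewall far longer.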
I am having the exact same issue. What was your resolution?