I read the posts in this thread and was wondering what to do if the carrier was expecting and sending traffic to a public IP address that is a secondary address on the public-facing interface on a 3448. Without the outbound NAT specifying the secondary address, the proxy is always going to use the primary address on the interface, which the carrier won't accept.
thanks,
Paolo
Paolo:
Thank you for asking this question in the support community. If the carrier is expecting traffic from an IP address, other than the primary IP address assigned to the public facing interface, then the firewall will need a NAT statement to that address. Also, the media-gateway command should specify the secondary IP address. Here is an example configuration of the interface and firewall configuration:
interface eth 0/1
  description INTERNET CONNECTION
  ip address 1.1.1.1 255.255.255.248
  ip address 2.2.2.2 255.255.255.255 secondary
  ip access-policy PUBLIC
  media-gateway ip secondary 2.2.2.2
  no shutdown
!
interface eth 0/2
  description LAN CONNECTION
  ip address 3.3.3.1 255.255.255.0
  ip access-policy PRIVATE
  media-gateway ip primary
  no shutdown
!
ip policy-class PRIVATE
  allow list SIP self
  nat source list VOICE address 2.2.2.2 overload
  nat source list MATCHALL interface eth 0/1 overload
!
ip policy-class PUBLIC
  allow list SIP self
I hope that makes sense, but please do not hesitate to reply to this post with any additional questions. I will be happy to help in any way I can.
Levi
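A pre-change sanity check for the configuration in the reply above, added here as an example (it is not from the original posts or from the vendor). The function name `check_nat_sources` is hypothetical, and the parser assumes only the `ip address`, `media-gateway ip` and `nat source list ... address` line forms shown in that reply; the sample text is constructed from it.

```python
import re

# Constructed sample: the address, media-gateway and NAT lines from the reply above.
SAMPLE = """\
interface eth 0/1
ip address 1.1.1.1 255.255.255.248
ip address 2.2.2.2 255.255.255.255 secondary
media-gateway ip secondary 2.2.2.2
!
interface eth 0/2
ip address 3.3.3.1 255.255.255.0
media-gateway ip primary
!
ip policy-class PRIVATE
nat source list VOICE address 2.2.2.2 overload
nat source list MATCHALL interface eth 0/1 overload
"""

def check_nat_sources(config):
    """Return a list of problems; an empty list means the config is consistent."""
    addrs, primary, media, nat_addrs = {}, {}, {}, []
    iface = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (.+)", line):
            iface = m.group(1)
            addrs[iface] = set()
        elif line.startswith("ip policy-class"):
            iface = None  # no longer inside an interface block
        elif iface and (m := re.match(r"ip address (\S+) \S+( secondary)?$", line)):
            addrs[iface].add(m.group(1))
            if not m.group(2):
                primary[iface] = m.group(1)
        elif iface and (m := re.match(r"media-gateway ip (?:secondary (\S+)|primary)$", line)):
            media[iface] = m.group(1) or "primary"
        elif m := re.match(r"nat source list \S+ address (\S+)", line):
            nat_addrs.append(m.group(1))
    # Resolve 'media-gateway ip primary' to the interface's primary address.
    media = {i: primary.get(i) if v == "primary" else v for i, v in media.items()}
    problems = []
    for i, ip in media.items():
        if ip not in addrs[i]:
            problems.append(f"media-gateway address {ip} is not configured on {i}")
    for ip in nat_addrs:
        owner = next((i for i, a in addrs.items() if ip in a), None)
        if owner is None:
            problems.append(f"NAT address {ip} is not assigned to any interface")
        elif media.get(owner) != ip:
            problems.append(f"media-gateway on {owner} does not use NAT address {ip}")
    return problems
```

Run it against a saved copy of the configuration before applying changes; it also accepts the swapped layout where the voice address is the primary.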
Do exactly what Levi says, or just swap the primary and secondary IPs in the configuration so that the voice traffic uses the primary.
Do this from a device on the inside or from the console or you're likely to lock yourself out of the box. Configuring the interface or route via which you are connected is risky at best.
"reload in 15" first can save your butt if you have no other choice. If you lock yourself out, just wait. 15 minutes later the box reboots and your unsaved changes are gone.
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor