We are trying to send the outbound SIP traffic out the vlan3 interface so it stays within the private VOIP network. The SIP traffic is routing properly, but we can't get the RTP to source from the IP on the vlan 3 interface. We have tried setting up a loopback interface and using it for the media-gateway ip, but everything we try still won't source as the 172.16.16.10 address. How can this be done?
Here is the config for the interfaces involved.
interface eth 0/0
description WAN
ip address 68.65.123.10 255.255.255.0
ip access-policy Public
no shutdown
!
interface gigabit-eth 0/2
no shutdown
switchport access vlan 3
!
interface vlan 3
description SIP WAN
ip address 172.16.16.10 255.255.255.0
ip access-policy SIP_Private
media-gateway ip primary
no shutdown
!
ip route 0.0.0.0 0.0.0.0 68.65.123.1
ip route 172.17.0.0 255.255.255.0 172.16.16.1
If you aren't traversing a NAT, the RTP will typically just route to the origin of the RTP and pass through the Adtran device as would any other layer 3 IP routed flow.
If you are traversing a NAT, make sure that you also have the media-gateway ip defined on the outside of the NAT, which should fix the problem.
The phone network (vlan2) is NAT'ing out the "sip WAN" vlan 3 interface. The problem is the RTP is reporting the source address as the eth0/0 interface address and not the vlan 3 interface address.
Also, all interfaces that are doing SIP need a media-gateway set or it will fail altogether.
interface vlan 1
description Customer LAN
ip address 10.10.10.1 255.255.255.0
ip access-policy Private
media-gateway ip primary
no shutdown
!
interface vlan 2
description VOIP Phones
ip address 10.10.20.1 255.255.255.0
ip access-policy Private
media-gateway ip primary
no shutdown
!
interface vlan 3
description SIP WAN
ip address 172.16.16.10 255.255.255.0
ip access-policy SIP_Private
media-gateway ip primary
no shutdown
!
Do you have the appropriate NAT rules in place between the Private and SIP_Private policy-classes?
Also, both of these are RFC1918 IP ranges; could there be double-NAT going on? If so, you will likely want to avoid doing this if at all possible.
The NAT is working as it should. The vlan 2 network is NAT overloading to the vlan 3 address. The problem is ONLY with the SIP RTP. I can't get it to source from the vlan 3 interface. So what ends up happening is the SIP RTP is sent to the SIP server living at 172.17.0.5; it sees the RTP coming from 68.65.123.10 so it sends the packets back to that address, which isn't what we want. It needs to source from 172.16.16.10 so the RTP can route back to it properly.
How is the eth 0/0 WAN interface involved? You don't have a media-gateway ip primary statement applied to that interface. Based on your interface descriptions you've got VoIP phones on interface VLAN 2, 10.10.20.0/24 and a SIP WAN on VLAN 3, 172.16.16.0/24. In your last posting you reference a SIP server on 172.17.0.5 which isn't directly connected. What's the route to that network?
Could you possibly post a config with sensitive information redacted? Also the results of:
with a voice call up.
Here is a diagram of how everything is set up.
Also here is the output of those commands
Gateway of last resort is 68.65.123.1 eth 0/0
S 0.0.0.0/0 [1/1/0] via 68.65.123.1, eth 0/0
C 10.10.10.0/24 is directly connected, vlan 1
C 10.10.20.0/24 is directly connected, vlan 2
C 68.65.123.0/24 is directly connected, eth 0/0
C 172.16.16.0/24 is directly connected, vlan 3
S 172.17.0.0/24 [1/1/0] via 172.16.16.1, vlan 3
Src Vrf (if not default), Src policy class:
Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class
Src IP Address Src Port Dest IP Address Dst Port NAT IP Address NAT Port
--------------- -------- --------------- -------- ----------------- --------
Policy class "Private":
udp (53) -> self
10.10.20.2 5060 10.10.20.1 5060
udp (45) -> SIP_Private
10.10.20.2 3000 172.17.0.6 51064 s 68.65.123.10 50000
udp (38) -> SIP_Private
10.10.20.2 3001 172.17.0.6 51065 s 68.65.123.10 50001
Policy class "self":
udp (53) -> SIP_Private
172.16.16.9 5060 172.17.0.5 5060
ip access-list standard NAT
remark Internet Connection Sharing
permit any
!
!
ip access-list extended InterVLAN
remark Voice / Data VLAN Traffic
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
ip access-list extended self
remark Traffic to Netvanta
permit ip any any log
!
ip access-list extended tsc-sip-acl
permit ip 172.17.0.0 0.0.0.15 any
permit ip 172.17.0.16 0.0.0.15 any
permit ip 172.17.0.32 0.0.0.15 any
!
ip access-list extended web-acl-7
remark 1toMany
permit ip 10.10.20.0 0.0.0.255 any log
!
ip access-list extended web-acl-8
remark Traffic to Netvanta
permit ip any any log
!
!
!
!
ip policy-class Private
allow list self self
allow list InterVLAN stateless
nat source list NAT interface eth 0/0 overload
!
ip policy-class Public
allow list tsc-mgt-acl self
allow list tsc-sip-acl self
!
ip policy-class SIP_Private
allow list web-acl-8
nat source list web-acl-7 interface vlan 3 overload
!
!
!
ip route 0.0.0.0 0.0.0.0 68.65.105.1
ip route 172.17.0.0 255.255.255.0 172.16.16.1
!
The phones are in VLAN 2, which has the Private policy-class applied. Try adding a NAT statement overloading to vlan 3 above the catch all NAT out eth 0/0.
Thanks,
Matt
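The ordering suggested in the reply above, modelled as an added example (not code from the thread or from Adtran): a simplified first-match walk of the NAT entries in the Private policy-class, assuming entries are evaluated top-down. The ACL name SIP-NAT and the 203.0.113.5 Internet destination are hypothetical; the allow entries are left out because the RTP flow does not match them.

```python
import ipaddress

# Interface addresses taken from the posted config.
IFACE_IP = {"eth 0/0": "68.65.123.10", "vlan 3": "172.16.16.10"}

ANY = "0.0.0.0/0"
# ACLs as (source, destination) pairs in address/wildcard form.
ACLS = {
    # ip access-list standard NAT / permit any   (from the page)
    "NAT": [(ANY, ANY)],
    # Hypothetical ACL for the suggested fix:
    #   permit ip 10.10.20.0 0.0.0.255 172.17.0.0 0.0.0.255
    "SIP-NAT": [("10.10.20.0/0.0.0.255", "172.17.0.0/0.0.0.255")],
}

def acl_permits(name, src, dst):
    """True if any permit line of the named ACL matches the src/dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
        for a, b in ACLS[name]
    )

def nat_source(policy, src, dst):
    """Source IP after the first matching 'nat source list ... overload' entry."""
    for acl, iface in policy:
        if acl_permits(acl, src, dst):
            return IFACE_IP[iface]
    return src  # no NAT entry matched, address unchanged

# ip policy-class Private as posted: only the catch-all entry.
#   nat source list NAT interface eth 0/0 overload
PRIVATE_AS_POSTED = [("NAT", "eth 0/0")]

# With the specific entry placed above the catch-all.
#   nat source list SIP-NAT interface vlan 3 overload
#   nat source list NAT interface eth 0/0 overload
PRIVATE_REORDERED = [("SIP-NAT", "vlan 3"), ("NAT", "eth 0/0")]

if __name__ == "__main__":
    rtp = ("10.10.20.2", "172.17.0.6")    # RTP flow from the session table
    web = ("10.10.20.2", "203.0.113.5")   # constructed Internet-bound flow
    for label, policy in (("as posted", PRIVATE_AS_POSTED),
                          ("reordered", PRIVATE_REORDERED)):
        print(label, "RTP ->", nat_source(policy, *rtp),
              "| Internet ->", nat_source(policy, *web))
```

As posted, the catch-all `permit any` entry is the first match for the phone's RTP, which is the 68.65.123.10 translation visible in the session table; with the specific entry first, only traffic to 172.17.0.0/24 is translated to the vlan 3 address.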