Support
Community

The phone network (vlan2) is NAT'ing out the "sip WAN" vlan 3 interface. The problem is the rtp is reporting the source address as the eth0/0 interface address and not the vlan 3 interface address.

Also and all interfaces that are doing SIP need a media-gateway set or it will fail altogether.

interface vlan 1

  description Customer LAN

  ip address 10.10.10.1 255.255.255.0

  ip access-policy Private

  media-gateway ip primary

  no shutdown

!

interface vlan 2

  description VOIP Phones

  ip address 10.10.20.1 255.255.255.0

  ip access-policy Private

  media-gateway ip primary

  no shutdown

!

interface vlan 3

  description SIP WAN

  ip address 172.16.16.10 255.255.255.0

  ip access-policy SIP_Private

  media-gateway ip primary

  no shutdown

!

The NAT is working as it should. The vlan 2 network is NAT overloading to the vlan 3 address. The problem is ONLY with the SIP RTP. I can't get it to source from the vlan 3 interface. So what ends up happening is the SIP RTP si sent to the SIP server living at 172.17.0.5; it sees the RTP coming from 68.65.123.10 so it sends the packets back to that address which isn't what we want. It needs to souce from 172.16.16.10 so the RTP can route back to it properly.

Here is a diagram of how everything is setup.

Also here is the output of those commands

Gateway of last resort is 68.65.123.1 eth 0/0

S    0.0.0.0/0 [1/1/0] via 68.65.123.1, eth 0/0

C    10.10.10.0/24 is directly connected, vlan 1

C    10.10.20.0/24 is directly connected, vlan 2

C    68.65.123.0/24 is directly connected, eth 0/0

C    172.16.16.0/24 is directly connected, vlan 3

S    172.17.0.0/24 [1/1/0] via 172.16.16.1, vlan 3

Src Vrf (if not default), Src policy class:

Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class

  Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port

  --------------- -------- --------------- -------- ----------------- --------

Policy class "Private":

udp (53) -> self

  10.10.20.2      5060     10.10.20.1      5060

udp (45) -> SIP_Private

  10.10.20.2      3000     172.17.0.6      51064    s 68.65.123.10   50000

udp (38) -> SIP_Private

  10.10.20.2      3001     172.17.0.6      51065    s 68.65.123.10   50001

Policy class "self":

udp (53) -> SIP_Private

  172.16.16.9     5060     172.17.0.5      5060

ip access-list standard NAT

  remark Internet Connection Sharing

  permit any

!

!

ip access-list extended InterVLAN

  remark Voice / Data VLAN Traffic

  permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255

!

ip access-list extended self

  remark Traffic to Netvanta

  permit ip any  any     log

!

ip access-list extended tsc-sip-acl

  permit ip 172.17.0.0 0.0.0.15  any

  permit ip 172.17.0.16 0.0.0.15  any

  permit ip 172.17.0.32 0.0.0.15  any

!

ip access-list extended web-acl-7

  remark 1toMany

  permit ip 10.10.20.0 0.0.0.255  any     log

!

ip access-list extended web-acl-8

  remark Traffic to Netvanta

  permit ip any  any     log

!

!

!

!

ip policy-class Private

  allow list self self

  allow list InterVLAN stateless

  nat source list NAT interface eth 0/0 overload

!

ip policy-class Public

  allow list tsc-mgt-acl self

  allow list tsc-sip-acl self

!

ip policy-class SIP_Private

  allow list web-acl-8

  nat source list web-acl-7 interface vlan 3 overload

!

!

!

ip route 0.0.0.0 0.0.0.0 68.65.105.1

ip route 172.17.0.0 255.255.255.0 172.16.16.1

!