Sipgate, Cisco 1701 router and Cisco 7940

Regular readers or those with the power of search will know I managed to connect a Cisco 7940 to Sipgate. Those who know me in person will know that I changed my router/firewall combination out for a Cisco 1701 and it all stopped working on the Sipgate front.

In short, my Cisco was telling me it was connecting and registered.

SIP Phone> sh reg

LINE REGISTRATION TABLE
Proxy Registration: ENABLED, state: REGISTERED
line  APR  state          timer       expires     proxy:port
----  ---  -------------  ----------  ----------  ------------------
1     111  REGISTERED     3595        3512        sipgate.co.uk:5060

Outbound calling was fine as always. Inbound wasn’t working. Sipgate tech support told me I was not registering at all. Bugger.

It turned out to be down to layer-4 NAT. The Cisco, it seems, does a better job of dealing with NAT than my SonicWall: the Cisco rewrites the addresses inside SIP messages, whilst the SonicWall I used before didn't. The solution was simple: turn off NAT support on the phone.

Dumb Firewall

In sipdefault.cnf, you can configure the phone behind a non-SIP-friendly firewall running one-to-one NAT as follows. In effect, the phone sends outbound SIP messages with the public address already inside them and leaves the firewall to NAT only the packet source address:

nat_address : 194.223.x.x ; put the public address here

nat_received_processing : 0

nat_enable : 0

Smart Firewall

If you do not have a fixed one-to-one NAT on your router, and your router is handling layer-4 NAT, then change these lines in sipdefault.cnf:

nat_address : "" ; yes. Double quotes, no spaces

nat_received_processing : 1

nat_enable : 1
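If you want to sanity-check a sipdefault.cnf against the two profiles above before rebooting the phone, here is a small Python lint. It is an added example, not part of the original post or any Cisco tooling; the profile names, the checks (0/1 values, private address in nat_address, curly quotes copied from a web page, nat_address set while nat_enable is 1) and the three sample snippets are this example's own.

```python
"""Lint the NAT-related lines of a Cisco 7940/7960 sipdefault.cnf and say
which profile from the post they match: "dumb-firewall" (phone writes the
public address into SIP itself) or "smart-firewall" (router fixes SIP up).

Added example; the profile names and checks are this script's own.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# key : value ; comment   (keys are single tokens; ";begin"/";end" lines are skipped)
_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*(?:;.*)?$")
_CURLY = "\u201c\u201d\u2018\u2019"          # curly quotes that a web copy-paste leaves behind
_RFC1918 = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_cnf(text: str) -> Dict[str, str]:
    """Parse the file into a dict; straight double quotes around a value are
    stripped, so the post's `nat_address : ""` becomes the empty string."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue
        m = _LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        cfg[key] = value
    return cfg


def lint_nat(cfg: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (profile, problems); profile is dumb-firewall, smart-firewall or inconsistent."""
    problems: List[str] = []
    enable = cfg.get("nat_enable", "0")
    recv = cfg.get("nat_received_processing", "0")
    addr = cfg.get("nat_address", "")

    for key, val in (("nat_enable", enable), ("nat_received_processing", recv)):
        if val not in ("0", "1"):
            problems.append(f"{key} must be 0 or 1, got {val!r}")

    clean = addr.strip(_CURLY)
    if clean != addr:
        problems.append('nat_address contains curly quotes (copied from a web page?); use plain ""')
    addr_set = clean != "" and clean.upper() != "UNPROVISIONED"

    if addr_set:
        try:
            ip = ipaddress.ip_address(clean)
            if any(ip in net for net in _RFC1918):
                problems.append(f"nat_address {clean} is a private address; put the public address here")
        except ValueError:
            pass  # a DNS name is allowed by the phone; nothing more to check offline

    if enable == "0" and recv == "0" and addr_set:
        profile = "dumb-firewall"
    elif enable == "1" and recv == "1" and not addr_set:
        profile = "smart-firewall"
    else:
        profile = "inconsistent"
        if enable == "1" and addr_set:
            problems.append("nat_enable is 1 but nat_address is set: NAT in two places; empty nat_address")
        if enable == "0" and not addr_set:
            problems.append("nat_enable is 0 and nat_address is empty: nothing inserts the public address")
        if enable != recv:
            problems.append("change nat_enable and nat_received_processing together")
    return profile, problems


# Constructed samples: the two profiles from the post, and a broken mix.
DUMB_CNF = """;begin
nat_address : 203.0.113.7 ; put the public address here
nat_received_processing : 0
nat_enable : 0
;end
"""
SMART_CNF = """nat_address : "" ; yes. Double quotes, no spaces
nat_received_processing : 1
nat_enable : 1
"""
BAD_CNF = """nat_address : 10.0.0.3
nat_received_processing : 1
nat_enable : 1
"""

if __name__ == "__main__":
    for name, text in (("dumb", DUMB_CNF), ("smart", SMART_CNF), ("bad", BAD_CNF)):
        profile, problems = lint_nat(parse_cnf(text))
        print(f"{name}: {profile}", *problems, sep="\n  ")
```

Run it over your real sipdefault.cnf with `lint_nat(parse_cnf(open("sipdefault.cnf").read()))`; the "inconsistent" verdict is the "don't NAT in two places" case from the troubleshooting list.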

Example Config

For your pleasure and enjoyment, please find enclosed the useful bits from my router and phone configs. They are shown here in the version where the router doesn't handle layer-4 SIP NAT and you need to tell the phone the fixed external IP; the router config can be left unchanged whether or not the phone is doing NAT.

If you want to use these, copy-paste and make the following search-replacements:

10.x.x.1 – your LAN gateway
10.x.x.2 – your tftp server
10.x.x.3 – your phone IP on the LAN
y.y.y.y – the static public IP that your phone is NATted out to
12345 – your sipgate login
sipgatepassword – your, erm, password for sipgate

SIPDEFAULT.CNF

;begin
dhcp_server : Disabled
my_ip_addr : 10.x.x.3
subnet_mask : 255.255.255.0
defaultgw : 10.x.x.1
dyn_dns_addr_1 : 0.0.0.0
dyn_dns_addr_2 : 0.0.0.0
dns_addr : 208.67.220.220
dns_backup_1 : 208.67.222.222
primary_tftp_addr : 10.x.x.2
dyn_tftp_addr : 0.0.0.0
domain_name : simkin.org
Status Flags : 12300001
image_version : P0S3-8-12-00
network_media_type : Auto
network_port2_type : Hub/Switch
phone_password : password
phone_prompt : "SIP Phone"
nat_enable : 0
nat_address : y.y.y.y
voip_control_port : 5060
start_media_port : 16384
end_media_port : 32766
messages_uri : "*97"
preferred_codec : g711ulaw
proxy1_address : "sipgate.co.uk"
proxy1_port : 5060
outbound_proxy : sipgate.co.uk
outbound_proxy_port : 5082
nat_received_processing : 0
;end

SIP<MACADDRESS>.CNF

;begin
phone_label : "Orange Teapot "
line1_name : 12345
line1_authname : 12345
line1_password : sipgatepassword
line1_shortname : 12345
line1_displayname : 12345
line2_displayname : ""
line2_shortname : ""
line2_name : UNPROVISIONED
line2_authname : UNPROVISIONED
line2_password : UNPROVISIONED
;end

Running config on router:

ip inspect max-incomplete low 350
ip inspect max-incomplete high 400
ip inspect one-minute high 1000
ip inspect one-minute low 900
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name INSPECTOUT sip
ip inspect name INSPECTOUT tcp
ip inspect name INSPECTOUT udp
!
interface FastEthernet0
ip address 10.x.x.1 255.255.255.0
ip accounting output-packets
ip nbar protocol-discovery
ip nat inside
load-interval 30
hold-queue 100 out
!
interface ATM0.1 point-to-point
description Access to DSL Network
ip nat outside
!
interface Virtual-Template1
ip address negotiated
ip access-group ACL101 in
ip nat outside
ip inspect INSPECTOUT out
load-interval 30
!
ip nat inside source static 10.x.x.3 y.y.y.y
!
ip access-list extended ACL101
permit icmp any any echo-reply
permit icmp any any administratively-prohibited
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
deny tcp any any eq telnet
permit udp any host y.y.y.y eq 5060
deny ip any any

The "ip inspect" statements do most of the work. The explicit inbound UDP 5060 permit is possibly not needed, but the port needs to be open anyway, so no harm, no foul. I use a fixed one-to-one NAT as it is simple and I have a spare address. It should work with PAT as well, but I don't need that so have not tested it.

If you get problems, remember a few things:

  • Don’t NAT in two places.
  • Change the nat_received_processing and nat_enable values first. Empty the nat_address if you have nat_enable : 1 (i.e. the phone is told that NAT is being handled elsewhere).
  • Test using a softphone like Phonerlite without STUN to get your firewall settings right; only then try to get the phone working.
  • The sipgate server shows you register but is only a snapshot. If registration fails or falls over later, you won’t know. Your phone “sh reg” can also be misleading as it is in effect a snapshot from the last attempt which may have been 5 minutes ago.
  • Changing phone settings needs a restart. Telnet 10.x.x.3, type your password <cr> reset <cr> and go get another beer
  • Registration can be dropped and re-established with “reg 01” and “reg 1 1”
  • You can test your phone outbound by dialling 10000 to hear a sipgate recorded message.
  • If you run multiple phones, use different RTP mediaport and SIP ranges. The RTP ranges are usually good with 16 ports per handset, so try 46104-46120, 46204-46220 and for SIP 46160, 46260 [The public ports are always 5004-5020 and 5060]

Good luck!

For those wanting to fathom out how to run a phone behind a NAT router without giving it a fixed address, try reading here. (My thoughts are to enable NAT and give out a dyndns name rather than IP in nat_address but I have not tried it yet):

When network address translation (NAT) is enabled, the Cisco SIP IP Phone provides support for SIP messages to traverse NAT/Firewall networks. The Contact and Via headers are modified to reflect the NAT parameters. The Cisco SIP IP Phone can also enable NAT received processing. See the nat_enable, nat_address, and nat_received_processing parameters in the section, "Modifying the Default SIP Configuration File" in Chapter 3, "Managing Cisco SIP IP Phones," at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/sip7960/sipadm22/index.htm

To quote from that page:

* nat_enable—(Optional) Use 0 to disable network address translation (NAT) and 1 to enable NAT. Default is 0.

When NAT is enabled, the Contact header appears like this:

Contact: sip:lineN_name@nat_address:voip_control_port

If nat_address is invalid or UNPROVISIONED, then the Contact header appears like this:

Contact: sip:lineN_name@phone_ip_address:voip_control_port

and the Via header appears like this:

Via: SIP/2.0/UDP phone_ip_address:voip_control_port

If NAT is enabled, the SDP message uses the nat_address and a RTP port between the start_media_port and the end_media_port range in the C and M fields. All RTP traffic is sourced from the port advertised in the SDP.

* nat_address—The WAN IP address of the NAT or firewall server. You can use either a dotted IP address or a DNS name.

* nat_received_processing—Use 0 to disable NAT received processing and 1 to enable NAT received processing. Default is 0. If nat_received_processing is enabled, and received= tag is in the Via header of the 200 OK response from a REGISTER, the IP address in the received= tag is used instead of the nat_address in the Contact header.

If this switch occurs, the phone unregisters the old IP address and reregisters with the new IP address.
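The header rules in the quoted passage are easier to follow in code. The Python model below is an added example, not Cisco firmware, Sipgate code or anything from the original post; the Phone class, the header strings, the REGISTER and the sample 200 OK are constructed here and follow the quoted documentation text literally (nat_address used only when nat_enable is 1 and the address is valid, received= overriding it when nat_received_processing is 1, and a re-register when the advertised host changes).

```python
"""Model of how the Cisco SIP phone picks the host for Contact, Via and the
SDP c= line from nat_enable / nat_address / nat_received_processing, and of
the received= override after a REGISTER 200 OK.

Added example following the quoted admin-guide text; not Cisco's code.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

UNPROVISIONED = "UNPROVISIONED"
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_DNS_NAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def nat_address_valid(addr: str) -> bool:
    """nat_address may be a dotted IPv4 address or a DNS name;
    "" and UNPROVISIONED are the doc's 'invalid' fallback case."""
    addr = addr.strip()
    if not addr or addr.upper() == UNPROVISIONED:
        return False
    m = _IPV4.match(addr)
    if m:
        return all(int(octet) <= 255 for octet in m.groups())
    return bool(_DNS_NAME.match(addr))


@dataclass
class Phone:
    line_name: str
    phone_ip_address: str                 # LAN address (10.x.x.3 in the post)
    voip_control_port: int = 5060
    nat_enable: int = 0
    nat_address: str = ""
    nat_received_processing: int = 0
    start_media_port: int = 16384
    received_override: Optional[str] = None   # IP learned from a received= tag

    def advertised_host(self) -> str:
        """Host written into Contact, Via and the SDP c= line."""
        if self.received_override:            # received= is used instead of nat_address
            return self.received_override
        if self.nat_enable == 1 and nat_address_valid(self.nat_address):
            return self.nat_address
        return self.phone_ip_address          # NAT disabled, or nat_address invalid

    def contact_header(self) -> str:
        return f"Contact: sip:{self.line_name}@{self.advertised_host()}:{self.voip_control_port}"

    def via_header(self, branch: str = "z9hG4bK-example") -> str:
        return f"Via: SIP/2.0/UDP {self.advertised_host()}:{self.voip_control_port};branch={branch}"

    def sdp_connection_line(self) -> str:
        return f"c=IN IP4 {self.advertised_host()}"

    def sdp_media_line(self) -> str:
        # RTP is sourced from the port advertised here; first port of the range used.
        return f"m=audio {self.start_media_port} RTP/AVP 0"

    def build_register(self, proxy: str = "sipgate.co.uk") -> str:
        return "\r\n".join([
            f"REGISTER sip:{proxy} SIP/2.0",
            self.via_header(),
            f"From: <sip:{self.line_name}@{proxy}>;tag=1",
            f"To: <sip:{self.line_name}@{proxy}>",
            self.contact_header(),
            "Expires: 3600",
            "", ""])

    def process_register_response(self, response: str) -> Tuple[str, bool]:
        """Apply the nat_received_processing rule to a REGISTER reply.
        Returns (host the phone now advertises, whether it must unregister the
        old host and re-register, i.e. the doc's 'switch')."""
        lines = response.split("\r\n")
        if not lines[0].startswith("SIP/2.0 200") or self.nat_received_processing != 1:
            return self.advertised_host(), False
        top_via = next((l for l in lines[1:] if l.lower().startswith("via:")), "")
        m = re.search(r";received=([^;\s]+)", top_via)
        if not m or m.group(1) == self.advertised_host():
            return self.advertised_host(), False
        self.received_override = m.group(1)
        return self.received_override, True


# Constructed 200 OK as a registrar behind NAT would send it back: the Via the
# phone sent, with the public source address it actually saw appended.
SAMPLE_200_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 10.0.0.3:5060;branch=z9hG4bK-example;received=203.0.113.7",
    "Contact: <sip:12345@10.0.0.3:5060>;expires=3600",
    "", ""])

if __name__ == "__main__":
    smart = Phone("12345", "10.0.0.3", nat_enable=1, nat_address="", nat_received_processing=1)
    print(smart.build_register())
    print("after 200 OK:", smart.process_register_response(SAMPLE_200_OK))
    print(smart.contact_header(), smart.sdp_connection_line(), sep="\n")
```

The "smart firewall" phone starts out advertising its private 10.x address, learns the public one from received= and then re-registers with it; the "dumb firewall" phone with nat_received_processing 0 ignores the tag entirely, which is why that profile only works when nat_address really is the fixed public address.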
