Regular readers or those with the power of search will know I managed to connect a Cisco 7940 to Sipgate. Those who know me in person will know that I changed my router\/firewall combination out for a Cisco 1701 and it all stopped working on the Sipgate front.<\/p>\n
In short, My Cisco was telling me it was connecting and registered.<\/p>\n
SIP Phone> sh reg<\/p>\n
LINE REGISTRATION TABLE
\nProxy Registration: ENABLED, state: REGISTERED
\nline\u00c2\u00a0 APR\u00c2\u00a0 state\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 timer\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 expires\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 proxy:port
\n—-\u00c2\u00a0 —\u00c2\u00a0 ————-\u00c2\u00a0 ———-\u00c2\u00a0 ———-\u00c2\u00a0 —————————-
\n1\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 111\u00c2\u00a0 REGISTERED\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 3595\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 3512\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 sipgate.co.uk:5060<\/p>\n
Outbound calling was fine as always. Inbound wasn’t working. Sipgate tech support told me I was not registering at all. Bugger.<\/p>\n
Turned out it was down to layer-4 NAT. The Cisco it seems does a better job of dealing with NAT than my sonicwall. The Cisco is able to deal with the NAT translation in SIP messages whilst the Sonicwall I used before didn’t. The solution was simple: turn-off NAT support on the phone.<\/p>\n
Dumb Firewall<\/strong><\/p>\n In sipdefault.cnf, you can configure the phone behind a non-SIP friendly firewall running one-to-one NAT as follows. In effect, the phone sends outbound SIP messages with the public address and leaves the firewall to NAT only the packet source address:<\/p>\n Smart Firewall<\/strong><\/p>\n If you do not have a fixed one-to-one NAT on your router and your router is handling layer-4 NAT then change these lines in sipdefault.cnf:<\/p>\n Example Config<\/strong><\/p>\n For your pleasure and enjoyment, please find enclosed the useful bits from my router and phone configs\u00c2\u00a0 (shown here in the version where the router doesn’t handle layer-4 SIP NAT and you need to tell the phone the fixed external IP but the router config here can be left unchanged with the phone doing or not doing NAT.)<\/p>\n If you want to use these, copy-paste and make the following search-replacements:<\/p>\n 10.x.x.1 – your LAN gateway SIPDEFAULT.CNF<\/strong><\/p>\n ;begin SIP<MACADDRESS>.CNF<\/strong><\/p>\n ;begin Running config on router:<\/strong><\/p>\n ip inspect max-incomplete low 350 \n The “ip inspect” statements do most of the work. The inbound 5060 is possibly not needed but needs to be\u00c2\u00a0 open so no harm, no foul. I use a fixed one-to-one NAT as it is simple and I have a spare address. It should work with PAT as well but I don’t need that so have not tested for it.<\/p>\n If you get problems, remember a few things:<\/p>\n Good luck!<\/p>\n For those wanting to fathom out how to run a phone behind a NAT router without giving it a fixed address, try reading here. (My thoughts are to enable NAT and give out a dyndns name rather than IP in nat_address but I have not tried it yet):<\/p>\n \n http:\/\/www.cisco.com\/univercd\/cc\/td\/doc\/product\/voice\/c_ipphon\/sip7960\/sipadm22\/index.htm\r\n\r\n<\/p>\r\n\r\n<\/span><\/pre>\n To quote from that page:<\/span><\/p>\n * nat_enable<\/strong>\u00e2\u20ac\u201d(Optional) Use 0 to disable network address translation (NAT) and 1 to enable NAT. Default is 0.<\/p>\n When NAT is enabled, the Contact header appears like this:<\/p>\n Contact: sip:lineN_name@nat_address:voip_control_port<\/p>\n If nat_address is invalid or UNPROVISIONED, then the Contact header appears like this:<\/p>\n Contact: sip:lineN_name@phone_ip_address:voip_control_port<\/p>\n and the Via header appears like this:<\/p>\n Via: SIP\/2.0\/UDP phone_ip_address:voip_control_port<\/p>\n If NAT is enabled, the SDP message uses the nat_address and a RTP port between the start_media_port * nat_address<\/strong>\u00e2\u20ac\u201dThe WAN IP address of the NAT or firewall server. You can use either a dotted IP address or a DNS name.<\/p>\n * nat_received_processing<\/strong>\u00e2\u20ac\u201dUse 0 to disable NAT received processing and 1 to enable NAT received processing. Default is 0. If nat_received_processing is enabled, and received= tag is in the Via header of the 200 OK response from a REGISTER, the IP address in the received= tag is used instead of the nat_address in the Contact header.<\/p>\n If this switch occurs, the phone unregisters the old IP address and reregisters with the new IP address.<\/p>\n","protected":false},"excerpt":{"rendered":"nat_address : 194.223.x.x ; put the public address here\r\n\r\nnat_received_processing : 0\r\n\r\nnat_enable : 0<\/pre>\n
nat_address : \"\" ; yes. Double quotes, no spaces\r\n\r\nnat_received_processing : 1\r\n\r\nnat_enable : 1<\/pre>\n
\n10.x.x.2 – your tftp server
\n10.x.x.3 – your phone ip on the LAN
\ny.y.y.y the static public IP that your phone is NATted out to
\n12345 – your sipgate login
\nsipgatepassword – your erm, password for sipgate<\/p>\n
\ndhcp_server : Disabled
\nmy_ip_addr : 10.x.x.3
\nsubnet_mask : 255.255.255.0
\ndefaultgw : 10.x.x.1
\ndyn_dns_addr_1 : 0.0.0.0
\ndyn_dns_addr_2 : 0.0.0.0
\ndns_addr : 208.67.220.220
\ndns_backup_1: 208.67.222.222
\nprimary_tftp_addr : 10.x.x.2
\ndyn_tftp_addr : 0.0.0.0
\ndomain_name : simkin.org
\nStatus Flags : 12300001
\nimage_version : P0S3-8-12-00
\nnetwork_media_type : Auto
\nnetwork_port2_type : Hub\/Switch
\nphone_password : password
\nphone_prompt : “SIP Phone”
\nnat_enable : 0
\nnat_address : y.y.y.y
\nvoip_control_port : 5060
\nstart_media_port : 16384
\nend_media_port : 32766
\nmessages_uri : “*97”
\npreferred_codec : g711ulaw
\nproxy1_address : “sipgate.co.uk”
\nproxy1_port : 5060
\noutbound_proxy : sipgate.co.uk
\noutbound_proxy_port : 5082
\nnat_received_processing : 0
\n;end<\/p>\n
\nphone_label : “Orange Teapot ”
\nline1_name : 12345
\nline1_authname : 12345
\nline1_password : sipgatepassword
\nline1_shortname : 12345
\nline1_displayname : 12345
\nline2_displayname : “”
\nline2_shortname : “”
\nline2_name: UNPROVISIONED
\nline2_authname : UNPROVISIONED
\nline2_password : UNPROVISIONED
\n;end<\/p>\n
\nip inspect max-incomplete high 400
\nip inspect one-minute high 1000
\nip inspect one-minute low 900
\nip inspect tcp max-incomplete host 100 block-time 0
\nip inspect name INSPECTOUT sip
\nip inspect name INSPECTOUT tcp
\nip inspect name INSPECTOUT udp
\n!
\ninterface FastEthernet0
\nip address 10.x.x.1 255.255.255.0
\nip accounting output-packets
\nip nbar protocol-discovery
\nip nat inside
\nload-interval 30
\nhold-queue 100 out
\n!
\ninterface ATM0.1 point-to-point
\ndescription Access to DSL Network
\nip nat outside
\n!
\ninterface Virtual-Template1
\nip address negotiated
\nip access-group ACL101 in
\nip nat outside
\nip inspect INSPECTOUT out
\nload-interval 30
\n!
\nip nat inside source static 10.x.x.3 y.y.y.y
\n!
\nip access-list extended ACL101
\npermit icmp any any echo-reply
\npermit icmp any any administratively-prohibited
\npermit icmp any any packet-too-big
\npermit icmp any any time-exceeded
\npermit icmp any any unreachable
\ndeny icmp any any
\ndeny tcp any any eq telnet
\npermit udp any host y.y.y.y eq 5060
\ndeny ip any any<\/p>\n\n
<\/a>\r\nWhen network address translation (NAT) is enabled, the Cisco SIP IP\r\nPhone provides support for SIP messages to traverse NAT\/Firewall\r\nnetworks. The Contact and Via headers are modified to reflect the NAT\r\nparameters. The Cisco SIP IP Phone can also enable NAT received\r\nprocessing. See the nat_enable, nat_address, and nat_received_processing\r\nparameters in the section, \"Modifying the Default SIP Configuration\r\nFile\" in Chapter 3, \"Managing Cisco SIP IP Phones,\" at the following URL:\r\n
\nand the end_media_port range in the C and M fields. All RTP traffic is sourced from the port advertised
\nin the SDP.<\/p>\n