Adding SIP IP addresses and ports from the SIP provider
I have a crapload of IP addresses provided by the SIP provider: for SIP, 5060 UDP/TCP; for SIP TLS, TCP 5061; for media, 1024-65355. In the docs they stated that to get incoming calls working I have to allow those ports/IP addresses on my firewall or NAT. I wondered how everyone defines those. I created new port maps for the 3 protocols and added them to a class policy from out-zone -> in-zone, source IP to my gateway IP. It doesn't seem to be working; should I create another ACL for each one, `ip access permit (sip ip add) 5060 (gateway ip add) 5060`, and place `ip nat inside` on the gateway interface? I get the call sending an INVITE out to the SIP server, but I don't get any session or ringing on the incoming side in the debug.
Comments
networker050184 (Mod):
You are going to want 5060/61 allowed in both directions for SIP communication. You are then going to want the media ports allowed through. If you have a SIP-aware firewall it can read the SDP and automagically open the audio ports for you.
An expert is a man who has made all the mistakes which can be made.
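What "reads the SDP and opens the audio ports" means in practice, as an added example that is not code from the thread or from any firewall vendor. The INVITE below is constructed; 203.0.113.x and 198.51.100.7 are documentation addresses standing in for the provider's SIP peers and the gateway. The parser walks the SDP body, honours a media-level c= line over the session-level one (RFC 4566), skips rejected streams (port 0) and non-RTP transports, and returns the far-end UDP endpoints the firewall must let media flow to and from, RTP port plus the RTCP port above it (RFC 3550 convention; an a=rtcp attribute is deliberately not honoured here). The `trusted_peers` check is the security point: the SDP is data written by whoever sent the packet, so a SIP-aware firewall should only act on it when the signalling came from the provider's configured addresses.

```python
"""What a SIP-aware firewall ('SIP ALG' / IOS 'inspect' of SIP) derives from SDP
(added example).  The INVITE below is constructed; addresses are documentation
ranges standing in for the provider's peers (203.0.113.x) and the gateway (198.51.100.7)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Pinhole:
    proto: str       # always "udp" for RTP/RTCP
    dst_ip: str      # where the far end says it will send/receive media
    dst_port: int
    kind: str        # "RTP" or "RTCP"


def split_sip(msg: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into start line, lower-cased header map and body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_pinholes(sdp: str) -> List[Pinhole]:
    """Return the UDP pinholes for every accepted RTP media stream in an SDP body.
    A media-level c= line overrides the session-level one (RFC 4566); RTCP is
    assumed on RTP port + 1 (RFC 3550); an a=rtcp attribute is not honoured."""
    session_ip = None
    streams = []  # [port, media_ip, wants_pinhole]
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("c="):
            ip = line.split()[2]            # c=IN IP4 203.0.113.10
            if streams:
                streams[-1][1] = ip         # media-level c= (follows its m= line)
            else:
                session_ip = ip             # session-level c= (precedes all m= lines)
        elif line.startswith("m="):
            fields = line[2:].split()       # m=audio 49170 RTP/AVP 0 8 101
            port, proto = int(fields[1]), fields[2]
            # port 0 rejects the stream; non-RTP transports (e.g. udptl for T.38) need other handling
            streams.append([port, None, proto.startswith("RTP/") and port != 0])
    pinholes = []
    for port, ip, wanted in streams:
        if not wanted:
            continue
        ip = ip or session_ip
        if ip is None:
            raise ValueError("SDP media line without any c= connection address")
        pinholes.append(Pinhole("udp", ip, port, "RTP"))
        pinholes.append(Pinhole("udp", ip, port + 1, "RTCP"))
    return pinholes


def invite_pinholes(msg: str, src_ip: str, trusted_peers: Set[str]) -> List[Pinhole]:
    """Pinholes a SIP-aware firewall should open for this message, or none.
    The SDP is supplied by whoever sent the packet, so it is only acted on when
    the signalling came from a configured peer and carries an SDP body."""
    if src_ip not in trusted_peers:
        return []
    start, headers, body = split_sip(msg)
    if not (start.startswith("INVITE ") or start.startswith("SIP/2.0 200")):
        return []
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    return sdp_pinholes(body)


# Constructed sample: two accepted audio streams on different hosts, one rejected video stream.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 203.0.113.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
    "m=video 0 RTP/AVP 31\r\n"             # rejected stream: no pinhole
    "m=audio 51000 RTP/AVP 0\r\n"
    "c=IN IP4 203.0.113.44\r\n"            # media relay on a different host
)
SAMPLE_INVITE = (
    "INVITE sip:2015551000@198.51.100.7 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2125550100@203.0.113.10>;tag=1928301774\r\n"
    "To: <sip:2015551000@198.51.100.7>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)
TRUSTED_PEERS = {"203.0.113.10", "203.0.113.11"}   # assumed provider SIP peer addresses

if __name__ == "__main__":
    for ph in invite_pinholes(SAMPLE_INVITE, "203.0.113.10", TRUSTED_PEERS):
        print(f"open {ph.proto} to {ph.dst_ip}:{ph.dst_port} ({ph.kind})")
```

Run stand-alone it lists four pinholes (RTP and RTCP for each accepted stream); the same INVITE arriving from an address outside `TRUSTED_PEERS` yields none, which is why a static `permit udp any ... gt 1024` is a much wider hole than what inspection actually opens.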
Legacy User:
Can you give me an example? I'm on the verge of taking this damn firewall down. I found this config online:

A simple WAN access-list that allows SIP connections from the Bandwidth.com peers, and RTP (UDP >1024).
The RTP traffic can come from anywhere, not just from the SIP peers.

!
ip access-list extended WAN-SIP
 ! SIP signalling (5060/5061, TCP and UDP) only from the two provider peers
 permit tcp host 216.82.224.202 host 10.10.100.88 range 5060 5061
 permit tcp host 216.82.225.202 host 10.10.100.88 range 5060 5061
 permit udp host 216.82.224.202 host 10.10.100.88 range 5060 5061
 permit udp host 216.82.225.202 host 10.10.100.88 range 5060 5061
 ! one management host gets everything
 permit ip host 75.151.219.185 host 10.10.100.88
 deny tcp any any eq telnet
 deny tcp any any eq 22
 ! RTP from anywhere; note 5060/5061 are also > 1024, so this line admits UDP SIP from any source
 permit udp any host 10.10.100.88 gt 1024
 ! everything else, including the reply half of outbound TCP sessions, is dropped and logged
 deny ip any any log
!
interface FastEthernet0/1
 ip address 10.10.100.88 255.255.255.0
 ip access-group WAN-SIP in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 service-policy output SDM-Pol-Ethernet1
After adding the access-group to my gw interface, all it did was block the internet, and surely nothing worked. This is my current config:

interface FastEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address x.x.x.x 255.255.255.0
 ip nat outside
 ! no direction given: IOS treats a missing in/out as out, so this filters traffic leaving the interface, not inbound SIP
 ip access-group WAN-SIP
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 auto qos voip
networker050184 (Mod):
Well, that configuration blocked the internet because you didn't allow it through!
I'm not too familiar with the ZBF stuff so I can't really provide an example, but your ACL looks about right.
An expert is a man who has made all the mistakes which can be made.
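Why that ACL broke everything else, worked through as an added example (not code from the thread or from Cisco): a small first-match evaluator for the IOS extended-ACL syntax used above, run against the posted WAN-SIP list with constructed packets. The provider's INVITE and the RTP are permitted, but the reply half of a web session (TCP from port 443 back to an ephemeral port) falls through to `deny ip any any`, and, because 5060 is also greater than 1024, the RTP line admits UDP SIP from any source. The hardened list puts a `deny` for UDP 5060-5061 ahead of the RTP line and adds `established` for TCP return traffic; on a ZBF router the stateful `inspect` action is the proper replacement for the `established` trick. Port names beyond the few listed, non-contiguous wildcards and ICMP type matching are not modelled.

```python
"""First-match evaluation of Cisco IOS extended ACLs (added example).
The WAN-SIP list is the one quoted in the thread; the packets are constructed."""
import ipaddress
from typing import List, Optional, Tuple

# IOS accepts a few well-known port names in place of numbers.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53, "ntp": 123}

WAN_SIP_ACL = """
ip access-list extended WAN-SIP
 permit tcp host 216.82.224.202 host 10.10.100.88 range 5060 5061
 permit tcp host 216.82.225.202 host 10.10.100.88 range 5060 5061
 permit udp host 216.82.224.202 host 10.10.100.88 range 5060 5061
 permit udp host 216.82.225.202 host 10.10.100.88 range 5060 5061
 permit ip host 75.151.219.185 host 10.10.100.88
 deny tcp any any eq telnet
 deny tcp any any eq 22
 permit udp any host 10.10.100.88 gt 1024
 deny ip any any log
"""

# Same list with two fixes: drop SIP signalling from untrusted sources before the
# broad RTP line, and let established TCP sessions (web replies) back in.
HARDENED_ACL = WAN_SIP_ACL.replace(
    " permit udp any host 10.10.100.88 gt 1024",
    " deny udp any host 10.10.100.88 range 5060 5061\n"
    " permit udp any host 10.10.100.88 gt 1024\n"
    " permit tcp any host 10.10.100.88 established")


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tok: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _ports(tok: List[str], i: int):
    """Parse an optional eq/gt/lt/range operator; no operator means any port."""
    if i >= len(tok) or tok[i] not in ("eq", "gt", "lt", "range"):
        return (0, 65535), i
    op, p = tok[i], _port(tok[i + 1])
    if op == "eq":
        return (p, p), i + 2
    if op == "gt":
        return (p + 1, 65535), i + 2
    if op == "lt":
        return (0, p - 1), i + 2
    return (p, _port(tok[i + 2])), i + 3


class Ace:
    """One access-control entry: action, protocol, source/destination and port ranges."""

    def __init__(self, line: str):
        self.text = line.strip()
        tok = self.text.split()
        self.action, self.proto = tok[0], tok[1]
        self.src, i = _addr(tok, 2)
        self.sport, i = _ports(tok, i)
        self.dst, i = _addr(tok, i)
        self.dport, i = _ports(tok, i)
        self.established = "established" in tok[i:]

    def matches(self, proto, src, sport, dst, dport, ack=False) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if ipaddress.ip_address(src) not in self.src or ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.proto in ("tcp", "udp") and not (
                self.sport[0] <= sport <= self.sport[1] and self.dport[0] <= dport <= self.dport[1]):
            return False
        return ack or not self.established   # 'established' needs ACK or RST set


def parse_acl(text: str) -> List[Ace]:
    """Keep only permit/deny lines; skip the header, remarks and '!' separators."""
    return [Ace(l) for l in text.splitlines() if l.strip().startswith(("permit", "deny"))]


def evaluate(aces: List[Ace], *pkt) -> Tuple[str, Optional[str]]:
    """Return (action, matching entry) for the first match, or the implicit deny."""
    for ace in aces:
        if ace.matches(*pkt):
            return ace.action, ace.text
    return "deny", None


# Constructed packets: (proto, src, sport, dst, dport, ack)
INVITE_FROM_PEER = ("udp", "216.82.224.202", 5060, "10.10.100.88", 5060, False)
RTP_FROM_RELAY = ("udp", "198.51.100.23", 30000, "10.10.100.88", 16384, False)
HTTPS_REPLY = ("tcp", "93.184.216.34", 443, "10.10.100.88", 51234, True)
SIP_FROM_SCANNER = ("udp", "198.51.100.99", 5060, "10.10.100.88", 5060, False)

if __name__ == "__main__":
    for name, acl in (("WAN-SIP", WAN_SIP_ACL), ("hardened", HARDENED_ACL)):
        aces = parse_acl(acl)
        for label, pkt in (("provider INVITE", INVITE_FROM_PEER), ("RTP", RTP_FROM_RELAY),
                           ("HTTPS reply", HTTPS_REPLY), ("SIP from scanner", SIP_FROM_SCANNER)):
            print(f"{name:9} {label:17} -> {evaluate(aces, *pkt)}")
```

Run stand-alone it prints the verdict and the matching line for each packet under both lists; the original list denies the HTTPS reply on `deny ip any any log` and permits the scanner's SIP on the `gt 1024` line, the hardened one reverses both while still passing the provider's INVITE and the RTP.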
shodown:
How is your SIP connection coming in?
Currently Reading: CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
Legacy User:
It's coming in over Verizon FiOS. It sends an INVITE outwards and my cell phone rings, and once I pick up it hangs up. But on the 7945G I just get a busy tone; it never rings on the headset.
shodown:
I usually use a setup similar to what you have right now with the ACL, and I use an IOS firewall config. Do a `debug ccsip messages` to see what's happening with the call.
Currently Reading: CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
Legacy User:
I send an INVITE out but get nothing back.
networker050184 (Mod):
Have you ever had this working? It would make sense to ensure it works without the security piece in place before pulling your hair out on ACLs.
An expert is a man who has made all the mistakes which can be made.
Legacy User:
I'm thinking my numbers are still being ported, and they provided me a test DID. I looked at the `debug ccsip messages` output and I noticed `From: sip:(my actual phone number@my gw ip add)`. Should I set it to the test DID number?

CORErouter#sh run | s translation
voice translation-rule 1
 rule 1 /2015551000/ /2003/
 rule 2 /2015551270/ /2003/
 rule 3 /2015551271/ /2003/
 rule 4 /2145556460/ /2003/
 ! 2003 is the AA; this rule is for my test DID
voice translation-rule 2
 rule 1 /^911$/ /911/
 rule 2 /^8\(.*\)/ /\1/
voice translation-rule 3
 rule 1 /^.*/ /2016841000/
voice translation-rule 4
 rule 1 /^8(.......)$/ /201\1/
 rule 2 /2000/ /2015551000/
 rule 3 /2003/ /2015551000/
 rule 4 /^8(...)$/ /2015551\1/
 rule 5 /^8(.*)/ /\1/
voice translation-profile CUE_Voicemail/AutoAttendant
 translate called 1
voice translation-profile PSTN_CallForwarding
 translate redirect-target 4
 translate redirect-called 4
voice translation-profile PSTN_Outgoing
 translate calling 3
 translate called 2
 translate redirect-target 4
 translate redirect-called 4
 translation-profile incoming CUE_Voicemail/AutoAttendant
 translation-profile outgoing PSTN_Outgoing
 translation-profile outgoing PSTN_Outgoing
 translation-profile outgoing PSTN_Outgoing
 translation-profile outgoing PSTN_Outgoing
 translation-profile outgoing PSTN_Outgoing
 translation-profile outgoing PSTN_Outgoing
 translation-profile outgoing PSTN_CallForwarding
 translation-profile outgoing PSTN_CallForwarding
CORErouter#sh run | s dial-peer
dial-peer voice 1 voip
 description **Incoming Call from SIP Trunk**
 translation-profile incoming CUE_Voicemail/AutoAttendant
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 session target dns:(sip server address)
 incoming called-number .%
 dtmf-relay rtp-nte
 no vad
dial-peer voice 3 voip
 description **Outgoing Call to SIP Trunk**
 translation-profile outgoing PSTN_Outgoing
 destination-pattern 8[2-9]..[2-9]......
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 session target dns:(sip server address)
 dtmf-relay rtp-nte
 no vad
dial-peer voice 4 voip
 description **Outgoing Call to SIP Trunk**
 translation-profile outgoing PSTN_Outgoing
 destination-pattern 81[2-9]..[2-9]......
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 session target dns:(sip server address)
 dtmf-relay rtp-nte
 no vad
dial-peer voice 5 voip
 description **911 Outgoing Call to SIP Trunk**
 translation-profile outgoing PSTN_Outgoing
 destination-pattern 911
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 session target dns:(sip server address)
 dtmf-relay rtp-nte
 no vad
dial-peer voice 8 voip
 description **International Outgoing Call to SIP Trunk**
 translation-profile outgoing PSTN_Outgoing
 destination-pattern 8011T
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 session target dns:(sip server address)
 dtmf-relay rtp-nte
 no vad
dial-peer voice 6 voip
 description **Emergency Outgoing Call to SIP Trunk**
 translation-profile outgoing PSTN_Outgoing
 destination-pattern 8911
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 session target dns:(sip server address)
 dtmf-relay rtp-nte
 no vad
dial-peer voice 7 voip
 description **911/411 Outgoing Call to SIP Trunk**
 translation-profile outgoing PSTN_Outgoing
 destination-pattern 8[2-9]11
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 session target dns:(sip server address)
 dtmf-relay rtp-nte
 no vad
dial-peer voice 9 voip
 description **Star Code to SIP Trunk**
 destination-pattern *..
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 session target dns:(sip server address)
 dtmf-relay rtp-nte
 no vad
dial-peer voice 10 voip
 description **CUE Voicemail**
 translation-profile outgoing PSTN_CallForwarding
 destination-pattern 2000
 b2bua
 session protocol sipv2
 session target ipv4:10.10.100.5
 dtmf-relay sip-notify
 codec g711ulaw
 no vad
dial-peer voice 11 voip
 description **CUE Auto Attendant**
 translation-profile outgoing PSTN_CallForwarding
 destination-pattern 2003
 b2bua
 session protocol sipv2
 session target ipv4:10.10.100.5
 dtmf-relay sip-notify
 codec g711ulaw
Legacy User:
Got it to work!!! I removed this policy:

no policy-map type inspect ccp-permit
 class type inspect ccp-cls-ccp-permit-1
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop

Funny thing is, when going through the wizard in CCP, the wizard detects that it's voice, so it automatically allows for "voice traffic", but in turn it blocked it.