Friday, 23 March 2012

Kludging NAT for Communications Manager SIP Trunks

Ideally when using a SIP trunk to an external provider for PSTN connectivity with Communications Manager you'd use a Unified Border Element (UBE) in media flow-through mode to handle SIP to SIP inter-working & present a single IP address for NATing on your Internet router. But what happens when the customer is too cheap to pay for a UBE? Well if the SIP trunk requires registration or the SIP headers formatting in a way the CUCM doesn't like then you're out of luck! Otherwise you can kludge an IOS router into handling the NATing to a single IP address.
The problem stems from the fact that unless you enable "MTP required" Communications Manager handles a SIP trunk like an UBE in media flow-around mode - it handles protocol inter-working but the RTP audio streams pass directly between endpoints. This means that you have to NAT port 5060 to the CUCM server for the SIP traffic, but also NAT the phone's subnet too. Even if you do enable using an MTP, with multiple servers there could be multiple MTPs with different IP addresses.
The configuration below works assuming your IP address for NAT is 1.2.3.4, the CUCM server is 10.1.1.2, the phones reside in the 10.1.1.0/24 network & the SIP trunk is 4.3.2.1:

ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL sip
!
interface FastEthernet0
 description Outside interface
 ip address 1.2.3.1 255.255.255.248
 ip access-group OUTSIDE_IN in
 ip nat outside
 ip inspect FIREWALL in
 ip inspect FIREWALL out
interface FastEthernet1
 description Inside interface
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip access-list extended OUTSIDE_IN
 permit tcp host 4.3.2.1 host 1.2.3.4 eq 5060
 permit udp host 4.3.2.1 host 1.2.3.4 eq 5060
 deny   ip any any log
access-list 2 remark Voice subnet
access-list 2 permit 10.1.1.0 0.0.0.255
!
ip nat pool phones 1.2.3.4 1.2.3.4 netmask 255.255.255.252
ip nat inside source list 2 pool phones overload
ip nat inside source static udp 10.1.1.2 5060 1.2.3.4 5060 extendable


This kludge works as we've done a static port NAT to the CUCM server & allowed it in the access-list, this allows call control messages in & out. The SIP inspect punches holes in the access-list to allow the RTP inbound (outbound is allowed anyway). The SIP NAT ALG (application layer gateway) fixes the SIP headers to have the right IP addresses & port numbers. You can confirm this via show ip nat translations which shows the phone's being NATed as well as the CUCM server:

Pro Inside global   Inside local          Outside local   Outside global
udp 1.2.3.4:5060    10.1.1.2:5060         4.3.2.1:5060    4.3.2.1:5060
udp 1.2.3.4:5060    10.1.1.2:5060         ---                   ---
udp 1.2.3.4:32366   10.1.1.21:32366       4.3.2.1:30118   4.3.2.1:30118
udp 1.2.3.4:32367   10.1.1.21:32367       4.3.2.1:30119   4.3.2.1:30119
udp 1.2.3.4:26642   10.1.1.24:26642       4.3.2.1:21068   4.3.2.1:21068
udp 1.2.3.4:26643   10.1.1.24:26643       4.3.2.1:21069   4.3.2.1:21069
udp 1.2.3.4:19462   10.1.1.26:19462       4.3.2.1:31900   4.3.2.1:31900
udp 1.2.3.4:19463   10.1.1.26:19463       4.3.2.1:31901   4.3.2.1:31901
udp 1.2.3.4:29940   10.1.1.26:29940       4.3.2.1:20970   4.3.2.1:20970
udp 1.2.3.4:29941   10.1.1.26:29941       4.3.2.1:20971   4.3.2.1:20971
udp 1.2.3.4:25306   10.1.1.28:25306       4.3.2.1:25398   4.3.2.1:25398
udp 1.2.3.4:25307   10.1.1.28:25307       4.3.2.1:25399   4.3.2.1:25399

No comments:

Post a Comment