Cisco 877 SIP / VPN Issue

Hi, I hope an expert can help; I have an odd issue.

We have two Sites, A and B, running an IPSEC VPN. Each site has its own PABX which makes calls to the other via SIP, and this works fine. Now the issue comes at Site A: the ADSL this uses has an incoming SIP trunk for external calls. When I had the static NAT for port 5060 this works fine and the customer can receive SIP calls fine, but as soon as I do this, when Site B rings Site A the calls go dead. This I presume is because the SIP traffic is then translated back out Dialer 1 instead of going from Site A back to Site B. I hope this makes sense.

I have enclosed the config of both sites; Newton Abbot is Site A and Hayle is Site B.

So to recap, everything works fine without the static NAT at Site A, but as soon as I put the NAT in, Site B cannot ring Site A. I believe I need to implement PBR but am not sure.

I did have access list (130) applied to the dialer but I have taken this off as a temp measure.

Site A
-------
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname Newton_Abbot_SIte_A
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 10000
enable secret 5 $1$o0L7$fsgxX.tB1q20QD.Ul0WMi0
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-39019907
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-39019907
 revocation-check none
 rsakeypair TP-self-signed-39019907
!
!
crypto pki certificate chain TP-self-signed-39019907
 certificate self-signed 03
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Ags123! address 79.121.204.153
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set AGS esp-3des esp-sha-hmac
!
crypto map AGS 1 ipsec-isakmp
 set peer 79.121.204.153
 set transform-set AGS
 match address 120
 qos pre-classify
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
!
!
class-map match-all voice
 match access-group 110
!
!
policy-map LLQ
 class voice
    priority 256
 class class-default
    fair-queue
!
!
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 10.0.0.70 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 bandwidth 800
 ip address 82.151.236.65 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password xxxxxxxxx
 ppp pap sent-username xxxxxxxx passwordxxxxx
 crypto map AGS
 service-policy output LLQ
 hold-queue 224 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip http secure-server
!
!
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static udp 192.168.1.248 5060 interface Dialer1 5060
!
access-list 100 remark *** NAT'ing rules ***
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark *** Remote Access Rules ***
access-list 101 permit tcp host 81.17.65.226 any eq telnet
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq telnet
access-list 110 permit ip any any dscp ef
access-list 110 permit ip any any precedence critical
access-list 120 remark *** IPSec VPN Tunnels ***
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit udp any any eq isakmp
access-list 130 permit udp any any eq non500-isakmp
access-list 130 permit esp any any
access-list 130 permit icmp any any
access-list 130 permit udp host 158.43.128.33 host 82.151.236.65 eq ntp
access-list 130 permit udp host 158.43.128.66 host 82.151.236.65 eq ntp
access-list 130 permit tcp host 81.17.65.226 host 82.151.236.65 eq telnet
access-list 130 permit gre any any
access-list 130 permit ip 88.215.60.0 0.0.0.255 host 82.151.236.65
access-list 130 permit ip 88.215.61.0 0.0.0.255 host 82.151.236.65
access-list 130 permit ip 88.215.62.0 0.0.0.255 host 82.151.236.65
access-list 130 deny   ip any any
access-list 140 deny   tcp any any eq www
access-list 140 deny   tcp any any eq 443
access-list 140 permit ip any any
access-list 140 permit gre any any
access-list 140 permit esp any any
access-list 140 permit icmp any any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
line con 0
 password xxxxxxxxx
 logging synchronous
 login
 modem enable
line aux 0
 password xxxxxxxxxx
 login
 modem Dialin
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password xxxxxxxxxx
 logging synchronous
 login
!
scheduler max-task-time 5000
ntp server 158.43.128.33 prefer source Dialer1
ntp server 158.43.128.66 source Dialer1
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!



Site B
-------
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname AGS_Hayle_Site_B
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 10000
enable secret 5 $1$9cMI$WL.APXj5QE.jwUi2bStk80
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3132161378
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3132161378
 revocation-check none
 rsakeypair TP-self-signed-3132161378
!
!
crypto pki certificate chain TP-self-signed-3132161378
 certificate self-signed 01
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Ags123! address 82.151.236.65
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set AGS esp-3des esp-sha-hmac
!
crypto map AGS 1 ipsec-isakmp
 set peer 82.151.236.65
 set transform-set AGS
 match address 120
 qos pre-classify
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
!
!
class-map match-all voice
 match access-group 110
!
!
policy-map LLQ
 class voice
    priority 256
 class class-default
    fair-queue
!
!
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 description
 bandwidth 800
 ip address 79.121.204.153 255.255.255.248
 ip access-group 130 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxx
 ppp chap password xxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxx password xxxxxxxxxxx
 crypto map AGS
 service-policy output LLQ
 hold-queue 224 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip http secure-server
!
!
ip nat inside source list 100 interface Dialer1 overload
!
access-list 100 remark *** NAT'ing rules ***
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark *** Remote Access Rules ***
access-list 101 permit tcp host 81.17.65.226 any eq telnet
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq telnet
access-list 110 permit ip any any dscp ef
access-list 110 permit ip any any precedence critical
access-list 120 remark *** IPSec VPN Tunnels ***
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 130 permit udp any any eq isakmp
access-list 130 permit udp any any eq non500-isakmp
access-list 130 permit esp any any
access-list 130 permit icmp any any
access-list 130 permit udp host 158.43.128.33 host 79.121.204.153 eq ntp
access-list 130 permit udp host 158.43.128.66 host 79.121.204.153 eq ntp
access-list 130 permit tcp host 81.17.65.226 host 79.121.204.153 eq telnet
access-list 130 permit gre any any
access-list 130 permit ip 88.215.60.0 0.0.0.255 host 79.121.204.153
access-list 130 permit ip 88.215.61.0 0.0.0.255 host 79.121.204.153
access-list 130 permit ip 88.215.62.0 0.0.0.255 host 79.121.204.153
access-list 130 deny   ip any any
access-list 140 deny   tcp any any eq www
access-list 140 deny   tcp any any eq 443
access-list 140 permit ip any any
access-list 140 permit gre any any
access-list 140 permit esp any any
access-list 140 permit icmp any any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
line con 0
 password 7 045A0C151C36480F
 logging synchronous
 login
 modem enable
line aux 0
 password xxxxxxxxxx
 login
 modem Dialin
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 access-class 101 in
 password xxxxxxxxxxx
 logging synchronous
 login
!
scheduler max-task-time 5000
ntp server 158.43.128.33 prefer source Dialer1
ntp server 158.43.128.66 source Dialer1
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


Thank you,
webleyaxsorAsked:

Brain2000Commented:
You are correct.  It's messing with 5060 traffic. I would remove the static NAT and allow port 5060 in for access-group 130.  Right now the only thing allowing UDP to travel to non-VPN clients is the static NAT.  So that will have to be addressed in the access-group.

access-list 130 permit udp any any eq 5060

I might not leave it open to everyone like that, but it would work for testing.  Also, how are you getting RTP traffic through?

Another way, since you have GRE open, you could set up a VPN service on the PBX and have the users connect directly to that.  That will ease the NAT traversal as well.
0

Brain2000Commented:
I have another theory that could be a problem..  The PBX is receiving traffic from the router's IP address for all external calls, 192.168.1.254 on port 5060.  So essentially the PBX will see all remote customers as coming from the same IP address.  Ugh.

I wonder what this would do to the nat translation table....

ip inspect name UDP_INSP udp
Interface Dialer1
 ip inspect UDP_INSP in

0
webleyaxsorAuthor Commented:
Hi Brian 2000,

I will try changing access list 130, and let you know.

With the type of PABX I have I am unable to configure a VPN on it (French rubbish) lol

thanks

andy ..
0

OzNetNerdCommented:
I'd say that this line is the issue:
ip nat inside source static udp 192.168.1.248 5060 interface Dialer1 5060

Although you deny NATing between 192 addresses with ACL 100, I'd say the above line overrides it.

Try this:
no ip nat inside source static udp 192.168.1.248 5060 interface Dialer1 5060

And, add the following line to access-list 100:
access-list 100 permit udp 192.168.1.248 5060 any
0
webleyaxsorAuthor Commented:
Hi, the access list you stated would not work;
I had to use permit udp host 192.168.1.248 any eq 50

Would that be correct?
0
Brain2000Commented:
bbd00 restated what I said about removing the static nat entry.  However, adding that line to access list 100 will not work.  The pbx needs to be able to send 5060 across the VPN un'natted and that will make it NAT all the time.

I think the only way to resolve this is to set up SIP on the router so it can perform NAT traversal properly.  Otherwise the phone server is only going to see 192.168.1.248 for all remote connections.

I've not set up SIP/NAT traversal, but I'll research and post back.
0
Brain2000Commented:
Try this:

ip nat sip-sbc
 proxy  192.168.1.248 5060 79.121.204.153 5060 protocol udp
 session-timeout 300
 mode allow-flow-around
 override address
!
0
OzNetNerdCommented:
After taking another look at your config my additional line (see below) is not necessary:
access-list 100 permit udp 192.168.1.248 eq 5060 any

Because it is covered by the another line that you already had in your ACL:
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

Can you please post the output from the following command: "show ip nat trans | inc 192.168.1.248"

Brian, because the VPN traffic is denied being NAT'ed earlier in ACL100, the NAT statement I suggested (and the one that was already in the ACL) should work AOK.
0
Brain2000Commented:
Ah, true.  You're right because it's after the deny.  That will work if you only have one remote client connecting to make calls.  But once you add in multiple remote callers, that breaks down because the PBX will see all callers coming from 192.168.1.248.
0
OzNetNerdCommented:
I'm not too sure what you mean by this:
"But once you add in multiple remote callers, that breaks down because the PBX will see all callers coming from 192.168.1.248."

Because it is NAT'ed, wouldn't all of the remote hosts see the public IP address rather than the private one?
0
Brain2000Commented:
Ack!! I'm all mixed up today.  You're right, I am getting inside local and global mixed up.  The PBX will see the remote host addresses, so that should not be an issue.

So after thinking about it, this should be working as it is (minus the static nat entry)...

I have two more ideas, then I'm stumped.

Idea 1: How many calls are on when they start getting dumped?  I noticed that you have "priority 256".  If you exceed more than 256kbits of that class of traffic, it will turn into a rate limiter and drop packets.  If you are using G711, then that's only 4 active extensions.

Idea 2: This one is a longshot, but I've seen it happen once or twice.  CEF can cause routing/NAT issues in some configurations.  Try turning off cef temporarily and test the calls again.  It can be disabled by running "no ip cef".
0
OzNetNerdCommented:
"Ack!! I'm all mixed up today"

hehe no probs, it happens to all of us :)

webleyaxsor, just so we are all on the same page, when you implement my ACL 100 above, what happens?

Do calls work between the two sites? Do external calls work?

By the way, good thought with idea 1 Brain, that is a strong possibility.
0
slipponzCommented:
Hi,
You are correct in thinking that the NAT translation is causing the problem. I have found that this happens to all traffic which you have a NAT rule for and also want to send over the VPN. The solution is pretty straight forward when you know how:

Create a loopback:

interface Loopback0
 description INSIDELoop
 ip address 1.1.1.1 255.255.255.0

Create a route-map:
route-map lanint permit 10
 match ip address 199
 set ip next-hop 1.1.1.2

Create the ACL:
access-list 199 permit ip 10.0.11.0 0.0.0.255 10.0.7.0 0.0.0.255
(in this example saying anything from inside network 10.0.11.0/24 going to 10.0.7.0/24)

Attach this ACL to the LAN interface:
interface FastEthernet0
ip policy route-map lanint

So in summary we are saying any traffic destined for the other network make the next hop a loopback interface and stop the traffic trying to go back out of the dialer.

Hope this helps.

0
Brain2000Commented:
PBR is another approach, but this should be handling it?

ip nat inside source list 100 interface Dialer1 overload
!
access-list 100 remark *** NAT'ing rules ***
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
0
slipponzCommented:
Yeah, Brain2000 is correct also that you need to deny VPN traffic from being NAT'd. But you will also need to do what I said about traffic which has a NAT rule but also needs to go down the VPN.
0
Brain2000Commented:
What I mean is the access-list is excluding traffic going through the VPN from NAT'ing.

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

This line should make traffic from 192.168.1.0 ---> 192.168.2.0 through the VPN to skip the NAT.
If "ip nat inside source list" does not allow for deny statements to exclude NAT'ing, then we'll need PBR.
0
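To make the order-of-operations argument in OzNetNerd's and Brain2000's posts concrete, here is an added Python model (not code from the thread or from Cisco) that replays ACL 100, the static 5060 entry and crypto ACL 120 from the Site A config over constructed packets. It assumes IOS applies a static inside-source entry regardless of the dynamic list's deny lines, evaluates ACL 100 first-match with deny meaning "do not translate", and that the crypto map on Dialer1 matches on the already-translated source address.

```python
"""Model of the Site A router's NAT / crypto-map decision for one packet.

Constructed example: it reproduces the thread's rules, not real IOS code.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def _wild_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 1 bit in the mask is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


# (action, src, src-wildcard, dst, dst-wildcard), copied from the Site A config
ACL_100 = [  # NAT'ing rules
    ("deny", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("deny", "10.0.0.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
ACL_120 = [  # IPSec VPN tunnels (crypto map AGS, match address 120)
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
]
DIALER1_IP = "82.151.236.65"
# ip nat inside source static udp 192.168.1.248 5060 interface Dialer1 5060
STATIC_5060 = ("udp", "192.168.1.248", 5060, DIALER1_IP, 5060)


def acl_permits(acl: List[tuple], pkt: Packet) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, src, swc, dst, dwc in acl:
        if _wild_match(pkt.src, src, swc) and _wild_match(pkt.dst, dst, dwc):
            return action == "permit"
    return False


def egress(pkt: Packet, static_entries: List[tuple]) -> Tuple[Packet, str, bool]:
    """Return (packet as it leaves Dialer1, why, whether IPsec encrypts it)."""
    for proto, local, lport, gaddr, gport in static_entries:
        if (pkt.proto, pkt.src, pkt.sport) == (proto, local, lport):
            out, why = pkt._replace(src=gaddr, sport=gport), "static NAT"
            break
    else:
        if acl_permits(ACL_100, pkt):  # dynamic overload (PAT) on Dialer1
            out, why = pkt._replace(src=DIALER1_IP), "dynamic PAT"
        else:
            out, why = pkt, "exempt (ACL 100 deny)"
    # Crypto map is consulted after inside->outside NAT, on the translated header.
    return out, why, acl_permits(ACL_120, out)


if __name__ == "__main__":
    sip_to_site_b = Packet("192.168.1.248", 5060, "192.168.2.10", 5060)  # constructed
    for label, statics in (("with static", [STATIC_5060]), ("without static", [])):
        out, why, encrypted = egress(sip_to_site_b, statics)
        print(f"{label:15s} src={out.src}:{out.sport} {why:22s} tunnelled={encrypted}")
```

With the static entry present the PBX's SIP packets leave Dialer1 sourced from 82.151.236.65, no longer match ACL 120, and bypass the tunnel; remove it and the ACL 100 deny exempts them so they are encrypted to Site B.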
webleyaxsorAuthor Commented:
Hi Guys,

Thanks for your help. In the end I resolved the issue by configuring a GRE tunnel, then hey presto everything worked a treat; the NATting was causing chaos.
0