Cisco 887 SIP passthrough

Hi,

I have a Cisco 887 and I need it to allow my SIP device to work properly.

At the moment I can place calls and that works fine, however incoming calls are not working. It all worked perfect before I changed to the 887.

I used the CP Express to do the config.

Attached is the config.

How do I fix this?

Thanks

Mark
Current configuration : 7498 bytes
!
! Last configuration change at 21:01:27 PCTime Fri Dec 16 2011 by mark
! NVRAM config last updated at 21:01:28 PCTime Fri Dec 16 2011 by mark
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname home
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2300806995
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2300806995
 revocation-check none
 rsakeypair TP-self-signed-2300806995
!
!
crypto pki certificate chain TP-self-signed-2300806995
 certificate self-signed 01
  (removed)
        quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.12.1 192.168.12.29
ip dhcp excluded-address 192.168.12.61 192.168.12.254
!

!
ip dhcp pool ccp-pool1
   import all
   network 192.168.12.0 255.255.255.0
   dns-server 203.12.160.35 203.12.160.36
   default-router 192.168.12.1
!
!
ip cef
no ip bootp server
ip name-server 203.12.160.35
ip name-server 203.12.160.36
no ipv6 cef
!
!
license udi pid CISCO887W-GN-A-K9 sn FGL154821B8
!
!
username mark privilege 15 secret 
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 match protocol sip
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip flow ingress
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.12.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname 
 ppp chap password 
 ppp pap sent-username 
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip host 202.62.157.122 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Open in new window

LVL 6
mark_06Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

EyeNoVoIPCommented:
SIP is a peer to peer protocol.  You don't have to be registered to make a call but you do have to be registered to receive a call.  It seems that the firewall may be blocking your SIP registration.  I would start by removing the SIP inspect command and rebooting your phone.  Below are the commands for the implementing this from the CLI.

config t
class-map type inspect match-any ccp-cls-insp-traffic
no match protocol sip
end
wr mem

If that doesn't work you can put the SIP inspection back:
config t
class-map type inspect match-any ccp-cls-insp-traffic
match protocol sip
end
wr mem

Also if that doesn't work can you state what model phone and provider you are using.  thanks.
0
mark_06Author Commented:
Didn't help.
The provider is an Asterisk box I have in the datacentre. The IP phone is a Linksys ATA.
0
mark_06Author Commented:
it was working fine before I put in the 877, I had a 1721 before.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

EyeNoVoIPCommented:
If that is the case then you probably didn't have Zoned based firewalls configured before.  Lets remove that to see if it's the issue and then we can open a hole for SIP.

config t
interface Vlan1
no zone-member security in-zone

interface Dialer0
no zone-member security out-zone

end


reboot the phone after that and then test inbound calls.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mark_06Author Commented:
I have done that and it works. However I now have no firewall :(
0
mark_06Author Commented:
how can I fix it?
0
mark_06Author Commented:
Thanks. This worked, however I had to configure STUN on the SIP client as well.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
IP Telephony

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.