A request came up for a simple Internet SIP connection to the SIP provider Goldline. The VoIP devices involved are a Cisco AS5350 universal gateway and an IP PBX, with a Check Point 1100 firewall protecting the connection.
Topology
Configuration
Cisco Universal Gateway AS5350
r_voip#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 5350 Software (C5350-IS-M), Version 12.3(10e), RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 18-Aug-05 17:00 by ssearch
Image text-base: 0x60008AFC, data-base: 0x61700000

ROM: System Bootstrap, Version 12.2(1r)1, RELEASE SOFTWARE (fc1)
BOOTLDR: 5350 Software (C5350-BOOT-M), Version 12.2(2)XB2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

r_voip uptime is 20 hours, 11 minutes
System returned to ROM by power-on
System restarted at 14:34:21 EDT Wed Dec 6 2017
System image file is "flash:c5350-is-mz.123-10e.bin"

cisco AS5350 (R7K) processor (revision T) with 262144K/131072K bytes of memory.
Processor board ID JAE0940MBBX
R7000 CPU at 250MHz, Implementation 39, Rev 2.1, 256KB L2, 2048KB L3 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
Primary Rate ISDN software, Version 1.1.
Manufacture Cookie Info:
EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x32,
Board Hardware Version 3.35, Item Number 800-5171-02,
Board Revision D0, Serial Number JAE0940MBBX,
PLD/ISP Version 2.2, Manufacture Date 29-Sep-2005.
Processor 0x14, MAC Address 0x0141C3F6F2A
Backplane HW Revision 1.0, Flash Type 5V
2 FastEthernet/IEEE 802.3 interface(s)
54 Serial network interface(s)
60 terminal line(s)
2 Channelized T1/PRI port(s)
512K bytes of non-volatile configuration memory.
65536K bytes of processor board System flash (Read/Write)
16384K bytes of processor board Boot flash (Read/Write)

Configuration register is 0x2102
r_voip#sh run
Building configuration...
Current configuration : 7758 bytes
!
! Last configuration change at 10:42:03 EDT Thu Dec 7 2017 by gi-de
! NVRAM config last updated at 10:44:22 EDT Thu Dec 7 2017 by gi-de
!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec
service password-encryption
!
hostname r_voip
!
boot-start-marker
no boot startup-test
boot-end-marker
!
logging queue-limit 100
logging buffered 4096 debugging
logging console notifications
enable secret 5 $1$AqCc$Yws4cMk4IVz2yPhXrH2Y0
enable password 7 1531031E55393F7526600C72346
!
username yssso password 7 1531031E55393F7526600C72346
username gssss_gl password 7 052C572B7273692526347431B33252E262D2677
username gssss password 7 1069585421445F3D5C55A6A
username tadmin password 7 003001053B7C07393911D5E48
!
!
resource-pool disable
clock timezone EDT -5
spe default-firmware spe-firmware-1
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip name-server 8.8.8.8
!
isdn switch-type primary-dms100
isdn logging
!
voice call send-alert
voice call convert-discpi-to-prog
voice call carrier capacity active
voice rtp send-recv
!
voice service pots
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
!
voice service voip
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
sip
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
!
!
!
!
!
!
!
!
!
!
fax interface-type fax-mail
!
!
trunk group ALLT1
description ALL T1 on the system
!
!
!
controller T1 3/0
framing esf
linecode b8zs
cablelength short 133
pri-group timeslots 1-24
!
controller T1 3/1
framing esf
linecode b8zs
cablelength short 133
pri-group timeslots 1-24
!
class-map match-all voip
match dscp cs6
match not dscp cs1
!
!
policy-map QoS_VoIP
class voip
set dscp cs1
!
!
!
interface FastEthernet0/0
description calls to and from Goldline
ip address 100.100.100.26 255.255.255.0
service-policy input QoS_VoIP
service-policy output QoS_VoIP
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 172.16.9.222 255.255.255.0
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
no ip address
shutdown
clockrate 2000000
!
interface Serial0/1
no ip address
shutdown
clockrate 2000000
!
interface Serial3/0:23
no ip address
trunk-group ALLT1
isdn switch-type primary-dms100
isdn protocol-emulate network
isdn incoming-voice modem
isdn guard-timer 10000
isdn T306 10000
isdn T310 40000
isdn send-alerting
isdn sending-complete
isdn channel-id invert extend-bit
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/1:23
no ip address
trunk-group ALLT1
isdn switch-type primary-dms100
isdn protocol-emulate network
isdn incoming-voice modem
isdn guard-timer 10000
isdn T306 10000
isdn T310 40000
isdn send-alerting
isdn sending-complete
isdn channel-id invert extend-bit
no keepalive
no fair-queue
no cdp enable
!
interface Async1/00
no ip address
!
interface Async1/01
no ip address
!
interface Async1/02
no ip address
!
interface Async1/03
no ip address
!
interface Async1/04
no ip address
!
interface Async1/05
no ip address
!
interface Async1/06
no ip address
!
interface Async1/07
no ip address
!
interface Async1/08
no ip address
!
interface Async1/09
no ip address
!
interface Async1/10
no ip address
!
interface Async1/11
no ip address
!
interface Async1/12
no ip address
!
interface Async1/13
no ip address
!
interface Async1/14
no ip address
!
interface Async1/15
no ip address
!
interface Async1/16
no ip address
!
interface Async1/17
no ip address
!
interface Async1/18
no ip address
!
interface Async1/19
no ip address
!
interface Async1/20
no ip address
!
interface Async1/21
no ip address
!
interface Async1/22
no ip address
!
interface Async1/23
no ip address
!
interface Async1/24
no ip address
!
interface Async1/25
no ip address
!
interface Async1/26
no ip address
!
interface Async1/27
no ip address
!
interface Async1/28
no ip address
!
interface Async1/29
no ip address
!
interface Async1/30
no ip address
!
interface Async1/31
no ip address
!
interface Async1/32
no ip address
!
interface Async1/33
no ip address
!
interface Async1/34
no ip address
!
interface Async1/35
no ip address
!
interface Async1/36
no ip address
!
interface Async1/37
no ip address
!
interface Async1/38
no ip address
!
interface Async1/39
no ip address
!
interface Async1/40
no ip address
!
interface Async1/41
no ip address
!
interface Async1/42
no ip address
!
interface Async1/43
no ip address
!
interface Async1/44
no ip address
!
interface Async1/45
no ip address
!
interface Async1/46
no ip address
!
interface Async1/47
no ip address
!
interface Async1/48
no ip address
!
interface Async1/49
no ip address
!
interface Async1/50
no ip address
!
interface Async1/51
no ip address
!
interface Async1/52
no ip address
!
interface Async1/53
no ip address
!
interface Async1/54
no ip address
!
interface Async1/55
no ip address
!
interface Async1/56
no ip address
!
interface Async1/57
no ip address
!
interface Async1/58
no ip address
!
interface Async1/59
no ip address
!
interface Group-Async0
no ip address
no group-range
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 100.100.100.1
ip route 100.100.100.0 255.255.255.0 FastEthernet0/0
ip route 172.16.9.0 255.255.255.0 FastEthernet0/1
no ip http server
!
!
access-list 1 permit 204.101.238.5
access-list 1 permit 162.248.168.71
access-list 1 permit 162.248.168.74
access-list 1 permit 162.248.168.73
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 1 deny any
!
!
!
voice-port 3/0:D
!
voice-port 3/1:D
!
!
!
dial-peer voice 1 pots
trunkgroup ALLT1
description Incoming calls from GI-DE PRI accept
incoming called-number .
direct-inward-dial
!
dial-peer voice 100 voip
tone ringback alert-no-PI
description Outgoing calls to Goldline
huntstop
preference 1
destination-pattern ..........T
progress_ind setup enable 3
voice-class sip rel1xx disable
session protocol sipv2
session target ipv4:162.248.168.71
dtmf-relay rtp-nte
fax rate 9600
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
ip qos dscp cs1 media
ip qos dscp cs1 signaling
no vad
!
dial-peer voice 101 voip
description Incoming calls from Goldline
incoming called-number ....
voice-class codec 1
voice-class sip rel1xx disable
session protocol sipv2
session target ipv4:162.248.168.71
dtmf-relay rtp-nte
fax rate 9600
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
ip qos dscp cs1 media
ip qos dscp cs1 signaling
no vad
!
dial-peer voice 11 pots
trunkgroup ALLT1
description Incoming call from Goldline to T1
preference 1
destination-pattern ....
progress_ind setup enable 3
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
forward-digits all
!
!
num-exp ....# ....
num-exp .....# .....
num-exp ......# ......
num-exp .......# .......
num-exp ........# ........
num-exp .........# .........
num-exp ..........# ..........
num-exp ...........# ...........
num-exp ............# ............
num-exp .............# .............
num-exp ..............# ..............
num-exp ...............# ...............
gateway
!
sip-ua
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
logging synchronous level 5
history size 256
line 1/00 1/59
modem InOut
!
scheduler allocate 10000 400
ntp clock-period 17180072
ntp update-calendar
ntp server 206.108.0.133
ntp server 158.69.125.231
ntp server 162.213.212.10
end
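As an added example (not part of the original post and not the gateway's own configuration), a short Python audit run over a constructed config excerpt modelled on the dump above. It recovers type 7 passwords, which `service password-encryption` only obfuscates with a fixed XOR key, and flags the other weaknesses visible in the dump: an `enable password` kept alongside the `enable secret`, `access-list 1` defined but never applied to an interface or vty line, no `access-class` on the vty lines, and `exec-timeout 0 0` on the console. The hex strings in the sample are made up for the example; they are not the ones in the post.

```python
"""Audit a saved IOS config for the weaknesses visible in the dump above (added example)."""
import re
from typing import Dict, List

# Cisco's fixed type 7 key stream; it is the same on every IOS box, which is why
# "service password-encryption" is obfuscation rather than encryption.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

_PW7_RE = re.compile(
    r"^(?:enable|username\s+(?P<user>\S+))\s+password\s+7\s+(?P<hex>[0-9A-Fa-f]+)$")
_ACL_DEF_RE = re.compile(r"^access-list\s+(\S+)\s")
_ACL_USE_RE = re.compile(r"^(?:ip\s+access-group|access-class)\s+(\S+)")


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the start offset into the
    key stream, then each hex byte is one plaintext character XORed with the next
    key byte."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def audit_config(config: str) -> List[str]:
    """Return human-readable findings for one IOS running-config."""
    findings: List[str] = []
    acl_defined: Dict[str, int] = {}     # ACL id -> line where first defined
    acl_used = set()
    line_blocks: Dict[str, bool] = {}    # "line vty 0 4" -> has an access-class
    block = None                         # the "line ..." block we are inside, if any
    has_secret = has_enable_pw = False

    for no, raw in enumerate(config.splitlines(), 1):
        text = raw.strip()
        if text.startswith("line "):
            block = text
            line_blocks.setdefault(block, False)
            continue
        if text in ("!", "end"):
            block = None
            continue
        if text.startswith("enable secret"):
            has_secret = True
        m = _PW7_RE.match(text)
        if m:
            who = m.group("user") or "enable"
            has_enable_pw |= who == "enable"
            findings.append(f"line {no}: type 7 password for {who} decodes to "
                            f"'{decode_type7(m.group('hex'))}'")
        m = _ACL_DEF_RE.match(text)
        if m:
            acl_defined.setdefault(m.group(1), no)
        m = _ACL_USE_RE.match(text)
        if m:
            acl_used.add(m.group(1))
            if block:
                line_blocks[block] = True
        if block and text.startswith("exec-timeout 0 0"):
            findings.append(f"line {no}: {block} never times out (exec-timeout 0 0)")

    if has_secret and has_enable_pw:
        findings.append("enable password (type 7) kept alongside enable secret; remove it")
    for acl, no in acl_defined.items():
        if acl not in acl_used:
            findings.append(f"line {no}: access-list {acl} is defined but never applied")
    for blk, protected in line_blocks.items():
        if blk.startswith("line vty") and not protected:
            findings.append(f"{blk} has no access-class; management is reachable from any source")
    return findings


# Constructed sample modelled on the gateway config; credentials are made up.
SAMPLE_CONFIG = """\
service password-encryption
hostname r_voip
enable secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxxxxx
enable password 7 070C285F4D06
username tadmin password 7 051D0906311E1E584E
interface FastEthernet0/0
 ip address 100.100.100.26 255.255.255.0
access-list 1 permit 162.248.168.71
access-list 1 deny any
line con 0
 exec-timeout 0 0
line vty 0 4
 logging synchronous level 5
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` saved to a file and every `password 7` string comes back in clear text, which is the point: a published config like the one above leaks its local credentials unless every account uses `secret` and the `enable password` line is removed.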
Check Point 1100
Basic configuration is recorded in the post “Check Point 1100 Appliance Configuration Step by Step”. For this SIP connection to Goldline, the following firewall configuration had to be done manually rather than auto-generated:
- Manual NAT (port forwarding): the Check Point 1100 WAN interface IP 19.24.14.12 has port forwarding enabled to 100.100.100.26.
- Allow inbound connections from 162.248.168.71 to UDP port 5060 on 19.24.14.12.
- Allow inbound connections from 162.248.168.73 and 162.248.168.74 to the UDP port range 5070-35000 on 19.24.14.12.
- Allow outbound connections from 100.100.100.26 to the Internet, NATed to the Check Point WAN interface IP 19.24.14.12 (the port-forwarding rule already hides outbound traffic behind the gateway's external IP address).
- QoS rule: traffic to the Goldline VoIP gateway IP addresses (162.248.168.71, .73, .74) gets DSCP set to 8. It is strongly recommended to verify the TOS/QoS settings on both the Cisco and the Check Point, for RTP as well as SIP signalling. By default the marking may be DSCP EF (decimal 46) or TOS IP precedence 7. These markings are fine on the LAN, but on the Internet the intervening routers spend extra processing stripping the tags before forwarding, and when they are too busy they simply discard the packets, which results in intermittent voice quality issues. The recommendation is either to set DSCP to CS1 (decimal 8) / TOS IP precedence 1 on the edge routers, or to use Check Point traffic shaping to set DSCP to CS1 (decimal 8) on the packets going out to Goldline over the Internet connection.
- If a SIP ALG feature is active on the firewall or router, turn it off. If logging is enabled for UDP packets, call quality may degrade when the router is saturated.
- Server Configurations
Notes:
Server access rules and NAT rules can also be configured the auto-generated way. But there was an issue I found: I could statically NAT to a different public IP address than the gateway interface IP, but outbound traffic was still using the gateway interface IP, which caused a problem with the SIP connection to Goldline. After many tries, I gave up on static NAT for the server and configured the server with a manual access policy and no NAT configuration.
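The rule base listed above, written out as data with a minimal first-match evaluator, added here as an example; it is not Check Point's policy format and not code from the original post. It encodes the two inbound SIP and RTP rules, the hide NAT for the gateway, and the CS1 re-marking toward the Goldline addresses, so a given flow can be checked on paper before the appliance is touched; the two helpers at the end also show what DSCP CS1 and EF look like in the raw TOS byte, which is the form a packet capture displays. Assumptions, marked in the code: unmatched traffic hits a cleanup drop, the port-forward keeps the destination port, and "Internet" is approximated as any non-private destination. The sample flows are constructed, not captured traffic.

```python
"""Rule base from the post as data, with a first-match evaluator (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Addresses taken from the post.
CP_WAN = ip_address("19.24.14.12")          # Check Point 1100 WAN interface
CISCO_GW = ip_address("100.100.100.26")     # AS5350 FastEthernet0/0
GOLDLINE_SIP = {ip_address("162.248.168.71")}
GOLDLINE_MEDIA = {ip_address("162.248.168.73"), ip_address("162.248.168.74")}
GOLDLINE_ALL = GOLDLINE_SIP | GOLDLINE_MEDIA
DSCP_CS1, DSCP_EF = 8, 46


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str                    # "accept" or "drop"
    rule: str                      # which rule matched
    nat_dst: Optional[str] = None  # destination after the port-forward (inbound)
    nat_src: Optional[str] = None  # source after hide NAT (outbound)
    dscp: Optional[int] = None     # marking applied by the QoS rule, if any


def evaluate(p: Pkt) -> Verdict:
    """First matching rule wins; anything unmatched hits an implicit cleanup drop
    (assumption: the post does not describe the cleanup rule)."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    inbound = dst == CP_WAN and p.proto == "udp"
    # Inbound SIP signalling from the Goldline proxy to UDP/5060, forwarded to the
    # AS5350 on the same port (assumption about the port-forward).
    if inbound and src in GOLDLINE_SIP and p.dport == 5060:
        return Verdict("accept", "inbound-sip", nat_dst=str(CISCO_GW))
    # Inbound RTP from the Goldline media gateways on UDP 5070-35000, forwarded likewise.
    if inbound and src in GOLDLINE_MEDIA and 5070 <= p.dport <= 35000:
        return Verdict("accept", "inbound-rtp", nat_dst=str(CISCO_GW))
    # Outbound from the AS5350 to the Internet, hidden behind the WAN IP; packets to
    # Goldline are re-marked CS1 by the QoS rule.  "Internet" is approximated as any
    # non-private destination (assumption).
    if src == CISCO_GW and not dst.is_private:
        mark = DSCP_CS1 if dst in GOLDLINE_ALL else None
        return Verdict("accept", "outbound-hide", nat_src=str(CP_WAN), dscp=mark)
    return Verdict("drop", "cleanup")


def dscp_to_tos(dscp: int) -> int:
    """DSCP occupies the top six bits of the IPv4 TOS byte (RFC 2474)."""
    return (dscp & 0x3F) << 2


def ip_precedence(dscp: int) -> int:
    """The legacy IP precedence field is the top three bits of the same byte."""
    return (dscp >> 3) & 0x7


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Pkt("162.248.168.71", "19.24.14.12", "udp", 5060),    # INVITE from the proxy
    Pkt("162.248.168.73", "19.24.14.12", "udp", 20000),   # RTP from a media gateway
    Pkt("162.248.168.71", "19.24.14.12", "udp", 20000),   # RTP from the proxy IP: no rule
    Pkt("203.0.113.9", "19.24.14.12", "udp", 5060),       # SIP from an unknown source
    Pkt("100.100.100.26", "162.248.168.71", "udp", 5060), # our INVITE out to Goldline
    Pkt("100.100.100.26", "8.8.8.8", "udp", 53),          # DNS from the gateway
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(flow))
    for name, d in (("CS1", DSCP_CS1), ("EF", DSCP_EF)):
        print(f"{name}: dscp {d} -> tos 0x{dscp_to_tos(d):02x}, precedence {ip_precedence(d)}")
```

The third sample flow is the one worth a second look: media arriving from 162.248.168.71 matches neither inbound rule, because the rule base only opens the RTP range for .73 and .74. Whether that matters depends on which addresses the provider actually sources RTP from, so confirm it against the provider's documentation or a capture rather than against the rule list.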
Troubleshooting
There was an error in the logs showing that some packets from the SIP provider Goldline were being dropped.
The reason given was "Violated Unidirectional Connection".
There are quite a few KB articles on the Check Point website discussing this error, especially "UDP Traffic on 600 / 700 appliances is dropped due to 'Violated Unidirectional Connection'".
After I followed the solution and rebooted the Cisco AS5350, the issue seems to be gone.
Reference: