(C881) forward a single public ip to an internal host

  • (C881) forward a single public ip to an internal host

    I've got a Cisco 881 with a single routed public address, then a /29 delivered over that.

    Currently, that /29 is an outbound rotary NAT pool.

    I've now got a need to dedicate one of those /29 addresses (let's call it 203.70.100.60) to an internal IP address.

    This is to allow a group of SIP based phones at a remote location to make a connection to an onsite IP PABX (adequately secured to allow traffic only from the specific location).

    I recognise one way this could be achieved is with an L2/IPSEC VPN, however the provider has asked that I just direct all traffic for one of the public addresses to their internal addresses.

    Obviously, I'll take it out of the NAT pool as that would just cause havoc.


    Considering this will be carrying SIP traffic, I know I'm not supposed to NAT it... but is that the only way?

    Could I just do

    "ip nat inside source static inside_ip outside_ip"

    or is it a bit more involved?
    Please do show your appreciation to those who assist you by leaving Rep Point

  • #2
    Re: (C881) forward a single public ip to an internal host

    I figured out how to do this with NAT, but now the provider is telling me it's not good enough - it must be a routed entry direct to the internal host.


    Can I do that at all?
    • #3
      Re: (C881) forward a single public ip to an internal host

      While I admit to zero experience myself with SIP traffic, a quick search came up with this link which may be beneficial:

      http://www.ag-projects.com/publicati...-nat-traversal

      It talks about signalling requirements and the development of the current state of the technology, and gives the various RFC references to compare. Maybe there's something in there which you can use? It reads like newer devices use symmetrical signalling, so only one port is used for both directions. Your approach certainly sounds reasonable, based on this.
      *RicklesP*
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **

      • #4
        Re: (C881) forward a single public ip to an internal host

        SIP is a peculiar protocol which doesn't like being NATed at all.

        Much like FTP, it sets up a control channel (UDP port 5060) where authentication and call setup takes place, but the call itself (voice and/or video) is sent over a secondary, negotiated connection using the RTP protocol. To make things really interesting, RTP uses random, high UDP ports.

        If there's a NATing router between a SIP client and a SIP server, the IP addresses inside the SIP packets will be wrong. The server may try to route the RTP stream to the wrong client IP (or vice versa), which means the phone will ring but there will be no sound or video.

        If this wasn't bad enough, SIP providers and router manufacturers have devised several incompatible schemes to deal with this problem. Router manufacturers have created SIP ALGs (Application Layer Gateways) that rewrite SIP packets on the fly to account for NATed addresses, while SIP providers and IP phone manufacturers have started using mechanisms like STUN to detect a NATing router in the signal path. Activate one, and things may work. Activate both, and you're back to square one.

        To answer your question, yes, you'll have to route the public IP directly. Your router doesn't even have a SIP ALG unless you're running a "firewall feature set" IOS.

        The best way to do this would be to create a separate DmZ network for the public IP addresses and put the SIP server in that network. Alternatively, an ugly hack involving a host route and binding the SIP server process to a loopback interface might work, but really, you should go with the DmZ.

        • #5
          Re: (C881) forward a single public ip to an internal host

          But if I create a DMZ and put the pool in there (and I assume I cannot split it),
          then I can't use it for outbound NAT any more... hmm.
          • #6
            Re: (C881) forward a single public ip to an internal host

            Originally posted by tehcamel:
            But if I create a DMZ and put the pool in there (and I assume I cannot split it),
            then I can't use it for outbound NAT any more... hmm.
            Actually, it seems that you can. I just tried it in Packet Tracer, and it worked.

            There's nothing stopping you from defining (part of) a connected IP network as a NAT pool. I even had an IP address assigned to a host in a DmZ network and as part of a NAT pool simultaneously, and it seemed to work. I would recommend using only non-assigned addresses in the pool, though, for obvious reasons.

            How many internal hosts are you NATing? Unless there are several thousand hosts, NAT overloading on the outbound interface address usually works.
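            An added example of the layout described in #4 and #6 (not configuration posted in this thread): the routed /29 sits on its own DMZ VLAN, the PABX holds 203.70.100.60 untranslated with an ACL admitting only the remote site, and the unassigned addresses of the same /29 still serve as the outbound NAT pool. All addresses other than 203.70.100.60, the interface names, and the RTP port range are assumed.

```cisco
! Added example, not from the thread. Constructed addressing: WAN 198.51.100.2/30
! (ISP gateway 198.51.100.1), routed block 203.70.100.56/29 containing the
! dedicated 203.70.100.60, LAN 192.168.1.0/24, remote phone site 192.0.2.10,
! RTP range 10000-20000 (assumed; use the PABX's configured range).
!
interface FastEthernet4
 description WAN - single routed public address
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Vlan1
 description LAN - private hosts, NATed outbound
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! DMZ for the routed /29. Deliberately neither "nat inside" nor "nat outside":
! the PABX keeps its public address end to end, so SIP/SDP and RTP are never rewritten,
! and LAN-to-PABX traffic is not translated either.
interface FastEthernet1
 switchport access vlan 10
!
interface Vlan10
 description DMZ - routed public /29, PABX is 203.70.100.60
 ip address 203.70.100.57 255.255.255.248
 ip access-group DMZ-OUT out
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! "out" on Vlan10 filters what the router hands to DMZ hosts: only the remote
! site may reach the PABX on SIP and RTP; everything else is dropped and logged.
ip access-list extended DMZ-OUT
 permit udp host 192.0.2.10 host 203.70.100.60 eq 5060
 permit udp host 192.0.2.10 host 203.70.100.60 range 10000 20000
 permit ip 192.168.1.0 0.0.0.255 host 203.70.100.60
 deny   ip any any log
!
! Outbound NAT for the LAN keeps using the rest of the connected /29 (post #6).
! Only addresses not assigned to any DMZ host go in the pool, so .60 is excluded.
ip access-list standard NAT-LAN
 permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC-POOL 203.70.100.61 203.70.100.62 netmask 255.255.255.248
ip nat inside source list NAT-LAN pool PUBLIC-POOL overload
```

Return traffic for a pool address arrives on the WAN (nat outside) interface and is translated before routing, so the pool addresses never need to exist as hosts on Vlan10.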
