Yaroze
just joined
Topic Author
Posts: 5
Joined: Tue Aug 06, 2013 4:53 pm

NAT & SIP

Wed Jan 15, 2014 4:01 pm

I am trying to connect four Cisco IP 7960 phones into our office NAT setup. I'm currently using a NAT proxy to get outbound, but I am having issues. It's either one-way audio, or nothing at all.

I've already disabled both h323 and SIP
    Flags: X - disabled, I - invalid
    #   NAME        PORTS
    0 X ftp             21
    1 X tftp            69
    2 X irc             6667
    3 X h323         
    4 X sip            5060, 5061
    5  pptp
I have now got one phone to work which is great using the following line:
    chain=dstnat action=dst-nat to-addresses=192.168.0.163 protocol=udp dst-address=81.x.x.114 src-port=16384-32766
As it stands this is my current /ip firewall nat layout
    Flags: X - disabled, I - invalid, D - dynamic
     1   ;;; VPN PC
         chain=srcnat action=src-nat to-addresses=81.x.x.126 src-address-list=VPN-PC out-interface=eth12-BT
     2  ;;; Assign IP 81.x.x.114 to Office
         chain=srcnat action=src-nat to-addresses=81.x.x.114 src-address=192.168.0.0/24 out-interface=eth12-BT
     3   ;;; HairPin
         chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.0/24
     4   ;;; NAT Redirect Port - JABBER
         chain=dstnat action=dst-nat to-addresses=192.168.0.7 to-ports=5222-5225 protocol=tcp dst-address=81.x.x.115 src-port="" dst-port=5222-5225
     5   ;;; NAT Incoming Port 1723 TCP - PPTP VPN
         chain=dstnat action=dst-nat to-addresses=192.168.0.7 to-ports=1723 protocol=tcp dst-address=81.x.x.114 dst-port=1723
     6   ;;; NAT Incoming Port 500 UDP - PPTP VPN
         chain=dstnat action=dst-nat to-addresses=192.168.0.7 to-ports=500 protocol=udp dst-address=81.x.x.114 dst-port=500
     7   ;;; SIP Phone Stuff
         chain=dstnat action=dst-nat to-addresses=192.168.0.121 to-ports=5060-7089 protocol=udp dst-address=81.x.x.114 dst-port=5060,7070-7089
     8   chain=dstnat action=dst-nat to-addresses=192.168.0.163 protocol=udp dst-address=81.x.x.114 src-port=16384-32766
    /ip firewall filter
     0   ;;; allow established connections /  related connections
         chain=forward action=accept connection-state=established
     1   chain=forward action=accept connection-state=related
     2   ;;; Bypass WEB BLOCK - PC
         chain=forward action=accept src-address=192.168.0.108
     3   ;;; Bypass WEB BLOCK - PC
         chain=forward action=accept src-address=192.168.0.77 layer7-protocol=Facebook
     4   ;;; Bypass WEB BLOCK - PC
         chain=forward action=accept src-address=192.168.0.134 layer7-protocol=Facebook
     5   chain=forward action=accept src-address=192.168.0.168
     7   ;;; Enable GRE - PPTP VPN
         chain=forward action=accept protocol=gre in-interface=eth12-BT
     8   ;;; VPN2
         chain=forward action=accept src-address=192.168.0.7 out-interface=eth12-BT
     9   ;;; Block PROXY from outside
         chain=input action=drop protocol=tcp in-interface=eth12-BT dst-port=8080
    10   ;;; Blocks BANNED sites - All Users on Network
         chain=forward action=drop src-address=192.168.0.0/24 layer7-protocol=AllSocialSites
    11   ;;; drop invalid connections
         chain=forward action=drop connection-state=invalid
However I am now confused on how to get the other three phones working.

Any help / advice?
Last edited by Yaroze on Wed Jan 15, 2014 6:37 pm, edited 1 time in total.
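
As an added example (not part of the thread and not MikroTik code): a small Python check over the two UDP dst-nat rules posted above plus a hypothetical rule 9 that adds a second phone the same way. It assumes RouterOS evaluates NAT rules top-down with the first match winning, and it compares only protocol, dst-address, src-port and dst-port.

```python
# Constructed sample: rules 7 and 8 from the post (address written as 81.x.x.114),
# plus a hypothetical rule 9 for a second phone at an assumed address.
RULES = """\
7 chain=dstnat action=dst-nat to-addresses=192.168.0.121 to-ports=5060-7089 protocol=udp dst-address=81.x.x.114 dst-port=5060,7070-7089
8 chain=dstnat action=dst-nat to-addresses=192.168.0.163 protocol=udp dst-address=81.x.x.114 src-port=16384-32766
9 chain=dstnat action=dst-nat to-addresses=192.168.0.164 protocol=udp dst-address=81.x.x.114 src-port=16384-32766
"""

def parse_rule(line):
    """Split '<id> key=value key=value ...' into a dict."""
    rule_id, *pairs = line.split()
    rule = dict(p.split("=", 1) for p in pairs)
    rule["id"] = int(rule_id)
    return rule

def ports(spec):
    """Expand '5060,7070-7089' to a set of ints; None means 'any port'."""
    if not spec:
        return None
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    for key in ("protocol", "dst-address"):
        if key in earlier and earlier[key] != later.get(key):
            return False
    for key in ("src-port", "dst-port"):
        e, l = ports(earlier.get(key)), ports(later.get(key))
        if e is not None and (l is None or not l <= e):
            return False
    return True

def audit(text):
    """Flag dst-nat rules with no dst-port and rules an earlier rule shadows."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    rules = [r for r in rules if r.get("action") == "dst-nat"]
    findings = []
    for i, r in enumerate(rules):
        if "dst-port" not in r:
            findings.append((r["id"], "no-dst-port"))
        shadow = next((p for p in rules[:i] if covers(p, r)), None)
        if shadow:
            findings.append((r["id"], f"shadowed-by-{shadow['id']}"))
    return findings

if __name__ == "__main__":
    print(audit(RULES))
```

Rule 8 is flagged because it has no dst-port, so it forwards UDP on every destination port of 81.x.x.114 to the phone whenever the remote source port falls in the range. Rule 9 is flagged because rule 8 already matches the same packets, which is why repeating the rule does not bring up the other phones.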
 
patrickmkt
Member Candidate
Posts: 200
Joined: Sat Jul 28, 2012 5:21 pm

Re: NAT & SIP

Wed Jan 15, 2014 5:33 pm

I would assume that you are using your 7960 with the SIP firmware?
Don't forget that for SIP, in addition to the signaling channel (usually 5060), you also need to open the RTP range (the voice part of the communication). That's what you probably did for your other phone (src-port=16384-32766).
Check what ports your PBX is using for the incoming RTP; you can also check the RTP outbound ports that your Cisco phones are using in their config.
 
Yaroze
just joined
Topic Author
Posts: 5
Joined: Tue Aug 06, 2013 4:53 pm

Re: NAT & SIP

Wed Jan 15, 2014 6:36 pm

Thanks patrickmkt,

Correct, 7960 with SIP 8.0 Firmware.

I'm currently not using a PBX/Trunking and just a commercial SIP Line in. I would like to avoid PBX but can you use PBX (asterisk / freeswitch) without a trunking account?

Whatever I set as the "Start Media" and "End Media" ports on the Cisco Phone (after reboot too) they all still seem to communicate between: 16384-32766 -- which is incredibly annoying.
I am currently running my own SIProxyd to allow it to REGISTER with the provider.

As I was going to assign each phone a #amount of ports and src-nat that way.
 
patrickmkt
Member Candidate
Posts: 200
Joined: Sat Jul 28, 2012 5:21 pm

Re: NAT & SIP

Wed Jan 15, 2014 6:49 pm

> I'm currently not using a PBX/Trunking and just a commercial SIP Line in. I would like to avoid PBX but can you use PBX (asterisk / freeswitch) without a trunking account?

Your 'commercial SIP line' is the PBX.
You can always add your own PBX if you need to; a PBX is not acting differently than a phone for the provider. You can use any SIP line as a trunk to an Asterisk. You are just limited by the number of simultaneous channels that your provider authorizes on your account.

On my own system I prefer to have my own Asterisk because then I can create redundancy with multiple SIP providers and choose the best cost-efficient route. I also just need to netmap all the ports to only my PBX. Also it allows me much more flexibility for all advanced features. Last but not least, when I'm roaming I'm using an IAX trunk that avoids all these firewall issues that we have with SIP.
 
Yaroze
just joined
Topic Author
Posts: 5
Joined: Tue Aug 06, 2013 4:53 pm

Re: NAT & SIP

Wed Jan 15, 2014 7:03 pm

Then that may make more sense and be worth setting up.
So my provider allows me to make four accounts within my account panel and assign four users with four different DID numbers.

I can plug those four accounts straight into Asterisk? And then I can assign each line on the phone an account from Asterisk?
 
patrickmkt
Member Candidate
Posts: 200
Joined: Sat Jul 28, 2012 5:21 pm

Re: NAT & SIP

Wed Jan 15, 2014 11:08 pm

> Then that may make more sense and be worth setting up.
> So my provider allows me to make four accounts within my account panel and assign four users with four different DID numbers.
>
> I can plug those four accounts straight into Asterisk? And then I can assign each line on the phone an account from Asterisk?

Yes, or you can even have all four DIDs ringing on all four phones together, or one after the other. You can also decide with your Cisco's right screen button which line you want to use from any phone.
 
Yaroze
just joined
Topic Author
Posts: 5
Joined: Tue Aug 06, 2013 4:53 pm

Re: NAT & SIP

Wed Jan 15, 2014 11:58 pm

The lines will come in handy at a different time that's for sure.

I hate to sound like a complete newbie, but what would I be best off using? I've got an Elastix box set up but it's confusing. Should I just go for a simple Linux distro and Asterisk setup? Or can FreeSwitch/Elastix/etc. do the same features?

Thanks for your help, it's really appreciated.
 
patrickmkt
Member Candidate
Posts: 200
Joined: Sat Jul 28, 2012 5:21 pm

Re: NAT & SIP

Thu Jan 16, 2014 3:15 pm

> The lines will come in handy at a different time that's for sure.
>
> I hate to sound like a complete newbie, but what would I be best off using? I've got an Elastix box set up but it's confusing. Should I just go for a simple Linux distro and Asterisk setup? Or can FreeSwitch/Elastix/etc. do the same features?
>
> Thanks for your help, it's really appreciated.

Elastix is a great Asterisk distribution. That's the one I'm using. In my view it's the right compromise between the completely bare Asterisk and the full rookie mode where you can't do fine tuning in PBXinaFlash.
