SIP Traffic in CRS-3 Carrier Grade NAT (CGN) with PAT

Hello
Does SIP traffic through the CGN module work? We use PAT in the module.
Thank you for your comments
Rodolfo

Hi Rodolfo,
Yes, SIP can be used with no issue through a CGN system without the need for any particular ALG if the SBC performs media latching.
Take a look at this preso:
http://www.cisco.com/web/CA/events/pdfs/CNSF2011-IPv6-Transition-for-SPs-Chris-Metz.pdf
Kind regards,
N.

Similar Messages

  • Carrier Grade NAT (CGN)

    Verizon,
    Verizon has announced some DSL customers will move to Carrier Grade NAT (CGN) which uses IPv6 instead of the old standard IPv4 we use today (see verizon link below).
    This basically means you can no longer port forward. IP cameras and many other applications require port forwarding so they can be accessible from the internet outside the home. Many gamers also require this ability.
    Eventually everyone will be on IPv6. My question is how will Verizon customers on IPv6 be able to port forward? Or will it just not be allowed?
    I understand DSL customers can currently opt-out of CGN, but the point is at some point everyone will be moved to it.
    Please See:
    http://www22.verizon.com/support/residential/internet/highspeedinternet/networking/troubleshooting/p...
    Thank you for your time
    - Adam

    ADAM619,
    At the moment we're unable to answer these questions.  When we have more information we will provide it here in the forums, and make it available at www.verizon.com.  Thanks for your patience during this transition. ~Ian
    Ian_VZ
    Verizon Support
    Notice: Content posted by Verizon employees is meant to be informational and does not supersede or change the Verizon Forums User Guidelines or Terms or Service, or your Customer Agreement Terms and Conditions or Plan.

  • Carrier Grade NAT

    Hi everyone, I hope you can help me with this inquiry. We are adding fibre tails to our network and need to do per-user queuing and shaping for PPPoE using RADIUS, and I have selected the 7603 with IOS15.3(3.)S to do this for me. Now, since we are running out of IPs, we need to do Carrier Grade NAT (CGN), and based on Cisco Feature Navigator only the ME3600 and ME3800 (Remote Switches) are able to perform it. I need to come up with a confirmed decision before purchasing the devices. I would appreciate any help.

    Hi Adiyudha,
    in a general manner, consider these interfaces as SVI or "tunnels" to connect your router to the service blade.
    When loaded with a CGN image, the ServiceInfra interface is used for the management of the card. It's mandatory to have it configured to be able to boot the card properly.
    The ServiceApp interfaces are used to send traffic (to be NATed or CGv6ed for instance) to and from your router.
    It's necessary to configure an IP address on the serviceApp interface, we configure the router side of the tunnel. All other addresses in the range will be considered to be part of the service card side.
    So if you define serviceApp1 10.1.1.1/30, 10.1.1.2 will be answered by the CGN card automatically.
    These serviceApps must be part of different VRFs (vrf-lite generally) or at least one in the Global routing table and another in a VRF, to avoid routing loops, because you'll have to use static routes to send your i2o traffic into the CGN card and to attract back your o2i traffic to guarantee a symmetrical path (important in the case of stateful translation).
    So, let's take an example if you define a map pool of 20.1.1.0/24 where the external addresses will be allocated to your translations.
    You define serviceApp1 in VRF "Inside" with 1.1.1.1/30.
    You define serviceApp2 in VRF "Outside" with 1.1.1.5/30.
    You need to configure a default route in the VRF Inside pointing to serviceApp1 (or 1.1.1.2), it will send the traffic to the CGN card to be NATed.
    And you need to configure a static route 20.1.1.0/24 to serviceApp2 (or 1.1.1.6) to attract the traffic in the o2i direction.
    As you said, the serviceApp addresses are only significant locally to the router and don't need to be advertised to the outside, so they can be RFC1918.
    Hope it clarifies a bit (not easy without diagrams to describe such principles).
    Cheers,
    N.
    i2o = input to output
    o2i = output to input
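
Added example (not part of the post above and not Cisco code): a small Python model of the routing layout just described, showing the card-side address of each serviceApp /30 and why placing both serviceApps in one routing table loops i2o traffic. The `uplink` egress, the Outside default route, the `Global` table name and the destination 198.51.100.7 are constructed assumptions.

```python
import ipaddress

def card_side(router_if):
    """On a serviceApp /30 the router owns one host; the CGN card answers for the other."""
    iface = ipaddress.ip_interface(router_if)
    return str(next(h for h in iface.network.hosts() if h != iface.ip))

def lookup(table, dst):
    """Longest-prefix match over a {prefix: egress} routing table."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), out) for p, out in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace_i2o(tables, app_vrf, dst, max_hops=6):
    """Follow an inside-to-outside packet hop by hop.

    A packet routed to serviceApp1 is translated by the card and re-enters
    the router on serviceApp2, so the next lookup uses serviceApp2's VRF.
    The destination is unchanged because only the source is translated.
    """
    vrf, path = app_vrf["serviceApp1"], []
    for _ in range(max_hops):
        egress = lookup(tables[vrf], dst)
        path.append((vrf, egress))
        if egress != "serviceApp1":
            return path, "forwarded" if egress else "dropped"
        vrf = app_vrf["serviceApp2"]
    return path, "loop"

# Layout from the post: serviceApp1 in VRF Inside, serviceApp2 in VRF Outside,
# map pool 20.1.1.0/24. The Outside default route via "uplink" is assumed.
SPLIT_VRFS = {"serviceApp1": "Inside", "serviceApp2": "Outside"}
SPLIT_TABLES = {
    "Inside": {"0.0.0.0/0": "serviceApp1"},
    "Outside": {"20.1.1.0/24": "serviceApp2", "0.0.0.0/0": "uplink"},
}

# Misconfiguration the post warns about: both serviceApps in the same table.
ONE_VRF = {"serviceApp1": "Global", "serviceApp2": "Global"}
ONE_TABLES = {"Global": {"0.0.0.0/0": "serviceApp1",
                         "20.1.1.0/24": "serviceApp2"}}

if __name__ == "__main__":
    for name, addr in (("serviceApp1", "1.1.1.1/30"), ("serviceApp2", "1.1.1.5/30")):
        print(name, "router side", addr, "card side", card_side(addr))
    print("split VRFs:", trace_i2o(SPLIT_TABLES, SPLIT_VRFS, "198.51.100.7"))
    print("one table :", trace_i2o(ONE_TABLES, ONE_VRF, "198.51.100.7"))
    # Return traffic to a pool address is attracted to the card via serviceApp2.
    print("o2i egress:", lookup(SPLIT_TABLES["Outside"], "20.1.1.10"))
```
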

  • Carrier grade nat - static port block allocation.

    Hello,
    Is it possible to configure NAT (CGN) on the ASR 1k so that the same private address always gets the same port block allocation from the same public address? With that you don't need NAT logging.
    regards


  • Carrier Grade Network Address Translation (CG-NAT)

    Hello,
    I live in the UK.  One of the largest ISPs, BT, has begun trialling carrier grade network address translation (CG-NAT).  In a nutshell, this introduces double NAT - first your broadband router, then the ISP's "router".  This is before the ISP has introduced IPv6.
    I fear it is only a matter of time before my ISP also introduces CG-NAT.  Will/does Skype work in a CG-NAT scenario?  If not, what are my options?
    Kind regards,
    Anwar

    I am new to Oracle VM. The dom0 and domU are set up by someone else. So I don't know the details. In the domU, I can't even ping the 10.244.69.35 address of the dom0.
    # ping 10.244.69.35
    PING 10.244.69.35 (10.244.69.35) 56(84) bytes of data.
    From 192.168.200.50 icmp_seq=2 Destination Host Unreachable
    From 192.168.200.50 icmp_seq=3 Destination Host Unreachable
    From 192.168.200.50 icmp_seq=4 Destination Host Unreachable
    The Cisco switch on the 10.*.*.* network is owned by IT and I can't change anything on it. This is why I try to set up NAT on the dom0. I would appreciate any help so that I can access the 10.*.*.* network from the domU.

  • Help troubleshoot sip traffic

    Hello,
    I have a problem with a small IP telephony system (SIP) and I'm using a Cisco 881 router as router/firewall.
    The problem is that sometimes you can not call in. It happens only occasionally and when it does our ip phone provider says that there is no response from our ip phone/switch back to them on the internet.
    We have an ip-phone/switch-device on our local network. When we receive calls they are first routed to our ip phone provider which then sends it to us.
    It can work 20 times and then it is a call that can not get to us.
    How should I start debugging? Is there any logging for SIP traffic so I can send logs to a syslog server?
    Thanks for any suggestions.

    So if I was troubleshooting this, the first question I would ask would be: is this a new setup or something that was working fine and is now having problems?
    If it is a new setup, post the configs and strip out passwords.
    If it was working and you now have problems, start running debugs to see if you can isolate the issue.
    SIP Debug Commands that Support Output Filtering
    debug ccsip all
    debug ccsip calls
    debug ccsip events
    debug ccsip messages
    debug ccsip preauth
    debug ccsip states

  • ASA5500 blocking SPA504G SIP traffic?

    (Apologies if this is a reposting)
    I've a client using an ASA5500 firewall - which I don't manage or have admin access to - at a new remote office. They'd like to use the same Cisco SPA504G handsets used in their other office to connect to a Hosted PBX (on public IP).
    It appears as if the ASA5500 is still - despite inspection being turned off - dropping or somehow redirecting SIP traffic from the SPA504G handsets. Annoyingly, a PC on the same (internal) VLAN running X-Lite (softphone, using the same SIP settings as the handsets) is working fine. But the Cisco handsets just aren't connecting. The same configs on handsets in the other office (Netgear firewall) have worked fine for 6+ months.
    We've tried changing handset source and PBX server ports (e.g. 5063, 5099) using both UDP and TCP - works fine from remote office, no connections from the ASA5500-powered office. We've also turned syslogging on for the handsets and verified they are sending the correct REGISTER etc SIP messages. But they aren't arriving at the PBX, or seemingly external to the firewall at all.
    It appears as if the firewall is detecting the Cisco-originating SIP traffic specifically, and dropping it somewhere. And ignoring SIP traffic from the PC softphone. Is this possible?
    If anyone can suggest any posts, diagnostic tools, documentation or other hints that I can point the remote sites' system administrators at, I'd be very grateful.
    Thanks in advance,
    Mark

    Hello,
    Are you sure the traffic is not being initiated on the other side and the SIP inspection is kicking in?
    Double-check that via a show policy-map
    Remember to rate all of my posts

  • NAT issue - (over same link) static-NAT works but PAT (for rest of hosts) does not !

    Hello fellow engineers!
    I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make-out what the problem is…
    Scenario description:
    2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented).    The router has two other WAN (Internet) connections via a Satellite link and a MetroEthernet link.   These two are terminated on the switch on intf’s at the appropriate VLAN’s.   In the attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks.   The aDSL and Metro links have an 8-IP public set, each.
    Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used.    VLAN/subnet (all /24) pairs are:
    VLAN 11 -> 10.0.1.x
    VLAN 12 -> 10.0.2.x
    VLAN 13 -> 10.0.3.x
    VLAN 71 -> 192.168.17.x
    VLAN 204 -> 172.16.204.x
    and – last but not least ! – VLAN 10 -> 10.0.0.x
    All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
    Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected.   So does the PAT for hosts of all other VLAN’s (11, 12, 13, …).   The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
    What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests !   Nothing else !   To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
    Could pls someone spot what I’m missing !!
    To help you I also attach the router config and some command outputs…
    All help is appreciated.
    Thanx
    Costas

    That last PBR statement
    (route-map 10.0.0.X_hosts_PBR permit 70
     description *** rest of 10.0.0.x net --> Oxygen ***
     match ip address rest_of_10.0.0.x
     set ip next-hop 212.251.64.153)
    was not there in the first place - I got it there assuming it would help but it didn't.   Actually - as mentioned - it does not get any hits !
    (route-map 10.0.0.X_hosts_PBR, permit, sequence 255
      Match clauses:
        ip address (access-lists): rest_of_10.0.0.x
      Set clauses:
        ip next-hop 212.251.64.153
      Policy routing matches: 0 packets, 0 bytes)

  • RMI-NAT Problem with random ports

    Hi,
    I had an RMI server in a machine with the private IP 10.XX.XX.XX and a firewall with the public IP 196.XX.XX.XX
    I am using the property: java.rmi.server.hostname set to 196.XX.XX.XX and a small test application. The server is behind the firewall/NAT machine with a limited set of open ports (including the non-standard 8001 port that I am using instead of 1099)
    1. The server starts perfectly
    2. The client can connect to the server and execute the method Naming.list() successfully
    3. At the moment that the client attempts to perform the bind, the client hangs for almost 7 minutes and finally throws an exception due to time-outs.
    According to the "strace" and "netstat" commands under Linux and also the flag: java.rmi.server.logCalls, we obtain the following data:
    1. The server opens the port 8001 (PERFECT)
    2. But it also opens a random port and the client, at the bind moment, uses that port (in the range 34000-35000). And of course our firewall blocks all the ports except 8001.
    So, is that the expected behaviour? If that is true then RMI is not functional under NAT/Firewall.
    Am I missing something?
    Thanks!!
    Gerardo

    Hello,
    Let me see if I got it right:
    1. You're starting the registry (programmatically) in port 8001.
    2. You're creating a server implementation object.
    3. Next you bind/rebind your server to this registry.
    4. Your client hangs at Naming.lookup().
    If this is the problem then that random port you mentioned is the server's attributed port (a ServerSocket that is hanging on accept) at the time of creation. You can avoid this by using, instead of the super() call in your serverimpl constructor, the UnicastRemoteObject constructor that specifies a port (check the interface). That way you can configure your firewall to allow traffic through that port too.
    However, what puzzles me is the fact that it hangs on step 4 instead of in a subsequent remote call. Step 4 should be using port 8001. Can you confirm that it's hanging in Naming.lookup?
    (Two other sources of data you may find useful are the firewall logs and a tcpdump analysis of the traffic between the firewall and the server machine.)
    Nuno

  • I'm going to another country for a year and I would like to unlock my phone to take another sim other than my carrier. My contract with my present carrier is finished yet they still wouldn't unlock the iphone 4 for me. How can I be able to unlock it?

    I'm going to another country for a year and I would like to unlock my phone to take another sim other than my carrier. My contract with my present carrier is finished yet they still wouldn't unlock the iphone 4 for me. How can I be able to unlock it?

    Only the carrier to whom the device is locked can unlock it.
    If you do not meet their requirements or they do not offer unlocking there is no official way to unlock the device.
    Who is your carrier?

  • Can apple tell me the carrier my iphone is with?

    can apple tell me the carrier my iphone is with?
    can apple tell me the carrier my phone network is locked to?

    Malignance wrote:
    Settings > General > About > Carrier
    This should show you what network it's on
    this will only show the active network that the iPhone is connected to at that point in time
    If the iPhone is locked to a network that does not correspond to the sim the iPhone will not work
    end of

  • Incoming sip calls are not working but outgoing is working with cme

    I have CME setup with voip.ms on my 2800 router, my outgoing calls are working  but my incoming calls are not.  Below is my config, please let me know if it is something with my config:
    voice translation-rule 3
     rule 1 /^9142281\(...\)$/ /\1/
    voice translation-profile INCOMING_CALL_1
     translate called 3
    dial-peer voice 1 voip
     translation-profile incoming INCOMING_CALL_1
     session protocol sipv2
     session target sip-server
     incoming called-number .%
     voice-class codec 1
     dtmf-relay rtp-nte
     no vad

    I made the change, but I am getting no output from debug voip ccapi inout.  What does concern me from debug ccsip messages is:
    Aug 31 12:42:04.195: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
    Sent:
    SIP/2.0 400 Bad Request - 'Invalid Host'
    Via: SIP/2.0/UDP 107.6.67.238:5060;branch=z9hG4bK000d3c36;rport
    From: "+19144410197" <sip:[email protected]>;tag=as7439b9c1
    To: <sip:[email protected]:1061>;tag=829C8-2532
    Date: Sun, 31 Aug 2014 12:42:04 GMT
    Call-ID: [email protected]:5060
    CSeq: 102 INVITE
    Allow-Events: telephone-event
    Reason: Q.850;cause=100
    Server: Cisco-SIPGateway/IOS-12.x
    Content-Length: 0
    I also am getting this:
    voicertr2#debug ccsip error
    SIP Call error tracing is enabled
    voicertr2#
    Aug 31 12:45:07.359: //-1/xxxxxxxxxxxx/SIP/Error/sipSPI_validate_own_ip_addr: ReqLine IP addr does not match with host IP addr
    Aug 31 12:45:07.359: //-1/78AE76E98009/SIP/Error/sact_idle_new_message_invite: Invalid URL in incoming INVITE

  • Is there a way not to have to use the disk to start or exit Adobe Premiere Elements 13. I do not want to have to carry a disk around with me all the time.

    Is there a way not to have to use the disk to start or exit Adobe Premiere Elements 13. I do not want to have to carry a disk around with me all the time.

    tljtommy
    There is a known No Disc error using Premiere Elements 13.
    The fix is to delete the OldFilm.AEX file which is found in Windows 8.1 64 bit
    Local Disk C
    Program Files
    Adobe
    Adobe Premiere Elements 13
    Plug-ins
    Common
    NewBlue
    and in the NewBlue Folder is the OldFilm.AEX file that you delete.
    Adobe first posted this information in one of the threads here, and it has worked for essentially all who have
    gotten the No Disc error in Premiere Elements 13.
    Please let us know if this works for you also.
    Thank you.
    ATR

  • TS4020 "cannot get mail" The connection to the server failed. My mail account from Icloud will work if I only disconnect my wifi in my iphone and use internet plan from carrier. Anybody else with this proble??

    My mail account from icloud will work if I only disconnect my wifi in my iphone and only use internet plan from my carrier. Anybody else with this problem??

    I've been having the same problem since iCloud appeared and complicated an otherwise trouble-free system. Doubly frustrating is that iCloud duplicates my .Mac account so I get two of everything in my Inbox. I turned off iCloud and now mail at least goes out but I can't delete the duplicate account.

  • I have a carrier unlocked iPhone 4 with iOS 6.1. The carrier is Straight Talk. I want to restore it, if I do so, will it delete my APN profile?

    I have a carrier unlocked iPhone 4 with iOS 6.1. The carrier is Straight Talk. I want to restore it, if I do so, will it delete my APN profile?

    Yep, but just add it back when you're done restoring.
