09-17-2016 04:49 PM - edited 09-17-2016 05:46 PM
I am attempting to configure a HPE MSR 954 router (Comware V7) to allow some voip clients to work. I am hoping (and assuming) this forum can assist although there don't appear to be any MSR router related discussions thus far, if not please feel free to point me in the right direction.
Basically, there is an issue with inbound calls whihc appears to be caused by lack of NAT. Outbound calls are working fine.
In summary, voip handsets will sit within a designated VLAN hosted from an Aruba 2920 switch with uplink to the MSR. The VOIP network 10.2.40.0 is routable from from the MSR.
The hosted VOIP provider has issued a number of external IP addresses from which SIP calls will be initiated along with required protocols, there will be a handful of VOIP handsets on the VOIP VLAN.
Reading the MSR documentataion, it would appear 2 things are required for this to work. Please correct me if im wrong here..
1) Firstly an ACL to permit the source IP adresses and port numbers to the desitnation (desitnation being the WAN port of the MSR to which NAT is to be configured). Suggested commands below.
acl advanced 3001 description INBOUNDVOIP
rule 0 permit ip destination [wan ip] 0 source [ip address] source-port 3478 5060
*Question, is this OK to use both ports as shown above or do I need to issue a rule step command for each
Secondly, Static NAT applied to the WAN interface, suggested command below:
2) NAT configuration (net-to-net) using the ACL (example of one of the rules below)
nat static inbound net-to-net [WAN IP] [WAN IP] local 10.2.40.0 255.255.255.240 acl 3001 reversible
nat static enable
I am just hoping for a sanity check for this config please based on my interpretation of the documentation, any help would be greatly appreciated.
Final question, does anyone have reccomendations for hardenting the MSR platform, already i see brute force attacks happening on the WAN interface, apart form the obvious is there a guide to cover off all bases.
Thanks for taking the time to read and for any help you can offier.
10-04-2016 07:20 AM
My first thinking is that the NAT/PAT sessions are timing out, we can increase the NAT timers..
Is this a SIP based VoIP client? The call control should come in via the TCP session that SIP has established and then they will establish the voice path via UDP/RTP.
For NAT to work you'll have to have a 1:1 NAT mapping from external to internal.
Lots of different avenues can be taken to help, but think about the above statements and we can progress from there.