Campus Switching and Routing

Reply
Contributor I
Posts: 21
Registered: ‎06-14-2016

MSR 954 NAT for VOIP Client sanity check / advice

[ Edited ]

Dear Community,

 

I am attempting to configure a HPE MSR 954 router (Comware V7) to allow some voip clients to work. I am hoping (and assuming) this forum can assist although there don't appear to be any MSR router related discussions thus far, if not please feel free to point me in the right direction.

 

Basically, there is an issue with inbound calls whihc appears to be caused by lack of NAT. Outbound calls are working fine.

 

In summary, voip handsets will sit within a designated VLAN hosted from an Aruba 2920 switch with uplink to the MSR. The VOIP network 10.2.40.0 is routable from from the MSR.

 

The hosted VOIP provider has issued a number of external IP addresses from which SIP calls will be initiated along with required protocols, there will be a handful of VOIP handsets on the VOIP VLAN.

 

Reading the MSR documentataion, it would appear 2 things are required for this to work. Please correct me if im wrong here..

 

1) Firstly an ACL to permit the source IP adresses and port numbers to the desitnation (desitnation being the WAN port of the MSR to which NAT is to be configured). Suggested commands below.

 

system-view
acl advanced 3001 description INBOUNDVOIP

rule 0 permit ip destination [wan ip] 0 source [ip address] source-port 3478 5060

 

*Question, is this OK to use both ports as shown above or do I need to issue a rule step command for each

 

Secondly, Static NAT applied to the WAN interface, suggested command below:

 

2) NAT configuration (net-to-net) using the ACL (example of one of the rules below)

system-view
nat static inbound net-to-net [WAN IP] [WAN IP] local 10.2.40.0 255.255.255.240 acl 3001 reversible
quit
interface GE0/0
nat static enable

quit

 

I am just hoping for a sanity check for this config please based on my interpretation of the documentation, any help would be greatly appreciated.

 

Final question, does anyone have reccomendations for hardenting the MSR platform, already i see brute force attacks happening on the WAN interface, apart form the obvious is there a guide to cover off all bases.

 

Thanks for taking the time to read and for any help you can offier.

Aruba Employee
Posts: 11
Registered: ‎03-23-2016

Re: MSR 954 NAT for VOIP Client sanity check / advice

My first thinking is that the NAT/PAT sessions are timing out, we can increase the NAT timers..

 

Is this a SIP based VoIP client?  The call control should come in via the TCP session that SIP has established and then they will establish the voice path via UDP/RTP. 

 

For NAT to work you'll have to have a 1:1 NAT mapping from external to internal. 

 

Lots of different avenues can be taken to help, but think about the above statements and we can progress from there.

 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: