Dear Community,
I am attempting to configure an HPE MSR 954 router (Comware V7) to allow some VoIP clients to work. I am hoping (and assuming) this forum can assist, although there don't appear to be any MSR router related discussions thus far; if not, please feel free to point me in the right direction.
Basically, there is an issue with inbound calls which appears to be caused by lack of NAT. Outbound calls are working fine.
In summary, VoIP handsets will sit within a designated VLAN hosted from an Aruba 2920 switch with uplink to the MSR. The VoIP network 10.2.40.0 is routable from the MSR.
The hosted VoIP provider has issued a number of external IP addresses from which SIP calls will be initiated, along with required protocols. There will be a handful of VoIP handsets on the VoIP VLAN.
Reading the MSR documentation, it would appear 2 things are required for this to work. Please correct me if I'm wrong here.
1) Firstly, an ACL to permit the source IP addresses and port numbers to the destination (destination being the WAN port of the MSR to which NAT is to be configured). Suggested commands below.
system-view
acl advanced 3001 description INBOUNDVOIP
rule 0 permit ip destination [wan ip] 0 source [ip address] source-port 3478 5060
*Question: is it OK to use both ports as shown above, or do I need to issue a rule step command for each?
Secondly, static NAT applied to the WAN interface, suggested command below:
2) NAT configuration (net-to-net) using the ACL (example of one of the rules below)
system-view
nat static inbound net-to-net [WAN IP] [WAN IP] local 10.2.40.0 255.255.255.240 acl 3001 reversible
quit
interface GE0/0
nat static enable
quit
I am just hoping for a sanity check for this config please, based on my interpretation of the documentation. Any help would be greatly appreciated.
Final question: does anyone have recommendations for hardening the MSR platform? Already I see brute force attacks happening on the WAN interface. Apart from the obvious, is there a guide to cover off all bases?
Thanks for taking the time to read and for any help you can offer.