Wired Intelligent Edge


MSR 954 NAT for VOIP Client sanity check / advice

  • 1.  MSR 954 NAT for VOIP Client sanity check / advice

    Posted Sep 17, 2016 07:49 PM

    Dear Community,

     

    I am attempting to configure an HPE MSR 954 router (Comware V7) to allow some VoIP clients to work. I am hoping (and assuming) this forum can assist, although there don't appear to be any MSR router-related discussions thus far; if not, please feel free to point me in the right direction.

     

    Basically, there is an issue with inbound calls which appears to be caused by lack of NAT. Outbound calls are working fine.

     

    In summary, VoIP handsets will sit within a designated VLAN hosted from an Aruba 2920 switch with uplink to the MSR. The VoIP network 10.2.40.0 is routable from the MSR.

     

    The hosted VoIP provider has issued a number of external IP addresses from which SIP calls will be initiated, along with required protocols. There will be a handful of VoIP handsets on the VoIP VLAN.

     

    Reading the MSR documentation, it would appear 2 things are required for this to work. Please correct me if I'm wrong here.

     

    1) Firstly, an ACL to permit the source IP addresses and port numbers to the destination (destination being the WAN port of the MSR to which NAT is to be configured). Suggested commands below.

     

    system-view
    acl advanced 3001 description INBOUNDVOIP

    rule 0 permit ip destination [wan ip] 0 source [ip address] source-port 3478 5060

     

    *Question: is this OK to use both ports as shown above, or do I need to issue a rule step command for each?

     

    Secondly, Static NAT applied to the WAN interface, suggested command below:

     

    2) NAT configuration (net-to-net) using the ACL (example of one of the rules below)

    system-view
    nat static inbound net-to-net [WAN IP] [WAN IP] local 10.2.40.0 255.255.255.240 acl 3001 reversible
    quit
    interface GE0/0
    nat static enable

    quit

     

    I am just hoping for a sanity check for this config please, based on my interpretation of the documentation. Any help would be greatly appreciated.

     

    Final question: does anyone have recommendations for hardening the MSR platform? Already I see brute force attacks happening on the WAN interface. Apart from the obvious, is there a guide to cover off all bases?

     

    Thanks for taking the time to read and for any help you can offer.



  • 2.  RE: MSR 954 NAT for VOIP Client sanity check / advice

    EMPLOYEE
    Posted Oct 04, 2016 10:21 AM

    My first thinking is that the NAT/PAT sessions are timing out; we can increase the NAT timers.

     

    Is this a SIP based VoIP client?  The call control should come in via the TCP session that SIP has established and then they will establish the voice path via UDP/RTP. 

     

    For NAT to work you'll have to have a 1:1 NAT mapping from external to internal. 

     

    Lots of different avenues can be taken to help, but think about the above statements and we can progress from there.