Getting the Cisco 871w to do UDP Nat

I’ve been trying to test the Cisco 871w for use as a firewall/router at client sites that are doing hosted VOIP. Unfortunately, the SDM configuration tool that Cisco ships doesn’t setup the router in a way that handles UDP Nat properly. As a result, the phones behind the firewall often do not ring when a call is sent to them.

Cisco has a new Zone-Based Firewall Design and not many of the rusty old Cisco pros are familiar with it yet which means that I had a hard time getting solutions to this problem.

Even though all of the NAT rules and timeout values were set correctly, and despite the fact that the NAT debugging showed that the router was handling the translations exactly correct, still a packet trace revealed that no packets were making it to the phone.

After much reading and experimentation I did hit on the solution. The firewall has its own indepenent timeout values for NAT traffic which default to only 30 seconds.

In order to fix the problem you have to create a new parameter-map and apply it to the policy-map. Here are the exact steps (the router still has the default name ‘yourname’):

yourname#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
yourname(config)#parameter-map type inspect sdm-inspect
yourname(config-profile)#udp idle-time 300
yourname(config-profile)#exit
yourname(config)#policy-map type inspect sdm-inspect
yourname(config-pmap)#class type inspect sdm-insp-traffic
yourname(config-pmap-c)#inspect sdm-inspect
yourname(config-pmap-c)#exit

udp packet inpsection timeout is now 300. It works!

The Cisco Zone-Based Policy Firewall Design and Application Guide has all the details.

Comments (0) Trackbacks (0) Leave a comment Trackback

No comments yet.

No trackbacks yet.

t.rolled