IP Addressing: NAT Configuration Guide, Cisco IOS Release 15M&T
Configuring Hosted NAT Traversal for Session Border Controller

The Cisco IOS Hosted NAT Traversal for Session Border Controller Phase-1 feature enables a Cisco IOS Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Level Gateway (ALG) router to act as a Session Border Controller (SBC) on a Cisco Multiservice IP-to-IP gateway, ensuring a seamless delivery of VoIP services.

The Cisco IOS Hosted NAT Traversal for Session Border Controller Phase-2 feature provides registration throttling, media flow-through, and Stateful NAT (SNAT) support.


Note: Effective January 31, 2014, Stateful NAT is not available in Cisco IOS software. For more information, see End-of-Sale and End-of-Life Announcement for the Cisco IOS Stateful Failover of Network Address Translation (SNAT).

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring Cisco IOS Hosted NAT Traversal for Session Border Controller

  • Before you configure the Cisco IOS Hosted NAT Traversal for Session Border Controller feature, you should understand the concepts documented in the “Cisco IOS Hosted NAT Traversal for Session Border Controller Overview” section.
  • All access lists required for use with the tasks in this module should be configured prior to beginning the configuration task. For information about how to configure an access list, see the “Creating an IP Access List and Applying It to an Interface” module in the Securing the Data Plane Configuration Guide.
  • Before performing the tasks in this module, you should verify that SIP has not been disabled. SIP is enabled by default.

Restrictions for Configuring Cisco IOS Hosted NAT Traversal for Session Border Controller

  • Phase 1 supports flow-around mode for inside to inside media calls and flow-through for inside to outside media calls.
  • If the intermediate routers between the inside phones and the NAT SBC are configured for Port Address Translation (PAT), the user agents (phones and proxy) must support symmetric signaling and symmetric and early media. The override port must be configured on the NAT SBC router. In the absence of support for symmetric signaling and symmetric and early media, the intermediate routers must be configured for non-PAT and the override address should be configured in the NAT SBC.

Information About Configuring Cisco IOS Hosted NAT Traversal for Session Border Controller

Voice and Multimedia over IP Networks

SIP is a protocol developed by the IETF Multiparty Multimedia Session Control (MMUSIC) Working Group. The Cisco SIP functionality equips Cisco routers to signal the setup of voice and multimedia calls over IP networks. SIP provides an alternative to the H.323 protocol within the VoIP internetworking software.

Session Description Protocol (SDP) describes multimedia sessions. SDP may be carried in SIP message bodies to describe the multimedia sessions that are created and controlled between two or more participants.

Cisco IOS Hosted NAT Traversal for Session Border Controller Overview

Private IP addresses and ports inserted in the packet payload by client devices, such as IP phones and video conferencing stations, are not routable in public networks using NAT. In addition, intermediate routers between the inside phones and the NAT SBC may not have ALG functionality. Hosted NAT traversal handles the signaling and the media streams involved in setting up, conducting, and tearing down calls that traverse these intermediate routers.

The figure below illustrates how the NAT SBC handles embedded SIP/SDP information for the address and port allocation by differentiating the overlapped embedded information.

Figure 1. NAT as a SIP Session Border Controller

The inside phones have the proxy configured as the NAT SBC’s preconfigured address and port. NAT SBC has the Softswitch’s address and port preconfigured as the proxy. The NAT SBC intercepts the packets destined from the inside phones to itself and translates the inside hosts and other information in the SIP/SDP payload and the IP/UDP destination address or port to the Softswitch’s address and port, and vice versa.

SIP/SDP information is translated with either NAT or PAT so that the Real-Time Transport Protocol (RTP) flow runs directly between the phones in the NAT SBC inside domain.

The address-only fields are not translated by the NAT SIP ALG. The address-only fields are handled by the NAT SBC, except for the proxy-authorization and authorization translation, because these will break the authentication.
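Why the authorization headers are left alone, shown as an added example (not Cisco code). It assumes the address-only field in question is the digest `uri` parameter and uses RFC 2617 digest without qop; the user, realm, password and nonce are constructed values.

```python
import hashlib

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def translate(headers, inside, outside, skip_auth):
    """Rewrite an address in every header; optionally leave the auth headers alone."""
    out = {}
    for name, value in headers.items():
        keep = skip_auth and name in ("Authorization", "Proxy-Authorization")
        out[name] = value if keep else value.replace(inside, outside)
    return out

def server_accepts(auth_header, method, password):
    """Recompute the response from the received parameters, as a registrar would."""
    items = auth_header[len("Digest "):].split(",")
    p = {k: v.strip('"') for k, v in (i.strip().split("=", 1) for i in items)}
    expected = digest_response(p["username"], p["realm"], password,
                               method, p["uri"], p["nonce"])
    return expected == p["response"]

# Constructed REGISTER headers as sent by an inside phone whose proxy is the
# NAT SBC address 200.1.1.1 (address from the page; everything else is made up).
URI, NONCE, PASSWORD = "sip:200.1.1.1", "4f2a9c", "s3cret"
RESPONSE = digest_response("alice", "example.test", PASSWORD, "REGISTER", URI, NONCE)
REGISTER = {
    "To": "<sip:alice@200.1.1.1>",
    "Authorization": f'Digest username="alice", realm="example.test", '
                     f'nonce="{NONCE}", uri="{URI}", response="{RESPONSE}"',
}

def registrar_ok(skip_auth):
    """Translate 200.1.1.1 to the Softswitch address, then verify the digest."""
    sent = translate(REGISTER, "200.1.1.1", "192.0.2.2", skip_auth)
    return server_accepts(sent["Authorization"], "REGISTER", PASSWORD)

if __name__ == "__main__":
    print("auth headers skipped:  ", registrar_ok(True))
    print("auth headers rewritten:", registrar_ok(False))
```

The phone hashed the `uri` it knew, so rewriting that parameter in transit makes the registrar's recomputed response differ from the one the phone sent.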

If the intermediate routers between the inside phones and the NAT SBC are configured to do a PAT, the user agents (phones and proxy) must support symmetric signaling and symmetric and early media. You must configure the override port on the NAT SBC router. In the absence of support for symmetric signaling and symmetric and early media, the intermediate routers must be configured without PAT and the override address should be configured in the NAT SBC.

The registration throttling support enables you to define the parameters in the Expires: header and the expires= parameter. It allows you to elect to not forward certain registration messages to the Softswitch.

How to Configure Cisco IOS Hosted NAT for Session Border Controller

Configuring Cisco IOS Hosted NAT for Session Border Controller

Perform this task to configure NAT for SBC.


Note: When you use the NAT SBC feature and you want the call IDs to be translated, you must configure two address pools in such a way that the pool for SBC is accessed before the pool for the call IDs. Use the ip nat pool command to configure the address pools. Access lists are chosen in ascending order, so you should assign the list associated with the SBC pool a lower number than the list associated with the call ID pool.

Note: The proxy of the inside phones must be set to 200.1.1.1. The VPN routing and forwarding (VRF) instance configuration as shown is optional.


SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    interface type number

    4.    ip nat inside

    5.    exit

    6.    interface type number

    7.    ip nat outside

    8.    exit

    9.    ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

    10.    ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

    11.    ip nat inside source list access-list-number pool name [vrf vrf-name] [overload]

    12.    ip nat outside source list access-list-number pool name

    13.    ip nat sip-sbc

    14.    proxy inside-address inside-port outside-address outside-port protocol udp

    15.    vrf-list

    16.    vrf-name vrf-name

    17.    exit

    18.    ip nat sip-sbc

    19.    call-id-pool call-id-pool

    20.    session-timeout seconds

    21.    mode allow-flow-around

    22.    override address

    23.    end


DETAILED STEPS
     Command or Action / Purpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 interface type number


    Example:
    Router(config)# interface ethernet 1/1
     

    Specifies an interface and enters interface configuration mode.

     
    Step 4 ip nat inside


    Example:
    Router(config-if)# ip nat inside 
     

    Connects the interface to the inside network (the network subject to NAT translation).

     
    Step 5 exit


    Example:
    Router(config-if)# exit
     

    Exits interface configuration mode and enters global configuration mode.

     
    Step 6 interface type number


    Example:
    Router(config)# interface ethernet 1/3
     

    Specifies an interface and enters interface configuration mode.

     
    Step 7 ip nat outside


    Example:
    Router(config-if)# ip nat outside
     

    Connects the interface to the outside network.

     
    Step 8 exit


    Example:
    Router(config-if)# exit
     

    Exits interface configuration mode and returns to global configuration mode.

     
    Step 9 ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}


    Example:
    Router(config)# ip nat pool inside-pool-A 172.16.0.1 172.16.0.10 prefix-length 16
     

    Defines a pool of global addresses to be allocated for the inside network.

    Note   

    You must configure two address pools when you are using the NAT SBC feature and you want to translate the call IDs. In this step you are configuring the first address pool.

     
    Step 10 ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}


    Example:
    Router(config)# ip nat pool outside-pool 203.0.113.1 203.0.113.10 prefix-length 24
     

    Defines a pool of global addresses to be allocated for the outside network.

    Note   

    You must configure two address pools when you are using the NAT SBC feature and you want to translate the call IDs. In this step, you are configuring the second address pool.

     
    Step 11 ip nat inside source list access-list-number pool name [vrf vrf-name] [overload]


    Example:
    Router(config)# ip nat inside source list 1 pool inside-pool-A vrf vrfA overload
     

    Enables NAT of the inside source address and configures the access list for translation.

     
    Step 12 ip nat outside source list access-list-number pool name


    Example:
    Router(config)# ip nat outside source list 3 pool outside-pool
     

    Enables NAT of the outside source address and configures the access list for translation.

     
    Step 13 ip nat sip-sbc


    Example:
    Router(config)# ip nat sip-sbc
     

    Enters IP NAT SBC configuration mode.

     
    Step 14 proxy inside-address inside-port outside-address outside-port protocol udp


    Example:
    Router(config-ipnat-sbc)# proxy 200.1.1.1 5060 192.0.2.2 5060 protocol udp
     

    Configures the address or port that the inside phones will be referring to, and the outside proxy’s address and port to which the NAT SBC translates the destination IP address and port.

     
    Step 15 vrf-list


    Example:
    Router(config-ipnat-sbc)# vrf-list 
     

    (Optional) Enters IP NAT SBC VRF configuration mode.

     
    Step 16 vrf-name vrf-name


    Example:
    Router(config-ipnat-sbc-vrf)# vrf-name vrf1
     

    (Optional) Defines SBC VRF list names.

     
    Step 17 exit


    Example:
    Router(config-ipnat-sbc-vrf)# exit
     

    Exits IP NAT SBC VRF configuration mode and enters global configuration mode.

     
    Step 18 ip nat sip-sbc


    Example:
    Router(config)# ip nat sip-sbc
     

    Enters IP NAT SBC configuration mode.

     
    Step 19 call-id-pool call-id-pool


    Example:
    Router(config-ipnat-sbc)# call-id-pool pool-name
     

    Specifies a dummy pool name to which the call ID of inside-to-outside SIP signaling packets is translated, so that a 1:1 association is maintained rather than using the regular NAT pool.

    • This pool can be used in an overload scenario:
      • NAT mapping with an appropriate access control list (ACL) and a NAT pool matching the pool name must be configured.
      • This pool is not used for any other NAT processing except for call ID processing.
     
    Step 20 session-timeout seconds


    Example:
    Router(config-ipnat-sbc)# session-timeout 300
     

    Configures the timeout duration for NAT entries pertaining to SIP signaling flows.

    • The default is 5 minutes.
     
    Step 21 mode allow-flow-around


    Example:
    Router(config-ipnat-sbc)# mode allow-flow-around
     

    Enables flow-around for RTP.

    • This flow applies to traffic between phones in the inside domain.
     
    Step 22 override address


    Example:
    Router(config-ipnat-sbc)# override address 
     

    Allows the NAT SBC to override the destination IP address of outside-to-inside signaling or RTP traffic, or to override both the address and the port.

     
    Step 23 end


    Example:
    Router(config-ipnat-sbc)# end
     

    Exits IP NAT SBC configuration mode and enters privileged EXEC mode.

     

    Configuration Examples for Configuring Cisco IOS Hosted NAT for Session Border Controller

    Example Configuring Cisco IOS Hosted NAT Traversal for Session Border Controller

    The following example shows how to configure the Cisco IOS Hosted NAT Traversal as Session Border Controller feature:

    interface ethernet1/1
     ip nat inside
    !
    interface ethernet1/2
     ip nat inside
    !
    interface ethernet1/3
     ip nat outside
    !
    ip nat pool inside-pool-A 172.16.0.1 172.16.0.10 prefix-length 16
    ip nat pool inside-pool-B 192.168.0.1 192.168.0.10 prefix-length 24
    ip nat pool outside-pool 203.0.113.1 203.0.113.10 prefix-length 24
    ip nat inside source list 1 pool inside-pool-A vrf vrfA overload
    ip nat inside source list 2 pool inside-pool-B vrf vrfB overload
    ip nat outside source list 3 pool outside-pool
    !
    ! Access-list for VRF-A inside phones
    ! (standard ACLs take a wildcard mask, the inverse of the subnet mask)
    access-list 1 permit 172.16.0.0 0.0.255.255
    !
    ! Access-list for VRF-B inside phones
    access-list 2 permit 192.0.2.0 0.0.0.255
    !
    access-list 3 permit 203.0.113.0 0.0.0.255
    ip nat sip-sbc
     proxy 200.1.1.1 5060 192.0.2.2 5060 protocol udp
     vrf-list
      vrf-name vrfA
      vrf-name vrfB
      exit
     call-id-pool pool-name
     session-timeout 300
     mode allow-flow-around
     override address
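A pre-deployment check for the call-ID pool rules stated in the note before the Summary Steps and in Step 19 (the pool must exist, must have a NAT mapping, and its access list must be numbered higher than the SBC pool lists), as an added example that is not Cisco's code. The pool name call-id-pool-A, its address range, access list 5, and treating the call-ID mapping as an inside source mapping with a numbered ACL are assumptions.

```python
import re

def audit_nat_sbc(config):
    """Return findings for the call-ID pool rules of a NAT SBC configuration."""
    lines = [line.strip() for line in config.splitlines()]

    def grab(pattern):
        return [m.groups() for m in (re.match(pattern, l) for l in lines) if m]

    pools = {name for (name,) in grab(r"ip nat pool (\S+) ")}
    # Assumption: the call-ID mapping is an inside source mapping with a numbered ACL.
    acl_of = {pool: int(num) for num, pool in
              grab(r"ip nat inside source list (\d+) pool (\S+)")}
    call_id = [name for (name,) in grab(r"call-id-pool (\S+)")]
    if not call_id:
        return []  # call IDs are not translated, nothing to check
    name, findings = call_id[0], []
    if name not in pools:
        findings.append(f"call-id-pool {name}: no 'ip nat pool' with that name")
    if name not in acl_of:
        findings.append(f"call-id-pool {name}: no NAT mapping references it")
    else:
        sbc = sorted(n for p, n in acl_of.items() if p != name)
        if sbc and max(sbc) > acl_of[name]:
            findings.append(f"ACL {acl_of[name]} (call-ID pool) must be numbered "
                            f"higher than the SBC pool ACLs {sbc}")
    return findings

# Constructed from the page's example; only the lines the audit reads are kept.
PAGE_SAMPLE = """
ip nat pool inside-pool-A 172.16.0.1 172.16.0.10 prefix-length 16
ip nat pool inside-pool-B 192.168.0.1 192.168.0.10 prefix-length 24
ip nat inside source list 1 pool inside-pool-A vrf vrfA overload
ip nat inside source list 2 pool inside-pool-B vrf vrfB overload
ip nat sip-sbc
 proxy 200.1.1.1 5060 192.0.2.2 5060 protocol udp
 call-id-pool pool-name
"""

# Constructed variant: hypothetical pool call-id-pool-A mapped behind ACL 5.
WIRED = """
ip nat pool call-id-pool-A 198.51.100.1 198.51.100.10 prefix-length 24
ip nat inside source list 5 pool call-id-pool-A
""" + PAGE_SAMPLE.replace("call-id-pool pool-name", "call-id-pool call-id-pool-A")

if __name__ == "__main__":
    for label, cfg in (("page sample", PAGE_SAMPLE), ("wired", WIRED)):
        print(label, audit_nat_sbc(cfg) or "ok")
```

Run against the page's sample, the audit reports that `pool-name` is a placeholder with no pool or mapping behind it; the wired variant passes.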

    Additional References

    Related Documents

    Related Topic | Document Title
    Cisco IOS commands | Cisco IOS Master Commands List, All Releases
    NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS IP Addressing Services Command Reference
    Configuring an IP access list | “Creating an IP Access List and Applying It to an Interface” module in the Securing the Data Plane Configuration Guide

    Standards

    Standards | Title
    None | --

    MIBs

    MIBs | MIBs Link
    None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs


    Feature Information for Configuring Hosted NAT Traversal for Session Border Controller

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Table 1. Feature Information for Configuring Hosted NAT Traversal for Session Border Controller

    Feature Name | Releases | Feature Information
    Cisco IOS Hosted NAT Traversal for Session Border Controller Phase-1 | 12.4(9)T | The Cisco IOS Hosted NAT Traversal for Session Border Controller feature provides transparency with the use of a proxy device on the NAT outside domain.
    Hosted NAT Support for Session Border Controller Phase-2 | 12.4(15)T | The Hosted NAT Support for Session Border Controller Phase-2 feature provides registration throttling, media flow-through, and SNAT support. Note: Effective January 31, 2014, Stateful NAT is not available in Cisco IOS software. For more information, see End-of-Sale and End-of-Life Announcement for the Cisco IOS Stateful Failover of Network Address Translation (SNAT).
    NAT as SIP Session Border Controller Media Flow | 12.4(9)T | The NAT as SIP Session Border Controller Media Flow feature provides support for media flow-around for RTP or RTCP exchanges between phones on the inside domain of the SBC.
    NAT as SIP Session Border Controller Support for Address-Only Fields | 12.4(9)T | The NAT as SIP Session Border Controller Support for Address-Only Fields feature provides support for the translation of SIP address-only fields.