-
Cisco IOS XR Session Border Controller Configuration Guide Release 3.6
-
About This Guide
-
About SBC Deployment Models
-
SBC Configuration Prerequisites
-
Implementing SBC Adjacencies
-
Configuring SIP Method Profiles
-
Configuring Header Profiles
-
Restricting Codecs
-
SIP Tel URI Support
-
SIP Timer
-
H.323 Support
-
H.323-SIP Interworking
-
Implementing SBC Policies
-
Tracking Policy Failure Statistics
-
Implementing SBC Firewall Traversal and NAT
-
Implementing SBC Interworking DTMF
-
SIP 3xx Redirect Responses
-
SIP Call Hold
-
SIP Call Transfer
-
Encrypted SIP Signaling
-
SIP Outbound Authentication
-
SIP Inbound Authentication
-
SIP-I Transparency and Profile Support
-
SIP Configuration Flexibility
-
Implementing SBC QoS (Marking)
-
DoS Prevention and Dynamic Blacklisting
-
Unexpected Source Address Alerting
-
Implementing SBC Billing
-
Implementing SBC Redundancy (High Availability)
-
Implementing SBC Multi-VRF
-
Implementing SBC Transcoding
-
Configuring DBE Overload Reporting
-
Media Address Pools
-
Early Media
-
Fax Support
-
Nine-Tier Termination Name Hierarchy
-
Multiple Streams in a H.248.1 v3 Termination
-
DBE Signaling Pinhole Support
-
IPv6 Support on the DBE
-
Extension of H.248 Termination Wildcarding
-
Optional H.248 Ginfo Package
-
H.248.1 v3 Support
-
H.248 Traffic Management (Tman)
-
Context Attribute Descriptor Support
-
H.248 Historical Event Notification
-
H.248 Segmentation Package Support
-
H.248 Configurable T-Max
-
H.248 Configurable VRF
-
Implementing H.248 nt/qualert Events
-
H.248 Gateway Profile Configuration
-
Interim Authentication Header Support
-
IP NAPT Traversal Support
-
MGC-Controlled Gateway-Wide Properties
-
MGC-Specified Local Addresses and Ports
-
Optional Local and Remote Descriptors
-
Provisioned Inactivity Timer
-
Disabling RTP Flows
-
Discarded Packet Statistics
-
IPv4/IPv6 Voice Clipping Avoidance
-
Secure Media Support
-
RADIUS VPN Support
-
Configurable Base Root Package
-
MGC Information Package Support
-
Ia Profile Support
-
Integration of Resource Management and SIP
-
P-CSCF Support
-
IBCF Processing Support
-
End-to-End SBC Configuration Example on a Cisco XR 12000 Series Router
-
Additional Information about Billing Support
-
Index
-
Table Of Contents
Implementing SBC Firewall Traversal and NAT
Prerequisites for Implementing Firewall Traversal and NAT
Information About Firewall Traversal and NAT
Implementing Firewall Traversal and NAT
Configuration Example of Implementing Firewall Traversal and NAT
Implementing SBC Firewall Traversal and NAT
The SBC enables VoIP signaling and media to be received from and directed to a device behind a firewall and NAT (Network Address Translator) at the border of an adjacent network, without requiring the device or firewall to be upgraded. In brief, the SBC achieves this by rewriting the IP addresses and ports in the call signaling headers and the SDP blocks attached to these messages. SBC does not support options for keeping pinholes open. Instead, SBC registers messages for signaling pinhole maintenance and RTP packets for media.
SBC supports the SIP extension for Symmetric Response Routing (RFC 3581). (There is currently no support for H.323.)
Note
For a complete description of commands used in this chapter, refer to the Cisco IOS XR Session Border Controller Command Reference. To locate documentation for other commands that appear in this chapter, use the command reference master index, or search online.
Feature History for Implementing SBC Firewall Traversal and NAT
Contents
•
•
•
•
Prerequisites for Implementing Firewall Traversal and NAT
The following prerequisites are required to implement SBC firewall traversal and NAT:
•
•
For detailed information about PIE installation, refer to the Upgrading and Managing Cisco IOS XR Software module in the Cisco IOS XR Getting Started Guide.
•
•
Information About Firewall Traversal and NAT
The SBC enables VoIP signaling and media to be received from and directed to a device behind a firewall and NAT (Network Address Translator) at the border of an adjacent network, without requiring the device or firewall to be upgraded. In brief, the SBC achieves this by rewriting the IP addresses and ports in the call signaling headers and the SDP blocks attached to these messages.
Firewalls prevent unwanted traffic from entering, or leaving, a network by performing basic packet filtering. Firewalls filter packets purely by examining packet headers, and do not parse or understand the payload of the packets. Therefore, they do not filter out all types of unwanted traffic. For example, firewalls do not perform Call Admission Control—the SBC application does.
Firewalls, however, are valuable because they efficiently filter out large categories of unwanted traffic, leaving application-aware devices such as SBCs with much less work to do. An external firewall filters packets from the external network, but allows all packets from an internal network to pass through unfiltered. An internal firewall filters packets from the internal network, but allows all packets from the external network to pass through unfiltered (since they have already passed the external firewall).
Firewalls by default do not accept packets from the network, but are configured with rules that allow them to select and accept certain packets. Therefore, packets are admitted to (or from) the network based on explicit configuration, and not on default configuration.
The SBC application also incorporates the NAT function. With the enhancements of Release 3.5.1, the SBC now automatically detects whether an endpoint is behind a NAT device. NATs separate a network into distinct address spaces. The NAT component of the SBC separates the internal network address space from the external network address space. The NAT maintains a table of mappings from {external address, port} to {internal address, port} and vice versa. The table is a dual-index table, so a particular mapping can be looked up given either the internal or external addressing information. The NAT uses this table to rewrite the headers of the IP packets that it forwards.
On receiving an IP packet from the external network, the NAT looks in its table for the destination address and port of the packet (which will be an address from the external address space). If a mapping is found, then the destination address header in the IP packet is changed to contain the corresponding internal address and port from the table, and the packet is forwarded towards the internal network. If no mapping is found, the packet is discarded.
On receiving an IP packet from the internal network, the NAT looks in its table for the source address and port of the packet (which will be an address from the internal address space). If a mapping is found, then the source address header in the IP packet is changed to contain the corresponding external address and port from the table, and the packet is forwarded towards the external network. If no mapping is found, then a new mapping is created: the NAT dynamically allocates a new external address and port from the external address space for the packet (and all future packets from this source address and port tuple).
SBC does not support options for keeping pinholes open. Instead, SBC registers messages for signaling pinhole maintenance and RTP packets for media. The key to solving this problem is the fact that the customer's NAT has to open pinholes to allow the IP phone to send signaling packets and media packets to the public network, and the customer's firewall has to allow these packets through.
Inbound signaling and media from the public network can therefore be made to traverse the customer's firewall and NAT by directing them at the pinhole's address and port on the public network side of the customer's NAT. The pinholes for signaling and media have different lifetimes.
•
•
The signaling pinhole is ideally created when the IP phone first comes online, and then kept open until the phone goes offline again. Media pinholes are created when the IP phone first sends a media packet on each established media session.
Figure 14 illustrates the data path for support of firewall traversal and NAT with the SBC.
Figure 14 Firewall Traversal and NAT
Implementing Firewall Traversal and NAT
This task implements firewall traversal and configures the SBC to assume that all endpoints of the adjacency are behind a NAT device.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
DETAILED STEPS
Configuration Example of Implementing Firewall Traversal and NAT
The following example implements firewall traversal and NAT:
configuresbc mysbcsbeadjacency sip SIP_7301_1nat force-onsignaling-address ipv4 88.88.121.102signaling-port 5060remote-address ipv4 10.10.111.0/24signaling-peer 10.10.111.41signaling-peer-port 5060commitattachcommitAdditional References
The following sections provide references related to implementing SBC firewall traversal and NAT.
Related Documents
Standards
No new or modified standards are supported by this feature, and support from existing standards has not been modified by this feature.
—
MIBs
—
To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu:
RFCs
RFC 3581
An Extension to the Session Initiation Protocol (SIP) for Symmetric Response Routing
Technical Assistance
Related Command Summary
This section provides an alphabetical list of the commands related to firewall traversal and NAT configuration on the Cisco XR 12000 Series Router. For more information about the commands, see the Cisco IOS XR Session Border Controller Command Reference.
