Hi,
I know that this problem has been discussed before, but being new to SER I am having difficulty making CISCO ATA 186 behind a CISCO 501 NAT work with my SER setup. Here is how I have it set up.
+---------+ +----------------+ |cisco ata|----| cisco pix (NAT)|----+ +---------- +----------------+ | +---+ +-----------+ |SER|--+--|asterisk vm| +---+ | +-----------+ +--------------------------+ | | +-------------+ |cisco 7960 and xten phones|---------+ +--|cisco pstn gw| +--------------------------+ +-------------+
All the calls between the 7960, xten, voicemail and PSTN work great. When I initiate a call from the ATA I get audio only one way: I can hear the ATA user, but he can't hear anything from the 7960 phones or voicemail, and I am unable to initiate calls from any device to the ATA. OK, it's quite obvious that NAT is preventing this from working. I tried setting up an RTP proxy, but that doesn't even let me register the ATA phone correctly. Can anybody help me make this work? I am including my ser.cfg file.
Thanks fil
# ser.cfg
# ------------ Initial global variables
# Core settings: logging, listening address/port and the management FIFO.

# NOTE(review): debug=4 with log_stderror=yes is a troubleshooting setup;
# lower the level once the NAT problem is solved, since verbose logs can
# expose signalling details.
debug=4          # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=yes # (cmd line: -E)
check_via=no     # (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no       # (cmd. line: -R)
port=5060
##children=4
# NOTE(review): the FIFO is SER's management interface and /tmp is
# world-accessible; confirm the FIFO's ownership/permissions restrict it to
# the SER administrator, or place it in a directory only that user can reach.
fifo="/tmp/ser_fifo"
listen=a.b.c.d
mhomed=yes
memlog=3
# NOTE(review): sip_warning and server_signature add diagnostic and product
# information to messages sent to remote parties; consider disabling both on
# an Internet-facing proxy.
sip_warning=yes
server_signature=yes
#syn_branch=yes
#reply_to_via=no
# ------------------ module loading ----------------------------------
# Modules are loaded by absolute path; order matters where one module
# depends on another (e.g. auth_db on auth and a DB driver).
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/acc.so"
# NOTE(review): no exec or print function is called anywhere in the routing
# logic of this file; if that holds for the full config, drop exec.so and
# print.so so unused functionality is not loaded into the proxy.
loadmodule "/usr/local/lib/ser/modules/exec.so"
loadmodule "/usr/local/lib/ser/modules/group.so"
loadmodule "/usr/local/lib/ser/modules/print.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/uri.so"
loadmodule "/usr/local/lib/ser/modules/uri_db.so"
# nathelper is left disabled; the commented-out NAT clause in route{} calls
# fix_nated_contact()/fix_nated_sdp(), which need this module loaded.
##loadmodule "/usr/local/lib/ser/modules/nathelper.so"
# ----------------- setting module-specific parameters ---------------
# Transaction timers, record-routing mode, accounting flags, user-location
# storage and digest-authentication settings.
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)
modparam("rr", "enable_full_lr", 1)
# Accounting: flag 1 marks calls to log, flag 3 marks calls to report as
# missed (see the setflag() calls in the routing logic).
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 3)
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "timer_interval", 10)
# NOTE(review): calculate_ha1 together with password_column means the
# subscriber table holds plaintext passwords from which SER derives HA1 at
# authentication time. A database disclosure then exposes every password;
# storing precomputed HA1 values instead avoids keeping plaintext.
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
# NAT-related parameters, currently disabled together with nathelper.
##modparam("registrar", "nat_flag", 6)
##modparam("nathelper", "natping_interval", 10)
##modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
# ------------------------- request routing logic -------------------
# Main route: sanity checks, record-routing, REGISTER handling with digest
# authentication, then dispatch to route(1)..route(5) depending on where the
# request URI points (local user, Internet, PSTN, offline user, alias).
route{
    # messed up setup
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };

    # someone is doing something bad
    if (msg:len >= max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # record all routes
    if (!method=="REGISTER") record_route();

    # separate the destination r-uri from the set of proxies that must be traversed
    # NOTE(review): the return value of loose_route() is not checked, so
    # in-dialog requests that carried a Route set continue through the same
    # checks below as initial requests.
    loose_route();

    # if the host portion of the request uri is not local, send it directly
    # to route processing.
    if (!(uri==myself)) {
        route(2);
        break;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    # NOTE(review): if this NAT clause is re-enabled, setflag(1) here is the
    # same flag number as the acc "log_flag" (1), and it differs from the
    # commented-out registrar "nat_flag" (6); pick one dedicated NAT flag.
    ## if(method=="REGISTER") {
    ##     setflag(1); # remember this is ATA
    ##     force_rport();
    ##     fix_nated_contact();
    ##     log("LOG: In NAT clause\n");
    ##     fix_nated_sdp("3");
    ## };

    # All REGISTER attempts are processed and must always be authenticated
    if (method=="REGISTER") {
        # make sure that users don't register infinite loops
        if (search("^(Contact|m): .*@(a.b.c.d|xxxxx.xxxxx.com)")) {
            log(1, "**************** LOG: alert: someone trying to set aor==contact\n");
            sl_send_reply("476", "No Server Address in Contacts Allowed" );
            break;
        };
        # digest authentication
        if (!www_authorize("xxxxx", "subscriber")) {
            www_challenge("xxxxx", "0");
            break;
        };

        # it is an authenticated request, update Contact database now
        # NOTE(review): nothing between www_authorize() and save() ties the
        # To user being registered to the authenticated username, so any
        # valid subscriber could bind a contact for another user's address.
        # check_to() from the uri module is the usual guard here.
        if (!save("location")) {
            sl_reply_error();
        };
        break;
    };

    # find canonical names
    lookup("aliases");

    # if not local domain after alias lookup forward it away
    # NOTE(review): the pattern below has one more ")" than "(" as posted --
    # presumably an artefact of redacting the domain; verify the real regex.
    # Requests that take this branch are relayed by route(5) without
    # authentication.
    if (!(uri=~"^sip:(.+@)?(a.b.c.d|xxxxx.)?xxxxx.com)([:;?].*)?$")) {
        log(1, "**************** LOG: route(5)\n");
        route(5);
        break;
    };

    # pstn 911, 9911, all number between 7 and 20 digits
    # NOTE(review): the third pattern lacks the leading "^" the other two
    # have. Every 7-20 digit user part is handed to route(3); see which of
    # those route(3) actually authenticates.
    if ( (uri=~"^sip:911@.*") | (uri=~"^sip:9911@.*") | (uri=~"sip:[0-9]{7,20}@.*") ) {
        log(1, "**************** LOG: route(3)\n");
        route(3);
        break;
    };

    # voice mail
    # For voicemail subscribers, arm failure_route[4] and set flag 4.
    if (is_user_in("Request-URI", "voicemail")) {
        log(1, "**************** LOG: voicemail\n");
        t_on_failure("4");
        setflag(4);
    };

    # No registered contact: answer via route(4).
    if (!lookup("location")) {
        log(1, "**************** LOG: route(4)\n");
        route(4);
        break;
    };

    # check whether some inventive user has uploaded gateway
    # contacts to usrloc to bypass authorization logic
    # NOTE(review): the alternation is not grouped and the dots are not
    # escaped, so this reads as "@192.168.0.1" OR "209.208.224.4..." with "."
    # matching any character. It over-matches rather than under-matches, but
    # grouping the addresses in parentheses would state the intent exactly.
    if (uri=~"@192.168.0.1|209.208.224.4([;:].*)*" ) {
        log(1, "**************** LOG: Gateway address in UsrLoc\n");
        route(3);
        break;
    };

    # this flag is used with the acc module to report missed calls
    # to syslog.
    setflag(3);

    # do it (words to live by)
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}
# ------------- process all local traffic
# Statefully relays the request to the current request URI; on relay failure
# a stateless error reply is sent back.
route[1] {
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}
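# ------------- process traffic leaving fikus for Internet
# Requests whose URI is not local: require proxy authentication unless the
# packet comes from one of two trusted source addresses, verify From on
# INVITEs, then relay statefully.
route[2] {

    # outbound requests are allowed only for registered BigU users
    # NOTE(review): the src_ip exemptions trust the packet's source address;
    # over UDP that is only as strong as the anti-spoofing filtering in front
    # of this proxy.
    if (!(src_ip==a.b.c.d) & !(src_ip==192.168.0.15) & !(proxy_authorize("fikus", "subscriber"))) {
        # ACK and CANCEL have no security mechanisms so they are just
        # noted. BYE is let through the same way by the condition below, so
        # the log line names both methods to keep the audit trail accurate.
        if (method=="ACK" | method=="BYE") {
            log("**************** LOG: failed outbound authentication for ACK/BYE granted\n");
        } else if (method=="CANCEL") {
            log("**************** LOG: failed outbound authentication for CANCEL granted\n");
        } else {
            proxy_challenge("fikus", "0");
            break;
        };
    };

    # to maintain credibility of our proxy, we check From in INVITEs
    if (!src_ip==a.b.c.d & !src_ip==192.168.0.15 & method=="INVITE" & !check_from()) {
        log(1, "**************** LOG: Spoofed from attempt\n");
        sl_send_reply("403", "Use From=id next time");
        break;
    };

    append_hf("P-hint: OUTBOUND ON INTERNET\r\n");
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}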
# ------------- process traffic leaving Internet for PSTN
# Numeric destinations: emergency numbers and seven-digit numbers are
# forwarded statelessly without authentication; numbers starting with 9 are
# authenticated and checked for long-distance permission; whatever remains is
# relayed to the gateway.
route[3] {
    # all calls through the gateway must be record routed to assure
    # acl acceptance on the gateway
    record_route();

    # send out emergency calls to pstn gateway immediately
    if ((uri=~"^sip:911@.*") | (uri=~"^sip:9911@.*")) {
        rewritehostport("a.b.c.e:5060");
        forward(uri:host, uri:port);
        break;
    };

    # seven digit numeric addresses are internal freebies sent to the pbx
    # without authentication
    # NOTE(review): this branch is reachable by any sender; confirm the PBX
    # treats seven-digit numbers strictly as internal extensions. The host
    # pattern "(xxxx,)?.xxxx.com" and the target "a.b.c.d.f" look like
    # redaction artefacts -- verify against the real config.
    if (uri=~"^sip:[0-9]{7}@(a.b.c.d|192.168.0.15|xxxxx|(xxxx,)?.xxxx.com)") {
        rewritehostport("a.b.c.d.f:5060");
        forward(uri:host, uri:port);
        break;
    };

    # all numeric addresses beginning with 9 go to the pbx on the way
    # to the PSTN

    # first the caller needs to be authenticated
    if (uri=~"^sip:9[0-9]*@(a.b.c.d|xxxxx|192.168.0.15)") {
        # Two source addresses and the methods ACK/CANCEL/BYE skip the
        # challenge. NOTE(review): ACK is unquoted here while the other
        # method names are quoted; src_ip trust depends on anti-spoofing
        # filtering upstream.
        if (!(src_ip==209.208.224.15 | src_ip==192.168.0.15 | method==ACK | method=="CANCEL" | method=="BYE")) {
            # NOTE(review): the realm passed to proxy_authorize() ("xxxxx")
            # and to proxy_challenge() ("xxxxxx") differ as posted --
            # presumably redaction; they must be identical in the real file
            # or authentication cannot succeed.
            if (!proxy_authorize("xxxxx", "subscriber")) {
                proxy_challenge("xxxxxx","0");
                break;
            } else if (method=="INVITE" & !check_from()) {
                log(1, "**************** LOG: Spoofed from attempt\n");
                sl_send_reply("403", "Use From=id next time");
                break;
            };
        };
        if (method=="INVITE") {
            # if the r-uri begins 91, does the authenticated user have
            # permission for long distance
            if (uri=~"sip:91[0-9]*@.*") {
                if (!is_user_in("credentials", "ld")) {
                    sl_send_reply("403", "Local calls only");
                    break;
                };
            };
        };

        # authenticated and authorized, now accounting is set
        setflag(1);
    };

    # NOTE(review): a request that matched none of the branches above (for
    # example an 8-20 digit number that does not start with 9, or a 9-number
    # whose host is not in the list) arrives here without having been
    # authenticated and without the accounting flag, and is still relayed to
    # the gateway. Reject or authenticate such requests here unless the
    # gateway's own dial plan is known to refuse them.
    rewritehostport("a.b.c.f:5060");
    append_hf("P-hint: GATEWAY\r\n");
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}
# ------------- process calls for users offline
# Creates a transaction for the request and answers it with 404; if either
# step fails, a stateless error reply is sent instead.
route[4] {
    log (1, "**************** INSIDE ROUTE[4]\n");

    if (!t_newtran()) {
        sl_reply_error();
    };
    if (!t_reply("404", "Not Found")) {
        sl_reply_error();
    };
    break;
}
# ------------- process aliased outbound traffic
# inbound requests that have been aliased to a non-fikus domain
# are not authenticated by fikus
# NOTE(review): because no authentication happens here, the alias table
# decides which foreign destinations anyone can reach through this proxy;
# keep write access to it restricted.
route[5] {
    append_hf("P-hint: ALIASED-OUTBOUND\r\n");
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}
# ------------- CC-Diversion to voicemail
# Runs when a call armed with t_on_failure("4") fails: adds a branch to the
# voicemail URI, records the original URI in a CC-Diversion header and relays.
failure_route[4] {
    log (1, "**************** FAILURE_ROUTE CALLING VOICEMAIL\n");
    # forward to voicemail now
    # NOTE(review): "a.b.c.d.e" has five parts as posted -- presumably a
    # redaction artefact; verify the real voicemail host.
    append_branch("sip:2000@a.b.c.d.e");
    append_urihf("CC-Diversion: ", "\r\n");
    append_hf("P-hint: OFFLINE-VOICEMAIL\r\n");
    # The result of t_relay() is not checked here, unlike in the other routes.
    t_relay();
}