A request came in for a simple SIP connection over the Internet to the SIP provider Goldline. The VoIP equipment involved in this task includes a Cisco AS5350 router and an IP PBX, plus a Check Point 1100 firewall that protects the connection.

Topology

Configuration

Cisco Universal Gateway AS5350

The Cisco AS5300 Series Universal Gateway is the only universal-port-ready, one-rack-unit (RU), dual T1/E1 gateway that delivers carrier-class reliability in a modular design. It also supports service provider data and voice applications, including:

  • Broadband voice termination
  • Long distance
  • Prepaid calling card
  • Local access
  • Hosted IP telephony
  • Call center solutions
  • ASP hosting and termination
  • Unified communications
  • Access VPN
  • Dial access
  • TDM switching

r_voip#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 5350 Software (C5350-IS-M), Version 12.3(10e), RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 18-Aug-05 17:00 by ssearch
Image text-base: 0x60008AFC, data-base: 0x61700000

ROM: System Bootstrap, Version 12.2(1r)1, RELEASE SOFTWARE (fc1)
BOOTLDR: 5350 Software (C5350-BOOT-M), Version 12.2(2)XB2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

r_voip uptime is 20 hours, 11 minutes
System returned to ROM by power-on
System restarted at 14:34:21 EDT Wed Dec 6 2017
System image file is "flash:c5350-is-mz.123-10e.bin"

cisco AS5350 (R7K) processor (revision T) with 262144K/131072K bytes of memory.
Processor board ID JAE0940MBBX
R7000 CPU at 250MHz, Implementation 39, Rev 2.1, 256KB L2, 2048KB L3 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
Primary Rate ISDN software, Version 1.1.
Manufacture Cookie Info:
 EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x32,
 Board Hardware Version 3.35, Item Number 800-5171-02,
 Board Revision D0, Serial Number JAE0940MBBX,
 PLD/ISP Version 2.2,  Manufacture Date 29-Sep-2005.
Processor 0x14, MAC Address 0x0141C3F6F2A
Backplane HW Revision 1.0, Flash Type 5V
2 FastEthernet/IEEE 802.3 interface(s)
54 Serial network interface(s)
60 terminal line(s)
2 Channelized T1/PRI port(s)
512K bytes of non-volatile configuration memory.
65536K bytes of processor board System flash (Read/Write)
16384K bytes of processor board Boot flash (Read/Write)

Configuration register is 0x2102
r_voip#sh run
Building configuration...

Current configuration : 7758 bytes
!
! Last configuration change at 10:42:03 EDT Thu Dec 7 2017 by gi-de
! NVRAM config last updated at 10:44:22 EDT Thu Dec 7 2017 by gi-de
!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec
service password-encryption
!
hostname r_voip
!
boot-start-marker
no boot startup-test
boot-end-marker
!
logging queue-limit 100
logging buffered 4096 debugging
logging console notifications
enable secret 5 $1$AqCc$Yws4cMk4IVz2yPhXrH2Y0
enable password 7 1531031E55393F7526600C72346
!
username yssso password 7 1531031E55393F7526600C72346
username gssss_gl password 7 052C572B7273692526347431B33252E262D2677
username gssss password 7 1069585421445F3D5C55A6A
username tadmin password 7 003001053B7C07393911D5E48
!
!
resource-pool disable
clock timezone EDT -5
spe default-firmware spe-firmware-1
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip name-server 8.8.8.8
!
isdn switch-type primary-dms100
isdn logging
!
voice call send-alert
voice call convert-discpi-to-prog
voice call carrier capacity active
voice rtp send-recv
!
voice service pots 
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
!
voice service voip 
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
 sip
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g711alaw
 codec preference 3 g729r8
!
!
!         
!
!
!
!
!
!
!
fax interface-type fax-mail
!
!
trunk group  ALLT1
 description ALL T1 on the system
!
!
!
controller T1 3/0
 framing esf
 linecode b8zs
 cablelength short 133
 pri-group timeslots 1-24
!
controller T1 3/1
 framing esf
 linecode b8zs
 cablelength short 133
 pri-group timeslots 1-24
!
class-map match-all voip
  match  dscp cs6 
  match not  dscp cs1 
!
!
policy-map QoS_VoIP
  class voip
   set dscp cs1
!
!
!
interface FastEthernet0/0
 description calls to and from Goldline
 ip address 100.100.100.26 255.255.255.0
 service-policy input QoS_VoIP
 service-policy output QoS_VoIP
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 172.16.9.222 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
 clockrate 2000000
!
interface Serial0/1
 no ip address
 shutdown
 clockrate 2000000
!
interface Serial3/0:23
 no ip address
 trunk-group ALLT1
 isdn switch-type primary-dms100
 isdn protocol-emulate network
 isdn incoming-voice modem
 isdn guard-timer 10000
 isdn T306 10000
 isdn T310 40000
 isdn send-alerting
 isdn sending-complete
 isdn channel-id invert extend-bit
 no keepalive
 no fair-queue
 no cdp enable
!
interface Serial3/1:23
 no ip address
 trunk-group ALLT1
 isdn switch-type primary-dms100
 isdn protocol-emulate network
 isdn incoming-voice modem
 isdn guard-timer 10000
 isdn T306 10000
 isdn T310 40000
 isdn send-alerting
 isdn sending-complete
 isdn channel-id invert extend-bit
 no keepalive
 no fair-queue
 no cdp enable
!
interface Async1/00
 no ip address
!
interface Async1/01
 no ip address
!
interface Async1/02
 no ip address
!
interface Async1/03
 no ip address
!
interface Async1/04
 no ip address
!
interface Async1/05
 no ip address
!
interface Async1/06
 no ip address
!
interface Async1/07
 no ip address
!
interface Async1/08
 no ip address
!
interface Async1/09
 no ip address
!
interface Async1/10
 no ip address
!
interface Async1/11
 no ip address
!
interface Async1/12
 no ip address
!
interface Async1/13
 no ip address
!
interface Async1/14
 no ip address
!
interface Async1/15
 no ip address
!
interface Async1/16
 no ip address
!
interface Async1/17
 no ip address
!
interface Async1/18
 no ip address
!
interface Async1/19
 no ip address
!
interface Async1/20
 no ip address
!
interface Async1/21
 no ip address
!
interface Async1/22
 no ip address
!
interface Async1/23
 no ip address
!
interface Async1/24
 no ip address
!
interface Async1/25
 no ip address
!
interface Async1/26
 no ip address
!
interface Async1/27
 no ip address
!
interface Async1/28
 no ip address
!
interface Async1/29
 no ip address
!
interface Async1/30
 no ip address
!
interface Async1/31
 no ip address
!
interface Async1/32
 no ip address
!
interface Async1/33
 no ip address
!
interface Async1/34
 no ip address
!
interface Async1/35
 no ip address
!
interface Async1/36
 no ip address
!
interface Async1/37
 no ip address
!
interface Async1/38
 no ip address
!
interface Async1/39
 no ip address
!
interface Async1/40
 no ip address
!
interface Async1/41
 no ip address
!
interface Async1/42
 no ip address
!
interface Async1/43
 no ip address
!
interface Async1/44
 no ip address
!
interface Async1/45
 no ip address
!
interface Async1/46
 no ip address
!
interface Async1/47
 no ip address
!
interface Async1/48
 no ip address
!
interface Async1/49
 no ip address
!
interface Async1/50
 no ip address
!
interface Async1/51
 no ip address
!
interface Async1/52
 no ip address
!
interface Async1/53
 no ip address
!
interface Async1/54
 no ip address
!
interface Async1/55
 no ip address
!
interface Async1/56
 no ip address
!
interface Async1/57
 no ip address
!
interface Async1/58
 no ip address
!
interface Async1/59
 no ip address
!
interface Group-Async0
 no ip address
 no group-range
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 100.100.100.1
ip route 100.100.100.0 255.255.255.0 FastEthernet0/0
ip route 172.16.9.0 255.255.255.0 FastEthernet0/1
no ip http server
!
!
access-list 1 permit 204.101.238.5
access-list 1 permit 162.248.168.71
access-list 1 permit 162.248.168.74
access-list 1 permit 162.248.168.73
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 1 deny   any
!
!
!
voice-port 3/0:D
!
voice-port 3/1:D
!
!
!
dial-peer voice 1 pots
 trunkgroup ALLT1
 description Incoming calls from GI-DE PRI accept
 incoming called-number .
 direct-inward-dial
!
dial-peer voice 100 voip
 tone ringback alert-no-PI
 description Outgoing calls to Goldline
 huntstop
 preference 1
 destination-pattern ..........T
 progress_ind setup enable 3
 voice-class sip rel1xx disable
 session protocol sipv2
 session target ipv4:162.248.168.71
 dtmf-relay rtp-nte
 fax rate 9600
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
 ip qos dscp cs1 media
 ip qos dscp cs1 signaling
 no vad
!
dial-peer voice 101 voip
 description Incoming calls from Goldline
 incoming called-number ....
 voice-class codec 1
 voice-class sip rel1xx disable
 session protocol sipv2
 session target ipv4:162.248.168.71
 dtmf-relay rtp-nte
 fax rate 9600
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
 ip qos dscp cs1 media
 ip qos dscp cs1 signaling
 no vad
!
dial-peer voice 11 pots
 trunkgroup ALLT1
 description Incoming call from Goldline to T1
 preference 1
 destination-pattern ....
 progress_ind setup enable 3
 progress_ind alert enable 8
 progress_ind progress enable 8
 progress_ind connect enable 8
 forward-digits all
!
!
num-exp ....# ....
num-exp .....# .....
num-exp ......# ......
num-exp .......# .......
num-exp ........# ........
num-exp .........# .........
num-exp ..........# ..........
num-exp ...........# ...........
num-exp ............# ............
num-exp .............# .............
num-exp ..............# ..............
num-exp ...............# ...............
gateway 
!
sip-ua 
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 logging synchronous level 5
 history size 256
line 1/00 1/59
 modem InOut
!
scheduler allocate 10000 400
ntp clock-period 17180072
ntp update-calendar
ntp server 206.108.0.133
ntp server 158.69.125.231
ntp server 162.213.212.10
end


Check Point 1100

The basic configuration is documented in "Check Point 1100 Appliance Configuration Step by Step". For this SIP connection to Goldline, the following firewall configuration has to be done manually rather than auto-generated:

  • Manual NAT (port forwarding): the Check Point 1100 WAN interface IP 19.24.14.12 has port forwarding enabled to 100.100.100.26
  • Allow inbound connections from 162.248.168.71 to 19.24.14.12 on UDP port 5060
  • Allow inbound connections from 162.248.168.73 and 162.248.168.74 to 19.24.14.12 on the UDP port range 5070-35000
  • Allow outbound connections from 100.100.100.26 to the Internet using the Check Point WAN interface IP 19.24.14.12 (the port forwarding rule already hides outbound traffic behind the gateway's external IP address)
  • QoS rule: for traffic to the Goldline VoIP gateway IP addresses (162.248.168.71, .73, .74), set DSCP to 8. It is strongly recommended to verify the ToS/QoS settings for RTP and SIP signaling on both the Cisco and the Check Point. By default the setting may be DSCP EF (decimal 46) or ToS IP precedence 7. These settings are fine on a LAN, but on the Internet an intervening router that is too busy to do the extra work of stripping the marking before forwarding will simply drop the packet, which causes intermittent voice quality problems. For packets going over the Internet to Goldline, set DSCP on the edge router to CS1 (decimal 8) or ToS IP precedence 1, or set the Check Point firewall traffic shaping to mark DSCP CS1 (decimal 8).
  • If a SIP ALG feature is active on the firewall/router, turn it off. If logging is enabled for UDP packets, call quality may degrade when the router is saturated.
  • Server configuration

Notes:
The server access rules and NAT rules can also be configured through auto-generation. But I ran into a problem: I could statically set a public IP address different from the gateway interface IP, yet outbound traffic still used the gateway interface IP, which caused problems with the SIP connection to Goldline. After many attempts I gave up on static NAT for the server and configured the server by manually configuring the access policy without configuring NAT.
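The router ACL, the dial-peer session targets and the firewall allow-list above all name the same Goldline addresses, and they drift apart easily when one side is changed. The following Python script is an added example (not code from the page's author or from Cisco/Check Point) that cross-checks them: it parses standard ACLs and `session target` lines from an IOS config, evaluates the ACL with wildcard masks and the implicit deny, checks every SIP peer against the inbound UDP/5060 sources the firewall admits, and reports ACLs that are defined but never applied. The config excerpt is constructed from the `sh run` output shown above; in that output `access-list 1` is defined but not referenced by any `ip access-group` or `access-class`, which the audit reports. The allow-list set `FIREWALL_SIP_SOURCES` is an assumption taken from the firewall rule bullets.

```python
"""Cross-check the gateway's SIP peers against its standard ACL and the
firewall allow-list, and flag ACLs that are defined but never applied.
Added example for this page; the excerpt below is constructed from the
AS5350 configuration shown above and is not the full running config."""
import ipaddress
import re

# Constructed excerpt modelled on the page's 'sh run' output.
CONFIG = """\
interface FastEthernet0/0
 description calls to and from Goldline
 ip address 100.100.100.26 255.255.255.0
!
access-list 1 permit 204.101.238.5
access-list 1 permit 162.248.168.71
access-list 1 permit 162.248.168.74
access-list 1 permit 162.248.168.73
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 1 deny   any
!
dial-peer voice 100 voip
 session protocol sipv2
 session target ipv4:162.248.168.71
!
dial-peer voice 101 voip
 session protocol sipv2
 session target ipv4:162.248.168.71
!
line vty 0 4
 logging synchronous level 5
"""

# Assumed allow-list: sources the Check Point rules admit for inbound UDP/5060.
FIREWALL_SIP_SOURCES = {"162.248.168.71"}

IPV4 = r"\d+\.\d+\.\d+\.\d+"


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_acls(config):
    """Return {acl_id: [(action, network_int, wildcard_int), ...]} in config order."""
    acls = {}
    pat = re.compile(r"^\s*access-list\s+(\S+)\s+(permit|deny)\s+(.*)$")
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue
        acl_id, action, rest = m.groups()
        toks = rest.split()
        if toks[0] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif toks[0] == "host":
            net, wild = _ip_int(toks[1]), 0
        else:
            net = _ip_int(toks[0])
            # A bare address with no wildcard is an exact host match.
            wild = _ip_int(toks[1]) if len(toks) > 1 and re.fullmatch(IPV4, toks[1]) else 0
        acls.setdefault(acl_id, []).append((action, net, wild))
    return acls


def acl_permits(entries, ip):
    """First-match evaluation of a standard ACL, with the implicit deny at the end."""
    addr = _ip_int(ip)
    for action, net, wild in entries:
        if (addr & ~wild) == (net & ~wild):
            return action == "permit"
    return False


def referenced_acls(config):
    """ACL ids applied via ip access-group, access-class or ntp access-group."""
    pat = re.compile(r"^\s*(?:ip access-group|access-class|ntp access-group \w+)\s+(\S+)")
    return {m.group(1) for m in map(pat.match, config.splitlines()) if m}


def unreferenced_acls(config):
    return sorted(set(parse_acls(config)) - referenced_acls(config))


def session_targets(config):
    return set(re.findall(r"^\s*session target ipv4:(" + IPV4 + ")", config, re.M))


def audit(config, acl_id="1", firewall_sip_sources=FIREWALL_SIP_SOURCES):
    """Return a list of findings; an empty list means the three views agree."""
    issues = [f"access-list {a} is defined but not applied to any interface or line"
              for a in unreferenced_acls(config)]
    acl = parse_acls(config).get(acl_id, [])
    for target in sorted(session_targets(config)):
        if not acl_permits(acl, target):
            issues.append(f"SIP peer {target} is not permitted by access-list {acl_id}")
        if target not in firewall_sip_sources:
            issues.append(f"SIP peer {target} has no inbound UDP/5060 firewall rule")
    return issues


if __name__ == "__main__":
    for finding in audit(CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a saved `sh run` by replacing `CONFIG` with the file contents; changing a `session target` to an address that is neither in the ACL nor in the firewall allow-list produces two findings for that peer, and adding `access-class 1 in` under `line vty 0 4` clears the unapplied-ACL finding.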

Troubleshooting

Errors appeared in the logs showing that some packets from the SIP provider Goldline were being dropped.

The cause was a unidirectional connection violation.

There are many KBs on the Check Point site discussing this error, in particular "UDP Traffic on 600/700 appliances is dropped due to 'Unidirectional Connection Violation'".

After following the solution and restarting the Cisco AS5350, the problem seems to have gone away.



By John
