A simple SIP connection over the Internet to the SIP provider Goldline was requested. The VoIP devices involved in this task are a Cisco AS5350 router and an IP PBX, plus a Check Point 1100 firewall used to protect the connection.
Topology
Configuration
Cisco AS5350 Universal Gateway
The Cisco AS5300 Series Universal Gateway is the only universal-port-ready, one-rack-unit (RU) dual T1/E1 gateway, offering carrier-class reliability in a modular design. It also supports service-provider data and voice applications, including:
r_voip#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 5350 Software (C5350-IS-M), Version 12.3(10e), RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 18-Aug-05 17:00 by ssearch
Image text-base: 0x60008AFC, data-base: 0x61700000

ROM: System Bootstrap, Version 12.2(1r)1, RELEASE SOFTWARE (fc1)
BOOTLDR: 5350 Software (C5350-BOOT-M), Version 12.2(2)XB2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

r_voip uptime is 20 hours, 11 minutes
System returned to ROM by power-on
System restarted at 14:34:21 EDT Wed Dec 6 2017
System image file is "flash:c5350-is-mz.123-10e.bin"

cisco AS5350 (R7K) processor (revision T) with 262144K/131072K bytes of memory.
Processor board ID JAE0940MBBX
R7000 CPU at 250MHz, Implementation 39, Rev 2.1, 256KB L2, 2048KB L3 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
Primary Rate ISDN software, Version 1.1.
Manufacture Cookie Info:
EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x32,
Board Hardware Version 3.35, Item Number 800-5171-02,
Board Revision D0, Serial Number JAE0940MBBX,
PLD/ISP Version 2.2, Manufacture Date 29-Sep-2005.
Processor 0x14, MAC Address 0x0141C3F6F2A
Backplane HW Revision 1.0, Flash Type 5V
2 FastEthernet/IEEE 802.3 interface(s)
54 Serial network interface(s)
60 terminal line(s)
2 Channelized T1/PRI port(s)
512K bytes of non-volatile configuration memory.
65536K bytes of processor board System flash (Read/Write)
16384K bytes of processor board Boot flash (Read/Write)

Configuration register is 0x2102
r_voip#sh run
Building configuration...
Current configuration : 7758 bytes
!
! Last configuration change at 10:42:03 EDT Thu Dec 7 2017 by gi-de
! NVRAM config last updated at 10:44:22 EDT Thu Dec 7 2017 by gi-de
!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec
service password-encryption
!
hostname r_voip
!
boot-start-marker
no boot startup-test
boot-end-marker
!
logging queue-limit 100
logging buffered 4096 debugging
logging console notifications
enable secret 5 $1$AqCc$Yws4cMk4IVz2yPhXrH2Y0
enable password 7 1531031E55393F7526600C72346
!
username yssso password 7 1531031E55393F7526600C72346
username gssss_gl password 7 052C572B7273692526347431B33252E262D2677
username gssss password 7 1069585421445F3D5C55A6A
username tadmin password 7 003001053B7C07393911D5E48
!
!
resource-pool disable
clock timezone EDT -5
spe default-firmware spe-firmware-1
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip name-server 8.8.8.8
!
isdn switch-type primary-dms100
isdn logging
!
voice call send-alert
voice call convert-discpi-to-prog
voice call carrier capacity active
voice rtp send-recv
!
voice service pots
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
!
voice service voip
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
sip
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
!
!
!
!
!
!
!
!
!
!
fax interface-type fax-mail
!
!
trunk group ALLT1
description ALL T1 on the system
!
!
!
controller T1 3/0
framing esf
linecode b8zs
cablelength short 133
pri-group timeslots 1-24
!
controller T1 3/1
framing esf
linecode b8zs
cablelength short 133
pri-group timeslots 1-24
!
class-map match-all voip
match dscp cs6
match not dscp cs1
!
!
policy-map QoS_VoIP
class voip
set dscp cs1
!
!
!
interface FastEthernet0/0
description calls to and from Goldline
ip address 100.100.100.26 255.255.255.0
service-policy input QoS_VoIP
service-policy output QoS_VoIP
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 172.16.9.222 255.255.255.0
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
no ip address
shutdown
clockrate 2000000
!
interface Serial0/1
no ip address
shutdown
clockrate 2000000
!
interface Serial3/0:23
no ip address
trunk-group ALLT1
isdn switch-type primary-dms100
isdn protocol-emulate network
isdn incoming-voice modem
isdn guard-timer 10000
isdn T306 10000
isdn T310 40000
isdn send-alerting
isdn sending-complete
isdn channel-id invert extend-bit
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/1:23
no ip address
trunk-group ALLT1
isdn switch-type primary-dms100
isdn protocol-emulate network
isdn incoming-voice modem
isdn guard-timer 10000
isdn T306 10000
isdn T310 40000
isdn send-alerting
isdn sending-complete
isdn channel-id invert extend-bit
no keepalive
no fair-queue
no cdp enable
!
interface Async1/00
no ip address
!
interface Async1/01
no ip address
!
interface Async1/02
no ip address
!
interface Async1/03
no ip address
!
interface Async1/04
no ip address
!
interface Async1/05
no ip address
!
interface Async1/06
no ip address
!
interface Async1/07
no ip address
!
interface Async1/08
no ip address
!
interface Async1/09
no ip address
!
interface Async1/10
no ip address
!
interface Async1/11
no ip address
!
interface Async1/12
no ip address
!
interface Async1/13
no ip address
!
interface Async1/14
no ip address
!
interface Async1/15
no ip address
!
interface Async1/16
no ip address
!
interface Async1/17
no ip address
!
interface Async1/18
no ip address
!
interface Async1/19
no ip address
!
interface Async1/20
no ip address
!
interface Async1/21
no ip address
!
interface Async1/22
no ip address
!
interface Async1/23
no ip address
!
interface Async1/24
no ip address
!
interface Async1/25
no ip address
!
interface Async1/26
no ip address
!
interface Async1/27
no ip address
!
interface Async1/28
no ip address
!
interface Async1/29
no ip address
!
interface Async1/30
no ip address
!
interface Async1/31
no ip address
!
interface Async1/32
no ip address
!
interface Async1/33
no ip address
!
interface Async1/34
no ip address
!
interface Async1/35
no ip address
!
interface Async1/36
no ip address
!
interface Async1/37
no ip address
!
interface Async1/38
no ip address
!
interface Async1/39
no ip address
!
interface Async1/40
no ip address
!
interface Async1/41
no ip address
!
interface Async1/42
no ip address
!
interface Async1/43
no ip address
!
interface Async1/44
no ip address
!
interface Async1/45
no ip address
!
interface Async1/46
no ip address
!
interface Async1/47
no ip address
!
interface Async1/48
no ip address
!
interface Async1/49
no ip address
!
interface Async1/50
no ip address
!
interface Async1/51
no ip address
!
interface Async1/52
no ip address
!
interface Async1/53
no ip address
!
interface Async1/54
no ip address
!
interface Async1/55
no ip address
!
interface Async1/56
no ip address
!
interface Async1/57
no ip address
!
interface Async1/58
no ip address
!
interface Async1/59
no ip address
!
interface Group-Async0
no ip address
no group-range
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 100.100.100.1
ip route 100.100.100.0 255.255.255.0 FastEthernet0/0
ip route 172.16.9.0 255.255.255.0 FastEthernet0/1
no ip http server
!
!
access-list 1 permit 204.101.238.5
access-list 1 permit 162.248.168.71
access-list 1 permit 162.248.168.74
access-list 1 permit 162.248.168.73
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 1 deny any
!
!
!
voice-port 3/0:D
!
voice-port 3/1:D
!
!
!
dial-peer voice 1 pots
trunkgroup ALLT1
description Incoming calls from GI-DE PRI accept
incoming called-number .
direct-inward-dial
!
dial-peer voice 100 voip
tone ringback alert-no-PI
description Outgoing calls to Goldline
huntstop
preference 1
destination-pattern ..........T
progress_ind setup enable 3
voice-class sip rel1xx disable
session protocol sipv2
session target ipv4:162.248.168.71
dtmf-relay rtp-nte
fax rate 9600
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
ip qos dscp cs1 media
ip qos dscp cs1 signaling
no vad
!
dial-peer voice 101 voip
description Incoming calls from Goldline
incoming called-number ....
voice-class codec 1
voice-class sip rel1xx disable
session protocol sipv2
session target ipv4:162.248.168.71
dtmf-relay rtp-nte
fax rate 9600
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
ip qos dscp cs1 media
ip qos dscp cs1 signaling
no vad
!
dial-peer voice 11 pots
trunkgroup ALLT1
description Incoming call from Goldline to T1
preference 1
destination-pattern ....
progress_ind setup enable 3
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
forward-digits all
!
!
num-exp ....# ....
num-exp .....# .....
num-exp ......# ......
num-exp .......# .......
num-exp ........# ........
num-exp .........# .........
num-exp ..........# ..........
num-exp ...........# ...........
num-exp ............# ............
num-exp .............# .............
num-exp ..............# ..............
num-exp ...............# ...............
gateway
!
sip-ua
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
logging synchronous level 5
history size 256
line 1/00 1/59
modem InOut
!
scheduler allocate 10000 400
ntp clock-period 17180072
ntp update-calendar
ntp server 206.108.0.133
ntp server 158.69.125.231
ntp server 162.213.212.10
end
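As an added audit, not part of the original page: the Python script below checks a running-config of the shape shown above for three things a reviewer would want to see before publishing or deploying it. First, `service password-encryption` (type 7) only obfuscates; the fixed-key XOR scheme below reverses it, so `enable password 7` adds nothing once `enable secret` is present, and the `username ... password 7` entries are just as recoverable. The type 7 strings printed on this page all have an odd number of hex characters, so they are not valid type 7 encodings and cannot be decoded; the decoder is therefore demonstrated on a constructed value, and one of the page's strings is included only to show the undecodable case. Second, `access-list 1` in the config above is defined but never applied with `access-class` or `ip access-group`, so it restricts nothing. Third, the vty lines carry no `access-class`. The embedded config excerpt is constructed to mirror the page's config; the XLAT key is the publicly documented one.

```python
import re

# Publicly documented XOR key behind IOS "service password-encryption" (type 7).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Reverse a type 7 string: two decimal seed digits, then one hex byte per
    character, each XORed with XLAT starting at the seed offset."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a valid type 7 string (odd length or bad seed)")
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(data))


def type7_encode(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decode; shows the scheme is a fixed-key XOR, not a hash."""
    body = "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
                   for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


# Places a numbered ACL can be applied; anything defined but absent here is dead.
ACL_REF = re.compile(r"\b(?:access-class|ip access-group|match access-group)\s+(\d+)")


def audit_ios_config(config: str) -> dict:
    """Flag reversible secrets, unused numbered ACLs and unprotected vty lines."""
    lines = [l.strip() for l in config.splitlines()]   # the page's dump lost indentation anyway
    report = {"type7_secrets": [], "enable_password_with_secret": False,
              "unapplied_acls": [], "vty_without_access_class": []}
    # 1. type 7 secrets: recover them, or record why they cannot be decoded
    for line in lines:
        m = re.match(r"^(?:enable password|username \S+ password) 7 (\S+)$", line)
        if m:
            try:
                report["type7_secrets"].append((line, type7_decode(m.group(1))))
            except ValueError as err:
                report["type7_secrets"].append((line, f"undecodable: {err}"))
    has_secret = any(l.startswith("enable secret ") for l in lines)
    has_password = any(l.startswith("enable password ") for l in lines)
    report["enable_password_with_secret"] = has_secret and has_password
    # 2. numbered ACLs that are defined but never referenced
    defined, referenced = set(), set()
    for line in lines:
        m = re.match(r"^access-list (\d+) ", line)
        if m:
            defined.add(m.group(1))
        referenced.update(ACL_REF.findall(line))
    report["unapplied_acls"] = sorted(defined - referenced, key=int)
    # 3. vty blocks without access-class (a block ends at the next "line", "!" or "end")
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, j, block = lines[i], i + 1, []
            while j < len(lines) and not (lines[j].startswith("line ") or lines[j] in ("!", "end")):
                block.append(lines[j])
                j += 1
            if not any(b.startswith("access-class ") for b in block):
                report["vty_without_access_class"].append(header)
            i = j
        else:
            i += 1
    return report


# Constructed excerpt mirroring the AS5350 config on this page. The type 7 values
# are constructed ("0822455D0A16" is the textbook encoding of "cisco"), except the
# gssss line, which is the page's own odd-length string kept to show the failure case.
SAMPLE_CONFIG = """\
version 12.3
service password-encryption
hostname r_voip
enable secret 5 $1$salt$constructedmd5hashvalue
enable password 7 0822455D0A16
username tadmin password 7 0822455D0A16
username gssss password 7 1069585421445F3D5C55A6A
aaa new-model
aaa authentication login default local
interface FastEthernet0/0
 ip address 100.100.100.26 255.255.255.0
no ip http server
access-list 1 permit 162.248.168.71
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 1 deny any
line con 0
 exec-timeout 0 0
line vty 0 4
 logging synchronous level 5
 history size 256
line 1/00 1/59
 modem InOut
!
end
"""

if __name__ == "__main__":
    for key, value in audit_ios_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

In IOS terms the remediation is `no enable password` (keep only `enable secret`), `username <name> secret <pw>` instead of `password 7`, and, if access-list 1 is meant to guard management access, `access-class 1 in` under `line vty 0 4`; note that it also permits Goldline's addresses, which a management ACL would not need.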
Check Point 1100
The basic configuration is documented in "Check Point 1100 Appliance Configuration Step by Step". For this SIP connection to Goldline, the following firewall configuration has to be done manually rather than auto-generated:
- Manual NAT (port forwarding): the Check Point 1100 WAN interface IP 19.24.14.12 port-forwards to 100.100.100.26
- Allow inbound connections on UDP port 5060 from 162.248.168.71 to 19.24.14.12
- Allow inbound connections on the UDP port range 5070-35000 from 162.248.168.73 and 162.248.168.74 to 19.24.14.12
- Allow outbound connections from 100.100.100.26 to the Internet, hidden behind the Check Point WAN interface IP 19.24.14.12 (the port-forwarding rule already hides outbound traffic behind the gateway's external IP address)
- QoS rule: traffic to the Goldline VoIP gateway IP addresses (162.248.168.71, .73, .74) has its DSCP set to 8. It is strongly recommended to verify the TOS/QoS settings for RTP and SIP signaling on both the Cisco and the Check Point. By default the marking may be DSCP EF (decimal 46) or TOS IP precedence 7. Those settings are fine on a LAN, but on the Internet an intervening router does extra work to strip the marking before forwarding, and when it is too busy it simply drops the packet instead, which causes intermittent voice-quality problems. For packets crossing the Internet to Goldline, set DSCP to CS1 (decimal 8), i.e. TOS IP precedence 1, on the edge router, or use Check Point traffic shaping to set DSCP to CS1 (decimal 8). Note that CS1 is the conventional lower-effort ("scavenger") code point, so a carrier that honours it will treat the calls as lowest priority rather than best effort; the remark is a trade-off against having EF-marked packets dropped, not a priority upgrade.
- If the firewall/router has a SIP ALG feature enabled, turn it off. If logging is enabled for UDP packets, call quality may drop when the router becomes saturated.
- Server configuration
Note:
The server access rules and NAT rules can also be configured in the auto-generated way. But I ran into a problem: I could statically set a public IP address different from the gateway interface IP, yet outbound traffic was still using the gateway interface IP, which caused problems with the SIP connection to Goldline. After many attempts I gave up on static NAT for the server and configured the server through a manually configured access policy without configuring NAT.
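To make the rule set above concrete, here is an added Python model of the Check Point policy as the list describes it (example code, not a Check Point export and not part of the original page). It encodes the two inbound port-forwarding rules, an explicit cleanup drop, the outbound hide NAT and the DSCP CS1 remark, and evaluates constructed packets against them, so the allowed matrix (which Goldline host may reach which port, UDP only) is explicit. The addresses are the page's; the packet samples are constructed, and the treatment of other LAN hosts as dropped outbound is an assumption the page does not state. It also carries the DSCP-to-TOS-byte arithmetic and the tcpdump filter a practitioner would use to confirm the marking actually survives on the wire.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Addresses from the page
WAN_IP = "19.24.14.12"          # Check Point 1100 WAN interface
GATEWAY = "100.100.100.26"      # AS5350 FastEthernet0/0
SIP_PROXY = "162.248.168.71"    # Goldline SIP signaling host
RTP_HOSTS = ("162.248.168.73", "162.248.168.74")   # Goldline media hosts
GOLDLINE = (SIP_PROXY,) + RTP_HOSTS
DSCP_CS1, DSCP_EF = 8, 46


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp" or "tcp"
    dport: int
    dscp: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    srcs: Tuple[str, ...]          # hosts or CIDR networks
    proto: str                     # "udp", "tcp" or "any"
    ports: range
    action: str                    # "accept" or "drop"
    nat_to: Optional[str] = None   # destination NAT (port forward) target


# Inbound policy on the WAN interface, in the order the page lists it, plus a
# cleanup rule. Matching is first-hit, as on the firewall.
INBOUND_RULES = (
    Rule("sip-signaling", (SIP_PROXY,), "udp", range(5060, 5061), "accept", GATEWAY),
    Rule("rtp-media", RTP_HOSTS, "udp", range(5070, 35001), "accept", GATEWAY),
    Rule("cleanup", ("0.0.0.0/0",), "any", range(0, 65536), "drop"),
)


def _matches(rule: Rule, pkt: Packet) -> bool:
    src_ok = any(ip_address(pkt.src) in ip_network(s, strict=False) for s in rule.srcs)
    return (src_ok and pkt.dst == WAN_IP
            and rule.proto in ("any", pkt.proto)
            and pkt.dport in rule.ports)


def evaluate_inbound(pkt: Packet) -> Tuple[str, str, Optional[str]]:
    """(rule name, action, translated destination) for a packet hitting the WAN side."""
    for rule in INBOUND_RULES:
        if _matches(rule, pkt):
            return rule.name, rule.action, rule.nat_to if rule.action == "accept" else None
    return "implicit-drop", "drop", None


def evaluate_outbound(pkt: Packet) -> Tuple[str, Optional[str], int]:
    """(action, translated source, outgoing DSCP) for a packet from the LAN side.
    The gateway is hidden behind WAN_IP; traffic to Goldline is remarked to CS1.
    Assumption (not stated on the page): other LAN hosts are not allowed out."""
    if pkt.src != GATEWAY:
        return "drop", None, pkt.dscp
    dscp = DSCP_CS1 if pkt.dst in GOLDLINE else pkt.dscp
    return "accept", WAN_IP, dscp


def dscp_to_tos_byte(dscp: int) -> int:
    """DSCP is the top six bits of the TOS byte; the low two are ECN."""
    return dscp << 2


def ip_precedence(dscp: int) -> int:
    """Legacy IP precedence is the top three bits of the DSCP."""
    return dscp >> 3


def bpf_for_dscp(dscp: int, port: int = 5060) -> str:
    """tcpdump/BPF expression to confirm on the wire that packets on the given UDP
    port carry the expected DSCP (0xfc masks off the ECN bits)."""
    return f"udp port {port} and ip[1] & 0xfc == {dscp_to_tos_byte(dscp):#04x}"


if __name__ == "__main__":
    samples = [   # constructed packets
        Packet(SIP_PROXY, WAN_IP, "udp", 5060),        # SIP INVITE from Goldline
        Packet(RTP_HOSTS[0], WAN_IP, "udp", 20000),    # RTP from a media host
        Packet(SIP_PROXY, WAN_IP, "udp", 20000),       # media from the signaling host: not allowed
        Packet(SIP_PROXY, WAN_IP, "tcp", 5060),        # SIP over TCP: not in the rule set
        Packet("203.0.113.9", WAN_IP, "udp", 5060),    # unrelated source (scanner)
    ]
    for p in samples:
        print(p.src, p.proto, p.dport, "->", evaluate_inbound(p))
    print(evaluate_outbound(Packet(GATEWAY, SIP_PROXY, "udp", 5060, DSCP_EF)))
    print("tcpdump -ni <wan-if> '" + bpf_for_dscp(DSCP_CS1) + "'")
```

The RTP rule is the widest hole in this policy (about 30,000 UDP ports open from two hosts), which is why the source restriction to .73 and .74 matters: with it the rule is only reachable by spoofed UDP, and any spoofed packet still has to be a valid RTP stream the gateway is expecting.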
Troubleshooting
Errors in the log showed that some packets from the SIP provider Goldline were being dropped.
The cause was a violation of a unidirectional connection.
There are many KBs on the Check Point site that discuss this error, in particular "UDP Traffic on 600/700 appliances is dropped due to 'Violation of unidirectional connection'".
After applying that solution and rebooting the Cisco AS5350, the problem appeared to go away.
References: