Cisco 7940 - NAT SIP port NDLB

Status
Not open for further replies.

CPav

Hi all, hoping someone can help me with some NAT settings.

I have some Cisco 7940's, they're a nightmare with NAT, I can set them to work without issue just so long as they are the only device on the network registering with my colocated Fusion PBX. I can register as many Linphone apps with extensions as I like, but just one 7940, any subsequent 7940 will not register correctly.
My setup is client side is behind NAT and PBX side is also behind NAT. Looking at the registrations on FusionPBX I can see that each linphone app registers with a random port, the 7940's will only use my sip port 5080, so I'm no SIP guru here but I'm assuming that this is the reason additional 7940's won't reg as they are all forcing reg on 5080 - See attached

I've tried setting NDLB-received-in-nat-reg-contact under the extension "SIP Force Contact" to both v1 and v2
I've also tried setting <param name="NDLB-force-rport" value="true"/>, <param name="NDLB-received-in-nat-reg-contact" value="true"/> under the sip profile but all to no avail.
Is there a combination I can try here?? With the one phone registering on its own it works fine, audio, incoming and outgoing calls....just need to find a way to get these 7940's to live together..

Any advice much appreciated!!!
Edit - sip firmware is 8-12 (I believe it was the last one created so the latest).

Sip conf file for phone:
Outbound proxy: "myproxy"
# NAT/Firewall Traversal
nat_enable: "1"
nat_address: ""
voip_control_port: "5080"
start_media_port: "16384"
end_media_port: "32766"
nat_received_processing: "1"

Is using outbound proxy and NAT traversal together counterintuitive? Should I be disabling the NAT since I have outbound proxy set?
 

Attachment: nat.jpg

taptech

I don't have a ton of experience with these but do have about 8 or so that successfully register, all from one LAN. PBX is cloud hosted. Here's an example for the MAC.cnf files I use:
# Phone settings
phone_label: "Cisco7940G"
proxy_register: 1
timer_register_expires: 300
preferred_codec: g711ulaw
enable_vad: 0
dial_template: "dialplan"

# Registration information
reg.1.displayName="110"
proxy1_address: "mypxurl.com"
proxy1_port: "5060"
line1_name: "110"
line1_displayname: "110"
line1_shortname: "110"
line1_authname: "110"
line1_password: "$3aa5asdfdf3e5d3a"

# Emergency Proxy info
proxy_emergency: ""
proxy_emergency_port: ""

# Backup Proxy info
proxy_backup: ""
proxy_backup_port: ""

# Outbound Proxy info
outbound_proxy: ""
outbound_proxy_port: ""

# NAT/Firewall Traversal
voip_control_port: "5060"
start_media_port: "16384"
end_media_port: "32768"
nat_received_processing: "0"
nat_enable: "1"
nat_address: ""

# Sync value of the phone used for remote reset
sync: 1 ; Default 1

# Proxy Registration (0-disable (default), 1-enable)
proxy_register: "1"

# Phone Registration Expiration [1-3932100 sec] (Default - 3600)
timer_register_expires: "170"

# Codec for media stream (g711ulaw (default), g711alaw, g729)
preferred_codec: "none"

# TOS bits in media stream [0-5] (Default - 5)
tos_media: "5"

# Enable VAD (0-disable (default), 1-enable)
enable_vad: "0"

# Allow for the bridge on a 3way call to join remaining parties upon hangup
cnf_join_enable: "1" ; 0-Disabled, 1-Enabled (default)

# Allow Transfer to be completed while target phone is still ringing
semi_attended_transfer: "0" ; 0-Disabled, 1-Enabled (default)

# Telnet Level (enable or disable the ability to telnet into this phone)
telnet_level: "2" ; 0-Disabled (default), 1-Enabled, 2-Privileged

# Inband DTMF Settings (0-disable, 1-enable (default))
dtmf_inband: "1"

# Out of band DTMF Settings (none-disable, avt-avt enable (default), avt_always - always avt )
dtmf_outofband: "avt"

# DTMF dB Level Settings (1-6dB down, 2-3db down, 3-nominal (default), 4-3db up, 5-6dB up)
dtmf_db_level: "3"

# SIP Timers
timer_t1: "500" ; Default 500 msec
timer_t2: "4000" ; Default 4 sec
sip_retx: "10" ; Default 11
sip_invite_retx: "6" ; Default 7
timer_invite_expires: "180" ; Default 180 sec

# Setting for Message speeddial to UOne box
messages_uri: "*97"

# TFTP Phone Specific Configuration File Directory
tftp_cfg_dir: ""

# Time Server
sntp_mode: "unicast"
sntp_server: "129.6.15.30"
time_zone: "EST"
dst_offset: "1"
dst_start_month: "Mar"
dst_start_day: ""
dst_start_day_of_week: "Sun"
dst_start_week_of_month: "2"
dst_start_time: "02"
dst_stop_month: "Nov"
dst_stop_day: ""
dst_stop_day_of_week: "Sunday"
dst_stop_week_of_month: "1"
dst_stop_time: "2"
dst_auto_adjust: "1"

# Do Not Disturb Control (0-off, 1-on, 2-off with no user control, 3-on with no user control)
dnd_control: "2" ; Default 0 (Do Not Disturb feature is off)
# Caller ID Blocking (0-disabled, 1-enabled, 2-disabled no user control, 3-enabled no user control)
callerid_blocking: "0" ; Default 0 (Disable sending all calls as anonymous)

# Anonymous Call Blocking (0-disabled, 1-enabled, 2-disabled no user control, 3-enabled no user control)
anonymous_call_block: "0" ; Default 0 (Disable blocking of anonymous calls)

# Call Waiting (0-disabled, 1-enabled, 2-disabled with no user control, 3-enabled with no user control)
call_waiting: "1" ; Default 1 (Call Waiting enabled)

# DTMF AVT Payload (Dynamic payload range for AVT tones - 96-127)
dtmf_avt_payload: "101" ; Default 100

# XML file that specifies the dialplan desired
dial_template: "dialplan"

# Network Media Type (auto, full100, full10, half100, half10)
network_media_type: "auto"

#Autocompletion During Dial (0-off, 1-on [default])
autocomplete: "1"

#Time Format (0-12hr, 1-24hr [default])
time_format_24hr: "0"

# URL for external Phone Services
#services_url: "http://mypbxurl.com/app/provision/?file=services.xml&mac=0015F9C0D54A"

# URL for external Directory location
directory_url: "http://mypbxurl.com/app/provision/?file=directory.xml&mac=0015F9C0D54A"

# URL for branding logo
logo_url: "http://someurlforthelogo.com/images/logo.bmp"

# Remote Party ID
remote_party_id: 1 ; 0-Disabled (default), 1-Enabled

phone_password: "cisco"
 

taptech

This is an example of the SIPDefault.cnf file that I used:
# SIP Default Generic Configuration File

# Image Version
image_version: P0S3-8-12-00

# Proxy Server
proxy1_address: xxx.xxx.xxx.xxx put your pbx IP there

# Proxy Server Port (default - 5060)
proxy1_port: 5060

# Proxy Registration (0-disable (default), 1-enable)
proxy_register: 1

# Phone Registration Expiration [1-3932100 sec] (Default - 3600)
timer_register_expires: 170

# Codec for media stream (g711ulaw (default), g711alaw, g729)
preferred_codec: g711u

# TOS bits in media stream [0-5] (Default - 5)
tos_media: 7

# Inband DTMF Settings (0-disable, 1-enable (default))
dtmf_inband: 1

# Out of band DTMF Settings (none-disable, avt-avt enable (default), avt_always - always avt )
dtmf_outofband: avt

# DTMF dB Level Settings (1-6dB down, 2-3db down, 3-nominal (default), 4-3db up, 5-6dB up)
dtmf_db_level: 3

# SIP Timers
timer_t1: 500 ; Default 500 msec
timer_t2: 4000 ; Default 4 sec
sip_retx: 11 ; Default 11
sip_invite_retx: 3 ; Default 7
timer_invite_expires: 180 ; Default 180 sec

####### New Phase 4 Parameters #######

# Dialplan template (.xml format file relative to the TFTP root directory)
dial_template: dialplan

# TFTP Phone Specific Configuration File Directory
# tftp_cfg_dir: "./sip_phone/" ; Example: ./sip_phone/
tftp_cfg_dir: ./

#logo_url: http://logourl.com/images/logo.bmp

# Time Server (There are multiple values and configurations refer to Admin Guide for Specifics)
sntp_server: 12.39.208.194 ; SNTP Server IP Address
sntp_mode: directedbroadcast ; unicast, multicast, anycast, or directedbroadcast (default)
time_zone: EST ; Time Zone Phone is in
dst_offset: 1 ; Offset from Phone's time when DST is in effect
dst_start_month: April ; Month in which DST starts
dst_start_day: "" ; Day of month in which DST starts
dst_start_day_of_week: Sun ; Day of week in which DST starts
dst_start_week_of_month: 1 ; Week of month in which DST starts
dst_start_time: 02 ; Time of day in which DST starts
dst_stop_month: Oct ; Month in which DST stops
dst_stop_day: "" ; Day of month in which DST stops
dst_stop_day_of_week: Sunday ; Day of week in which DST stops
dst_stop_week_of_month: 8 ; Week of month in which DST stops 8=last week of month
dst_stop_time: 2 ; Time of day in which DST stops
dst_auto_adjust: 1 ; Enable(1-Default)/Disable(0) DST automatic adjustment

# Do Not Disturb Control (0-off, 1-on, 2-off with no user control, 3-on with no user control)
dnd_control: 0 ; Default 0 (Do Not Disturb feature is off)

# Caller ID Blocking (0-disabled, 1-enabled, 2-disabled no user control, 3-enabled no user control)
callerid_blocking: 0 ; Default 0 (Disable sending all calls as anonymous)


# Anonymous Call Blocking (0-disabled, 1-enabled, 2-disabled no user control, 3-enabled no user control)
anonymous_call_block: 0 ; Default 0 (Disable blocking of anonymous calls)

# DTMF AVT Payload (Dynamic payload range for AVT tones - 96-127)
dtmf_avt_payload: 101 ; Default 100

# Speed Dial Key for Message Key
messages_uri: *97

# NAT/Firewall Traversal
nat_enable: 1 ; 0-Disabled (default), 1-Enabled
nat_address: "" ; WAN IP address of NAT box (dotted IP or DNS A record only)
voip_control_port: 5060 ; UDP port used for SIP messages (default - 5060)
start_media_port: 16384 ; Start RTP range for media (default - 16384)
end_media_port: 32766 ; End RTP range for media (default - 32766)
nat_received_processing: 0 ; 0-Disabled (default), 1-Enabled

# Outbound Proxy Support
# outbound_proxy: "" ; restricted to dotted IP or DNS A record only
outbound_proxy_port: 5060 ; default is 5060

proxy_backup: ""

proxy_emergency: ""

####### New Parameter added in Release 3.0 #######

# Allow for the bridge on a 3way call to join remaining parties upon hangup
cnf_join_enable : 1 ; 0-Disabled, 1-Enabled (default)

####### New Parameters added in Release 3.1 #######

# Allow Transfer to be completed while target phone is still ringing
semi_attended_transfer: 1 ; 0-Disabled, 1-Enabled (default)

# Telnet Level (enable or disable the ability to telnet into the phone)
telnet_level: 2 ; 0-Disabled (default), 1-Enabled, 2-Privileged
phone_password: cisco
 

CPav

Thanks. I'll give these settings a try. Is your cloud pbx also fusionpbx?

I've got domain reg on my fusionpbx so in place of proxy I have to use the domain name and then stipulate the outbound proxy. What interests me with your settings is the nat received processing.
 

CPav

Doesn't seem to work for me, I think it's because I'm using Domain auth on my FusPBX which then forces me to use the Outbound proxy, and perhaps that coupled with NAT is my issue. Multiple 7940's on my LAN connecting directly to the PBX work fine, over NAT the first device to reg is the only device to reg.

My MAC.cnf - Only showing the relevant NAT and Proxy settings

proxy1_address: "aventier"

line1_name: "507"
line1_displayname: "507"
line1_authname: "507"
line1_password: "Password"

# Emergency Proxy info
proxy_emergency: ""
proxy_emergency_port: "5080"

# Backup Proxy info
proxy_backup: ""
proxy_backup_port: "5080"

# Outbound Proxy info
outbound_proxy: "IP-internal/external PBX"
outbound_proxy_port: "5080"

# NAT/Firewall Traversal
nat_enable: "1"
nat_address: ""
voip_control_port: "5080"
start_media_port: "16384"
end_media_port: "32766"
nat_received_processing: "0"

My Sipdefault - Only showing the relevant NAT and Proxy settings

image_version: P0S3-8-12-00
proxy1_address: "PBX_IP(set to internal/external depending"
proxy1_port: 5080
proxy_register: 1
timer_register_expires: 180
preferred_codec: g729a

# Backup Proxy Support
proxy_backup: ""
proxy_backup_port: 5080

# Emergency Proxy Support
proxy_emergency: ""
proxy_emergency_port: 5080

# NAT/Firewall Traversal
nat_enable: 1
nat_address: ""
voip_control_port: 5080
start_media_port: 16384
end_media_port: 32766
nat_received_processing: 0

# Outbound Proxy Support
outbound_proxy: "IP-Internal/External"
outbound_proxy_port: 5080
 

CPav

Of course it is Fusionpbx, I wouldn't have it any other way! :)
Of course!
Ok but are you using domains? If so then perhaps it's your sip profile that's doing the trick? What are your NDLB settings?
Thanks for the help thus far.
 

taptech

I am using domains. To be honest, I was surprised that these phones didn't get picked up by the default firewall rules... so that must be set properly somewhere else. Let me double check for you when I get back to the office later. Why are you trying to register on port 5080? By default that is for carriers, not phone registrations.
 

CPav

@DigitalDaz To be honest I wasn't aware that 5080 was for unauthed calls and carriers only. I used it because back at the start I didn't want to use 5060 as it was being port scanned continuously, and I use voip.ms which had as an alternate 5080...so I thought to use it throughout...I had no idea it was used for unauthed calls and carriers...so I guess a mistake I've made here is not separating sip profiles...one for user access and one for upstream provider access. I guess I'll have to change this now that I know. However, I don't believe that would have any bearing on my original issue right? I'll be changing this port shortly to something random higher up. - Just to clarify here though, I'm only using the internal sip profile and have just changed its port from 5060 to 5080...does this mean that it's still using auth?

@taptech I'd love to know your sip profile settings relating to NAT, and if you use sip-force-contact and/or NDLB to get your 7940's working, I may try downgrading the firmware so that it's equivalent to yours so that I'm certain it's not a firmware issue of any sort. Also the only way I can stipulate Domain for sip auth is to use it as the proxy1 address and set the outbound proxy to the pbx ip.
 

DigitalDaz

The software I used for years is: P0S3-8-12-00

I never actually got it working without port forwarding.

I think I may also have used it with: nat_received_processing: 1
 

CPav

Guys, I've managed to get this working now...
The param voip_control_port: in the SIPDEF and MAC.CNF, was set to 5080, by changing this to something random like 55555 for phone 1 and 55556 on phone two...rinse repeat per phone, this works as it now should. I'm not sure if this will have any other knock-on effects but for the moment it's working and I'll carry out some further testing later.
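
An added example, not part of the original posts: a small audit over 7940 `.cnf` files in the format posted in this thread, flagging phones that end up on the same `voip_control_port` (the setting changed in the fix above) and phones with telnet enabled under the `cisco` phone password seen in the sample configs. The file names and sample contents are constructed, and it assumes per-phone values override SIPDefault values.

```python
import re
from collections import defaultdict

# Constructed sample configs in the "key: value ; comment" style posted in this thread.
SIP_DEFAULT = '''
# NAT/Firewall Traversal
nat_enable: 1 ; 0-Disabled (default), 1-Enabled
voip_control_port: 5080
telnet_level: 2 ; 0-Disabled (default), 1-Enabled, 2-Privileged
phone_password: cisco
'''
PHONES = {  # hypothetical file names -> per-phone overrides
    "SIP000000000001.cnf": 'line1_name: "507"\nvoip_control_port: "55555"\n',
    "SIP000000000002.cnf": 'line1_name: "508"\n',
    "SIP000000000003.cnf": 'line1_name: "509"\ntelnet_level: "0"\n',
}

LINE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*:\s*(.*)$')

def parse_cnf(text):
    """Return {key: value} for one .cnf file; later duplicates win."""
    settings = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # whole-line comment
        m = LINE.match(raw)
        if not m:
            continue
        value = m.group(2)
        quoted = re.match(r'"([^"]*)"', value)
        # Quoted values may contain ';' or ':' (URLs); bare values end at ';'.
        value = quoted.group(1) if quoted else value.split(";", 1)[0].strip()
        settings[m.group(1)] = value
    return settings

def audit(default_text, phones):
    """Flag shared SIP control ports and telnet left on with the 'cisco' password."""
    base = parse_cnf(default_text)
    by_port, findings = defaultdict(list), []
    for name, text in sorted(phones.items()):
        cfg = {**base, **parse_cnf(text)}  # assumption: per-phone file overrides defaults
        # 5060 when unset, as reported later in this thread
        by_port[cfg.get("voip_control_port", "5060")].append(name)
        if cfg.get("telnet_level", "0") != "0" and cfg.get("phone_password") == "cisco":
            findings.append((name, "telnet enabled with password 'cisco'"))
    for port, names in sorted(by_port.items()):
        if len(names) > 1:
            findings.append((",".join(names), f"shared voip_control_port {port}"))
    return findings

if __name__ == "__main__":
    for target, issue in audit(SIP_DEFAULT, PHONES):
        print(f"{target}: {issue}")
```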
 

taptech

I use the default 5060, but it sounds like you would need to do some work on your server's SIP profiles to accomplish what you're looking for. I wouldn't suggest relying on setting a different control port on each phone as it would become difficult to manage later... the server should be able to deal with communicating with devices on negotiated ports. I think that's how it works anyways!
 

taptech

oh, guys. Mine works without port forwarding. Maybe I should share my firmware and stuff! Give me some time and I will get that together.
 

CPav

Yeah agreed, I'm not port forwarding though either and to be honest it's no big thing to set the vcontrol port, but yes, please share what you have...the easier I can make this the better.

Edit - come to think of it, perhaps I shouldn't put anything into the voice control port setting and see if it randomizes on its own...will come back with the result

Ok, just defaults to 5060 if not set.
 

taptech

FAIR WARNING! I cobbled this stuff together at least a year ago and have FORGOTTEN EVERYTHING ABOUT IT. So please proceed with caution. I believe if you put all of these files on a TFTP server, the phone will pick up the firmware file and flash it. This is for Cisco 7940G units. I think, but don't remember, this will flash your UCM units over to SIP if you point them to the TFTP using a DHCP option. Don't quote me on that... I don't remember.

The result is that the phones work and register to a cloud hosted fusionpbx. On my server, I do get some notices in the log about register attempts via IP but it does not trigger a firewall ban. I'm using the default rules. I'm not well versed enough to tell you why. I have not tried the built-in provisioning files from fusionpbx though. If Mark made them, he knows his stuff, I'm sure they work. Not sure about the specific environment though- maybe he made them with a local PBX in mind.

https://drive.google.com/open?id=1zhbZF9DSEsTPghqmrXRTeAJ9ZSt_tMKf
 

CPav

Thank you! I can dust off the 100 or so Cisco's I bought!
 

DigitalDaz

Granted they are very popular and a very, very good phone. I'm sure many will work for years to come. I had one on my desk for 5 years and only replaced it with a T46S when it packed up though I have to admit, I personally liked my 7960 better.

So let there be a forum to honor these great beasts :D http://www.pbxforums.com/forums/cisco-79xx-series.45/
 