Old 06-14-2009, 06:12 PM
 
Location: Tyler, TX
I'm working on replacing our linux pbx system with a cisco 2621 as our border router. It needs to do nat, and also has to allow and forward incoming connections on certain ports. Primarily, these have to do with the phones, but I'm also forwarding ssh and will be doing more later, after I get this problem worked out.

The standard nat functionality is working fine - we can browse the 'net, check our mail, etc. The phone system seems to be doing fine, too. We can make and receive calls, and everyone can hear each other.

The problem I'm having is with phone registrations from outside our network. When I try connecting by using a softphone on my PC that's connected to the net via my cellphone (local network cable disconnected), I get a "port unreachable" response back from the cisco. I thought that maybe Sprint was blocking SIP on their data network (wouldn't want those pesky customers using free data time & voip instead of costly cellular minutes!), so I connected to a VPN elsewhere on the 'net and tried it from there, with the same result.

The really odd thing is that the other ports, e.g. ssh, work as expected. The only thing that seems to be broken is SIP registrations. I'm quite befuddled...

Here's the relevant config from the cisco, with the stuff that shouldn't be posted in a forum masked out. The public facing interface is FastEthernet0/0, and the LAN interface is FastEthernet0/1. Access-list 111 shows what needs to get through and forwarded to the pbx machine.

Quote:
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 *************
!
memory-size iomem 20
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip access-group 101 in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.31.0.254 255.255.255.0
ip nat inside
speed auto
full-duplex
!
ip nat pool voip 172.31.0.1 172.31.0.1 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside destination list 111 pool voip
no ip http server
ip classless
!
!
logging facility news
logging source-interface FastEthernet0/1
logging 172.31.0.1
access-list 1 permit 172.31.0.0 0.0.0.255
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
access-list 111 permit tcp any any range 5060 5089
access-list 111 permit udp any any range 5060 5089
access-list 111 permit udp any any range 10000 20000
access-list 111 permit tcp any any eq 22
!
line con 0
line aux 0
line vty 0 4
password *********
login
!
!
end
I know, the 101 acl is too loose - I'll tighten it down later. Right now I'm more concerned about getting the external phones to register. If I don't get this resolved today, I probably won't be able to work on it again until next weekend and I'll have to undo all the reconfiguring I did today.

It's also worth noting that I tried a static 1:1 mapping, forwarding all traffic that wasn't part of an existing nat session on to the pbx system, and had the exact same issue.

Any ideas?
Old 06-15-2009, 01:35 PM
 
16,294 posts, read 28,543,062 times
Reputation: 8384
Nothing jumps out at me.

Have you run "debug ip nat sip", or are you not wanting to run debug on a production router?
Old 06-15-2009, 01:53 PM
Location: Tyler, TX
I have, and nothing shows at all when a registration from outside the LAN is attempted.

I'm thinking that IOS just isn't the right tool for the job in this scenario. It's supposed to be able to be done, either this way or with route maps, but both are hacks to get it to do something it wasn't designed to do, and neither are working for me.

I'm looking at PIXs on eBay right now... Wanna buy a router?
Old 06-16-2009, 06:04 AM
Location: The DMV
Ok - I've not worked on routing/switching in years... and never on VoIP implementations... but:

Try adding static routes just to see if that works....
i.e.

ip nat inside source static udp 172.16.31.1 <port> interface Ethernet0 <port>

I'd also log the ACL's just to see what's being hit....
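Added example, not from any of the posts above: a static port-forwarding version of the NAT section of the OP's config, along the lines the last reply suggests, plus ACL logging so hits show up on the syslog host the router already sends to. The likely reason the rotary pool works for ssh but never for SIP registrations is that "ip nat inside destination ... type rotary" is the IOS TCP load-distribution feature and only translates TCP; UDP/5060 arriving on the outside address finds no translation, is delivered to the router itself, and is answered with ICMP port unreachable, which also matches the empty "debug ip nat" output. Addresses and interface names are the ones in the posted config; the assumptions are that the PBX at 172.31.0.1 listens on 5060 for both UDP and TCP, and that the IOS SIP ALG ("ip nat service sip udp port 5060", normally on by default) is available on this 12.3 image to open the RTP ports from the SDP, which avoids static entries for the 10000-20000 media range (IOS static translations take one port each, not a range).

```cisco
! Remove the TCP-only rotary destination NAT (destination list first, then the pool).
no ip nat inside destination list 111 pool voip
no ip nat pool voip 172.31.0.1 172.31.0.1 netmask 255.255.255.0 type rotary
!
! Outbound PAT for the LAN stays exactly as posted.
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Per-port static translations to the PBX. Using "interface FastEthernet0/0"
! instead of a fixed global address keeps them valid when the DHCP lease changes.
ip nat inside source static udp 172.31.0.1 5060 interface FastEthernet0/0 5060
ip nat inside source static tcp 172.31.0.1 5060 interface FastEthernet0/0 5060
ip nat inside source static tcp 172.31.0.1 22 interface FastEthernet0/0 22
!
! SIP ALG (assumed present on this image): rewrites SDP and creates the RTP
! translations per call, so the 10000-20000 range needs no static entries.
ip nat service sip udp port 5060
!
! Inbound filter on the outside interface. The catch-all permit is kept for now,
! as the OP says they will tighten it later; the logged lines in front of it show
! whether SIP and ssh traffic is actually arriving. Note the inbound ACL is
! evaluated before NAT, so it matches on the router's public address.
no access-list 101
access-list 101 deny   tcp any any eq telnet log
access-list 101 permit udp any any eq 5060 log
access-list 101 permit tcp any any eq 5060 log
access-list 101 permit tcp any any eq 22 log
access-list 101 permit ip any any
!
! access-list 111 is no longer referenced once the rotary pool is gone.
no access-list 111
!
interface FastEthernet0/0
 ip access-group 101 in
```

To check it, "show ip nat translations" should list the three static entries (with the outside side shown as ---) before any phone connects; then attempt a registration from outside and watch the syslog on 172.31.0.1 for the logged access-list 101 hits and, if the router is not too busy, "debug ip nat detailed" for the UDP/5060 translation. A registration that now reaches the PBX but produces one-way audio points at the RTP side, i.e. the ALG assumption above rather than the signalling translation.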