Updated May 2015
- The Cisco 861 is designed for a small office of up to five people. The 871 and 881 support up to twenty users. The 891 support fifty users.
- A SIP ALG is turned on automatically when NAT is enabled as of IOS version 12.2(8).
- We discovered the SIP ALG to be broken in 12.4(20)T, but an upgrade to 12.4(24)T2 resolved the issue. We have also successfully tested 12.4(15)T9.
Step 1: Start fresh. The 800 series ships with a number of preconfigured options that are unnecessary to a basic setup, so the first thing we did was "write erase" and "reload".
Step 2: Configure the DHCP pool for the private network:
ip dhcp pool POOLNAME
network 10.10.10.0 255.255.255.0
dns-server 184.108.40.206 220.127.116.11
lease 0 2
Step 3: Configure the NAT pool and allow the private network to access it:
access-list 23 permit 10.10.10.0 0.0.0.255
ip nat pool NATPOOL 18.104.22.168 22.214.171.124 netmask 255.255.255.0
ip nat inside source list 23 pool NATPOOL overload
(126.96.36.199 is our imaginary public IP that was assigned by our ISP)
Step 4: Configure the WAN interface and configure it for NAT:
ip address 188.8.131.52 255.255.255.0
ip nat outside
Step 5: Set up a default route to your ISP's gateway:
ip route 0.0.0.0 0.0.0.0 184.108.40.206
Ping your favorite Internet host to test connectivity.
Step 6: Create a VLAN interface for the private network and configure it for NAT:
ip address 10.10.10.1 255.255.255.0
ip nat inside
Step 7: Assign your switch port interfaces to your VLAN:
switchport mode access
switchport access vlan 1
(repeat for any further switchport interfaces required)
At this point, your phones should be up and running without having to do anything further. However, if you experience difficulties and need to debug further, you can explicitly set up a SIP firewall, which will allow you to see SIP traffic more clearly. Please note that debugging is resource intensive and will affect performance of the router.
To set up the SIP firewall, at the global config, type:
ip inspect name VOIP sip
And then on your VLAN interface, type:
ip inspect VOIP in
This will give you access to some useful tools, such as:
show ip inspect all
show ip inspect sessions
show ip inspect statistics
debug ip inspect protocol sip
debug ip inspect protocol sessions
We also found the following commands helpful for debugging:
show ip nat translations udp verbose
debug ip cef packet all input 23 rate 0
debug ip packet 23 detail
Optimize your network for business VoIP with the right router