Updated May 2015
Notes
- The Cisco 861 is designed for a small office of up to five people. The 871 and 881 support up to twenty users. The 891 support fifty users.
- A SIP ALG is turned on automatically when NAT is enabled as of IOS version 12.2(8).
- We discovered the SIP ALG to be broken in 12.4(20)T, but an upgrade to 12.4(24)T2 resolved the issue. We have also successfully tested 12.4(15)T9.
Router Configuration
Step 1: Start fresh. The 800 series ships with a number of preconfigured options that are unnecessary to a basic setup, so the first thing we did was "write erase" and "reload".
Step 2: Configure the DHCP pool for the private network:
ip dhcp pool POOLNAME
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
domain-name yourdomain.com
dns-server 1.1.1.1 2.2.2.2
lease 0 2
Step 3: Configure the NAT pool and allow the private network to access it:
access-list 23 permit 10.10.10.0 0.0.0.255
ip nat pool NATPOOL 6.7.8.9 6.7.8.9 netmask 255.255.255.0
ip nat inside source list 23 pool NATPOOL overload
(6.7.8.9 is our imaginary public IP that was assigned by our ISP)
Step 4: Configure the WAN interface and configure it for NAT:
interface FastEthernet4
ip address 6.7.8.9 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
Step 5: Set up a default route to your ISP's gateway:
ip route 0.0.0.0 0.0.0.0 6.7.8.1
Ping your favorite Internet host to test connectivity.
Step 6: Create a VLAN interface for the private network and configure it for NAT:
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
Step 7: Assign your switch port interfaces to your VLAN:
interface FastEthernet0
switchport mode access
switchport access vlan 1
(repeat for any further switchport interfaces required)
Troubleshooting
At this point, your phones should be up and running without having to do anything further. However, if you experience difficulties and need to debug further, you can explicitly set up a SIP firewall, which will allow you to see SIP traffic more clearly. Please note that debugging is resource intensive and will affect performance of the router.
To set up the SIP firewall, at the global config, type:
ip inspect name VOIP sip
And then on your VLAN interface, type:
ip inspect VOIP in
This will give you access to some useful tools, such as:
show ip inspect all
show ip inspect sessions
show ip inspect statistics
debug ip inspect protocol sip
debug ip inspect protocol sessions
We also found the following commands helpful for debugging:
show ip nat translations udp verbose
debug ip cef packet all input 23 rate 0
debug ip packet 23 detail
Optimize your network for business VoIP with the right router
Comments