topic Re: NAT Only works part of the time in General Topics

NAT Only works part of the time

Brad.Herbert — Tue, 18 Sep 2018 20:07:42 GMT

Ok, Who knows what's going here...Here is my Scenario..

We're looking at a new Phone Platform and I'm only able to get a NAT to work part of the time. First, when the IP Phone loads, internal address of 172.23.1.1, It connects out to the Platform IP of 55.66.77.88, downloads the config from it's TFTP Service. Since we don't want our Voice traffic mingled in with our other public traffic, we've NAT'd 172.23.0.0 /16 to a Public IP of 192.15.15.15, the NAT Works perfectly here. Next, once the TFTP Load is complete, the Phone tries to register via SIP, same Internal Address 172.23.1.1 to the platform of 55.66.77.88, however the same NAT Statement is not being used. I've ran numerous PCAP's, changed NAT several times, moved rules, but everything appears correct. Furthermore, when I run test nat-policy-match with the proper destination and source on port 5060 and protocol 17, it test out correctly.

Setup is...

Inside Zone to Destination Zone, source address 172.23.0.0/16 to destination address 55.66.77.88, any interface and any service translate type Dynamic IP address of 192.15.15.15. Anyone have any idea what's going on and why the NAT isn't getting applied 100% of the time? When I look at the Web GUI of the phone platform, it's showing my phone as being registered with our Public IP of 192.15.15.8. I am able to place and receive a call, however there is not audio. Running another PCAP for a call session, all UDP packets from 172.23.1.1 are getting dropped.

One thing to note, SIP ALG is turned enabled, though I'm not sure if that's the issue. Do try to get around SIP ALG, I created a custom Application, mirrored from SIP, and setup an Application Override with Inside/Outside, all IP's and UDP 5060, but still having the issue.

I've opened a Support Case, but with it being a low priority, thought I'd reach out to the community to see if anyone has ran into this issue inthe past.

We're running 8.0.8 PAN-OS version.

Re: NAT Only works part of the time

reaper — Thu, 20 Sep 2018 08:34:50 GMT

try dynamic-ip-and-port

with dynamic IP you may be running out of ip-port combinations and breaking NAT because you only have 1 single IP and are forcing port reuse (oversubscription of more than 8x will be reached quickly)

if your SIP implementation doesn;t allow the varying source ports, you'll need a bigger subnet to NAT your phones

Re: NAT Only works part of the time

Brad.Herbert — Thu, 20 Sep 2018 12:49:08 GMT

I've changed to dynamin-ip-and-port, however I'm still getting the same results. Currently, we're just testing with one phone back to the new PBX solution. Support hasn't been any help, they've asked that I clear all sessions, would be suprised if that actually works. Doesn't matter what I try, the TFTP Download from the PBX utilizes the NAT however the SIP Registration does not, same source and Destination addresses for both the TFTP Download and SIP Registration.

Re: NAT Only works part of the time

reaper — Thu, 20 Sep 2018 14:31:08 GMT

Have you set a filter and checked the global counters? SIP has this thing where it sometimes reuses all the session parameters (source ports et al) of the previous session, which the firewall doesn't like

that will likely show up in error counters

additionally, you could try disabling the ALG on the sip application, or try an app override altogether

Re: NAT Only works part of the time

Brad.Herbert — Fri, 21 Sep 2018 19:10:26 GMT

Finally have the NAT working 100% of the time, had to clear the old SIP Sessions. However, Audio still is an issue so I'm going to try building out an Applicaion Override to see if that works.

Re: NAT Only works part of the time

OtakarKlier — Fri, 21 Sep 2018 19:28:31 GMT

Hello,

Could you expand on the issues you are having with audio? i.e. poor quality, one side cannot hear, etc.

Regards,

Re: NAT Only works part of the time

Brad.Herbert — Fri, 21 Sep 2018 19:41:49 GMT

We aren't getting any audio, either way. My Phone Rings just as it should, when I answer there isn't any audio either way. Running PCAP's, I keep seeing 401 unauthorized responses back from the PBX.

Even wierder, just called that test phone from my cell phone, I just left the call established and after about 4 Minutes, i had audio both ways?

Re: NAT Only works part of the time

OtakarKlier — Fri, 21 Sep 2018 19:52:43 GMT

Hello,

So is it consistently working now or still takes minutes to connect?

Please advise,

Re: NAT Only works part of the time

Brad.Herbert — Fri, 21 Sep 2018 19:58:08 GMT

Once the call is connected, Audio is not getting passed until 2 minutes into the session.

Re: NAT Only works part of the time

Brad.Herbert — Fri, 21 Sep 2018 20:00:00 GMT

Running another PCAP, i just noticed the Firewall is dropping UDP packets, inside to outside. Looking back through, the source and destination ports are the same during the call, but are different with each call.

Re: NAT Only works part of the time

OtakarKlier — Fri, 21 Sep 2018 20:01:27 GMT

Also check the logs, they should show what/where its getting blocked and you can adjust you policies accordingly.

Re: NAT Only works part of the time

Brad.Herbert — Fri, 21 Sep 2018 20:15:43 GMT

Going through the logs, nothing is being blocked by policy to/from by private address/NAT'd Address and the PBX. Actually, the policy is set to allow any application, Service is Application-Default. I enabled logging on my Interzone rule, however nothing is being dropped by policy, that I can find.

Re: NAT Only works part of the time

OtakarKlier — Fri, 21 Sep 2018 20:20:30 GMT

I hear ya it can be a pain. We use Skype and I can tell you that even having the application set to any and service to application default was not enough. Skype/Lync use like almost every port 50K and up :(. Does your SIP terminate internally or does it flow out over the internet to the provider? I would also say call the provider and see if they can run a trace while your making the test call just to see if they see anything on their end.

Re: NAT Only works part of the time

Brad.Herbert — Fri, 24 May 2019 16:46:04 GMT

Just an FYI, the issue was finally determined to be a bug in Pan-OS 8.0 - 8.1.6. (PAN-103023).