
Port forwarding for Voip

Status
Not open for further replies.

StaplesMan

Technical User
Joined
Mar 8, 2006
Messages
123
Location
US
I'm trying to get my router to work correctly with my Linksys SPA-2102. I have service with Voipyourlife.com.

It all works, but sometimes I have problems making calls. The line does not make the call all the time. I called their support and talked to someone, and he got me access to the configuration of the unit and set an IP on the adapter. He also told me I need to have the following ports forwarded on my router. He also told me I was connecting on the wrong port on their network. And sure enough, I did a show ip nat tran and it was changing 5060 to another port number.

UDP ports that need to be forwarded.
5004
5060 - 5069
16000 - 16500

I did some research and found out I would need to use the following commands to do a range of ports and have them forwarded to my Voip box.

ip nat pool Voip 10.0.1.50 10.0.1.50 netmask 255.255.255.0 type rotary
ip nat inside destination list 100 pool Voip
ip nat inside source list 101 interface Ethernet0 overload

access-list 100 permit udp any any eq 5004
access-list 100 permit udp any any range 5060 5069
access-list 100 permit udp any any range 16000 16500

After doing this I did some testing and found that the commands did nothing at all. I did a few clear ip nat tran * and then I was unable to call my home from my cell. Then I thought that if the above commands were not forwarding the packets then I should try a static route. I then used this command.

ip nat inside source static udp 10.0.1.50 5060 interface Ethernet0 5060

Now if I issue a clear ip nat tran * the 5060 port will still forward and my phone rings.

But my question is why do I have to enter the above configuration command to perform the route? Why do the original port forwarding commands I described first work instead?

Does it depend on the direction of the packet? Outside to in or in to out?



 
My running config. 1720 router.


version 12.3
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname FireWall
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
memory-size iomem 25
clock timezone CST -6
clock summer-time cdt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip domain name xxxxxxx.local
!
ip dhcp pool Voip
network 10.0.1.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
default-router 10.0.1.1
!
ip cef
ip audit po max-events 100
!
!
username xxxxxxxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any Voip
match protocol rtp
!
!
policy-map QOS2
class class-default
shape average 486400
shape fr-voice-adapt deactivation 30
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxxxxx
key xxxxxxxxxxxxxxxxxxx
dns 192.168.78.1
wins 192.168.78.1
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback1
ip address 10.0.0.2 255.255.255.248 secondary
ip address 10.0.0.1 255.255.255.248
!
interface Ethernet0
bandwidth 512
ip address dhcp
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
rate-limit output access-group 2020 512000 256000 786000 conform-action transmit exceed-action drop
half-duplex
no cdp enable
crypto map clientmap
service-policy output QOS2
!
interface Ethernet1
ip address 10.0.1.1 255.255.255.0
ip nat inside
full-duplex
!
interface FastEthernet0
ip address 192.168.78.2 255.255.255.0
ip nat inside
speed auto
!
ip local pool ippool 192.168.79.100 192.168.79.200
ip nat pool Voip 10.0.1.50 10.0.1.50 netmask 255.255.255.0 type rotary
ip nat inside source list 101 interface Ethernet0 overload
ip nat inside source static udp 10.0.1.50 5060 interface Ethernet0 5060
ip nat inside source static tcp 10.0.0.1 22 interface Ethernet0 456
ip nat inside source static tcp 10.0.0.1 23 interface Ethernet0 789
ip nat inside source static tcp 192.168.78.201 5012 interface Ethernet0 5012
ip nat inside source static tcp 192.168.78.200 5011 interface Ethernet0 5011
ip nat inside source static tcp 192.168.78.200 5001 interface Ethernet0 5001
ip nat inside source static tcp 192.168.78.201 5002 interface Ethernet0 5002
ip nat inside source static tcp 192.168.78.201 3389 interface Ethernet0 4002
ip nat inside source static tcp 192.168.78.200 3389 interface Ethernet0 4001
ip nat inside source static tcp 192.168.78.1 1723 interface Ethernet0 1723
ip nat inside source static tcp 192.168.78.1 21 interface Ethernet0 21
ip nat inside source static tcp 192.168.78.3 4001 interface Ethernet0 232
ip nat inside source static tcp 192.168.78.1 3389 interface Ethernet0 4000
ip nat inside destination list 100 pool Voip
ip classless
no ip http server
no ip http secure-server
!
!
logging 192.168.78.1
access-list 100 permit udp any any eq 5004
access-list 100 permit udp any any range 5060 5069
access-list 100 permit udp any any range 16000 16500
access-list 100 permit udp any any eq 3478
access-list 101 deny ip 192.168.79.0 0.0.0.255 any
access-list 101 deny ip any 192.168.79.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 remark Inbound Access List logging
access-list 102 deny tcp any any eq ftp
access-list 102 permit udp any any eq bootpc
access-list 102 permit icmp any any
access-list 102 permit ip 192.168.79.0 0.0.0.255 any
access-list 102 deny tcp any any eq 3389 log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 0.0.0.0 0.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip 169.254.0.0 0.0.255.255 any log
access-list 102 deny ip 192.0.2.0 0.0.0.255 any log
access-list 102 deny ip 198.18.0.0 0.1.255.255 any log
access-list 102 deny ip 224.0.0.0 15.255.255.255 any log
access-list 102 permit tcp any any eq ftp log
access-list 102 permit tcp any any eq telnet log
access-list 102 permit tcp any any eq 1723 log
access-list 102 permit tcp any any eq 4000 log
access-list 102 permit tcp any any eq 4001 log
access-list 102 permit tcp any any eq 4002 log
access-list 102 permit tcp any any eq 5001 log
access-list 102 permit tcp any any eq 5002 log
access-list 102 permit tcp any any eq 5011 log
access-list 102 permit tcp any any eq 5012 log
access-list 102 permit tcp any any eq 789 log
access-list 102 permit tcp any any eq 456 log
access-list 102 permit ip any any
access-list 103 remark Inbound Access List logging
access-list 103 deny tcp any any eq ftp
access-list 103 permit udp any any eq bootpc
access-list 103 permit icmp any any
access-list 103 permit ip 192.168.79.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 0.0.0.0 0.255.255.255 any log
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny ip 169.254.0.0 0.0.255.255 any log
access-list 103 deny ip 192.0.2.0 0.0.0.255 any log
access-list 103 deny ip 198.18.0.0 0.1.255.255 any log
access-list 103 deny ip 224.0.0.0 15.255.255.255 any log
access-list 103 permit ip any any
access-list 108 permit ip 10.0.0.0 0.0.0.7 any
access-list 108 permit ip 192.168.78.0 0.0.0.255 any
access-list 108 permit ip 192.168.79.0 0.0.0.255 any
access-list 108 permit ip 10.0.1.0 0.0.0.255 any
access-list 2020 permit icmp any any echo
!
!

!
line con 0
logging synchronous
line aux 0
line vty 0 4
logging synchronous
!
scheduler allocate 4000 1000
sntp server 192.168.78.1
end
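
The poster reports that only the static entry for UDP 5060 took effect, while the ACL 100 ranges did not. The following audit is an added example, not part of the original post: it parses NAT lines copied from the running config above and reports which ports in ACL 100 have no static translation to 10.0.1.50, plus which static forwards publish a cleartext service on the outside interface. Treating ACL 100 as the list of intended forwards and the `CLEARTEXT` table are assumptions of this example.

```python
import re

# Lines copied from the running config in the post (NAT-relevant subset).
CONFIG = """\
ip nat inside source static udp 10.0.1.50 5060 interface Ethernet0 5060
ip nat inside source static tcp 10.0.0.1 22 interface Ethernet0 456
ip nat inside source static tcp 10.0.0.1 23 interface Ethernet0 789
ip nat inside source static tcp 192.168.78.1 21 interface Ethernet0 21
access-list 100 permit udp any any eq 5004
access-list 100 permit udp any any range 5060 5069
access-list 100 permit udp any any range 16000 16500
access-list 100 permit udp any any eq 3478
"""

STATIC = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
ACL = re.compile(r"^access-list (\d+) permit (tcp|udp) any any (?:eq (\d+)|range (\d+) (\d+))$")

def static_forwards(config):
    """Return (proto, inside_ip, inside_port, outside_port) per static NAT line."""
    hits = (STATIC.match(l.strip()) for l in config.splitlines())
    return [(m[1], m[2], int(m[3]), int(m[5])) for m in hits if m]

def acl_ports(config, acl, proto):
    """Expand the numeric eq/range destination ports permitted by one ACL."""
    ports = set()
    for line in config.splitlines():
        m = ACL.match(line.strip())
        if m and m[1] == acl and m[2] == proto:
            lo, hi = int(m[3] or m[4]), int(m[3] or m[5])
            ports.update(range(lo, hi + 1))
    return ports

def uncovered(config, acl="100", proto="udp", host="10.0.1.50"):
    """Ports the ACL lists that have no static translation to the given host."""
    have = {o for p, ip, _, o in static_forwards(config) if p == proto and ip == host}
    return sorted(acl_ports(config, acl, proto) - have)

CLEARTEXT = {21: "ftp", 23: "telnet"}  # assumption: services flagged by this example

def cleartext_exposed(config):
    """Static forwards that publish a cleartext service on the outside interface."""
    return [(CLEARTEXT[i], ip, o) for p, ip, i, o in static_forwards(config)
            if p == "tcp" and i in CLEARTEXT]

if __name__ == "__main__":
    print(len(uncovered(CONFIG)), "UDP ports in ACL 100 lack a static translation")
    print("cleartext services forwarded:", cleartext_exposed(CONFIG))
```

Moving telnet to outside port 789 does not change what is exposed; the check keys on the inside port for that reason.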
 