Is there anything special that anyone here has had to do to get an Aastra phone (on the Internet) to talk to Asterisk behind a PIX firewall? Ports 10000-20000 UDP are open on the PIX and forwarding to the Asterisk server. The Asterisk server's RTP.CONF is set to use 10000-20000. The phone registers, and will place AND receive calls, however, no audio is passed. The phone is an Aastra 9133i.

Matt wrote:
> Is there anything special that anyone here has had to do to get an
> Aastra phone (on the Internet) to talk to Asterisk behind a PIX firewall?
>
> Ports 10000-20000 UDP are open on the PIX and forwarding to the Asterisk
> server. The Asterisk server's RTP.CONF is set to use 10000-20000.
> The phone registers, and will place AND receive calls, however, no audio
> is passed. The phone is an Aastra 9133i.

Just checking.... NAT=yes, canreinvite=no ?

Thanks,
Steve Totaro
888.777.1888

> Just checking.... NAT=yes, canreinvite=no ?

Correct, I have those settings set for this phone. Asterisk has been reloaded even restarted.

Matt wrote:
> > Just checking.... NAT=yes, canreinvite=no ?
>
> Correct, I have those settings set for this phone. Asterisk has been
> reloaded even restarted.

Is this a dual NAT situation? NAT on the phone side and NAT at the PIX? If so, I fear it will never work, you might get one way audio though.

I live OpenVPN bridges for double NAT situations, of course you could try IAX2 but I have seen too many sound quality issues surrounding IAX2 so I try to stick with SIP, even if that means setting up VPNs.

Thanks,
Steve
888.777.1888

Matt,

If your phone is using SIP, then you should enable sip inspection (7.x code or above) or fixup sip (6.x code) and have a rule that allows source (wherever you need) inbound on the outside interface to TCP 5060 (SIP port). The sip inspection or fixup should enable the proper ports for the required RTP streams. I had this working through an ASA at some point, but I don't remember if both ends were doing NAT or only one end.

I don't know the phone you are talking about, but you also might want to look into STUN or ICE to get beyond the NAT Traversal issue, if that is what's causing the problem.

In the Firewall log, are you seeing Denys? or drops? Have you tried debug sip on the firewall console?

I've been dealing with several ASA SIP issues lately. SIP trunking with NAT will certainly not work and there is a Cisco Bug that my company discovered when setting up our PBX.

Shlomo in Israel

On 11/27/07, Matt <mhoppes at gmail.com> wrote:
> Is there anything special that anyone here has had to do to get an Aastra
> phone (on the Internet) to talk to Asterisk behind a PIX firewall?
>
> Ports 10000-20000 UDP are open on the PIX and forwarding to the Asterisk server. The
> Asterisk server's RTP.CONF is set to use 10000-20000. The phone
> registers, and will place AND receive calls, however, no audio is passed.
> The phone is an Aastra 9133i.
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

On Nov 27, 2007 9:08 AM, Steve Totaro <stotaro at totarotechnologies.com> wrote:
> Matt wrote:
> > > Just checking.... NAT=yes, canreinvite=no ?
> >
> > Correct, I have those settings set for this phone. Asterisk has been
> > reloaded even restarted.
>
> Is this a dual NAT situation? NAT on the phone side and NAT at the PIX?
> If so, I fear it will never work, you might get one way audio though.

I disagree with you, setting in sip.conf:

externhost=ddnsname;or set the next setting
externip=x.x.x.x;external ip
externrefresh=10;for dns
localnet=192.168.0.0/255.255.0.0

should take care of this, I have never had a problem with dual nat like this, using Aastra, Cisco, Polycom and linksys.

> I live OpenVPN bridges for double NAT situations, of course you could
> try IAX2 but I have seen too many sound quality issues surrounding IAX2
> so I try to stick with SIP, even if that means setting up VPNs.
>
> Thanks,
> Steve
>
> 888.777.1888

C F wrote:
> On Nov 27, 2007 9:08 AM, Steve Totaro <stotaro at totarotechnologies.com> wrote:
>> Matt wrote:
>>> Just checking.... NAT=yes, canreinvite=no ?
>>>
>>> Correct, I have those settings set for this phone. Asterisk has been
>>> reloaded even restarted.
>>
>> Is this a dual NAT situation? NAT on the phone side and NAT at the PIX?
>> If so, I fear it will never work, you might get one way audio though.
>
> I disagree with you, setting in sip.conf:
> externhost=ddnsname;or set the next setting
> externip=x.x.x.x;external ip
> externrefresh=10;for dns
> localnet=192.168.0.0/255.255.0.0
> should take care of this, I have never had a problem with dual nat
> like this, using Aastra, Cisco, Polycom and linksys.

You are probably right. I think the first and last time I attempted double NATs, there was no sip.conf, I have to keep up with the times, lol. Worth a shot. I still like the OpenVPN solution for security and other added benefits.

>> I live OpenVPN bridges for double NAT situations, of course you could
>> try IAX2 but I have seen too many sound quality issues surrounding IAX2
>> so I try to stick with SIP, even if that means setting up VPNs.
>>
>> Thanks,
>> Steve
>>
>> 888.777.1888

Steve Totaro wrote:
> C F wrote:
>> On Nov 27, 2007 9:08 AM, Steve Totaro <stotaro at totarotechnologies.com> wrote:
>>> Matt wrote:
>>>> Just checking.... NAT=yes, canreinvite=no ?
>>>>
>>>> Correct, I have those settings set for this phone. Asterisk has been
>>>> reloaded even restarted.
>>>
>>> Is this a dual NAT situation? NAT on the phone side and NAT at the PIX?
>>> If so, I fear it will never work, you might get one way audio though.
>>
>> I disagree with you, setting in sip.conf:
>> externhost=ddnsname;or set the next setting
>> externip=x.x.x.x;external ip
>> externrefresh=10;for dns
>> localnet=192.168.0.0/255.255.0.0
>> should take care of this, I have never had a problem with dual nat
>> like this, using Aastra, Cisco, Polycom and linksys.
>
> You are probably right. I think the first and last time I attempted
> double NATs, there was no sip.conf, I have to keep up with the times,
> lol. Worth a shot. I still like the OpenVPN solution for security and
> other added benefits.

Sorry, those options were not available in sip.conf is what I meant to say.

>>> I live OpenVPN bridges for double NAT situations, of course you could
>>> try IAX2 but I have seen too many sound quality issues surrounding IAX2
>>> so I try to stick with SIP, even if that means setting up VPNs.
>>>
>>> Thanks,
>>> Steve
>>>
>>> 888.777.1888

On Nov 27, 2007 11:02 AM, C F <shmaltz at gmail.com> wrote:
> On Nov 27, 2007 9:08 AM, Steve Totaro <stotaro at totarotechnologies.com> wrote:
> > Matt wrote:
> > > > Just checking.... NAT=yes, canreinvite=no ?
> > >
> > > Correct, I have those settings set for this phone. Asterisk has been
> > > reloaded even restarted.
> >
> > Is this a dual NAT situation? NAT on the phone side and NAT at the PIX?
> > If so, I fear it will never work, you might get one way audio though.
>
> I disagree with you, setting in sip.conf:
> externhost=ddnsname;or set the next setting
> externip=x.x.x.x;external ip
> externrefresh=10;for dns
> localnet=192.168.0.0/255.255.0.0
> should take care of this, I have never had a problem with dual nat
> like this, using Aastra, Cisco, Polycom and linksys.

LO! This worked! All it needed was an externip entry!

Hi all,

use ingate siparator. www.ingate.com

ingate will help you to get rid of these issues.

Regards,
Vidura Senadeera
Tel - +94777766596
yahoo, skype - vidurased
Sri Lanka.

============================================

You can also create the vpn using the existing pix and netgear, eliminating more hardware and points of failure.

----- Original Message -----
From: "Ricardo Carvalho" <rjcarvalho.lists at gmail.com>
To: "Asterisk Users Mailing List - Non-Commercial Discussion" <asterisk-users at lists.digium.com>
Sent: Tuesday, November 27, 2007 7:30:35 AM (GMT-0800) America/Los_Angeles
Subject: Re: [asterisk-users] Asterisk behind a PIX firewall?

Try to just open port 5060 for SIP signaling on the PIX and also enable the INSPECT SIP rule. That way, your PIX firewall will inspect SIP signalling and open the necessary UDP ports for the RTP. If you have NAT upstream in the network, you should see if in the layer 4 the IPs shown in the SIP messages got rewritten by its public IPs, it should have, or else you'll never get it working right.

Regards,
Ricardo Carvalho.
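
Added example, not part of the thread and not Asterisk or PIX code: a Python check for the condition Ricardo describes and that the externip entry resolved, namely a SIP message seen outside the firewall that still advertises an address inside localnet in Contact or the SDP c= line. The function names, the sample 200 OK and its addresses are constructed for illustration; LOCALNET and RTP_PORTS are assumptions taken from the localnet and port range quoted in the thread.

```python
import ipaddress
import re

# Assumed for this sketch: sip.conf localnet and the rtp.conf range from the thread.
LOCALNET = ipaddress.ip_network("192.168.0.0/255.255.0.0")
RTP_PORTS = range(10000, 20001)

def is_internal(host, localnet=LOCALNET):
    """True if host is an IP literal inside localnet (hostnames are skipped)."""
    try:
        return ipaddress.ip_address(host) in localnet
    except ValueError:
        return False

def audit_sip_message(raw, localnet=LOCALNET, rtp_ports=RTP_PORTS):
    """List NAT problems in one SIP message captured outside the firewall."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # Contact tells the far end where to send later signalling.
    for m in re.finditer(r"^Contact:.*?sip:(?:[^@>\s]+@)?([^:;>\s]+)", head, re.M | re.I):
        if is_internal(m.group(1), localnet):
            findings.append(f"Contact advertises internal address {m.group(1)}")
    # The SDP c= line tells the far end where to send RTP.
    for m in re.finditer(r"^c=IN IP4 (\S+)", sdp, re.M):
        if is_internal(m.group(1), localnet):
            findings.append(f"SDP c= advertises internal address {m.group(1)}")
    for m in re.finditer(r"^m=audio (\d+) ", sdp, re.M):
        if int(m.group(1)) not in rtp_ports:
            findings.append(f"RTP port {m.group(1)} is outside the forwarded range")
    return findings

def sample_200_ok(media_ip, contact_ip, port=14572):
    """Constructed 200 OK in the general shape of a SIP answer; not a capture."""
    sdp = "\r\n".join([
        "v=0", f"o=root 1 1 IN IP4 {media_ip}", "s=session",
        f"c=IN IP4 {media_ip}", "t=0 0",
        f"m=audio {port} RTP/AVP 0", "a=rtpmap:0 PCMU/8000", ""])
    head = "\r\n".join([
        "SIP/2.0 200 OK",
        "Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bKconstructed",
        "From: <sip:phone@example.invalid>;tag=a1", "To: <sip:100@example.invalid>;tag=b2",
        "Call-ID: constructed-1", "CSeq: 1 INVITE",
        f"Contact: <sip:100@{contact_ip}>",
        "Content-Type: application/sdp", f"Content-Length: {len(sdp)}"])
    return head + "\r\n\r\n" + sdp

if __name__ == "__main__":
    print(audit_sip_message(sample_200_ok("192.168.1.10", "192.168.1.10")))  # no externip
    print(audit_sip_message(sample_200_ok("203.0.113.5", "203.0.113.5")))    # externip set
```

Feed it the text of a SIP message captured on the outside interface; an empty list means the advertised addresses and RTP port are consistent with the forwarding described in the thread.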

Which version of the PIX? There are some bugs in old 6.3.... with SIP...

_____

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Matt
Sent: Tuesday, 27 November 2007 14:11
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Asterisk behind a PIX firewall?

Is there anything special that anyone here has had to do to get an Aastra phone (on the Internet) to talk to Asterisk behind a PIX firewall? Ports 10000-20000 UDP are open on the PIX and forwarding to the Asterisk server. The Asterisk server's RTP.CONF is set to use 10000-20000. The phone registers, and will place AND receive calls, however, no audio is passed. The phone is an Aastra 9133i.