I cannot get incoming calls to SIP phones behind a PIX to work; outgoing is fine.

Asterisk (Public IP) --> Internet --> PIX (NAT) --> Sip Phones

I have tried no fixup protocol sip, I have punched a hole in the PIX allowing anything from the Asterisk box into the network, still no incoming. I have done all the Wiki suggests regarding NAT.

Is there a trick to getting the incoming to work? Has anyone managed to get this to work or am I wasting my time on this?

Ta.

I have a customer that wants to try the exact same thing next month. Unfortunately I don't have any advice for you at this time. However, if the PIX doesn't end up working for you I can tell you that I've had excellent success with the INGATE product line. (Both Firewall and Firewall Traversal products)

Chad

________________________________
From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Craig Waddington
Sent: Saturday, September 25, 2004 8:17 AM
To: asterisk-users@lists.digium.com
Subject: [Asterisk-Users] Cisco PIX and Asterisk

Are any packets at all from the incoming call setup getting through the PIX? In general, static NAT (plus access list) is required to enable an endpoint with a global IP address to establish a connection to an endpoint behind the PIX with a private IP address. Are you using static NAT and what version of PIX OS are you running?

John

Chad Brown <chad.brown@identitymine.com> wrote:

I have a customer that wants to try the exact same thing next month. Unfortunately I don’t have any advice for you at this time. However, if the PIX doesn’t end up working for you I can tell you that I’ve had excellent success with the INGATE product line. (Both Firewall and Firewall Traversal products)

Chad

It works fine for me. I have a handful of Cisco 7960's behind a PIX firewall and they register to an Asterisk server outside of the PIX with no trouble at all. I didn't do anything special to the PIX (i.e. no access list entries). The tricks I found to make it work generally apply to any setup where the clients are behind NAT. I also run the tftp server for the phones to get configs inside the firewall, and the SIPDefault.cnf file specifies the proxy address outside of the firewall.

In the Cisco phone config I have these NAT settings:

    nat_enable: 1               ; 0-Disabled (default), 1-Enabled
    nat_address: ""             ; WAN IP address of NAT box (dotted IP or DNS A record only)
    voip_control_port: 5060     ; UDP port used for SIP messages (default - 5060)
    start_media_port: 16384     ; Start RTP range for media (default - 16384)
    end_media_port: 32766       ; End RTP range for media (default - 32766)
    nat_received_processing: 0  ; 0-Disabled (default), 1-Enabled

And the sip.conf entry for this peer is:

    [7000]
    type=friend
    nat=yes
    qualify=yes
    context=xxxx
    secret=xxxx
    callerid=xxxx
    host=dynamic
    canreinvite=no
    dtmfmode=rfc2833

    timer_register_expires: 120

Setting the registry timer to 120 seconds causes the phone to send out a packet at least every 2 minutes which will open a UDP xlate on the PIX for the session. Then the trick is to use both 'nat=yes' and 'qualify=yes' so Asterisk chats with the phone pretty often. The interval of OPTIONS or REGISTER messages between Asterisk and phone definitely needs to be shorter than the PIX's UDP xlate timeout or the PIX will close the xlate and you won't be able to pass packets into the phone for an incoming call. Note that you can put a numeric value after qualify= instead of "yes" to fine-tune the interval at which it sends an OPTIONS message.

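An added example, not part of the thread: a Python audit of the condition described in the reply above, that some SIP traffic must cross the firewall more often than its UDP translation times out. The function name `audit_peers`, the 60-second OPTIONS probe interval and the 120-second firewall timeout used with the sample are assumptions; the second peer in the sample is constructed.

```python
import configparser

# Constructed sample: [7000] mirrors the NAT-related keys of the peer entry
# in the reply above; [7001] is a constructed peer without the keepalive settings.
SAMPLE_SIP_CONF = """
[7000]
type=friend
nat=yes
qualify=yes
host=dynamic
canreinvite=no

[7001]
type=friend
nat=yes
qualify=no
host=dynamic
canreinvite=yes
"""

def audit_peers(conf_text, udp_idle_timeout, register_expires, options_interval=60):
    """Return {peer: [findings]}; an empty list means no finding.

    udp_idle_timeout: firewall UDP idle timeout in seconds (read it from the firewall).
    register_expires: the phone's re-registration timer in seconds.
    options_interval: assumed seconds between Asterisk qualify probes.
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       comment_prefixes=(";",))
    parser.read_string(conf_text)
    report = {}
    for peer in parser.sections():
        if peer == "general":
            continue
        opts, findings = parser[peer], []
        qualify_on = opts.get("qualify", "no").strip().lower() not in ("no", "0")
        # REGISTER always refreshes the translation; OPTIONS only when qualify is on.
        gap = min([register_expires] + ([options_interval] if qualify_on else []))
        if gap >= udp_idle_timeout:
            findings.append("keepalive gap %ds >= UDP timeout %ds" % (gap, udp_idle_timeout))
        if opts.get("nat", "no").strip().lower() != "yes":
            findings.append("nat=yes not set")
        if opts.get("canreinvite", "yes").strip().lower() != "no":
            findings.append("canreinvite=no not set; media may bypass Asterisk")
        report[peer] = findings
    return report
```

With a 120-second registration timer and a 120-second firewall timeout, `[7000]` passes only because qualify adds the shorter probe interval, while `[7001]` is flagged.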
That's great news. Thanks for the information.

What version of the PIX IOS are you running? Do you have sip fixup protocol enabled?

I have found a workaround: install onDo sip server on a machine behind the PIX. The phones register to that; on the PIX, port forward to the onDo sip server. But I would much rather get it working without having to do that.

________________________________
From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Mark Hagler
Sent: 25 September 2004 19:59
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [Asterisk-Users] Cisco PIX and Asterisk