Can anyone point me in a good direction for configuring SIP through a PIX using 1:1 NAT. I have read anything I could get my hands on and tried them all with very little success. I can get it to work through the cheap little cable modem routers, but not this PIX.

I -can- make a direct SIP call using the IP address of the * server (ie.exten@ipaddr), but when I do that * still doesn't show it registering. Even when I call through this method the phone comes up as "UNREACHABLE" and the port is listed as 0 instead of 5060 like all the internal phones.

--
B2 Technologies, LLC
- www.VoIPSupply.com
- www.ValueResale.com
454 Sonwil Drive
Buffalo, NY 14225
(716) 630-1555 x.27
(716) 250-3411 (Direct)
(716) 630-1548 fax

We sell all things VoIP related at: http://www.VoipSupply.com
Buy online, same day shipping on most items, volume discounts are available.
Christopher wrote:
> Can anyone point me in a good direction for configuring SIP through a
> PIX using 1:1 NAT. I have read anything I could get my hands on and
> tried them all with very little success. I can get it to work through
> the cheap little cable modem routers, but not this PIX.
> I -can- make a direct SIP call using the IP address of the * server
> (ie.exten@ipaddr), but when I do that * still doesn't show it
> registering. Even when I call through this method the phone comes up as
> "UNREACHABLE" and the port is listed as 0 instead of 5060 like all the
> internal phones.

I seem to recall some weird thing in the PIX, where you had to disable the SIP fixup to work (and of course, to use some nat traversal trick, like outbound proxy).
Chris,

I suggest the same, but in case you want to use the fixup feature:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801fc74a.shtml

LTenorio

-----Original Message-----
From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Julio Arruda
Sent: Thursday, January 20, 2005 7:01 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] PIX!!!!!

Christopher wrote:
> Can anyone point me in a good direction for configuring SIP through a
> PIX using 1:1 NAT. I have read anything I could get my hands on and
> tried them all with very little success. I can get it to work through
> the cheap little cable modem routers, but not this PIX.
> I -can- make a direct SIP call using the IP address of the * server
> (ie.exten@ipaddr), but when I do that * still doesn't show it
> registering. Even when I call through this method the phone comes up
> as "UNREACHABLE" and the port is listed as 0 instead of 5060 like all
> the internal phones.

I seem to recall some weird thing in the PIX, where you had to disable the SIP fixup to work (and of course, to use some nat traversal trick, like outbound proxy).

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
I have some Cisco 7940's having calls initiated to them from a public address with 1:1 NAT, and they are also set to my Asterisk machine over an IPsec tunnel. Below are the applicable lines for my outside-initiated call to a phone inside.

You may need to take the "no" off depending on how your phones are set up in regards to the external NAT IP. My phones have their real external IP set into them.

no fixup protocol sip 5060
no fixup protocol sip udp 5060

You will need the access-list line for the access-group outside, but shouldn't need the inside one unless you are limiting outgoing traffic also. You could break this into multiple lines for different ports/port ranges, but I am just allowing all traffic from the host to reach the phone. You could probably also just get away with allowing all/only UDP from outside to the phone.

access-list from-outside permit ip host sip_endpoint_ip_here any
access-group from-outside in interface outside
access-list from-inside permit ip 192.168.3.0 255.255.255.0 host 216.136.148.193
access-group from-inside in interface inside
static (inside,outside) external_ip internal_ip netmask 255.255.255.255 0 0

Hope this helps
-Jon

Quoting Christopher <chris.robinson@voipsupply.com>:
> Can anyone point me in a good direction for configuring SIP through a
> PIX using 1:1 NAT. I have read anything I could get my hands on and
> tried them all with very little success. I can get it to work through
> the cheap little cable modem routers, but not this PIX.
>
> I -can- make a direct SIP call using the IP address of the * server
> (ie.exten@ipaddr), but when I do that * still doesn't show it
> registering. Even when I call through this method the phone comes up as
> "UNREACHABLE" and the port is listed as 0 instead of 5060 like all the
> internal phones.
Chris,

I have a PIX with 6.3(4) and I have my Asterisk behind a NAT and it works great. What I did have to do is shut down all NAT config in Asterisk. What was happening is Asterisk was putting my public IP on the packets going out of my Linux box and the PIX was trying to rewrite those packets.

Here is what I removed in the sip.conf file:

;externip = XXX.XXX.XXX.XXX ; Address that we're going to put in SIP
;nat=yes

Chris Tuska
Chris,

Wanted to give you some insight on how my Asterisk is set up behind my PIX. It works great with remote SIP UAs registering to Asterisk on the public IP address, or behind VPN.

I have fixup protocol enabled on TCP and UDP, just to be safe ;-)

fixup protocol sip 5060
fixup protocol sip udp 5060

A static NAT on the PIX for the public outside translating to RFC 1918 internal IP address (very important).

In my Asterisk sip.conf, I have the following relevant configuration:

externip = xx.xx.xx.xx (external IP)
nat=yes
bindaddr=xx.xx.xx.xx (RFC1918 IP)

For the user agents in sip.conf, whether or not they could register with success seemed to be dependent on whether I had the nat= yes/no toggled on or off. I seemed to remember this as having an identical problem to what you had until I set this correctly.

You might also try "debug sip" on the PIX and send me the debug offline. I can analyze the output and compare it against my remote UAs registering with success, and let you know how I see things differently.

Best regards,
Jason O.

On Fri Jan 21 07:24:11 PST 2005, "brett-asterisk@worldcall.net" <brett-asterisk@worldcall.net> wrote:
> Christopher wrote:
>
>> Thanks guys, really appreciate the responses. Actually I've
>> tried the suggestions in this document with absolutely no luck
>> at all unfortunately, and turning off fixup protocol udp sip was
>> the key to allowing my remote phone to ring to an internal phone
>> (when fixup is on I can see the remote phone, but it will not
>> ring the internal phones). But no matter what the fixup
>> feature is set to * still shows that phone as "Unreachable" and
>> the port number as 0.
>
> Hey Chris,
> My setup is that Asterisk is on a public IP and the customer is
> using private IPs behind a Cisco PIX.
>
> When we first had the sip fixup enabled, it worked just as you
> described. I think what was happening is as follows:
> 1. Phones are configured for NAT
> 2. Cisco PIX "handles NAT" by rewriting headers so the phone
> doesn't appear to be NATted (for SIP proxies that may not support
> natted devices)
> 3. Asterisk was expecting NAT headers because of nat=yes
>
> So I left nat=yes and recommended turning sip fixup off. That
> seemed to work for us.
>
> I suppose (and I'd like to try this in my lab) that perhaps
> setting nat to no or never and having the nat fixup could be an
> interesting test as well. Does anyone out there have any
> experience with this?
> -Brett
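Added example (not from any poster in this thread): a small Python check that reads PIX 6.x fixup lines and an Asterisk sip.conf and reports which side is set to handle SIP NAT. Chris Tuska and Brett both traced failures to the PIX and Asterisk handling it at once, while Jason reports that combination working, so "both" is a prompt to test, not a verdict. The function names and sample configs, including the 203.0.113.10 and 192.168.3.10 addresses, are constructed; a fixup not listed in the PIX text is assumed to be off.

```python
import re

FIXUP = re.compile(r"^(no\s+)?fixup\s+protocol\s+sip\s+(udp\s+)?\d+$", re.I)
SETTING = re.compile(r"^(externip|nat)\s*=>?\s*(\S+)", re.I)

def pix_sip_fixup(pix_config):
    """Transports with SIP fixup on; 'no ...' turns one off, last line wins."""
    enabled = set()
    for line in pix_config.splitlines():
        m = FIXUP.match(line.strip())
        if m:
            # Per the thread, the line without 'udp' is the TCP fixup.
            transport = "udp" if m.group(2) else "tcp"
            (enabled.discard if m.group(1) else enabled.add)(transport)
    return enabled

def asterisk_nat_settings(sip_conf):
    """Active externip / nat values; text after ';' is a comment."""
    found = {}
    for line in sip_conf.splitlines():
        m = SETTING.match(line.split(";", 1)[0].strip())
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return found

def who_handles_sip_nat(pix_config, sip_conf):
    """Return 'pix', 'asterisk', 'both' or 'neither'."""
    fixup = pix_sip_fixup(pix_config)
    ast = asterisk_nat_settings(sip_conf)
    # Assumption: externip set, or any nat value other than no/never, counts.
    ast_on = "externip" in ast or any(
        v not in ("no", "never") for v in ast.get("nat", []))
    if fixup and ast_on:
        return "both"
    return "pix" if fixup else "asterisk" if ast_on else "neither"

# Constructed samples modelled on the configurations posted in the thread.
PIX_FIXUP_ON = "fixup protocol sip 5060\nfixup protocol sip udp 5060\n"
PIX_FIXUP_OFF = "no fixup protocol sip 5060\nno fixup protocol sip udp 5060\n"
SIP_NAT_ON = "[general]\nexternip = 203.0.113.10\nnat=yes\nbindaddr=192.168.3.10\n"
SIP_NAT_OFF = "[general]\n;externip = 203.0.113.10 ; commented out\n;nat=yes\n"

if __name__ == "__main__":
    for pix, sip in [(PIX_FIXUP_ON, SIP_NAT_ON), (PIX_FIXUP_ON, SIP_NAT_OFF),
                     (PIX_FIXUP_OFF, SIP_NAT_ON), (PIX_FIXUP_OFF, SIP_NAT_OFF)]:
        print(sorted(pix_sip_fixup(pix)), asterisk_nat_settings(sip),
              "->", who_handles_sip_nat(pix, sip))
```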
Christopher,

What version of PIX software are you using? I had to make no special NAT configuration on the * server when using a PIX 525 firewall. I was actually impressed that it is a completely SIP aware firewall in that it will handle all the header re-writing. I am using PIX version 6.4 with Asterisk 1.0.3 and the Broadvoice patch.

If you would like specific help with your PIX config please e-mail your config with a topology of the network and example call flow.

-John

Christopher wrote:
> Can anyone point me in a good direction for configuring SIP through a
> PIX using 1:1 NAT. I have read anything I could get my hands on and
> tried them all with very little success. I can get it to work through
> the cheap little cable modem routers, but not this PIX.
> I -can- make a direct SIP call using the IP address of the * server
> (ie.exten@ipaddr), but when I do that * still doesn't show it
> registering. Even when I call through this method the phone comes up
> as "UNREACHABLE" and the port is listed as 0 instead of 5060 like all
> the internal phones.
hi

perhaps someone should add the pix stuff to an faq

also perhaps someone should add a DO NOT ASK THE LIST BEFORE READING THE FAQ somewhere

roy

On Jan 20, 2005, at 22:51, Christopher wrote:
> Can anyone point me in a good direction for configuring SIP through a
> PIX using 1:1 NAT. I have read anything I could get my hands on and
> tried them all with very little success. I can get it to work through
> the cheap little cable modem routers, but not this PIX.
> I -can- make a direct SIP call using the IP address of the * server
> (ie.exten@ipaddr), but when I do that * still doesn't show it
> registering. Even when I call through this method the phone comes up
> as "UNREACHABLE" and the port is listed as 0 instead of 5060 like all
> the internal phones.