[Asterisk-bugs] [Asterisk 0004610]: Asterisk behind a Cisco PIX 515E firewall using fixup protocol

noreply at bugs.digium.com noreply at bugs.digium.com
Wed Jul 11 07:06:04 CDT 2007


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=4610 
====================================================================== 
Reported By:                pabelanger
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   4610
Category:                   Channels/chan_sip/Interoperability
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     feedback
Asterisk Version:           CVS HEAD 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             06-28-2005 12:50 CDT
Last Modified:              07-11-2007 07:06 CDT
====================================================================== 
Summary:                    Asterisk behind a Cisco PIX 515E firewall using
fixup protocol
Description: 
When using fixup protocol on the Cisco PIX, Asterisk will always fail to
register a UA (Mitel 5055); 403 Forbidden is always returned.

SIP Debug is attached

Mitel 5055 (67.71.252.110)
Cisco PIX 515E:
- External (67.71.252.108)
- Internal (172.16.128.1)
Asterisk CVS HEAD (172.16.128.2)

Let me know if additional information is required.
====================================================================== 

---------------------------------------------------------------------- 
 stevedavies - 07-11-07 07:06  
---------------------------------------------------------------------- 
Hi,

This is a bug in the PIX NAT "fixup" for SIP.

Apparently the PIX looks through the SIP packet and, amongst other things,
replaces any occurrences of its own external address with the address of the
NATted-to SIP device (aka the Asterisk box).

Here's an example REGISTER packet as sent by the original sending system:

REGISTER sip:XXX.13.142.72 SIP/2.0
Via: SIP/2.0/UDP YYY.40.106.9:5060;branch=z9hG4bK5d035114;rport
From: <sip:cteltest@XXX.13.142.72>;tag=as2ede4718
To: <sip:cteltest@XXX.13.142.72>
Call-ID: 64727ea8396c6e026b35348b74eaa9a5@YYY.40.106.9
CSeq: 103 REGISTER
User-Agent: Asterisk PBX
Max-Forwards: 70
Authorization: Digest username="cteltest", realm="asterisk",
algorithm=MD5, uri="sip:XXX.13.142.72", nonce="4cfc78b5",
response="26e35cded2994cf578435090754c3b9c", opaque=""
Expires: 120
Contact: <sip:s@YYY.40.106.9>
Event: registration
Content-Length: 0

By the time it has passed through the Pix and got to the server, it looks
like this:

REGISTER sip:ZZZ.57.10.34 SIP/2.0
Via: SIP/2.0/UDP YYY.40.106.9:5060;branch=z9hG4bK5d035114;rport
From: <sip:cteltest@ZZZ.57.10.34>;tag=as2ede4718
To: <sip:cteltest@ZZZ.57.10.34>
Call-ID: 64727ea8396c6e026b35348b74eaa9a5@YYY.40.106.9
CSeq: 103 REGISTER
User-Agent: Asterisk PBX
Max-Forwards: 70
Authorization: Digest username="cteltest", realm="asterisk",
algorithm=MD5, uri="sip:ZZZ.57.10.34", nonce="4cfc78b5",
response="26e35cded2994cf578435090754c3b9c", opaque=""
Expires: 120
Contact: <sip:s@YYY.40.106.9>
Event: registration
Content-Length: 0

The problem is that the PIX also mangled the contents of the uri part of
the Authorization header.  But you can't do that because the hash in the
response is now invalidated.  That's why Asterisk rejects the registration
with Bad auth.

As a workaround you can change the registering/calling system to use a
DNS name to reach the PIX rather than a hard-coded IP address.  Then the
PIX doesn't mangle it and the authorization will succeed.

So - Asterisk 1, Cisco 0: this is their bug not ours.

Regards,
Steve 
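
To make the failure mechanism concrete, here is an added example that is not
code from the bug report, from Asterisk or from Cisco. It computes the RFC
2617 digest the way a SIP registrar recomputes it, models the PIX rewrite
described in the note above as a blind string replacement, and shows that the
client's response no longer verifies once uri= has been changed, while a DNS
name in the URI survives the rewrite. The addresses are the ones from the bug
report (PIX outside 67.71.252.108, Asterisk 172.16.128.2, phone
67.71.252.110); the shared secret, the name pbx.example.com and all function
names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import re

# Addresses from the bug report; the password and DNS name are constructed.
PIX_EXTERNAL = "67.71.252.108"
ASTERISK_INTERNAL = "172.16.128.2"
CLIENT_IP = "67.71.252.110"
PASSWORD = "s3cret-example"   # constructed secret for peer "cteltest"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop, as SIP uses it: MD5(HA1:nonce:HA2).
    HA2 binds method and uri, so any change to uri changes the response."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_authorization(header: str) -> dict:
    """Turn 'Authorization: Digest k="v", k2=v2, ...' into a dict."""
    _, _, params = header.partition("Digest")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def build_register(server_host, username, password, realm, nonce):
    """Client side: the REGISTER as the phone/PBX sends it, digest included."""
    uri = f"sip:{server_host}"
    response = digest_response(username, realm, password, "REGISTER", uri, nonce)
    return "\r\n".join([
        f"REGISTER {uri} SIP/2.0",
        f"Via: SIP/2.0/UDP {CLIENT_IP}:5060;branch=z9hG4bK5d035114;rport",
        f"From: <sip:{username}@{server_host}>;tag=as2ede4718",
        f"To: <sip:{username}@{server_host}>",
        f"Call-ID: 64727ea8396c6e026b35348b74eaa9a5@{CLIENT_IP}",
        "CSeq: 103 REGISTER",
        f'Authorization: Digest username="{username}", realm="{realm}", '
        f'algorithm=MD5, uri="{uri}", nonce="{nonce}", '
        f'response="{response}", opaque=""',
        f"Contact: <sip:s@{CLIENT_IP}>",
        "Content-Length: 0",
        "", ""])


def pix_sip_fixup(packet, external_ip, internal_ip):
    """Model of the PIX behaviour the note describes (not PIX code): every
    occurrence of the outside address, Authorization header included, is
    rewritten to the inside host."""
    return packet.replace(external_ip, internal_ip)


def registrar_check(packet, password):
    """Server side: recompute the digest from the headers actually received
    and compare in constant time; a mismatch is what Asterisk answers with 403."""
    lines = packet.split("\r\n")
    method = lines[0].split(" ")[0]
    auth = next(h for h in lines if h.startswith("Authorization:"))
    p = parse_authorization(auth)
    expected = digest_response(p["username"], p["realm"], password,
                               method, p["uri"], p["nonce"])
    if hmac.compare_digest(expected, p["response"]):
        return "200 OK"
    return "403 Forbidden"


def register_through_pix(server_host):
    """Full path: client builds REGISTER for server_host, the PIX rewrites
    it, Asterisk verifies what arrived."""
    sent = build_register(server_host, "cteltest", PASSWORD, "asterisk", "4cfc78b5")
    arrived = pix_sip_fixup(sent, PIX_EXTERNAL, ASTERISK_INTERNAL)
    return registrar_check(arrived, PASSWORD)


if __name__ == "__main__":
    for host in (PIX_EXTERNAL, "pbx.example.com"):
        print(f"client addressed sip:{host} -> {register_through_pix(host)}")
```

Run as-is it prints 403 Forbidden for the IP-literal URI and 200 OK for the
DNS name, which is exactly the workaround in the note: the fixup only matches
the literal address, so a name passes through untouched and the hash still
covers what the registrar sees. Note that the one check a registrar could add
for robustness, that uri= equals the request-line URI, would not catch this
case either, because the PIX rewrites both consistently; the digest is the
only thing that notices the tampering, and that is by design.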

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-11-07 07:06  stevedavies    Note Added: 0067104                          
======================================================================



