[Asterisk-Users] Cisco PIX and Asterisk

Craig Waddington craig at xmbsystems.com
Sat Sep 25 12:56:11 MST 2004


That's great news. Thanks for the information.

What version of the PIX IOS are you running?

Do you have sip fixup protocol enabled?

I have found a workaround: install onDo sip server on a machine behind
the PIX. The phones register to that; on the PIX, port forward to the
onDo sip server.

But I would much rather get it working without having to do that.

________________________________

From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Mark
Hagler
Sent: 25 September 2004 19:59
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [Asterisk-Users] Cisco PIX and Asterisk

It works fine for me.  I have a handful of Cisco 7960's behind a PIX
firewall and they register to an Asterisk server outside of the PIX with
no trouble at all.   I didn't do anything special to the PIX (i.e. no
access list entries).

The tricks I found to make it work generally apply to any setup where
the clients are behind NAT.   I also run the tftp server for the phones
to get configs inside the firewall, and the SIPDefault.cnf file
specifies the proxy address outside of the firewall.

In the Cisco phone config I have these NAT settings:

nat_enable: 1                   ; 0-Disabled (default), 1-Enabled
nat_address: ""                 ; WAN IP address of NAT box (dotted IP or DNS A record only)
voip_control_port: 5060         ; UDP port used for SIP messages (default - 5060)
start_media_port: 16384         ; Start RTP range for media (default - 16384)
end_media_port: 32766           ; End RTP range for media (default - 32766)
nat_received_processing: 0      ; 0-Disabled (default), 1-Enabled

And the sip.conf entry for this peer is:

[7000]
type=friend
nat=yes
qualify=yes
context=xxxx
secret=xxxx
callerid=xxxx
host=dynamic
canreinvite=no
dtmfmode=rfc2833

timer_register_expires: 120

Setting the registry timer to 120 seconds causes the phone to send out a
packet at least every 2 minutes which will open a UDP xlate on the PIX
for the session.   Then the trick is to use both 'nat=yes' and
'qualify=yes' so Asterisk chats with the phone pretty often.   The
interval of OPTIONS or REGISTER messages between Asterisk and phone
definitely needs to be shorter than the PIX's UDP xlate timeout or the
PIX will close the xlate and you won't be able to pass packets into the
phone for an incoming call.

Note that you can put a numeric value after qualify= instead of "yes" to
fine-tune the interval at which it sends an OPTIONS message.

________________________________

From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Craig
Waddington
Sent: Saturday, September 25, 2004 8:17 AM
To: asterisk-users at lists.digium.com
Subject: [Asterisk-Users] Cisco PIX and Asterisk

I cannot get incoming calls to sip phones behind a PIX to work, outgoing
is fine.

Asterisk (Public IP) --> Internet --> PIX (NAT) --> Sip Phones

I have tried no fixup protocol sip, I have punched a hole in the Pix
allowing anything from the Asterisk box into the network, still no
incoming.

I have done all the Wiki suggests in regard to NAT.

Is there a trick to getting the incoming to work?

Has anyone managed to get this to work or am I wasting my time on this?

Ta.
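
Added example (not part of the thread): a small Python model of the timing argument in Mark Hagler's reply, that keepalive traffic has to cross the firewall more often than its UDP idle timeout for an inbound INVITE to be delivered without any inbound access-list entry. The timer values and function names are constructed for illustration and are not PIX defaults; the model also assumes that the phone's reply to a delivered inbound packet refreshes the translation entry.

```python
# Added illustration: toy model of a stateful firewall's UDP idle timer.
# All timer values used here are constructed for the example, not PIX defaults.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: int          # seconds since the phone booted
    direction: str  # "out" = phone -> Asterisk, "in" = Asterisk -> phone
    kind: str       # REGISTER, OPTIONS or INVITE


def build_timeline(register_every, options_every, invite_at):
    """Periodic REGISTER (out), optional periodic OPTIONS (in), one INVITE (in)."""
    horizon = invite_at + 1
    pkts = [Packet(t, "out", "REGISTER") for t in range(0, horizon, register_every)]
    if options_every:
        pkts += [Packet(t, "in", "OPTIONS")
                 for t in range(options_every, horizon, options_every)]
    pkts.append(Packet(invite_at, "in", "INVITE"))
    # At equal timestamps, process the outbound packet first.
    return sorted(pkts, key=lambda p: (p.t, p.direction != "out"))


def simulate(pkts, idle_timeout):
    """Return (t, kind, delivered) for every inbound packet."""
    last_seen = None  # last time a packet traversed the translation entry
    inbound = []
    for p in pkts:
        entry_open = last_seen is not None and p.t - last_seen < idle_timeout
        if p.direction == "out":
            last_seen = p.t      # outbound traffic creates or refreshes the entry
        else:
            if entry_open:
                last_seen = p.t  # delivered; the phone's reply refreshes the entry
            inbound.append((p.t, p.kind, entry_open))
    return inbound


def incoming_call_reachable(register_every, options_every, idle_timeout, invite_at):
    """True if the INVITE at invite_at finds an open translation entry."""
    pkts = build_timeline(register_every, options_every, invite_at)
    return simulate(pkts, idle_timeout)[-1][2]


if __name__ == "__main__":
    for opts, timeout in [(None, 90), (60, 90), (60, 50)]:
        ok = incoming_call_reachable(120, opts, timeout, invite_at=100)
        print(f"OPTIONS every {opts}s, idle timeout {timeout}s: INVITE at t=100 "
              f"{'delivered' if ok else 'dropped'}")
```

In the third case the entry has already expired when the first OPTIONS arrives, so the keepalive itself is dropped and the phone is only reachable for a short window after each REGISTER.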
