[Asterisk-Users] PIX Firewall configuration??

Tony Nichols tony.nichols at gmail.com
Tue Feb 1 08:20:06 MST 2005


On Tue, 1 Feb 2005 08:08:50 -0600 (CST), infoman at colonydrive.com
<infoman at colonydrive.com> wrote:
> I'd like to open up my firewall so that I can connect my SIP phones to a
> test server behind our firewall. I can configure an outside address to pass
> traffic to the internal address of the Asterisk server. I'm not sure what
> other ports need to be opened. My SIP phone will either be at my home
> behind a linksys cable/dsl router or perhaps at a hotel when I'm on the
> road. What am I missing in this configuration? Is STUN needed?
> 
> Pat
> 

looks to me that it would be easier to purchase a vpn lic...... I've
tried some of the suggestions on the list to no avail.
Until version * 1.03 came out... I still had echo/cutouts through the
vpn. Now so far <knock on wood repeatedly> it is going ok.

Here is what I found on the list:

It works fine for me.  I have a handful of Cisco 7960's behind a PIX
firewall and they register to an Asterisk server outside of the PIX with no
trouble at all.   I didn't do anything special to the PIX (i.e. no access
list entries).


The tricks I found to make it work generally apply to any setup where the
clients are behind NAT.   I also run the tftp server for the phones to get
configs inside the firewall, and the SIPDefault.cnf file specifies the proxy
address outside of the firewall.


In the Cisco phone config I have these NAT settings:

nat_enable: 1                   ; 0-Disabled (default), 1-Enabled
nat_address: ""                 ; WAN IP address of NAT box (dotted IP or DNS A record only)
voip_control_port: 5060         ; UDP port used for SIP messages (default - 5060)
start_media_port: 16384         ; Start RTP range for media (default - 16384)
end_media_port: 32766           ; End RTP range for media (default - 32766)
nat_received_processing: 0      ; 0-Disabled (default), 1-Enabled


And the sip.conf entry for this peer is:

[7000]
type=friend
nat=yes
qualify=yes
context=xxxx
secret=xxxx
callerid=xxxx
host=dynamic
canreinvite=no
dtmfmode=rfc2833

timer_register_expires: 120


Setting the registry timer to 120 seconds causes the phone to send out a
packet at least every 2 minutes which will open a UDP xlate on the PIX for
the session.   Then the trick is to use both 'nat=yes' and 'qualify=yes' so
Asterisk chats with the phone pretty often.   The interval of OPTIONS or
REGISTER messages between Asterisk and phone definitely needs to be shorter
than the PIX's UDP xlate timeout or the PIX will close the xlate and you
won't be able to pass packets into the phone for an incoming call.


Note that you can put a numeric value after qualify= instead of "yes" to
fine-tune the interval at which it sends an OPTIONS message.

Good Luck!

t o n y
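The timing argument in the quoted post (keepalive traffic must recur more often than the PIX's UDP xlate idle timeout, or an inbound INVITE never reaches the phone) can be checked with a small model. The following is an added example written for this page, not code from the post, from Asterisk or from Cisco. It models the firewall as an idle-timeout table keyed on the phone's inside socket; the 120 s register timer comes from the post, while the idle timeout, the qualify interval and the phone address are assumed/constructed values to be replaced with what the real PIX and sip.conf are configured with.

```python
"""Toy model of a stateful firewall's UDP translation (xlate) table.

Added example, not from the mailing-list post. It reproduces the post's
reasoning: a phone behind NAT is reachable for inbound SIP only while the
firewall holds a UDP xlate for the phone's SIP socket, and the xlate
survives only if some packet crosses it at least once per idle timeout.
Three kinds of traffic refresh the entry here: the phone's periodic
REGISTER (timer_register_expires), Asterisk's OPTIONS probes (qualify=),
and the phone's reply to a probe that got through.
"""
from dataclasses import dataclass, field


@dataclass
class UdpXlateTable:
    idle_timeout: float                 # seconds of silence before the entry is dropped
    entries: dict = field(default_factory=dict)   # inside (ip, port) -> last packet time

    def outbound(self, inside_sock, now):
        """Inside host sends a packet: create or refresh the xlate."""
        self.entries[inside_sock] = now

    def inbound_allowed(self, inside_sock, now):
        """Outside host sends to the mapped address: passes only while the xlate lives."""
        last = self.entries.get(inside_sock)
        if last is None or now - last > self.idle_timeout:
            self.entries.pop(inside_sock, None)   # expired: firewall forgets the mapping
            return False
        self.entries[inside_sock] = now           # traffic in either direction refreshes it
        return True


def simulate(register_expires, qualify_interval, idle_timeout, invite_at,
             phone=("192.168.1.20", 5060)):
    """Return True if an INVITE from outside at `invite_at` seconds reaches the phone.

    register_expires  -- phone sends REGISTER every N s, starting at t=0 (120 in the post)
    qualify_interval  -- Asterisk sends OPTIONS every N s; 0 disables qualify (assumed value)
    idle_timeout      -- the firewall's UDP xlate idle timeout (assumed value)
    phone             -- constructed inside address of the phone
    """
    fw = UdpXlateTable(idle_timeout)
    events = []
    t = 0.0
    while t <= invite_at:
        events.append((t, "REGISTER"))        # phone -> Asterisk (outbound)
        t += register_expires
    if qualify_interval:
        t = float(qualify_interval)
        while t <= invite_at:
            events.append((t, "OPTIONS"))     # Asterisk -> phone (inbound)
            t += qualify_interval
    events.sort()
    for when, kind in events:
        if kind == "REGISTER":
            fw.outbound(phone, when)
        elif fw.inbound_allowed(phone, when):
            fw.outbound(phone, when)          # phone answers 200 OK, refreshing the xlate
    return fw.inbound_allowed(phone, invite_at)


if __name__ == "__main__":
    timeout = 120   # assumed PIX UDP idle timeout; use the real device's configured value
    print("register 120s + qualify 60s :", simulate(120, 60, timeout, 500))
    print("register 3600s, no qualify  :", simulate(3600, 0, timeout, 500))
    print("register 3600s + qualify 180s:", simulate(3600, 180, timeout, 500))
```

With a long register interval and no qualify the xlate expires and the call is dropped at the firewall; with either the post's 120 s register timer or an OPTIONS interval shorter than the idle timeout the entry stays alive and the INVITE gets through. The model only covers the SIP signalling socket; RTP ports are opened per call and are a separate concern.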
