[Asterisk-Users] PIX!!!!!

justiceguy at pobox.com justiceguy at pobox.com
Fri Jan 21 11:18:56 MST 2005


Chris,

Wanted to give you some insight on how my Asterisk is set up behind 
my PIX.  It works great with remote SIP UAs registering to 
Asterisk on the Public IP address, or behind VPN.

I have Fixup protocol enabled on TCP and UDP, just to be safe ;-)
fixup protocol sip 5060
fixup protocol sip udp 5060

A Static NAT on the PIX for the public outside translating to RFC 
1918 internal IP address (very important)

In my Asterisk sip.conf, I have the following relevant 
configuration:
externip = xx.xx.xx.xx  ; external IP
nat=yes
bindaddr=xx.xx.xx.xx    ; RFC1918 IP

For the user agents in sip.conf, whether or not they could 
register with success seemed to be dependent on whether I 
had the nat= yes/no toggled on or off.  I seem to remember this 
as being an identical problem to what you had until I set this 
correctly.

You might also try "debug sip" on the PIX and send me the debug 
offline.  I can analyze the output and compare it against my 
remote UAs registering with success, and let you know how I see 
things differently.

Best regards,
Jason O.





On Fri Jan 21 07:24:11 PST 2005, "brett-asterisk at worldcall.net" 
<brett-asterisk at worldcall.net> wrote:

> Christopher wrote:
> 
>> Thanks guys, really appreciate the responses. Actually I've 
>> tried the suggestions in this document with absolutely no luck 
>> at all unfortunately, and turning off fixup protocol udp sip was 
>> the key to allowing my remote phone to ring to an internal phone 
>> (when fixup is on I can see the remote phone, but it will not 
>> ring the internal phones).  But no matter what the fixup 
>> feature is set to * still shows that phone as "Unreachable" and 
>> the port number as 0.
> 
> 
> Hey Chris,
> My setup is that Asterisk is on a public IP and the customer is 
> using private IPs behind a Cisco PIX.
> 
> When we first had the sip fixup enabled, it worked just as you 
> described. I think what was happening is as follows:
> 1. Phones are configured for NAT
> 2. Cisco PIX "handles NAT" by rewriting headers so the phone 
> doesn't appear to be NATted (for SIP proxies that may not support 
> natted devices)
> 3. Asterisk was expecting NAT headers because of nat=yes
> 
> So I left nat=yes and recommended turning sip fixup off. That 
> seemed to work for us.
> 
> I suppose (and I'd like to try this in my lab) that perhaps 
> setting nat to no or never and having the nat fixup could be an 
> interesting test as well. Does anyone out there have any 
> experience with this?
> -Brett

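Added example, not part of the original thread and not code from Asterisk or the PIX: a small Python check for the comparison this thread turns on, whether the Via and Contact hosts in a REGISTER match the packet's source address (fixup rewrote them, or there is no NAT in the path) or still carry the phone's inside address. The function names, the sample message and the addresses are constructed for illustration.

```python
import ipaddress
import re

# Host in the top Via sent-by and in the Contact URI (IPv4 literals only).
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", re.I | re.M)
CONTACT_RE = re.compile(r"^Contact:.*?sip:(?:[^@>\s]+@)?([\d.]+)", re.I | re.M)

def classify(sip_text, packet_src):
    """Compare the Via/Contact hosts of a REGISTER with the IP source address
    of the packet that carried it, as seen on the Asterisk side."""
    via, contact = VIA_RE.search(sip_text), CONTACT_RE.search(sip_text)
    if not via or not contact:
        return "unparseable"
    try:
        src = ipaddress.ip_address(packet_src)
        via_ok = ipaddress.ip_address(via.group(1)) == src
        contact_ok = ipaddress.ip_address(contact.group(1)) == src
    except ValueError:
        return "unparseable"
    if via_ok and contact_ok:
        # Either no NAT in the path, or a SIP ALG rewrote the headers.
        return "headers-match-source"
    if not via_ok and not contact_ok:
        # Headers untouched by the firewall; replies must go to packet_src.
        return "headers-differ-from-source"
    # Only some headers were rewritten.
    return "partially-rewritten"

def register(via_host, contact_host):
    """Build a constructed REGISTER (all values are made up for the example)."""
    return "\r\n".join([
        "REGISTER sip:pbx.example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host}:5060;branch=z9hG4bK-constructed",
        "From: <sip:1001@pbx.example.net>;tag=1",
        "To: <sip:1001@pbx.example.net>",
        "Call-ID: constructed-1@example",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:1001@{contact_host}:5060>",
        "Content-Length: 0", "", ""])

if __name__ == "__main__":
    outside = "203.0.113.10"   # constructed firewall outside address
    phone = "192.168.1.50"     # constructed RFC 1918 phone address
    for v, c in [(phone, phone), (outside, outside), (outside, phone)]:
        print(v, c, "->", classify(register(v, c), outside))
```

Feed it the REGISTER text from a capture on the Asterisk side together with the source IP of that packet.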


