[asterisk-users] Cisco PIX firewall and nat=yes

Peder at NetworkOblivion peder at networkoblivion.com
Wed Sep 6 09:27:53 MST 2006


There is a "Timeout SIP" in the config.  What is it set to?  If it is 
less than the qualify interval, which I believe is 60 seconds, then 
the PIX will close the inbound hole for qualify traffic.  We've got lots 
of phones at several remote sites all running behind PIX's and all being 
NAT'd to the same IP (per location) and everything works perfectly if 
qualify is on.  If we disable qualify, then the "SIP inbound hole" gets 
closed per the "Timeout SIP" and calls don't go through until the phone 
re-registers and the hole opens again (they can still call out).

Bill Gibbs wrote:
> As a follow up those commands helped with the outbound calls but inbound 
> still had issues.  Asterisk would still show the peer UNREACHABLE.  
> Turning off qualify has fixed the problem!
> 
> Bill
> 
> ------------------------------------------------------------------------
> 
> *From:* Bill D'Anjou [mailto:danjou at rocketinternet.net]
> *Sent:* Wednesday, August 23, 2006 12:47 PM
> *To:* Asterisk Users Mailing List - Non-Commercial Discussion
> *Cc:* Bill Gibbs
> *Subject:* RE: [asterisk-users] Cisco PIX firewall and nat=yes
> 
> You might need:
> 
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> 
> in the PIX.... if these commands aren't supported you might need newer code.
> 
> Bill
> 
>     -----Original Message-----
>     *From:* asterisk-users-bounces at lists.digium.com
>     [mailto:asterisk-users-bounces at lists.digium.com] *On Behalf Of *Bill
>     Gibbs
>     *Sent:* Wednesday, August 23, 2006 8:53 AM
>     *To:* Asterisk Users Mailing List - Non-Commercial Discussion
>     *Subject:* [asterisk-users] Cisco PIX firewall and nat=yes
> 
>     I have a Polycom 501 that works great from behind simple firewalls,
>     like Dlink, etc however behind a Cisco PIX Firewall I see the
>     register messages for the extensions on the Asterisk CLI but when I
>     do a sip show peers I see:
> 
>     702/702                    x.x.x.x     D   N      54297    UNREACHABLE
>     701/701                    x.x.x.x     D   N      54297    UNREACHABLE
>     700/700                    x.x.x.x     D   N      54297    UNREACHABLE
> 
>     But I see stuff like
> 
>     n       Registered SIP '702' at x.x.x.x port 54297 expires 60
> 
>     I have a single phone with multiple extensions in the example above.
>      As a test I changed that phone to a single extension (700), I see
>     the Registered line but it still says UNREACHABLE.
> 
>     I know the Asterisk config is good because every device (soft, hard
>     phone) works and I know the NAT works because I’ve tested that out.
> 
>     So…I’m thinking it has something to do with the PIX.  Any ideas?
> 
>     Bill
> 

-- 

Network stuff you didn't know....
http://www.networkoblivion.com
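
The timing condition described in the reply above, worked through as an added example that is not part of the original thread: it reads the SIP idle timeout from a constructed PIX `timeout` line and lists the windows in which the inbound hole is closed, with qualify on and off. The 2-minute timeout, the 3600-second registration expiry and the function names are assumptions; the 60-second qualify interval is the figure quoted in the post.

```python
import re

# Constructed sample; the line layout is assumed from the PIX "timeout" command.
SAMPLE_PIX_CONFIG = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout h323 0:05:00 sip 0:02:00 sip_media 0:02:00
"""

def pix_timeout_seconds(config, name):
    """Return the idle timeout for `name` (e.g. "sip") in seconds, or None."""
    pattern = r"(?<!\S)%s (\d+):(\d\d):(\d\d)(?!\S)" % re.escape(name)
    for line in config.splitlines():
        if line.startswith("timeout "):
            m = re.search(pattern, line)
            if m:
                h, mins, secs = map(int, m.groups())
                return h * 3600 + mins * 60 + secs
    return None

def closed_windows(idle_timeout, refresh_interval, horizon):
    """(start, end) windows in seconds during which the inbound hole is closed.

    Model: SIP traffic crosses the PIX at t = 0, refresh_interval, ... and each
    packet restarts the idle timer. A gap appears only when the timer is
    shorter than the interval (the "less than" condition in the post).
    """
    windows, t = [], 0
    while t < horizon:
        start, nxt = t + idle_timeout, t + refresh_interval
        if idle_timeout < refresh_interval and start < horizon:
            windows.append((start, min(nxt, horizon)))
        t = nxt
    return windows

def audit(config, qualify_interval, register_expiry, horizon=7200):
    """Compare inbound reachability with qualify on and with qualify off."""
    timeout = pix_timeout_seconds(config, "sip")
    if timeout is None:
        raise ValueError("no 'timeout ... sip' entry found")
    # With qualify on, traffic passes at least every qualify_interval seconds;
    # with it off, only the phone's re-registration reopens the hole.
    on = closed_windows(timeout, min(qualify_interval, register_expiry), horizon)
    off = closed_windows(timeout, register_expiry, horizon)
    return {"sip_timeout": timeout, "qualify_on": on, "qualify_off": off}

if __name__ == "__main__":
    # 60 s qualify interval as in the post; 3600 s expiry is a constructed value.
    print(audit(SAMPLE_PIX_CONFIG, qualify_interval=60, register_expiry=3600))
```

An empty `qualify_on` list means the hole never idles out; each tuple in `qualify_off` is a stretch where inbound calls would fail until the next re-registration.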