[asterisk-users] Cisco PIX firewall and nat=yes

Bill Gibbs bgibbs at edurotech.com
Wed Sep 6 09:52:21 MST 2006


Thanks I will check into this.  I don't actually have access to the PIX
(I have to talk to like 3 people to get to the person who actually
manages this for the client) ...but that makes sense too

I currently have it registering at 60 secs

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Peder @
NetworkOblivion
Sent: Wednesday, September 06, 2006 12:28 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Cisco PIX firewall and nat=yes

There is a "Timeout SIP" in the config.  What is it set to?  If it is
less than the qualify interval, which I believe is 60 seconds, then
the PIX will close the inbound hole for qualify traffic.  We've got lots
of phones at several remote sites all running behind PIXes and all being
NAT'd to the same IP (per location) and everything works perfectly if
qualify is on.  If we disable qualify, then the "SIP inbound hole" gets
closed per the "Timeout SIP" and calls don't go through until the phone
re-registers and the hole opens again (they can still call out).

Bill Gibbs wrote:
> As a follow up those commands helped with the outbound calls but inbound
> still had issues.  Asterisk would still show the peer UNREACHABLE.
> Turning off qualify has fixed the problem!
>
> Bill
>
> ------------------------------------------------------------------------
>
> *From:* Bill D'Anjou [mailto:danjou at rocketinternet.net]
> *Sent:* Wednesday, August 23, 2006 12:47 PM
> *To:* Asterisk Users Mailing List - Non-Commercial Discussion
> *Cc:* Bill Gibbs
> *Subject:* RE: [asterisk-users] Cisco PIX firewall and nat=yes
>
> You might need:
>
> fixup protocol sip 5060
> fixup protocol sip udp 5060
>
> in the PIX.... if these commands aren't supported you might need newer
> code.
>
> Bill
>
>     -----Original Message-----
>     *From:* asterisk-users-bounces at lists.digium.com
>     [mailto:asterisk-users-bounces at lists.digium.com] *On Behalf Of* Bill Gibbs
>     *Sent:* Wednesday, August 23, 2006 8:53 AM
>     *To:* Asterisk Users Mailing List - Non-Commercial Discussion
>     *Subject:* [asterisk-users] Cisco PIX firewall and nat=yes
>
>     I have a Polycom 501 that works great from behind simple firewalls,
>     like Dlink, etc however behind a Cisco PIX Firewall I see the
>     register messages for the extensions on the Asterisk CLI but when I
>     do a sip show peers I see:
>
>     702/702                    x.x.x.x     D   N      54297  UNREACHABLE
>     701/701                    x.x.x.x     D   N      54297  UNREACHABLE
>     700/700                    x.x.x.x     D   N      54297  UNREACHABLE
>
>     But I see stuff like
>
>     n       Registered SIP '702' at x.x.x.x port 54297 expires 60
>
>     I have a single phone with multiple extensions in the example above.
>     As a test I changed that phone to a single extension (700), I see
>     the Registered line but it still says UNREACHABLE.
>
>     I know the Asterisk config is good because every device (soft, hard
>     phone) works and I know the NAT works because I've tested that out.
>
>     So...I'm thinking it has something to do with the PIX.  Any ideas?
>
>     Bill
>

-- 

Network stuff you didn't know....
http://www.networkoblivion.com
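
Added example (not part of the original thread, and not PIX or Asterisk code): a simplified idle-timer model of the behaviour described above, showing when the inbound hole is closed and which qualify probes get dropped. The model itself, the function name simulate and all sample intervals are assumptions made for illustration.

```python
# Simplified model of a stateful firewall's SIP/UDP pinhole (assumption:
# one idle timer per mapping, refreshed by every packet that passes).
# This is an illustration only, not how any PIX release is implemented.

def simulate(timeout, register_every, qualify_every=None,
             qualify_offset=None, horizon=600):
    """Return (closed_windows, dropped_probes); all times in seconds.

    timeout        -- firewall idle timeout for the SIP mapping
    register_every -- phone's REGISTER interval (outbound, always passes)
    qualify_every  -- server's qualify probe interval (inbound), or None
    qualify_offset -- time of the first probe (defaults to qualify_every)
    """
    events = [(t, "register") for t in range(0, horizon, register_every)]
    if qualify_every:
        first = qualify_every if qualify_offset is None else qualify_offset
        events += [(t, "qualify") for t in range(first, horizon, qualify_every)]
    # On a tie the outbound REGISTER is processed first: it reopens the hole.
    events.sort(key=lambda e: (e[0], e[1] != "register"))

    last_seen = None          # time of the last packet that passed
    closed, dropped = [], []
    for t, kind in events:
        expired = last_seen is None or t - last_seen >= timeout
        if kind == "qualify" and expired:
            dropped.append(t)  # inbound probe hits a closed hole
            continue           # a dropped packet does not refresh the timer
        if expired and last_seen is not None:
            closed.append((last_seen + timeout, t))
        last_seen = t
    if last_seen is not None and horizon - last_seen > timeout:
        closed.append((last_seen + timeout, horizon))
    return closed, dropped


if __name__ == "__main__":
    # Constructed sample values: 30 s firewall timeout, 60 s registration.
    for label, kwargs in [
        ("no qualify", {}),
        ("qualify every 20 s", {"qualify_every": 20}),
        ("qualify every 60 s, first at 45 s",
         {"qualify_every": 60, "qualify_offset": 45}),
    ]:
        closed, dropped = simulate(30, 60, horizon=180, **kwargs)
        print(f"{label}: closed={closed} dropped_probes={dropped}")
```

In this model a probe interval shorter than the firewall timeout keeps the hole open the whole time, while a longer one leaves every probe hitting a closed hole, which is the condition under which the server would report the peer as unreachable.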
