[asterisk-users] Asterisk & Pix firewalls

shadowym shadowym at hotmail.com
Wed Apr 25 09:17:16 MST 2007


Yes, we found (at least with Aastra phones) that we had to disable the SIP
fixup protocols on a pix 501.

Here is the whole setup.  
NOTE: I could be wrong but I believe the requirement to open ports
10000-20000 for remote extensions has become an urban myth.  I don't think
you need to open any more than you have extensions + maybe a few more as a
buffer.  That is what we are doing and haven't had any problems.  I'm no
expert so someone please correct me if I'm wrong.

Here is the procedure:

start>>>
Firewall/Router configuration:

The following ports needed to be forwarded to the Asterisk server for
various kinds of remote access:

Port 80 (FreePBX web access)
Port 4445 (Flash Operator Panel web access)
Port 4569 (IAX remote phone clients)
Ports 5059-5061 (registration and proxy server access, default is 5060)
Ports 10000-10025 (ports reserved for RTP voice packets for SIP phone
conversations)

Aastra Phones as external extensions

This assumes the Asterisk server is configured for external extensions and
the extension configuration in Asterisk is configured to be used as an
external extension.  Both are described earlier in this guide (sip_nat.conf,
nat=yes).

Reset the phone to factory defaults.  All you need to configure in the phone
are phone number, callerID, authentication name, password, Proxy IP and
Registrar IP.  Leave everything else at default and it should work.  I also
changed registration retry timer and BLF subscription period to 120s.

Special note about Cisco PIX firewall
In order to make Aastra phones work outside a Cisco PIX firewall to the
Asterisk server inside the firewall, we needed to remove "fixup protocol sip
5060" and "fixup protocol sip udp 5060", which are both enabled by default.

no fixup protocol sip 5060
no fixup protocol sip udp 5060

Special note about extensions over VPN

In order to make extensions work over VPNs we had to add the VPN subnets to
sip_nat.conf to make the phones on the 192.168.2.0 and 192.168.3.0 subnets
work with the Asterisk server on the 192.168.1.0 subnet.  Here is the whole
sip_nat.conf file:

nat=yes
externip=xxx.xxx.xxx.xxx
localnet=192.168.1.0/255.255.255.0
localnet=192.168.2.0/255.255.255.0 ; VPN1 to 192.168.1.0 (Asterisk comments start with ';')
localnet=192.168.3.0/255.255.255.0 ; VPN2 to 192.168.1.0
externrefresh=10

<<<the end


-----Original Message-----
From: C F [mailto:shmaltz at gmail.com] 
Sent: Tuesday, April 24, 2007 8:31 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Asterisk & Pix firewalls

AFAIK asterisk doesn't yet support TCP, it is therefore not necessary to open
TCP 5060. On Cisco PIX you might also need to disable SIP fixup.

On 4/24/07, Lee Jenkins <lee at datatrakpos.com> wrote:
> Noah Miller wrote:
> > Hi Don
> >
> >> I asked this last week but I didn't get any answer, so I will
> >> elaborate on my question.  I need to set up a PIX 515 firewall (running
> >> 7.2.2 OS) to allow SIP traffic through it from a SIP phone wherever I
> >> may be.  The PIX is where all my servers are colocated and I will need
> >> to connect through it from softphones/hardphones wherever I happen to
> >> be traveling.  I need help setting up the PIX for inbound and outbound
> >> SIP/IAX traffic.  Any help would be greatly appreciated.
> >
> > If you're looking for which ports to open:
> >
> > SIP:
> > TCP and UDP port 5060 (signalling) - can be changed in sip.conf
> > UDP ports 10000-20000 (RTP stream) - can be changed in rtp.conf
> >
> > IAX:
> > UDP port 4569
> >
> >
>
> Is it possible to reduce the number of ports to be opened if there is 
> moderate traffic?
>
> --
>
> Warm Regards,
>
> Lee
>
>
>
> _______________________________________________
> --Bandwidth and Colocation provided by Easynews.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
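The port list above forwards UDP 10000-10025 for RTP, but Asterisk only confines itself to that range if rtp.conf (rtpstart/rtpend) says so; with the shipped defaults it hands out ports the firewall never forwards and calls get one-way audio. Each audio stream Asterisk terminates also consumes a pair of ports (an even RTP port and the next odd port for RTCP), and a call whose media Asterisk bridges between two SIP phones takes two such streams, so a 26-port range is smaller than it looks. The checker below is an added example written for this page, not code from the thread or from Asterisk; the rtp.conf text, the forward list and the function names are constructed for it.

```python
"""Check an Asterisk rtp.conf RTP port range against a firewall's forward list.

Added example, not code from the thread.  Asterisk uses the rtpstart/rtpend
range from rtp.conf and takes an even RTP port plus the next odd RTCP port
per audio stream.  Both configs below are constructed for this example.
"""
import configparser
from typing import List, Tuple

PortRange = Tuple[int, int]

# Constructed rtp.conf narrowed to match the forwarded range.  Asterisk's
# shipped rtp.conf.sample defaults are rtpstart=5000 / rtpend=31000.
SAMPLE_RTP_CONF = """\
[general]
; keep RTP inside the UDP range the firewall forwards to this host
rtpstart=10000
rtpend=10025
"""

# Constructed: UDP ranges the firewall forwards to the Asterisk host
# (IAX, SIP signalling, RTP), mirroring the list in the thread.
FORWARDED_UDP: List[PortRange] = [(4569, 4569), (5059, 5061), (10000, 10025)]


def parse_rtp_range(text: str) -> PortRange:
    """Return (rtpstart, rtpend) from rtp.conf text, using Asterisk's defaults if absent."""
    cp = configparser.ConfigParser(
        comment_prefixes=(";",), inline_comment_prefixes=(";",), strict=False
    )
    cp.read_string(text)
    start = cp.getint("general", "rtpstart", fallback=5000)
    end = cp.getint("general", "rtpend", fallback=31000)
    if not 1024 <= start < end <= 65535:
        raise ValueError(f"bad RTP range {start}-{end}")
    return start, end


def unforwarded_ports(rtp: PortRange, forwards: List[PortRange]) -> List[int]:
    """Ports in the RTP range that no forwarded range covers (audio sent there is lost)."""
    start, end = rtp
    return [p for p in range(start, end + 1)
            if not any(lo <= p <= hi for lo, hi in forwards)]


def max_streams(rtp: PortRange) -> int:
    """Number of (even RTP, odd RTCP) port pairs the range can hand out."""
    start, end = rtp
    first_even = start + (start % 2)
    return max(0, (end - first_even + 1) // 2)


def check(rtp_conf: str, forwards: List[PortRange], needed_streams: int) -> Tuple[bool, str]:
    """Combine the checks into a pass/fail plus a one-line reason."""
    rtp = parse_rtp_range(rtp_conf)
    missing = unforwarded_ports(rtp, forwards)
    if missing:
        return False, f"{len(missing)} RTP ports not forwarded, first is {missing[0]}"
    streams = max_streams(rtp)
    if streams < needed_streams:
        return False, f"range supports {streams} streams, {needed_streams} needed"
    return True, f"ok: {rtp[0]}-{rtp[1]} forwarded, {streams} streams available"


if __name__ == "__main__":
    # Narrowed range, ten simultaneous streams wanted: passes
    print(check(SAMPLE_RTP_CONF, FORWARDED_UDP, needed_streams=10))
    # Default range (no rtpstart/rtpend set) with the same forward list: fails
    print(check("[general]\n", FORWARDED_UDP, needed_streams=10))
```

Run it against the real rtp.conf and the forward list pulled from the firewall; if the second check fires, either widen the forwarded range or lower the expected number of concurrent calls, remembering that phone-to-phone calls bridged through Asterisk with nat=yes count twice.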