[asterisk-users] oneway audio with asterisk behind cisco pix 506

ListAcct listacc at ocosa.com
Sat Feb 9 00:18:19 CST 2008


No problem.  :-P  I thought it might be wise to include everything you 
needed just in case!! LOL! You are welcome!!!

--Otis 

Ravichandran Rajagopal wrote:
> LOL I guess all I was asking for was the changes to be made in the Cisco PIX
> 506. I think you gave me a short tutorial on VI as well. Thanks once again
> for this help. Let me work on these changes and test the one-way audio
> problem and go from there.
> Thx
> Ravi
>
> -----Original Message-----
> From: ListAcct [mailto:listacc at ocosa.com] 
> Sent: Friday, February 08, 2008 11:55 PM
> To: ravi at vaishnavy.com
> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
> 506
>
> Ravi,
>
> I will explain changing the config in asterisk and the pix:
>
> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to 
> 10000 to 10050 (to start, you will need to increase later as ports fill up)
>
> (use insert to make a change in a file)
>
> to save:
>
>    1. esc
>    2. shift + colon
>    3. wq (to save)
>
> If you made a mistake and do not want to save but you changed something 
> in the file:
>
>    1. esc
>    2. shift + colon
>    3. q! (to exit)
>
>
> Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case, but 
> the static and conduit commands, so this is an example from my setup.
>
> These are not usable IPs on the Internet or my IPs but just an example....
>
> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
>
> interface ethernet0 100full (sets the duplex and turns on interface)
> interface ethernet1 100full (sets the duplex and turns on interface)
>
> nameif ethernet0 outside security0 (lower security)
> nameif ethernet1 dmz security50 (higher security)
>
> no fixup protocol sip 5060
> no fixup protocol sip udp 5060
>
> ! - this makes things easier so now the pix knows the IP of the asterisk 
> box and maps the ip to the name just for configuration purposes only so 
> if you had 20 servers or devices you wanted public access to it's just 
> easier to remember their names versus IPs.
> name 192.168.254.11 dns
> name 192.168.254.10 asterisk
>
> ! - the static command is used as a permanent mapper from one inside, 
> dmz, or other to the global ip vice versa. (Rule of thumb if you map 
> using static make sure you have a conduit command)
> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
>
> ! - here is where you open the ports on the global side to the asterisk 
> box. (the conduit command allows connections from lower security 
> interfaces to higher security interfaces)
> conduit permit udp host 192.168.1.22 eq 10000 any
> conduit permit udp host 192.168.1.22 eq 10001 any
> conduit permit udp host 192.168.1.22 eq 10002 any
> conduit permit udp host 192.168.1.22 eq 10003 any
> conduit permit udp host 192.168.1.22 eq 10004 any
> conduit permit udp host 192.168.1.22 eq 10005 any
>
> Hope this helps!
>
> --Otis
>
>
> Ravichandran Rajagopal wrote:
>   
>> Otis,
>> I am new to Cisco PIX 506 and I am learning this. If you can help me with
>> how to do this change on Cisco PIX it would be greatly appreciated. 
>>
>> Thx
>> Ravi
>>
>> -----Original Message-----
>> From: ListAcct [mailto:listacc at ocosa.com] 
>> Sent: Friday, February 08, 2008 11:11 PM
>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
>> Discussion
>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>> 506
>>
>> Ravi,
>>
>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host 
>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to 
>> something you can configure (10000 to 10200) unless you write a script 
>> to just copy and paste about 10000 to 20000 ports in your config on the 
>> pix. Cisco's are strange but secure.
>>
>> It took me about two hours to figure out after taking off the fixup and 
>> no more logging/debugging from the cisco. I actually fixed it while a call 
>> was coming in. LOL! Let me know!!!
>>
>> --Otis
>>
>> Ravichandran Rajagopal wrote:
>>   
>>     
>>> Hi,
>>>
>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I 
>>> am getting a one-way audio. I need your help/guidance to resolve this 
>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506. 
>>> Any help rendered by you in this subject is greatly appreciated. I 
>>> have been breaking my head trying to resolve this problem for more 
>>> than one month. I have included the sip.conf and the extensions.conf 
>>> below.
>>>
>>> [SIP.conf]
>>>
>>> ; SIP Configuration example for Asterisk
>>>
>>> [general]
>>> context=incoming
>>> allowoverlap=no
>>> bindport=5060
>>> bindaddr=0.0.0.0
>>> localnet=192.168.5.0/255.255.255.0
>>> externip=a.b.ccc.dd
>>> srvlookup=yes
>>> allow=ulaw
>>> allow=alaw
>>>
>>> [incoming]
>>> type=peer
>>> nat=no
>>> canreinvite=no
>>> host=xx.y.z.aaa
>>> qualify=yes
>>> dtmfmode=rfc2833
>>> context=default
>>>
>>> [extensions.conf]
>>>
>>> [general]
>>> static=yes
>>> writeprotect=yes
>>> clearglobalvars=no
>>>
>>> [default]
>>> include => customer
>>> exten => h,1,Hangup
>>> exten => i,1,Congestion
>>> exten => i,2,Hangup
>>>
>>> [agnosco]
>>> include => local-extensions
>>> include => customer_ivr
>>> include => incoming
>>>
>>> [customer_ivr]
>>> include => local-extensions
>>> exten => s,1,Answer
>>> exten => s,n,Background(agnosco_intro)
>>> exten => s,n,WaitExten
>>>
>>> ;Dial said extensions
>>> exten => 5,1,Dial(SIP/4028805362@incoming,30)
>>>
>>> [incoming]
>>> exten => 4025901000,1,Goto(1000,1)
>>> exten => 1000,1,Goto(customer_ivr,s,1)
>>>
>>> Thanks
>>>
>>> sunMoonstar.
>>>

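Added example, not part of the original thread: a check that the RTP port span in rtp.conf and the per-port conduit lines on the PIX agree, since any RTP port without a conduit is dropped at the firewall and any conduit outside the span is an open port Asterisk never uses. It assumes the standard rtpstart/rtpend options in rtp.conf and only the single-port "eq" conduit form shown in the thread; the function names and the sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs modelled on the thread: rtp.conf narrowed to
# 10000-10050, and the static plus six conduit lines from the PIX example.
RTP_CONF = """\
[general]
rtpstart=10000
rtpend=10050
"""
PIX_CONF = "static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0\n" + \
    "".join(f"conduit permit udp host 192.168.1.22 eq {p} any\n" for p in range(10000, 10006))

CONDUIT_RE = re.compile(r"^\s*conduit\s+permit\s+udp\s+host\s+(\S+)\s+eq\s+(\d+)\s+any\s*$", re.M)

def rtp_range(rtp_conf):
    """Return (rtpstart, rtpend) from rtp.conf text, ignoring ';' comments."""
    opts = {}
    for line in rtp_conf.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key.lower()] = value
    start, end = int(opts["rtpstart"]), int(opts["rtpend"])
    if not 0 < start <= end <= 65535:
        raise ValueError(f"bad RTP range {start}-{end}")
    return start, end

def conduit_udp_ports(pix_conf, host):
    """Set of UDP ports opened to `host` by single-port 'eq' conduit lines."""
    return {int(port) for h, port in CONDUIT_RE.findall(pix_conf) if h == host}

def audit(rtp_conf, pix_conf, host):
    """Compare Asterisk's RTP range with what the PIX lets through."""
    start, end = rtp_range(rtp_conf)
    wanted, opened = set(range(start, end + 1)), conduit_udp_ports(pix_conf, host)
    return {
        "blocked": sorted(wanted - opened),   # RTP ports with no conduit: audio dropped
        "unneeded": sorted(opened - wanted),  # open ports Asterisk will never use
    }

def missing_conduits(rtp_conf, pix_conf, host):
    """Conduit lines, in the thread's syntax, for every blocked RTP port."""
    return [f"conduit permit udp host {host} eq {p} any"
            for p in audit(rtp_conf, pix_conf, host)["blocked"]]

if __name__ == "__main__":
    result = audit(RTP_CONF, PIX_CONF, "192.168.1.22")
    print(f"{len(result['blocked'])} RTP ports blocked, {len(result['unneeded'])} unneeded")
    print("\n".join(missing_conduits(RTP_CONF, PIX_CONF, "192.168.1.22")[:3]))
```

With the thread's numbers (span 10000 to 10050, conduits for 10000 to 10005) the audit reports 45 blocked ports, which is the gap to close either by adding conduit lines or by narrowing the span in rtp.conf.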


