[asterisk-users] oneway audio with asterisk behind cisco pix 506

Ravichandran Rajagopal ravichandran.rajagopal at gmail.com
Sat Feb 9 12:53:51 CST 2008


I tried the following ACL command

"access-list asterisk permit udp 0.0.0.0 192.168.5.0  range 10000 20000"

and I got the following response back

"[no] access-list <id> [line <line-num>] deny|permit icmp
	<sip> <smask> | interface <if_name> | object-group
<network_obj_grp_id>
	<dip> <dmask> | interface <if_name> | object-group
<network_obj_grp_id>
	[<icmp_type> | object-group <icmp_type_obj_grp_id>]
	[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed"

I don't know how to enter into the linux interface of the Cisco Pix 506
firewall



-----Original Message-----
From: Joris Cras [mailto:joris at bitnetwerk.nl] 
Sent: Saturday, February 09, 2008 3:23 AM
To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
506

Ravi,

there is an easy way of creating all those commands in linux.
just run the following in a shell (one conduit line per port, in the form Otis gave):
for x in $(seq 10001 10050); do echo "conduit permit udp host 192.168.5.0 eq $x any"; done

This will create all your PIX rules at once.
 
I think you could also use Cisco ACLs
 access-list [name] permit udp [source] [destination] range
This would be in your case something like:
 access-list asterisk permit udp 0.0.0.0 192.168.5.0  range 10000 10050

Good luck.

Joris

Ravichandran Rajagopal wrote:
> Otis,
> I wanted to clarify what you said and what I comprehended. 
>
> the SIP protocols are disabled in fixup. 
> ========================================================
> Having said that I guess all I have to do is just the following.
> the inside IP of asterisk server is 192.168.5.0
>
> On the cisco PIX firewall enter the following.
> 192.168.5.0 eq 10000 any conduit permit udp host 192.168.5.0 eq 10001 any
> conduit permit udp host
> 192.168.5.0 eq 10001 any conduit permit udp host 192.168.5.0 eq 10002 any
> conduit permit udp host
> ....................................
> ...................................
> .....................
> 192.168.5.0 eq 10049 any conduit permit udp host 192.168.5.0 eq 10050 any
> conduit permit udp host
>
> in the rtp.conf in /etc/asterisk 
> change the ending port 20000 (which is what it currently is) to 10050 
>
> Is there an easier way to make the entries in Cisco PIX firewall ?
>
> Thx
> Ravi 
>
> -----Original Message-----
> From: ListAcct [mailto:listacc at ocosa.com] 
> Sent: Saturday, February 09, 2008 12:18 AM
> To: ravi at vaishnavy.com
> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
> 506
>
> No problem.  :-P  I thought it might be wise to include everything you 
> needed just in case!! LOL! You are welcome!!!
>
> --Otis 
>
> Ravichandran Rajagopal wrote:
>> LOL I guess all I was asking for the changes to be made in the Cisco PIX
>> 506. I think you gave me a short tutorial on VI as well. Thanks once again
>> for this help. Let me work on these changes and test the one-way audio
>> problem and go from there.
>> Thx
>> Ravi
>>
>> -----Original Message-----
>> From: ListAcct [mailto:listacc at ocosa.com] 
>> Sent: Friday, February 08, 2008 11:55 PM
>> To: ravi at vaishnavy.com
>> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>> 506
>>
>> Ravi,
>>
>> I will explain changing the config in asterisk and the pix:
>>
>> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to 
>> 10000 to 10050 (to start, you will need to increase later as ports fill up)
>> (use insert to make a change in a file)
>>
>> to save:
>>
>>    1. esc
>>    2. shift + colon
>>    3. wq (to save)
>>
>> If you made a mistake and do not want to save but you changed something 
>> in the file:
>>
>>    1. esc
>>    2. shift + colon
>>    3. q! (to exit)
>>
>>
>> Cisco Pix - on my old Pix 520 UR I do not use ACLs; for this case I use the 
>> static and conduit commands, so this is an example from my setup.
>>
>> These are not usable IPs on the Internet or my IPs but just an example....
>> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
>> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
>>
>> interface ethernet0 100full (sets the duplex and turns on interface)
>> interface ethernet1 100full (sets the duplex and turns on interface)
>>
>> nameif ethernet0 outside security0 ( lower security)
>> nameif ethernet1 dmz security50 (higher security)
>>
>> no fixup protocol sip 5060
>> no fixup protocol sip udp 5060
>>
>> ! - this makes things easier so now the pix knows the IP of the asterisk 
>> box and maps the ip to the name just for configuration purposes only so 
>> if you had 20 servers or devices you wanted public access to it's just 
>> easier to remember their names versus IPs.
>> name 192.168.254.11 dns
>> name 192.168.254.10 asterisk
>>
>> ! - the static command is used as a permanent mapper from one inside, 
>> dmz, or other to the global ip vice versa. (Rule of thumb if you map 
>> using static make sure you have a conduit command)
>> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
>>
>> ! - here is where you open the ports on the global side to the asterisk 
>> box. (the conduit command allows connections from lower security 
>> interfaces to higher security interfaces)
>> conduit permit udp host 192.168.1.22 eq 10000 any
>> conduit permit udp host 192.168.1.22 eq 10001 any
>> conduit permit udp host 192.168.1.22 eq 10002 any
>> conduit permit udp host 192.168.1.22 eq 10003 any
>> conduit permit udp host 192.168.1.22 eq 10004 any
>> conduit permit udp host 192.168.1.22 eq 10005 any
>>
>> Hope this helps!
>>
>> --Otis
>>
>>
>> Ravichandran Rajagopal wrote:
>>> Otis,
>>> I am new to Cisco PIX 506 and I am learning this. If you can help me with
>>> how to do this change on Cisco PIX it would be greatly appreciated. 
>>>
>>> Thx
>>> Ravi
>>>
>>> -----Original Message-----
>>> From: ListAcct [mailto:listacc at ocosa.com] 
>>> Sent: Friday, February 08, 2008 11:11 PM
>>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
>>> Discussion
>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>> 506
>>>
>>> Ravi,
>>>
>>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host 
>>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to 
>>> something you can configure (10000 to 10200) unless you write a script 
>>> to just copy and paste about 10000 to 20000 ports in your config on the 
>>> pix. Cisco's are strange but secure.
>>>
>>> It took me about two hours to figure out after taking off the fixup and 
>>> no more logging/debugging from the cisco. I actually fixed it while a call 
>>> was coming in. LOL! Let me know!!!
>>>
>>> --Otis
>>>
>>> Ravichandran Rajagopal wrote:
>>>> Hi,
>>>>
>>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I 
>>>> am getting a one-way audio. I need your help/guidance to resolve this 
>>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506. 
>>>> Any help rendered by you in this subject is greatly appreciated. I 
>>>> have been breaking my head trying to resolve this problem for more 
>>>> than one month. I have included the sip.conf and the extensions.conf 
>>>> below.
>>>>
>>>> [SIP.conf]
>>>>
>>>> ; SIP Configuration example for Asterisk
>>>>
>>>> [general]
>>>> context=incoming
>>>> allowoverlap=no
>>>> bindport=5060
>>>> bindaddr=0.0.0.0
>>>> localnet=192.168.5.0/255.255.255.0
>>>> externip=a.b.ccc.dd
>>>> srvlookup=yes
>>>> allow=ulaw
>>>> allow=alaw
>>>>
>>>> [incoming]
>>>> type=peer
>>>> nat=no
>>>> canreinvite=no
>>>> host=xx.y.z.aaa
>>>> qualify=yes
>>>> dtmfmode=rfc2833
>>>> context=default
>>>>
>>>> [extensions.conf]
>>>>
>>>> [general]
>>>> static=yes
>>>> writeprotect=yes
>>>> clearglobalvars=no
>>>>
>>>> [default]
>>>> include => customer
>>>> exten => h,1,Hangup
>>>> exten => i,1,Congestion
>>>> exten => i,2,Hangup
>>>>
>>>> [agnosco]
>>>> include => local-extensions
>>>> include => customer_ivr
>>>> include => incoming
>>>>
>>>> [customer_ivr]
>>>> include => local-extensions
>>>> exten => s,1,Answer
>>>> exten => s,n,Background(agnosco_intro)
>>>> exten => s,n,WaitExten
>>>> ;Dial said extensions
>>>> exten => 5,1,Dial(SIP/4028805362 at incoming,30)
>>>>
>>>> [incoming]
>>>> exten => 4025901000,1,Goto(1000,1)
>>>> exten => 1000,1,Goto(customer_ivr,s,1)
>>>>
>>>> Thanks
>>>>
>>>> sunMoonstar.
>>>>
>>>>
>>>> _______________________________________________
>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>
>>>> asterisk-users mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
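As an added example (not code from the thread or from any of its authors), the POSIX shell script below generates the PIX 6.x "conduit" lines Otis described for a chosen RTP range, the equivalent access-list/access-group form that Ravi was trying to use, and the matching rtp.conf stanza, so the firewall range and the Asterisk range cannot drift apart. The global address 192.168.1.22, the ACL name "asterisk", the interface name "outside" and the 10000-10050 range are assumed placeholders.

```shell
#!/bin/sh
# Added example for the PIX/Asterisk RTP thread; not the list's or Cisco's code.
# Assumptions: PUBLIC_IP is the static-mapped global address of the Asterisk
# box, the ACL is applied inbound on the interface named "outside".
PUBLIC_IP="192.168.1.22"
RTP_START=10000
RTP_END=10050

# One "conduit permit udp host <ip> eq <port> any" line per UDP port,
# the pre-ACL PIX form used in Otis's example.
pix_conduits() {
    start=$1; end=$2; ip=$3
    p=$start
    while [ "$p" -le "$end" ]; do
        echo "conduit permit udp host $ip eq $p any"
        p=$((p + 1))
    done
}

# ACL alternative (assumed PIX 6.x syntax): any source, host destination,
# one "range" keyword instead of one line per port, then bind the list.
pix_acl() {
    start=$1; end=$2; ip=$3
    echo "access-list asterisk permit udp any host $ip range $start $end"
    echo "access-group asterisk in interface outside"
}

# rtp.conf stanza that matches the range opened on the firewall.
rtp_conf() {
    printf '[general]\nrtpstart=%s\nrtpend=%s\n' "$1" "$2"
}

# Sanity check: the number of conduit lines must cover every port in range.
conduit_count() {
    pix_conduits "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone run: print the firewall and Asterisk fragments.
pix_conduits "$RTP_START" "$RTP_END" "$PUBLIC_IP"
pix_acl "$RTP_START" "$RTP_END" "$PUBLIC_IP"
rtp_conf "$RTP_START" "$RTP_END"
```

Paste the conduit or ACL output into the PIX configuration and the rtp.conf stanza into /etc/asterisk/rtp.conf; widen both together when the 51-port range fills up.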