[asterisk-users] oneway audio with asterisk behind cisco pix 506

Ravichandran Rajagopal ravichandran.rajagopal at gmail.com
Sun Feb 10 10:01:46 CST 2008


This is what I implemented

access-list asterisk permit udp any host 192.168.5.0 range 10000 20000

Thx
Ravi
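Added example, not from any message in this thread: a POSIX shell script that reads rtpstart/rtpend from rtp.conf and generates the matching PIX configuration, so the span opened on the firewall is derived from the span Asterisk actually uses instead of being typed in twice. The interface names inside/outside, the ACL name asterisk, the addresses 192.168.1.22 (public), 192.168.5.10 (Asterisk) and 203.0.113.5 (SIP provider), and the embedded rtp.conf are assumptions constructed for the example; nothing here is the configuration of anyone in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Derives the PIX rules from rtp.conf so the
# firewall span and the Asterisk RTP span cannot drift apart.
# Assumptions: interface names inside/outside, ACL name "asterisk", and the
# constructed addresses and rtp.conf below.

# Constructed rtp.conf; a real run would use: rtp_range < /etc/asterisk/rtp.conf
SAMPLE_RTP_CONF='[general]
; RTP port span used by Asterisk for media
rtpstart=10000
rtpend=10050
'

# Read an rtp.conf on stdin and print "START END". Comments (;) and whitespace
# are stripped first; the last value wins if a key is repeated. Returns 1 when
# either key is missing or the span is inverted.
rtp_range() {
  conf=$(cat)
  start=$(printf '%s\n' "$conf" | sed 's/;.*//' | tr -d ' \t' | awk -F= '$1=="rtpstart"{print $2}' | tail -n 1)
  end=$(printf '%s\n' "$conf" | sed 's/;.*//' | tr -d ' \t' | awk -F= '$1=="rtpend"{print $2}' | tail -n 1)
  [ -n "$start" ] && [ -n "$end" ] || return 1
  [ "$start" -le "$end" ] || return 1
  printf '%s %s\n' "$start" "$end"
}

# PIX 6.x style config: SIP inspection off (Asterisk handles NAT itself via
# externip/localnet), a one-to-one static, and an ACL that admits SIP and the
# RTP span only. PEER is the provider's address, or "any" when media can come
# from arbitrary hosts.
pix_acl() {  # usage: pix_acl PUBLIC PRIVATE PEER START END
  public=$1; private=$2; peer=$3; start=$4; end=$5
  case $peer in any) src=any ;; *) src="host $peer" ;; esac
  cat <<EOF
no fixup protocol sip 5060
no fixup protocol sip udp 5060
static (inside,outside) $public $private netmask 255.255.255.255 0 0
access-list asterisk permit udp $src host $public eq 5060
access-list asterisk permit udp $src host $public range $start $end
access-group asterisk in interface outside
EOF
}

# Older PIX software without "range": one conduit per port, which is what the
# for/seq loop in the thread was trying to produce.
pix_conduits() {  # usage: pix_conduits PUBLIC START END
  port=$2
  while [ "$port" -le "$3" ]; do
    printf 'conduit permit udp host %s eq %s any\n' "$1" "$port"
    port=$((port + 1))
  done
}

# Check before pasting: the firewall span must equal the Asterisk span.
# A narrower firewall span drops media for calls that land on unopened ports
# (one-way audio); a wider one exposes ports Asterisk never listens on.
ranges_match() {  # usage: ranges_match RTP_START RTP_END FW_START FW_END
  [ "$1" -eq "$3" ] && [ "$2" -eq "$4" ]
}

range=$(printf '%s' "$SAMPLE_RTP_CONF" | rtp_range) || { echo "no usable rtpstart/rtpend" >&2; exit 1; }
rtp_start=${range%% *}
rtp_end=${range##* }
pix_acl 192.168.1.22 192.168.5.10 203.0.113.5 "$rtp_start" "$rtp_end"
pix_conduits 192.168.1.22 "$rtp_start" "$rtp_end" | head -n 3
ranges_match "$rtp_start" "$rtp_end" 10000 20000 || echo "warning: firewall span 10000-20000 does not match rtp.conf span $range" >&2
```

The source restriction is the part worth keeping even if the rest is retyped by hand: the RTP span only needs to admit the hosts that actually send media, so use the provider's address rather than any when the provider's media comes from the same address as its signalling (many providers use separate media servers, so confirm with a capture before narrowing it). Size the span to call volume, since Asterisk uses one RTP/RTCP port pair per call leg: 10000-10050 covers roughly 25 concurrent calls. With SIP fixup off the PIX no longer rewrites the SDP, so externip and localnet in sip.conf must be correct or the far end is told to send media to a private address, which is one of the usual causes of one-way audio.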

-----Original Message-----
From: Wendell Hamilton [mailto:routerguy at rightsolve.com] 
Sent: Saturday, February 09, 2008 11:07 PM
To: ravi at vaishnavy.com
Cc: Joris Cras; Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506

Did you only open up the one port (10000)?  You need to open up a range, if you're doing it this way, like 10000-10020 and then set your rtp ports in asterisk to the same range. 

----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:
> I made the following changes and I am still facing one way audio with
> my call flow.
> 
> -----Original Message-----
> From: Wendell Hamilton [mailto:routerguy at rightsolve.com] 
> Sent: Saturday, February 09, 2008 1:58 PM
> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
> Cc: Joris Cras; ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> 
> try:
> access-list asterisk permit udp any host x.x.x.x eq 10000
> 
> ----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:
> > I tried the following ACL command
> > 
> > "access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 20000"
> > 
> > and I got the following response back
> > 
> > "[no] access-list <id> [line <line-num>] deny|permit icmp
> >      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
> >      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
> >      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
> >      [log [disable|default] | [<level>] [interval <secs>]]
> > Restricted ACLs for route-map use:
> > [no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
> > Command failed"
> > 
> > I don't know how to enter into the Linux interface of the Cisco PIX 506 firewall.
> > 
> > 
> > 
> > -----Original Message-----
> > From: Joris Cras [mailto:joris at bitnetwerk.nl] 
> > Sent: Saturday, February 09, 2008 3:23 AM
> > To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
> > Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> > 
> > Ravi,
> > 
> > There is an easy way of creating all those commands in Linux.
> > Just run the following in a shell (one conduit line per RTP port):
> > for x in $(seq 10001 10050); do echo "conduit permit udp host 192.168.5.0 eq $x any"; done
> > 
> > This will create all your PIX rules at once.
> >  
> > I think you could also use Cisco ACL's
> >  access-list [name] permit udp [source] [destination] range
> > This would be in your case something like:
> >  access-list asterisk permit udp 0.0.0.0 192.168.5.0  range 10000
> > 10050
> > 
> > Good luck.
> > 
> > Joris
> > 
> > Ravichandran Rajagopal wrote:
> > > Otis,
> > > I wanted to clarify what you said and what I comprehended. 
> > >
> > > the SIP protocols are disabled in fixup. 
> > > ========================================================
> > > Having said that I guess all I have to do is just the following.
> > > the inside IP of asterisk server is 192.168.5.0
> > >
> > > On the Cisco PIX firewall enter the following.
> > > conduit permit udp host 192.168.5.0 eq 10000 any
> > > conduit permit udp host 192.168.5.0 eq 10001 any
> > > conduit permit udp host 192.168.5.0 eq 10002 any
> > > ....................................
> > > ...................................
> > > .....................
> > > conduit permit udp host 192.168.5.0 eq 10049 any
> > > conduit permit udp host 192.168.5.0 eq 10050 any
> > >
> > > in the rtp.conf in /etc/asterisk
> > > change the ending port 20000 (which is what it currently is) to 10050
> > >
> > > Is there an easier way to make the entries in the Cisco PIX firewall?
> > >
> > > Thx
> > > Ravi 
> > >
> > > -----Original Message-----
> > > From: ListAcct [mailto:listacc at ocosa.com] 
> > > Sent: Saturday, February 09, 2008 12:18 AM
> > > To: ravi at vaishnavy.com
> > > Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> > > Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> > >
> > > No problem.  :-P  I thought it might be wise to include everything you
> > > needed just in case!! LOL! You are welcome!!!
> > >
> > > --Otis 
> > >
> > > Ravichandran Rajagopal wrote:
> > >> LOL I guess all I was asking for was the changes to be made in the Cisco PIX
> > >> 506. I think you gave me a short tutorial on vi as well. Thanks once again
> > >> for this help. Let me work on these changes and test the one-way audio
> > >> problem and go from there.
> > >> Thx
> > >> Ravi
> > >>
> > >> -----Original Message-----
> > >> From: ListAcct [mailto:listacc at ocosa.com] 
> > >> Sent: Friday, February 08, 2008 11:55 PM
> > >> To: ravi at vaishnavy.com
> > >> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> > >> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> > >>
> > >> Ravi,
> > >>
> > >> I will explain changing the config in asterisk and the pix:
> > >>
> > >> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to
> > >> 10000 to 10050 (to start, you will need to increase later as ports fill up)
> > >> (use insert to make a change in a file)
> > >>
> > >> to save:
> > >>
> > >>    1. esc
> > >>    2. shift + colon
> > >>    3. wq (to save)
> > >>
> > >> If you made a mistake and do not want to save but you changed
> > something 
> > >> in the file:
> > >>
> > >>    1. esc
> > >>    2. shift + colon
> > >>    3. q! (to exit)
> > >>
> > >>
> > >> Cisco PIX - on my old PIX 520 UR I do not use ACLs for this case but the
> > >> static and conduit commands, so this is an example from my setup.
> > >>
> > >> These are not usable IPs on the Internet or my IPs but just an example....
> > >>
> > >> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
> > >> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
> > >>
> > >> interface ethernet0 100full (sets the duplex and turns on interface)
> > >> interface ethernet1 100full (sets the duplex and turns on interface)
> > >>
> > >> nameif ethernet0 outside security0 (lower security)
> > >> nameif ethernet1 dmz security50 (higher security)
> > >>
> > >> no fixup protocol sip 5060
> > >> no fixup protocol sip udp 5060
> > >>
> > >> ! - this makes things easier so now the pix knows the IP of the asterisk
> > >> box and maps the ip to the name just for configuration purposes only so
> > >> if you had 20 servers or devices you wanted public access to it's just
> > >> easier to remember their names versus IPs.
> > >> name 192.168.254.11 dns
> > >> name 192.168.254.10 asterisk
> > >>
> > >> ! - the static command is used as a permanent mapper from one inside,
> > >> dmz, or other to the global ip and vice versa. (Rule of thumb: if you map
> > >> using static make sure you have a conduit command)
> > >> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
> > >>
> > >> ! - here is where you open the ports on the global side to the asterisk
> > >> box. (the conduit command allows connections from lower security
> > >> interfaces to higher security interfaces)
> > >> conduit permit udp host 192.168.1.22 eq 10000 any
> > >> conduit permit udp host 192.168.1.22 eq 10001 any
> > >> conduit permit udp host 192.168.1.22 eq 10002 any
> > >> conduit permit udp host 192.168.1.22 eq 10003 any
> > >> conduit permit udp host 192.168.1.22 eq 10004 any
> > >> conduit permit udp host 192.168.1.22 eq 10005 any
> > >>
> > >> Hope this helps!
> > >>
> > >> --Otis
> > >>
> > >>
> > >> Ravichandran Rajagopal wrote:
> > >>> Otis,
> > >>> I am new to Cisco PIX 506 and I am learning this. If you can help me with
> > >>> how to do this change on Cisco PIX it would be greatly appreciated.
> > >>>
> > >>> Thx
> > >>> Ravi
> > >>>
> > >>> -----Original Message-----
> > >>> From: ListAcct [mailto:listacc at ocosa.com] 
> > >>> Sent: Friday, February 08, 2008 11:11 PM
> > >>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
> > >>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> > >>>
> > >>> Ravi,
> > >>>
> > >>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host
> > >>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
> > >>> something you can configure (10000 to 10200) unless you write a script
> > >>> to just copy and paste about 10000 to 20000 ports in your config on the
> > >>> pix. Cisco's are strange but secure.
> > >>>
> > >>> It took me about two hours to figure out after taking off the fixup and
> > >>> no more logging/debugging from the cisco. I actually fixed it while a call
> > >>> was coming in. LOL! Let me know!!!
> > >>>
> > >>> --Otis
> > >>>
> > >>> Ravichandran Rajagopal wrote:
> > >>>> Hi,
> > >>>>
> > >>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I
> > >>>> am getting one-way audio. I need your help/guidance to resolve this
> > >>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506.
> > >>>> Any help rendered by you in this subject is greatly appreciated. I
> > >>>> have been breaking my head trying to resolve this problem for more
> > >>>> than one month. I have included the sip.conf and the extensions.conf
> > >>>> below.
> > >>>>
> > >>>> [SIP.conf]
> > >>>>
> > >>>> ; SIP Configuration example for Asterisk
> > >>>> [general]
> > >>>> context=incoming
> > >>>> allowoverlap=no
> > >>>> bindport=5060
> > >>>> bindaddr=0.0.0.0
> > >>>> localnet=192.168.5.0/255.255.255.0
> > >>>> externip=a.b.ccc.dd
> > >>>> srvlookup=yes
> > >>>> allow=ulaw
> > >>>> allow=alaw
> > >>>>
> > >>>> [incoming]
> > >>>> type=peer
> > >>>> nat=no
> > >>>> canreinvite=no
> > >>>> host=xx.y.z.aaa
> > >>>> qualify=yes
> > >>>> dtmfmode=rfc2833
> > >>>> context=default
> > >>>>
> > >>>> [extensions.conf]
> > >>>>
> > >>>> [general]
> > >>>> static=yes
> > >>>> writeprotect=yes
> > >>>> clearglobalvars=no
> > >>>>
> > >>>> [default]
> > >>>> include => customer
> > >>>> exten => h,1,Hangup
> > >>>> exten => i,1,Congestion
> > >>>> exten => i,2,Hangup
> > >>>>
> > >>>> [agnosco]
> > >>>> include => local-extensions
> > >>>> include => customer_ivr
> > >>>> include => incoming
> > >>>>
> > >>>> [customer_ivr]
> > >>>> include => local-extensions
> > >>>> exten => s,1,Answer
> > >>>> exten => s,n,Background(agnosco_intro)
> > >>>> exten => s,n,WaitExten
> > >>>> ;Dial said extensions
> > >>>> exten => 5,1,Dial(SIP/4028805362@incoming,30)
> > >>>>
> > >>>> [incoming]
> > >>>> exten => 4025901000,1,Goto(1000,1)
> > >>>> exten => 1000,1,Goto(customer_ivr,s,1)
> > >>>>
> > >>>> Thanks
> > >>>>
> > >>>> sunMoonstar.
> > >>>>
> > >>>>
> > >>>> _______________________________________________
> > >>>> -- Bandwidth and Colocation Provided by
> > http://www.api-digital.com --
> > >>>>
> > >>>> asterisk-users mailing list
> > >>>> To UNSUBSCRIBE or update options visit:
> > >>>>    http://lists.digium.com/mailman/listinfo/asterisk-users