[asterisk-users] oneway audio with asterisk behind cisco pix 506

Ravichandran Rajagopal ravichandran.rajagopal at gmail.com
Sun Feb 10 10:25:36 CST 2008


Otis,
I don't have access to ssh into the Cisco PIX firewall. I have been logging
in using https into the Cisco PIX (without a username and only with a
password).  

The following is the information in the asterisk server. 
[rtp.conf]
rtpstart=10000
rtpend=20000

With the Cisco I went in through the https, chose the Command line option, and
typed the command
asterisk permit udp any host 192.168.5.0 range 10000 20000
and then I didn't know whether I should have done anything else. Should I have
issued any other command to save these changes? I am asking that question
because in the sequence of commands below you mention "write mem".

One interesting thing that I found was that I dialed 4025901000 and then punched
5, which routes the call to my cell phone. If I don't pick up the call it
should go to my voicemail, at which juncture I expect silence, as the audio is
not coming through. Instead I hear the dialtone and then after x number of
rings I get a fast busy. I know not what happened. I guess, with all of the
below given, the thing that I didn't do yet was touch the asterisk
configurations.

Since I am struggling with all of this Cisco PIX, can you tell me how to enable
the firewall in the linux-asterisk server and then disable the Cisco PIX
firewall behaviours, so that I can isolate the problem and move forward?
Please advise.

Thx
Ravi

-----Original Message-----
From: ListAcct [mailto:listacc at ocosa.com] 
Sent: Sunday, February 10, 2008 2:13 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Cc: ravi at vaishnavy.com
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
506

Ravi,

I submitted the easiest way to implement this, I think, for administrators 
new to Cisco; there are alternatives but it depends on your IOS.  A GUI 
might help.

If you want, reply with your network range and server IP and I will send 
you a script I will write for the Cisco.  I did explain the ACL way 
because I thought it would be a bit large if you are not used to seeing 
the cisco command line. :-)

Make sure the RTP ports on your Asterisk box reflect that of your ports 
open to the Internet.  Reloading your config in Asterisk if not working 
could help.

Let's do this in your RTP config file.

change your RTP port range in asterisk to 10000 to 10030 and reload 
asterisk.


rtpstart=10000
rtpend=10030


type
asterisk -r

Connected to Asterisk 1.2.x.x currently running on asterisk (pid = xx)
asterisk*CLI> reload or restart now (if you need or want)

Copy and paste the below to notepad or wordpad and replace the outside 
ip with the real ip address of your WAN link or connection.

and enter enable mode on the cisco pix and type config t and copy and 
paste the following in the terminal.

1. pix> ena
2. pix>password: blah
3. pix#config t
4. pix(config)# paste the config below after you change the outside IP 
here ( not line per line but the whole deal)
5. pix(config)# sh conduit ( you should see all list below, if 
everything seems valid then do next step)
6. pix(config)# write mem
7. pix(config)#exit
8. pix# sh run ( to see running config)

replace the <outside ip> with your WAN IP.

conduit permit udp host outside ip eq 10000 any
conduit permit udp host outside ip eq 10001 any
conduit permit udp host outside ip eq 10002 any
conduit permit udp host outside ip eq 10003 any
conduit permit udp host outside ip eq 10004 any
conduit permit udp host outside ip eq 10005 any
conduit permit udp host outside ip eq 10006 any
conduit permit udp host outside ip eq 10007 any
conduit permit udp host outside ip eq 10008 any
conduit permit udp host outside ip eq 10009 any
conduit permit udp host outside ip eq 10010 any
conduit permit udp host outside ip eq 10011 any
conduit permit udp host outside ip eq 10012 any
conduit permit udp host outside ip eq 10013 any
conduit permit udp host outside ip eq 10014 any
conduit permit udp host outside ip eq 10015 any
conduit permit udp host outside ip eq 10016 any
conduit permit udp host outside ip eq 10017 any
conduit permit udp host outside ip eq 10018 any
conduit permit udp host outside ip eq 10019 any
conduit permit udp host outside ip eq 10020 any
conduit permit udp host outside ip eq 10021 any
conduit permit udp host outside ip eq 10022 any
conduit permit udp host outside ip eq 10023 any
conduit permit udp host outside ip eq 10024 any
conduit permit udp host outside ip eq 10025 any
conduit permit udp host outside ip eq 10026 any
conduit permit udp host outside ip eq 10027 any
conduit permit udp host outside ip eq 10028 any
conduit permit udp host outside ip eq 10029 any
conduit permit udp host outside ip eq 10030 any


--Otis
Wendell Hamilton wrote:
> Did you only open up the one port (10000)?  You need to open up a range,
> if you're doing it this way, like 10000-10020 and then set your rtp ports in
> asterisk to the same range. 
>
> ----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:
>   
>> I made the following changes and I am still facing one way audio with
>> my call flow.
>>
>> -----Original Message-----
>> From: Wendell Hamilton [mailto:routerguy at rightsolve.com] 
>> Sent: Saturday, February 09, 2008 1:58 PM
>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
>> Discussion
>> Cc: Joris Cras; ravi at vaishnavy.com; Asterisk Users Mailing List -
>> Non-Commercial Discussion
>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco
>> pix 506
>>
>> try:
>> access-list asterisk permit udp any host x.x.x.x eq 10000
>>
>> ----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com>
>> wrote:
>>     
>>> I tried the following ACL command
>>>
>>> "access-list asterisk permit udp 0.0.0.0 192.168.5.0  range 10000
>>> 20000"
>>>
>>> and I got the following response back
>>>
>>> "[no] access-list <id> [line <line-num>] deny|permit icmp
>>> 	<sip> <smask> | interface <if_name> | object-group
>>> <network_obj_grp_id>
>>> 	<dip> <dmask> | interface <if_name> | object-group
>>> <network_obj_grp_id>
>>> 	[<icmp_type> | object-group <icmp_type_obj_grp_id>]
>>> 	[log [disable|default] | [<level>] [interval <secs>]]
>>> Restricted ACLs for route-map use:
>>> [no] access-list <id> deny|permit {any | <prefix> <mask> | host
>>> <address>}
>>> Command failed"
>>>
>>> I don't know how to enter into the linux interface of the Cisco Pix 506
>>> firewall
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Joris Cras [mailto:joris at bitnetwerk.nl] 
>>> Sent: Saturday, February 09, 2008 3:23 AM
>>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
>>> Discussion
>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>> 506
>>>
>>> Ravi,
>>>
>>> there is an easy way of creating all those commands in linux.
>>> just run the following in a shell:
>>> for x in $(seq 10001 10050); do echo "conduit permit udp host 192.168.5.0 eq $x any"; done
>>>
>>> This will create all your PIX rules at once.
>>>  
>>> I think you could also use Cisco ACLs
>>>  access-list [name] permit udp [source] [destination] range
>>> This would be in your case something like:
>>>  access-list asterisk permit udp 0.0.0.0 192.168.5.0  range 10000 10050
>>>
>>> Good luck.
>>>
>>> Joris
>>>
>>> Ravichandran Rajagopal wrote:
>>>       
>>>> Otis,
>>>> I wanted to clarify what you said and what I comprehended. 
>>>>
>>>> the SIP protocols are disabled in fixup. 
>>>> ========================================================
>>>> Having said that I guess all I have to do is just the following.
>>>> the inside IP of asterisk server is 192.168.5.0
>>>>
>>>> On the cisco PIX firewall enter the following.
>>>> conduit permit udp host 192.168.5.0 eq 10000 any
>>>> conduit permit udp host 192.168.5.0 eq 10001 any
>>>> conduit permit udp host 192.168.5.0 eq 10002 any
>>>> ....................................
>>>> ...................................
>>>> .....................
>>>> conduit permit udp host 192.168.5.0 eq 10049 any
>>>> conduit permit udp host 192.168.5.0 eq 10050 any
>>>>
>>>> in the rtp.conf in /etc/asterisk 
>>>> change the ending port 20000 (which is what it currently is) to 10050 
>>>>
>>>> Is there an easier way to make the entries in Cisco PIX firewall ?
>>>>
>>>> Thx
>>>> Ravi 
>>>>
>>>> -----Original Message-----
>>>> From: ListAcct [mailto:listacc at ocosa.com] 
>>>> Sent: Saturday, February 09, 2008 12:18 AM
>>>> To: ravi at vaishnavy.com
>>>> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>>> 506
>>>>
>>>> No problem.  :-P  I thought it might be wise to include everything you
>>>> needed just in case!! LOL! You are welcome!!!
>>>>
>>>> --Otis 
>>>>
>>>> Ravichandran Rajagopal wrote:
>>>>   
>>>>         
>>>>> LOL I guess all I was asking for was the changes to be made in the Cisco PIX
>>>>> 506. I think you gave me a short tutorial on VI as well. Thanks once again
>>>>> for this help. Let me work on these changes and test the one-way audio
>>>>> problem and go from there.
>>>>> Thx
>>>>> Ravi
>>>>>
>>>>> -----Original Message-----
>>>>> From: ListAcct [mailto:listacc at ocosa.com] 
>>>>> Sent: Friday, February 08, 2008 11:55 PM
>>>>> To: ravi at vaishnavy.com
>>>>> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
>>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>>>> 506
>>>>>
>>>>> Ravi,
>>>>>
>>>>> I will explain changing the config in asterisk and the pix:
>>>>>
>>>>> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to 
>>>>> 10000 to 10050 (to start, you will need to increase later as ports fill up)
>>>>> (use insert to make a change in a file)
>>>>>
>>>>> to save:
>>>>>
>>>>>    1. esc
>>>>>    2. shift + colon
>>>>>    3. wq (to save)
>>>>>
>>>>> If you made a mistake and do not want to save but you changed something 
>>>>> in the file:
>>>>>
>>>>>    1. esc
>>>>>    2. shift + colon
>>>>>    3. q! (to exit)
>>>>>
>>>>>
>>>>> Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case, the 
>>>>> static and conduit commands, so this is an example from my setup.
>>>>>
>>>>> These are not usable IPs on the Internet or my IPs but just an example....
>>>>>
>>>>> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
>>>>> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
>>>>> interface ethernet0 100full (sets the duplex and turns on interface)
>>>>> interface ethernet1 100full (sets the duplex and turns on interface)
>>>>> nameif ethernet0 outside security0 ( lower security)
>>>>> nameif ethernet1 dmz security50 (higher security)
>>>>>
>>>>> no fixup protocol sip 5060
>>>>> no fixup protocol sip udp 5060
>>>>>
>>>>> ! - this makes things easier so now the pix knows the IP of the asterisk 
>>>>> box and maps the ip to the name just for configuration purposes only so 
>>>>> if you had 20 servers or devices you wanted public access to it's just 
>>>>> easier to remember their names versus IPs.
>>>>> name 192.168.254.11 dns
>>>>> name 192.168.254.10 asterisk
>>>>>
>>>>> ! - the static command is used as a permanent mapper from one inside, 
>>>>> dmz, or other to the global ip vice versa. (Rule of thumb if you map 
>>>>> using static make sure you have a conduit command)
>>>>> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
>>>>>
>>>>> ! - here is where you open the ports on the global side to the asterisk 
>>>>> box. (the conduit command allows connections from lower security
>>>>> interfaces to higher security interfaces)
>>>>> conduit permit udp host 192.168.1.22 eq 10000 any
>>>>> conduit permit udp host 192.168.1.22 eq 10001 any
>>>>> conduit permit udp host 192.168.1.22 eq 10002 any
>>>>> conduit permit udp host 192.168.1.22 eq 10003 any
>>>>> conduit permit udp host 192.168.1.22 eq 10004 any
>>>>> conduit permit udp host 192.168.1.22 eq 10005 any
>>>>>
>>>>> Hope this helps!
>>>>>
>>>>> --Otis
>>>>>
>>>>>
>>>>> Ravichandran Rajagopal wrote:
>>>>>> Otis,
>>>>>> I am new to Cisco PIX 506 and I am learning this. If you can help me
>>>>>> with how to do this change on Cisco PIX it would be greatly appreciated. 
>>>>>> Thx
>>>>>> Ravi
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: ListAcct [mailto:listacc at ocosa.com] 
>>>>>> Sent: Friday, February 08, 2008 11:11 PM
>>>>>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
>>>>>> Discussion
>>>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>>>>> 506
>>>>>>
>>>>>> Ravi,
>>>>>>
>>>>>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host 
>>>>>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
>>>>>> something you can configure (10000 to 10200) unless you write a script 
>>>>>> to just copy and paste about 10000 to 20000 ports in your config on the 
>>>>>> pix. Cisco's are strange but secure.
>>>>>>
>>>>>> It took me about two hours to figure out after taking off the fixup and 
>>>>>> no more logging/debugging from the cisco. I actually fixed it while a call 
>>>>>> was coming in. LOL! Let me know!!!
>>>>>>
>>>>>> --Otis
>>>>>>
>>>>>> Ravichandran Rajagopal wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I 
>>>>>>> am getting a one-way audio. I need your help/guidance to resolve this 
>>>>>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506. 
>>>>>>> Any help rendered by you in this subject is greatly appreciated. I 
>>>>>>> have been breaking my head trying to resolve this problem for more 
>>>>>>> than one month. I have included the sip.conf and the extensions.conf 
>>>>>>> below.
>>>>>>>
>>>>>>> [SIP.conf]
>>>>>>> ; SIP Configuration example for Asterisk
>>>>>>> [general]
>>>>>>> context=incoming
>>>>>>> allowoverlap=no
>>>>>>> bindport=5060
>>>>>>> bindaddr=0.0.0.0
>>>>>>> localnet=192.168.5.0/255.255.255.0
>>>>>>> externip=a.b.ccc.dd
>>>>>>> srvlookup=yes
>>>>>>> allow=ulaw
>>>>>>> allow=alaw
>>>>>>>
>>>>>>> [incoming]
>>>>>>> type=peer
>>>>>>> nat=no
>>>>>>> canreinvite=no
>>>>>>> host=xx.y.z.aaa
>>>>>>> qualify=yes
>>>>>>> dtmfmode=rfc2833
>>>>>>> context=default
>>>>>>>
>>>>>>> [extensions.conf]
>>>>>>> [general]
>>>>>>> static=yes
>>>>>>> writeprotect=yes
>>>>>>> clearglobalvars=no
>>>>>>>
>>>>>>> [default]
>>>>>>> include => customer
>>>>>>> exten => h,1,Hangup
>>>>>>> exten => i,1,Congestion
>>>>>>> exten => i,2,Hangup
>>>>>>>
>>>>>>> [agnosco]
>>>>>>> include => local-extensions
>>>>>>> include => customer_ivr
>>>>>>> include => incoming
>>>>>>>
>>>>>>> [customer_ivr]
>>>>>>> include => local-extensions
>>>>>>> exten => s,1,Answer
>>>>>>> exten => s,n,Background(agnosco_intro)
>>>>>>> exten => s,n,WaitExten
>>>>>>> ;Dial said extensions
>>>>>>> exten => 5,1,Dial(SIP/4028805362 at incoming,30)
>>>>>>>
>>>>>>> [incoming]
>>>>>>> exten => 4025901000,1,Goto(1000,1)
>>>>>>> exten => 1000,1,Goto(customer_ivr,s,1)
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> sunMoonstar.
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------
>>>>>>> _______________________________________________
>>>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>>>>
>>>>>>> asterisk-users mailing list
>>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>>    http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>
>>>
>
>
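The recurring failure in this thread is a mismatch between the RTP port range in
/etc/asterisk/rtp.conf and the UDP ports the PIX actually permits inbound, which
is what leaves the call with one-way audio. The following checker is an added
example, not code from the thread or from Asterisk or Cisco; it parses an
rtp.conf fragment and a PIX config fragment (both constructed samples here,
using the 192.168.1.22 address from Otis's example) and reports every RTP port
that no conduit or access-list line covers, along with whether the SIP fixup
lines are present:

```python
"""Cross-check an Asterisk RTP port range against PIX conduit/ACL rules.

Added example (not from the mailing-list thread). It understands the three
rule shapes quoted in the thread:
  conduit permit udp host <ip> eq <port> any
  access-list <name> permit udp any host <ip> eq <port>
  access-list <name> permit udp any host <ip> range <lo> <hi>
"""
import re

# Constructed sample: the rtp.conf settings Otis recommended.
RTP_CONF = """
[general]
rtpstart=10000
rtpend=10030
"""

# Constructed sample PIX running config with a deliberate gap (10021-10029).
PIX_CONFIG = """
no fixup protocol sip 5060
no fixup protocol sip udp 5060
static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
conduit permit udp host 192.168.1.22 eq 10000 any
conduit permit udp host 192.168.1.22 eq 10001 any
conduit permit udp host 192.168.1.22 eq 10002 any
access-list asterisk permit udp any host 192.168.1.22 range 10003 10020
conduit permit udp host 192.168.1.22 eq 10030 any
"""

CONDUIT_EQ = re.compile(r"^conduit permit udp host \S+ eq (\d+) any$")
ACL_EQ = re.compile(r"^access-list \S+ permit udp any host \S+ eq (\d+)$")
ACL_RANGE = re.compile(r"^access-list \S+ permit udp any host \S+ range (\d+) (\d+)$")


def parse_rtp_range(text):
    """Return (rtpstart, rtpend) from an rtp.conf body; ';' starts a comment."""
    values = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"^(rtpstart|rtpend)\s*=\s*(\d+)$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values["rtpstart"], values["rtpend"]


def parse_permitted_udp_ports(text):
    """Collect every UDP port that a conduit or access-list line permits inbound."""
    ports = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = CONDUIT_EQ.match(line) or ACL_EQ.match(line)
        if m:
            ports.add(int(m.group(1)))
            continue
        m = ACL_RANGE.match(line)
        if m:
            ports.update(range(int(m.group(1)), int(m.group(2)) + 1))
    return ports


def sip_fixup_disabled(text):
    """True if the config carries at least one 'no fixup protocol sip' line."""
    return any(l.strip().startswith("no fixup protocol sip") for l in text.splitlines())


def missing_rtp_ports(rtp_conf, pix_config):
    """RTP ports Asterisk may use that the PIX does not permit, in order."""
    start, end = parse_rtp_range(rtp_conf)
    permitted = parse_permitted_udp_ports(pix_config)
    return sorted(p for p in range(start, end + 1) if p not in permitted)


if __name__ == "__main__":
    start, end = parse_rtp_range(RTP_CONF)
    print(f"rtp.conf range: {start}-{end}")
    print(f"SIP fixup disabled: {sip_fixup_disabled(PIX_CONFIG)}")
    gap = missing_rtp_ports(RTP_CONF, PIX_CONFIG)
    print(f"RTP ports not permitted on the PIX: {gap if gap else 'none'}")
```

Run it against your own rtp.conf and the output of "sh run" (or "sh conduit");
an empty gap list plus the "no fixup" lines is the state the thread is aiming
for. The check deliberately only counts rules in the exact shapes quoted in the
thread, so a rule written another way will show up as a gap and is worth
reading by hand rather than being silently accepted.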