[asterisk-users] oneway audio with asterisk behind cisco pix 506

ListAcct listacc at ocosa.com
Mon Feb 11 06:07:33 CST 2008


Ravi,

Are you sure that is the IP address of your Asterisk server?   If you 
are following / using CIDR then

192.168.5.0/24
192.168.5.0 = network address
192.168.5.255 = broadcast

The usable IPs in that range are 192.168.5.1-254.

Did you get everything working?

--Otis

Ravichandran Rajagopal wrote:
> This is what I implemented
>
> access-list asterisk permit udp any host 192.168.5.0 range 10000 20000
>
> Thx
> Ravi
>
> -----Original Message-----
> From: Wendell Hamilton [mailto:routerguy at rightsolve.com] 
> Sent: Saturday, February 09, 2008 11:07 PM
> To: ravi at vaishnavy.com
> Cc: Joris Cras; Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>
> Did you only open up the one port (10000)?  You need to open up a range, if you're doing it this way, like 10000-10020 and then set your rtp ports in asterisk to the same range. 
>
> ----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:
>> I made the following changes and I am still facing one way audio with
>> my call flow.
>>
>> -----Original Message-----
>> From: Wendell Hamilton [mailto:routerguy at rightsolve.com] 
>> Sent: Saturday, February 09, 2008 1:58 PM
>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
>> Discussion
>> Cc: Joris Cras; ravi at vaishnavy.com; Asterisk Users Mailing List -
>> Non-Commercial Discussion
>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco
>> pix 506
>>
>> try:
>> access-list asterisk permit udp any host x.x.x.x eq 10000
>>
>> ----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:
>>> I tried the following ACL command
>>>
>>> "access-list asterisk permit udp 0.0.0.0 192.168.5.0  range 10000
>>> 20000"
>>>
>>> and I got the following response back
>>>
>>> "[no] access-list <id> [line <line-num>] deny|permit icmp
>>> 	<sip> <smask> | interface <if_name> | object-group
>>> <network_obj_grp_id>
>>> 	<dip> <dmask> | interface <if_name> | object-group
>>> <network_obj_grp_id>
>>> 	[<icmp_type> | object-group <icmp_type_obj_grp_id>]
>>> 	[log [disable|default] | [<level>] [interval <secs>]]
>>> Restricted ACLs for route-map use:
>>> [no] access-list <id> deny|permit {any | <prefix> <mask> | host
>>> <address>}
>>> Command failed"
>>>
>>> I don't know how to enter into the linux interface of the Cisco Pix 506 firewall
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Joris Cras [mailto:joris at bitnetwerk.nl]
>>> Sent: Saturday, February 09, 2008 3:23 AM
>>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>>>
>>> Ravi,
>>>
>>> there is an easy way of creating all those commands in linux.
>>> just run the following in a shell:
>>> for x in $(seq 10001 10050); do echo "conduit permit udp host 192.168.5.0 eq $x any"; done
>>>
>>> This will create all your PIX rules at once.
>>>
>>> I think you could also use Cisco ACLs:
>>>  access-list [name] permit udp [source] [destination] range
>>> This would be in your case something like:
>>>  access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 10050
>>>
>>> Good luck.
>>>
>>> Joris
>>>
>>> Ravichandran Rajagopal wrote:
>>>       
>>>> Otis,
>>>> I wanted to clarify what you said and what I comprehended. 
>>>>
>>>> the SIP protocols are disabled in fixup. 
>>>> ========================================================
>>>> Having said that I guess all I have to do is just the following.
>>>> the inside IP of asterisk server is 192.168.5.0
>>>>
>>>> On the cisco PIX firewall enter the following.
>>>> conduit permit udp host 192.168.5.0 eq 10000 any
>>>> conduit permit udp host 192.168.5.0 eq 10001 any
>>>> conduit permit udp host 192.168.5.0 eq 10002 any
>>>> ....................................
>>>> conduit permit udp host 192.168.5.0 eq 10049 any
>>>> conduit permit udp host 192.168.5.0 eq 10050 any
>>>>
>>>> in the rtp.conf in /etc/asterisk
>>>> change the ending port 20000 (which is what it currently is) to 10050
>>>>
>>>> Is there an easier way to make the entries in Cisco PIX firewall?
>>>> Thx
>>>> Ravi
>>>>
>>>> -----Original Message-----
>>>> From: ListAcct [mailto:listacc at ocosa.com] 
>>>> Sent: Saturday, February 09, 2008 12:18 AM
>>>> To: ravi at vaishnavy.com
>>>> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>>>>
>>>> No problem.  :-P  I thought it might be wise to include everything you
>>>> needed just in case!! LOL! You are welcome!!!
>>>>
>>>> --Otis 
>>>>
>>>> Ravichandran Rajagopal wrote:
>>>>> LOL I guess all I was asking for the changes to be made in the Cisco PIX
>>>>> 506. I think you gave me a short tutorial on VI as well. Thanks once again
>>>>> for this help. Let me work on these changes and test the one-way audio
>>>>> problem and go from there.
>>>>> Thx
>>>>> Ravi
>>>>>
>>>>> -----Original Message-----
>>>>> From: ListAcct [mailto:listacc at ocosa.com] 
>>>>> Sent: Friday, February 08, 2008 11:55 PM
>>>>> To: ravi at vaishnavy.com
>>>>> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
>>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>>>>>
>>>>> Ravi,
>>>>>
>>>>> I will explain changing the config in asterisk and the pix:
>>>>>
>>>>> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to
>>>>> 10000 to 10050 (to start, you will need to increase later as ports fill up)
>>>>> (use insert to make a change in a file)
>>>>>
>>>>> to save:
>>>>>
>>>>>    1. esc
>>>>>    2. shift + colon
>>>>>    3. wq (to save)
>>>>>
>>>>> If you made a mistake and do not want to save but you changed something
>>>>> in the file:
>>>>>
>>>>>    1. esc
>>>>>    2. shift + colon
>>>>>    3. q! (to exit)
>>>>>
>>>>>
>>>>> Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case the
>>>>> static and conduit commands so this is an example from my setup.
>>>>>
>>>>> These are not usable IPs on the Internet or my IPs but just an example....
>>>>   
>>>>         
>>>>> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
>>>>> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
>>>>> interface ethernet0 100full (sets the duplex and turns on interface)
>>>>> interface ethernet1 100full (sets the duplex and turns on interface)
>>>>> nameif ethernet0 outside security0 (lower security)
>>>>> nameif ethernet1 dmz security50 (higher security)
>>>>>
>>>>> no fixup protocol sip 5060
>>>>> no fixup protocol sip udp 5060
>>>>>
>>>>> ! - this makes things easier so now the pix knows the IP of the asterisk
>>>>> box and maps the ip to the name just for configuration purposes only so
>>>>> if you had 20 servers or devices you wanted public access to it's just
>>>>> easier to remember their names versus IPs.
>>>>> name 192.168.254.11 dns
>>>>> name 192.168.254.10 asterisk
>>>>>
>>>>> ! - the static command is used as a permanent mapper from one inside,
>>>>> dmz, or other to the global ip vice versa. (Rule of thumb if you map
>>>>> using static make sure you have a conduit command)
>>>>> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
>>>>>
>>>>> ! - here is where you open the ports on the global side to the asterisk
>>>>> box. (the conduit command allows connections from lower security
>>>>> interfaces to higher security interfaces)
>>>>> conduit permit udp host 192.168.1.22 eq 10000 any
>>>>> conduit permit udp host 192.168.1.22 eq 10001 any
>>>>> conduit permit udp host 192.168.1.22 eq 10002 any
>>>>> conduit permit udp host 192.168.1.22 eq 10003 any
>>>>> conduit permit udp host 192.168.1.22 eq 10004 any
>>>>> conduit permit udp host 192.168.1.22 eq 10005 any
>>>>>
>>>>> Hope this helps!
>>>>>
>>>>> --Otis
>>>>>
>>>>>
>>>>> Ravichandran Rajagopal wrote:
>>>>>> Otis,
>>>>>> I am new to Cisco PIX 506 and I am learning this. If you can help me
>>>>>> with how to do this change on Cisco PIX it would be greatly
>>>>>> appreciated.
>>>>>> Thx
>>>>>> Ravi
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: ListAcct [mailto:listacc at ocosa.com] 
>>>>>> Sent: Friday, February 08, 2008 11:11 PM
>>>>>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
>>>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>>>>>>
>>>>>> Ravi,
>>>>>>
>>>>>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host
>>>>>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
>>>>>> something you can configure (10000 to 10200) unless you write a script
>>>>>> to just copy and paste about 10000 to 20000 ports in your config on the
>>>>>> pix. Ciscos are strange but secure.
>>>>>>
>>>>>> It took me about two hours to figure out after taking off the fixup and
>>>>>> no more logging/debugging from the cisco. I actually fixed while a call
>>>>>> was coming in. LOL! Let me know!!!
>>>>>>
>>>>>> --Otis
>>>>>>
>>>>>> Ravichandran Rajagopal wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I
>>>>>>> am getting a one-way audio. I need your help/guidance to resolve this
>>>>>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506.
>>>>>>> Any help rendered by you in this subject is greatly appreciated. I
>>>>>>> have been breaking my head trying to resolve this problem for more
>>>>>>> than one month. I have included the sip.conf and the extensions.conf
>>>>>>> below.
>>>>>>>
>>>>>>> [SIP.conf]
>>>>>>>
>>>>>>> ; SIP Configuration example for Asterisk
>>>>>>>
>>>>>>> [general]
>>>>>>> context=incoming
>>>>>>> allowoverlap=no
>>>>>>> bindport=5060
>>>>>>> bindaddr=0.0.0.0
>>>>>>> localnet=192.168.5.0/255.255.255.0
>>>>>>> externip=a.b.ccc.dd
>>>>>>> srvlookup=yes
>>>>>>> allow=ulaw
>>>>>>> allow=alaw
>>>>>>>
>>>>>>> [incoming]
>>>>>>> type=peer
>>>>>>> nat=no
>>>>>>> canreinvite=no
>>>>>>> host=xx.y.z.aaa
>>>>>>> qualify=yes
>>>>>>> dtmfmode=rfc2833
>>>>>>> context=default
>>>>>>>
>>>>>>> [extensions.conf]
>>>>>>>
>>>>>>> [general]
>>>>>>> static=yes
>>>>>>> writeprotect=yes
>>>>>>> clearglobalvars=no
>>>>>>>
>>>>>>> [default]
>>>>>>> include => customer
>>>>>>> exten => h,1,Hangup
>>>>>>> exten => i,1,Congestion
>>>>>>> exten => i,2,Hangup
>>>>>>>
>>>>>>> [agnosco]
>>>>>>> include => local-extensions
>>>>>>> include => customer_ivr
>>>>>>> include => incoming
>>>>>>>
>>>>>>> [customer_ivr]
>>>>>>> include => local-extensions
>>>>>>> exten => s,1,Answer
>>>>>>> exten => s,n,Background(agnosco_intro)
>>>>>>> exten => s,n,WaitExten
>>>>>>> ;Dial said extensions
>>>>>>> exten => 5,1,Dial(SIP/4028805362 at incoming,30)
>>>>>>>
>>>>>>> [incoming]
>>>>>>> exten => 4025901000,1,Goto(1000,1)
>>>>>>> exten => 1000,1,Goto(customer_ivr,s,1)
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> sunMoonstar.
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------
>>>>>>> _______________________________________________
>>>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>>>> asterisk-users mailing list
>>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>>    http://lists.digium.com/mailman/listinfo/asterisk-users
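As an added example (not code from the thread), a small POSIX shell script that does what Joris's loop and Otis's last reply together suggest: it refuses a host address that is really the network or broadcast address of the /24 (Otis's point about 192.168.5.0), then emits one PIX conduit line per RTP port, the single access-list range form, and the matching rtp.conf range so Asterisk and the PIX agree. The address 192.168.5.10 and the function names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the PIX 6.x firewall lines
# discussed above for Asterisk's RTP range, refusing a host address that is
# really the network or broadcast address. Assumes a /24 inside network as in
# the thread; 192.168.5.10 is a constructed placeholder for the real Asterisk IP.

# Succeed only if the last octet of a dotted-quad is 1..254 (usable in a /24).
usable_host_in_24() {
    ip=$1
    case $ip in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    last=${ip##*.}
    case $last in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# One "conduit permit udp host HOST eq PORT any" per port, as Joris's loop intended.
# Usage: conduit_rules HOST FIRST_PORT LAST_PORT
conduit_rules() {
    usable_host_in_24 "$1" || { echo "refusing: $1 is not a usable host address" >&2; return 1; }
    [ "$2" -le "$3" ] || { echo "refusing: bad port range $2-$3" >&2; return 1; }
    p=$2
    while [ "$p" -le "$3" ]; do
        echo "conduit permit udp host $1 eq $p any"
        p=$((p + 1))
    done
}

# The access-list range form shown in the thread: one line covers the whole range.
acl_rule() {
    usable_host_in_24 "$1" || return 1
    echo "access-list asterisk permit udp any host $1 range $2 $3"
}

# Matching /etc/asterisk/rtp.conf fragment so Asterisk only uses ports the PIX opens.
rtp_conf() {
    printf '[general]\nrtpstart=%s\nrtpend=%s\n' "$1" "$2"
}

# Number of conduit lines produced; a quick sanity check before pasting into the PIX.
count_rules() {
    conduit_rules "$@" | wc -l | tr -d ' '
}

conduit_rules 192.168.5.10 10000 10050 && rtp_conf 10000 10050
```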



