[Asterisk-Users] Cisco PIX and Asterisk
Mark Hagler
pbx at hagler.org
Sat Sep 25 11:58:32 MST 2004
It works fine for me. I have a handful of Cisco 7960's behind a PIX
firewall and they register to an Asterisk server outside of the PIX with no
trouble at all. I didn't do anything special to the PIX (i.e. no access
list entries).
The tricks I found to make it work generally apply to any setup where the
clients are behind NAT. I also run the tftp server for the phones to get
configs inside the firewall, and the SIPDefault.cnf file specifies the proxy
address outside of the firewall.
In the Cisco phone config I have these NAT settings:

    nat_enable: 1               ; 0-Disabled (default), 1-Enabled
    nat_address: ""             ; WAN IP address of NAT box (dotted IP or DNS A record only)
    voip_control_port: 5060     ; UDP port used for SIP messages (default - 5060)
    start_media_port: 16384     ; Start RTP range for media (default - 16384)
    end_media_port: 32766       ; End RTP range for media (default - 32766)
    nat_received_processing: 0  ; 0-Disabled (default), 1-Enabled

And the sip.conf entry for this peer is:

    [7000]
    type=friend
    nat=yes
    qualify=yes
    context=xxxx
    secret=xxxx
    callerid=xxxx
    host=dynamic
    canreinvite=no
    dtmfmode=rfc2833

    timer_register_expires: 120

Setting the registry timer to 120 seconds causes the phone to send out a
packet at least every 2 minutes which will open a UDP xlate on the PIX for
the session. Then the trick is to use both 'nat=yes' and 'qualify=yes' so
Asterisk chats with the phone pretty often. The interval of OPTIONS or
REGISTER messages between Asterisk and phone definitely needs to be shorter
than the PIX's UDP xlate timeout or the PIX will close the xlate and you
won't be able to pass packets into the phone for an incoming call.
Note that you can put a numeric value after qualify= instead of "yes" to
fine-tune the interval at which it sends an OPTIONS message.
_____
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Craig
Waddington
Sent: Saturday, September 25, 2004 8:17 AM
To: asterisk-users at lists.digium.com
Subject: [Asterisk-Users] Cisco PIX and Asterisk
I cannot get incoming calls to sip phones behind a PIX to work, outgoing is
fine.
Asterisk (Public IP) --> Internet --> PIX (NAT) --> Sip Phones
I have tried no fixup protocol sip, I have punched a hole in the Pix
allowing anything from the Asterisk box into the network, still no incoming.
I have done all the Wiki suggests in regard to NAT.
Is there a trick getting the incoming to work?
Has anyone managed to get this to work or am I wasting my time on this?
Ta.
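
Added example (not part of the original post or of Asterisk): a Python check of the timing rule described in the reply, that the shortest keepalive interval must be shorter than the firewall's UDP translation timeout. The firewall timeout and the OPTIONS polling interval are operator-supplied assumptions, and the sample configs are constructed from the settings quoted above.

```python
import re

# Constructed sample inputs that mirror the settings quoted in the post.
PHONE_CNF = 'nat_enable: 1 ; 1-Enabled\ntimer_register_expires: 120\n'
SIP_CONF = '[7000]\ntype=friend\nnat=yes\nqualify=yes\nhost=dynamic\n'

def parse_phone_cnf(text):
    """Parse 'key: value ; comment' lines from the phone config into a dict."""
    out = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip().strip('"')
    return out

def parse_sip_peer(text, peer):
    """Return the key=value options of the [peer] stanza in sip.conf text."""
    out, current = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
        elif current == peer and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def check_keepalive(phone, peer, fw_udp_timeout_s, options_interval_s):
    """Return findings; an empty list means the UDP translation stays open."""
    # Both numeric arguments are operator-supplied assumptions, in seconds.
    findings, intervals = [], []
    if phone.get("nat_enable") != "1":
        findings.append("phone: nat_enable is not 1")
    if peer.get("nat", "no").lower() != "yes":
        findings.append("peer: nat=yes is not set")
    expires = phone.get("timer_register_expires", "")
    if expires.isdigit():
        intervals.append(int(expires))        # phone re-registers within this
    if peer.get("qualify", "no").lower() != "no":
        intervals.append(options_interval_s)  # Asterisk polls with OPTIONS
    if not intervals:
        findings.append("no periodic SIP traffic configured")
    elif min(intervals) >= fw_udp_timeout_s:
        findings.append(f"keepalive {min(intervals)}s >= UDP timeout {fw_udp_timeout_s}s")
    return findings
```

Keeping the translation alive with periodic traffic is what lets incoming calls through without a broad inbound permit rule on the firewall.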