[asterisk-users] Cisco PIX firewall and nat=yes

Peder at NetworkOblivion peder at networkoblivion.com
Wed Aug 23 09:29:15 MST 2006 

If you are running a new version of PIX sw (6.3.4 or 6.3.5), then leave 
fixup on and set "nat=no".  The PIX is the only firewall that I have 
seen that truly does nat correctly.  It nat's both the source and dest 
inside the packet.  You can even do reinvite with multiple phones behind 
a PIX and it works correctly.  One other thing to check.  If you have 
qualify off, then you need to set the phone to re-register in less time 
that the SIP timeout value in the PIX.  For example, if the timeout is 
10 mins, then the phone needs to have a register value less than 10 mins.


Scott Pinhorne wrote:
> Hi
> 
> I use a PIX 515 and had a similar problem when I started.
> I turned on the fixup for SIP (as well as having nat in sip entry) and 
> it seems to do the trick for me.
> 
> Good Luck
> SP
> 
> Bill Gibbs wrote:
>> Also the phone can dial out from behind the PIX…but obviously not 
>> receive calls.
>>
>>  
>>
>> Bill
>>
>>  
>>
>> ------------------------------------------------------------------------
>>
>> *From:* asterisk-users-bounces at lists.digium.com 
>> [mailto:asterisk-users-bounces at lists.digium.com] *On Behalf Of *Bill 
>> Gibbs
>> *Sent:* Wednesday, August 23, 2006 11:53 AM
>> *To:* Asterisk Users Mailing List - Non-Commercial Discussion
>> *Subject:* [asterisk-users] Cisco PIX firewall and nat=yes
>>
>>  
>>
>> I have a Polycom 501 that works great from behind simple firewalls, 
>> like Dlink, etc however behind a Cisco PIX Firewall I see the register 
>> messages for the extensions on the Asterisk CLI but when I do a sip 
>> show peers I see:
>>
>>  
>>
>> 702/702                    x.x.x.x     D   N      54297    UNREACHABLE
>>
>> 701/701                    x.x.x.x     D   N      54297    UNREACHABLE
>>
>> 700/700                    x.x.x.x     D   N      54297    UNREACHABLE
>>
>>  
>>
>> But I see stuff like
>>
>> n       Registered SIP '702' at x.x.x.x port 54297 expires 60
>>
>>  
>>
>> I have a single phone with multiple extensions in the example above.  
>> As a test I changed that phone to a single extension (700), I see the 
>> Registered line but it still says UNREACHABLE.
>>
>>  
>>
>> I know the Asterisk config is good because every device (soft, hard 
>> phone) works and I know the NAT works because I’ve tested that out.
>>
>>  
>>
>> So…I’m thinking it has something to do with the PIX.  Any ideas?
>>
>>  
>>
>> Bill
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> --Bandwidth and Colocation provided by Easynews.com --
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>    http://lists.digium.com/mailman/listinfo/asterisk-users
> 
> _______________________________________________
> --Bandwidth and Colocation provided by Easynews.com --
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
> 
> 

-- 

Network stuff you didn't know....
http://www.networkoblivion.com

More information about the asterisk-users mailing list