[asterisk-users] oneway audio with asterisk behind cisco pix 506

Ravichandran Rajagopal ravichandran.rajagopal at gmail.com
Sat Feb 9 00:46:47 CST 2008


Otis,
I wanted to clarify what you said and what I comprehended. 

The SIP protocols are disabled in fixup.
========================================================
Having said that I guess all I have to do is just the following.
The inside IP of the asterisk server is 192.168.5.0

On the cisco PIX firewall enter the following.
conduit permit udp host 192.168.5.0 eq 10000 any
conduit permit udp host 192.168.5.0 eq 10001 any
conduit permit udp host 192.168.5.0 eq 10001 any
conduit permit udp host 192.168.5.0 eq 10002 any
...
conduit permit udp host 192.168.5.0 eq 10049 any
conduit permit udp host 192.168.5.0 eq 10050 any

In the rtp.conf in /etc/asterisk,
change the ending port from 20000 (which is what it currently is) to 10050.

Is there an easier way to make the entries in the Cisco PIX firewall?

Thx
Ravi 

-----Original Message-----
From: ListAcct [mailto:listacc at ocosa.com] 
Sent: Saturday, February 09, 2008 12:18 AM
To: ravi at vaishnavy.com
Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
506

No problem.  :-P  I thought it might be wise to include everything you 
needed just in case!! LOL! You are welcome!!!

--Otis 

Ravichandran Rajagopal wrote:
> LOL I guess all I was asking for the changes to be made in the Cisco PIX
> 506. I think you gave me a short tutorial on VI as well. Thanks once again
> for this help. Let me work on these changes and test the one-way audio
> problem and go from there.
> Thx
> Ravi
>
> -----Original Message-----
> From: ListAcct [mailto:listacc at ocosa.com] 
> Sent: Friday, February 08, 2008 11:55 PM
> To: ravi at vaishnavy.com
> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
> 506
>
> Ravi,
>
> I will explain changing the config in asterisk and the pix:
>
> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to 
> 10000 to 10050 (to start, you will need to increase later as ports fill up)
>
> (use insert to make a change in a file)
>
> to save:
>
>    1. esc
>    2. shift + colon
>    3. wq (to save)
>
> If you made a mistake and do not want to save but you changed something 
> in the file:
>
>    1. esc
>    2. shift + colon
>    3. q! (to exit)
>
>
> Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case the 
> static and conduit commands so this is an example from my setup.
>
> These are not usable IPs on the Internet or my IPs but just an example....
>
> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
>
> interface ethernet0 100full (sets the duplex and turns on interface)
> interface ethernet1 100full (sets the duplex and turns on interface)
>
> nameif ethernet0 outside security0 ( lower security)
> nameif ethernet1 dmz security50 (higher security)
>
> no fixup protocol sip 5060
> no fixup protocol sip udp 5060
>
> ! - this makes things easier so now the pix knows the IP of the asterisk 
> box and maps the ip to the name just for configuration purposes only so 
> if you had 20 servers or devices you wanted public access to it's just 
> easier to remember their names versus IPs.
> name 192.168.254.11 dns
> name 192.168.254.10 asterisk
>
> ! - the static command is used as a permanent mapper from one inside, 
> dmz, or other to the global ip vice versa. (Rule of thumb if you map 
> using static make sure you have a conduit command)
> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
>
> ! - here is where you open the ports on the global side to the asterisk 
> box. (the conduit command allows connections from lower security 
> interfaces to higher security interfaces)
> conduit permit udp host 192.168.1.22 eq 10000 any
> conduit permit udp host 192.168.1.22 eq 10001 any
> conduit permit udp host 192.168.1.22 eq 10002 any
> conduit permit udp host 192.168.1.22 eq 10003 any
> conduit permit udp host 192.168.1.22 eq 10004 any
> conduit permit udp host 192.168.1.22 eq 10005 any
>
> Hope this helps!
>
> --Otis
>
>
> Ravichandran Rajagopal wrote:
>   
>> Otis,
>> I am new to Cisco PIX 506 and I am learning this. If you can help me with
>> how to do this change on Cisco PIX it would be greatly appreciated. 
>>
>> Thx
>> Ravi
>>
>> -----Original Message-----
>> From: ListAcct [mailto:listacc at ocosa.com] 
>> Sent: Friday, February 08, 2008 11:11 PM
>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
>> Discussion
>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>> 506
>>
>> Ravi,
>>
>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host 
>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to 
>> something you can configure (10000 to 10200) unless you write a script 
>> to just copy and paste about 10000 to 20000 ports in your config on the 
>> pix. Cisco's are strange but secure.
>>
>> It took me about two hours to figure out after taking off the fixup and 
>> no more logging/debugging from the cisco. I actually fixed while a call 
>> was coming in. LOL! Let me know!!!
>>
>> --Otis
>>
>> Ravichandran Rajagopal wrote:
>>   
>>     
>>> Hi,
>>>
>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I 
>>> am getting a one-way audio. I need your help/guidance to resolve this 
>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506. 
>>> Any help rendered by you in this subject is greatly appreciated. I 
>>> have been breaking my head trying to resolve this problem for more 
>>> than one month. I have included the sip.conf and the extensions.conf 
>>> below.
>>>
>>> [SIP.conf]
>>>
>>> ; SIP Configuration example for Asterisk
>>> [general]
>>> context=incoming
>>> allowoverlap=no
>>> bindport=5060
>>> bindaddr=0.0.0.0
>>> localnet=192.168.5.0/255.255.255.0
>>> externip=a.b.ccc.dd
>>> srvlookup=yes
>>> allow=ulaw
>>> allow=alaw
>>>
>>> [incoming]
>>> type=peer
>>> nat=no
>>> canreinvite=no
>>> host=xx.y.z.aaa
>>> qualify=yes
>>> dtmfmode=rfc2833
>>> context=default
>>>
>>> [extensions.conf]
>>>
>>> [general]
>>> static=yes
>>> writeprotect=yes
>>> clearglobalvars=no
>>>
>>> [default]
>>> include => customer
>>> exten => h,1,Hangup
>>> exten => i,1,Congestion
>>> exten => i,2,Hangup
>>>
>>> [agnosco]
>>> include => local-extensions
>>> include => customer_ivr
>>> include => incoming
>>>
>>> [customer_ivr]
>>> include => local-extensions
>>> exten => s,1,Answer
>>> exten => s,n,Background(agnosco_intro)
>>> exten => s,n,WaitExten
>>> ;Dial said extensions
>>> exten => 5,1,Dial(SIP/4028805362@incoming,30)
>>>
>>> [incoming]
>>> exten => 4025901000,1,Goto(1000,1)
>>> exten => 1000,1,Goto(customer_ivr,s,1)
>>>
>>> Thanks
>>>
>>> sunMoonstar.
>>>
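An added example, not part of the original thread, for the question above about an easier way to make the PIX entries and Otis's remark about scripting them: a POSIX shell function that reads rtpstart and rtpend from rtp.conf and prints one conduit line per port in the syntax shown in the thread, so the firewall and Asterisk ranges stay identical. The sample rtp.conf is constructed, 192.168.1.22 is the example global address from the thread, and the MAX_PORTS ceiling of 201 ports (10000 to 10200) is an assumption.

```shell
#!/bin/sh
# Added example: print PIX conduit lines for the RTP range set in rtp.conf.

# Read the last uncommented "<key>=<number>" from rtp.conf text on stdin.
rtp_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" | tail -n 1
}

# gen_conduits <global_ip> <rtp.conf path>
# Emits one "conduit permit udp host <ip> eq <port> any" line per RTP port.
gen_conduits() {
    gc_ip=$1
    gc_start=$(rtp_value rtpstart < "$2")
    gc_end=$(rtp_value rtpend < "$2")
    gc_max=${MAX_PORTS:-201}   # assumption: 10000 to 10200 is the widest span wanted

    [ -n "$gc_start" ] && [ -n "$gc_end" ] || {
        echo "rtpstart/rtpend not found in $2" >&2; return 1; }
    [ "$gc_start" -ge 1 ] && [ "$gc_start" -le "$gc_end" ] && [ "$gc_end" -le 65535 ] || {
        echo "invalid RTP range $gc_start-$gc_end" >&2; return 1; }
    # Every line opens a UDP port to any source, so refuse an oversized range
    # (for example 10000-20000) instead of exposing it wholesale.
    [ $((gc_end - gc_start + 1)) -le "$gc_max" ] || {
        echo "range $gc_start-$gc_end exceeds $gc_max ports; narrow rtp.conf first" >&2
        return 1; }

    gc_port=$gc_start
    while [ "$gc_port" -le "$gc_end" ]; do
        echo "conduit permit udp host $gc_ip eq $gc_port any"
        gc_port=$((gc_port + 1))
    done
}

# Constructed sample of /etc/asterisk/rtp.conf (not taken from the thread).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[general]
rtpstart=10000
rtpend=10050
;rtpend=20000
EOF

# 192.168.1.22 is the example global address used in the thread.
gen_conduits 192.168.1.22 "$SAMPLE"
```

Redirect the output to a file and paste it into the PIX configuration session; rerun it whenever the range in rtp.conf changes.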