[asterisk-users] oneway audio with asterisk behind cisco pix 506
Wendell Hamilton
routerguy at rightsolve.com
Sat Feb 9 13:58:22 CST 2008
try:
access-list asterisk permit udp any host x.x.x.x eq 10000
----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:
> I tried the following ACL command
>
> "access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 20000"
>
> and I got the following response back
>
> "[no] access-list <id> [line <line-num>] deny|permit icmp
> <sip> <smask> | interface <if_name> | object-group
> <network_obj_grp_id>
> <dip> <dmask> | interface <if_name> | object-group
> <network_obj_grp_id>
> [<icmp_type> | object-group <icmp_type_obj_grp_id>]
> [log [disable|default] | [<level>] [interval <secs>]]
> Restricted ACLs for route-map use:
> [no] access-list <id> deny|permit {any | <prefix> <mask> | host
> <address>}
> Command failed"
>
> I don't know how to enter into the linux interface of the Cisco Pix 506
> firewall
>
>
>
> -----Original Message-----
> From: Joris Cras [mailto:joris at bitnetwerk.nl]
> Sent: Saturday, February 09, 2008 3:23 AM
> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
> Discussion
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco
> pix
> 506
>
> Ravi,
>
> there is an easy way of creating all those commands in Linux.
> just run the following in a shell:
> for x in $(seq 10001 10050); do echo "conduit permit udp host 192.168.5.0 eq $x any"; done
>
> This will create all your PIX rules at once.
>
> I think you could also use Cisco ACL's
> access-list [name] permit udp [source] [destination] range
> This would be in your case something like:
> access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 10050
>
> Good luck.
>
> Joris
>
> Ravichandran Rajagopal wrote:
> > Otis,
> > I wanted to clarify what you said and what I comprehended.
> >
> > the SIP protocols are disabled in fixup.
> > ========================================================
> > Having said that I guess all I have to do is just the following.
> > the inside IP of asterisk server is 192.168.5.0
> >
> > On the cisco PIX firewall enter the following.
> > conduit permit udp host 192.168.5.0 eq 10000 any
> > conduit permit udp host 192.168.5.0 eq 10001 any
> > conduit permit udp host 192.168.5.0 eq 10002 any
> > ....................................
> > conduit permit udp host 192.168.5.0 eq 10049 any
> > conduit permit udp host 192.168.5.0 eq 10050 any
> >
> > in the rtp.conf in /etc/asterisk
> > change the ending port 20000 (which is what it currently is) to 10050
> >
> > Is there an easier way to make the entries in Cisco PIX firewall ?
> >
> > Thx
> > Ravi
> >
> > -----Original Message-----
> > From: ListAcct [mailto:listacc at ocosa.com]
> > Sent: Saturday, February 09, 2008 12:18 AM
> > To: ravi at vaishnavy.com
> > Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> > Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> >
> > No problem. :-P I thought it might be wise to include everything you
> > needed just in case!! LOL! You are welcome!!!
> >
> > --Otis
> >
> > Ravichandran Rajagopal wrote:
> >
> >> LOL I guess all I was asking for was the changes to be made in the Cisco
> >> PIX 506. I think you gave me a short tutorial on VI as well. Thanks once
> >> again for this help. Let me work on these changes and test the one-way
> >> audio problem and go from there.
> >> Thx
> >> Ravi
> >>
> >> -----Original Message-----
> >> From: ListAcct [mailto:listacc at ocosa.com]
> >> Sent: Friday, February 08, 2008 11:55 PM
> >> To: ravi at vaishnavy.com
> >> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> >> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> >>
> >> Ravi,
> >>
> >> I will explain changing the config in asterisk and the pix:
> >>
> >> Asterisk Box - vi /etc/asterisk/rtp.conf and change the port span to
> >> 10000 to 10050 (to start, you will need to increase later as ports fill up)
> >> (use insert to make a change in a file)
> >>
> >> to save:
> >>
> >> 1. esc
> >> 2. shift + colon
> >> 3. wq (to save)
> >>
> >> If you made a mistake and do not want to save but you changed
> something
> >> in the file:
> >>
> >> 1. esc
> >> 2. shift + colon
> >> 3. q! (to exit)
> >>
> >>
> >> Cisco Pix - on my old Pix 520 UR I do not use the ACLs; for this case I
> >> use the static and conduit commands, so this is an example from my setup.
> >>
> >> These are not usable IPs on the Internet or my IPs but just an example....
> >>
> >> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
> >> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
> >>
> >> interface ethernet0 100full (sets the duplex and turns on interface)
> >> interface ethernet1 100full (sets the duplex and turns on interface)
> >>
> >> nameif ethernet0 outside security0 ( lower security)
> >> nameif ethernet1 dmz security50 (higher security)
> >>
> >> no fixup protocol sip 5060
> >> no fixup protocol sip udp 5060
> >>
> >> ! - this makes things easier so now the pix knows the IP of the asterisk
> >> box and maps the ip to the name just for configuration purposes only, so
> >> if you had 20 servers or devices you wanted public access to it's just
> >> easier to remember their names versus IPs.
> >> name 192.168.254.11 dns
> >> name 192.168.254.10 asterisk
> >>
> >> ! - the static command is used as a permanent mapper from one inside,
> >> dmz, or other to the global ip and vice versa. (Rule of thumb: if you map
> >> using static make sure you have a conduit command)
> >> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
> >>
> >> ! - here is where you open the ports on the global side to the asterisk
> >> box. (the conduit command allows connections from lower security
> >> interfaces to higher security interfaces)
> >> conduit permit udp host 192.168.1.22 eq 10000 any
> >> conduit permit udp host 192.168.1.22 eq 10001 any
> >> conduit permit udp host 192.168.1.22 eq 10002 any
> >> conduit permit udp host 192.168.1.22 eq 10003 any
> >> conduit permit udp host 192.168.1.22 eq 10004 any
> >> conduit permit udp host 192.168.1.22 eq 10005 any
> >>
> >> Hope this helps!
> >>
> >> --Otis
> >>
> >>
> >> Ravichandran Rajagopal wrote:
> >>
> >>
> >>> Otis,
> >>> I am new to Cisco PIX 506 and I am learning this. If you can help me
> >>> with how to do this change on Cisco PIX it would be greatly appreciated.
> >>>
> >>> Thx
> >>> Ravi
> >>>
> >>> -----Original Message-----
> >>> From: ListAcct [mailto:listacc at ocosa.com]
> >>> Sent: Friday, February 08, 2008 11:11 PM
> >>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
> >>> Discussion
> >>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> >>>
> >>> Ravi,
> >>>
> >>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host
> >>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
> >>> something you can configure (10000 to 10200) unless you write a script
> >>> to just copy and paste about 10000 to 20000 ports in your config on the
> >>> pix. Ciscos are strange but secure.
> >>>
> >>> It took me about two hours to figure out after taking off the fixup and
> >>> no more logging/debugging from the cisco. I actually fixed it while a
> >>> call was coming in. LOL! Let me know!!!
> >>>
> >>> --Otis
> >>>
> >>> Ravichandran Rajagopal wrote:
> >>>
> >>>
> >>>
> >>>> Hi,
> >>>>
> >>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I
> >>>> am getting a one-way audio. I need your help/guidance to resolve this
> >>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506.
> >>>> Any help rendered by you in this subject is greatly appreciated. I
> >>>> have been breaking my head trying to resolve this problem for more
> >>>> than one month. I have included the sip.conf and the extensions.conf
> >>>> below.
> >>>>
> >>>> [SIP.conf]
> >>>>
> >>>> ; SIP Configuration example for Asterisk
> >>>> [general]
> >>>> context=incoming
> >>>> allowoverlap=no
> >>>> bindport=5060
> >>>> bindaddr=0.0.0.0
> >>>> localnet=192.168.5.0/255.255.255.0
> >>>> externip=a.b.ccc.dd
> >>>> srvlookup=yes
> >>>> allow=ulaw
> >>>> allow=alaw
> >>>>
> >>>> [incoming]
> >>>> type=peer
> >>>> nat=no
> >>>> canreinvite=no
> >>>> host=xx.y.z.aaa
> >>>> qualify=yes
> >>>> dtmfmode=rfc2833
> >>>> context=default
> >>>>
> >>>> [extensions.conf]
> >>>>
> >>>> [general]
> >>>> static=yes
> >>>> writeprotect=yes
> >>>> clearglobalvars=no
> >>>>
> >>>> [default]
> >>>> include => customer
> >>>> exten => h,1,Hangup
> >>>> exten => i,1,Congestion
> >>>> exten => i,2,Hangup
> >>>>
> >>>> [agnosco]
> >>>> include => local-extensions
> >>>> include => customer_ivr
> >>>> include => incoming
> >>>>
> >>>> [customer_ivr]
> >>>> include => local-extensions
> >>>> exten => s,1,Answer
> >>>> exten => s,n,Background(agnosco_intro)
> >>>> exten => s,n,WaitExten
> >>>> ;Dial said extensions
> >>>> exten => 5,1,Dial(SIP/4028805362@incoming,30)
> >>>>
> >>>> [incoming]
> >>>> exten => 4025901000,1,Goto(1000,1)
> >>>> exten => 1000,1,Goto(customer_ivr,s,1)
> >>>> Thanks
> >>>>
> >>>> sunMoonstar.
> >>>>
> >>>>
> ------------------------------------------------------------------------
> >>>>
> >>>> _______________________________________________
> >>>> -- Bandwidth and Colocation Provided by
> http://www.api-digital.com --
> >>>>
> >>>> asterisk-users mailing list
> >>>> To UNSUBSCRIBE or update options visit:
> >>>> http://lists.digium.com/mailman/listinfo/asterisk-users
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>
> >
> >
> >
>
>
>
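Added example, not code from any of the posts in this thread: a small POSIX shell script that reads rtpstart/rtpend from rtp.conf and emits the PIX 6.x rules for that range, using the single access-list "range" form that Wendell's reply points at (correct "host" keyword on the destination) instead of one conduit line per port. The addresses (192.168.5.10 inside, 203.0.113.22 outside), the ACL name "asterisk" and the sample rtp.conf are assumptions constructed for the example. The source defaults to "any", which is what the thread used; passing "host <provider-ip>" as the fifth argument restricts the open RTP range to the SIP peer, which is the least-privilege form.

```shell
#!/bin/sh
# Added example, not code from the thread: build the PIX 6.x rules for the
# Asterisk RTP range from rtp.conf instead of typing one conduit per port.
# Assumptions (not in the original posts): Asterisk is 192.168.5.10 on the
# inside, statically mapped to 203.0.113.22 (a TEST-NET address) on the
# outside, and the ACL is named "asterisk".

# Constructed sample rtp.conf; a real run would read /etc/asterisk/rtp.conf.
SAMPLE_RTP_CONF="$(printf '%s\n' '[general]' '; constructed sample' 'rtpstart=10000' 'rtpend=10050' 'rtpchecksums=no')"

# rtp_range <conf-text>: print "start end" parsed from rtpstart/rtpend.
# Fails (exit 1) if either key is missing or the range is inverted.
rtp_range() {
    _start=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*rtpstart[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    _end=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*rtpend[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$_start" ] && [ -n "$_end" ] || return 1
    [ "$_start" -le "$_end" ] || return 1
    printf '%s %s\n' "$_start" "$_end"
}

# pix_rules <outside-ip> <inside-ip> <start> <end> [source]: static NAT plus
# one access-list line using "range", bound to the outside interface.
# Source defaults to "any" (what the thread used); passing "host <peer-ip>"
# restricts the open RTP range to the SIP provider alone.
pix_rules() {
    _src=${5:-any}
    printf 'static (inside,outside) %s %s netmask 255.255.255.255 0 0\n' "$1" "$2"
    printf 'access-list asterisk permit udp %s host %s range %s %s\n' "$_src" "$1" "$3" "$4"
    printf 'access-group asterisk in interface outside\n'
}

# conduit_rules <ip> <start> <end>: the legacy one-line-per-port form the
# thread was generating with seq, with each line a complete conduit command.
conduit_rules() {
    _p=$2
    while [ "$_p" -le "$3" ]; do
        printf 'conduit permit udp host %s eq %s any\n' "$1" "$_p"
        _p=$((_p + 1))
    done
}

main() {
    _range=$(rtp_range "$SAMPLE_RTP_CONF") || {
        echo 'rtp.conf: missing or inverted rtpstart/rtpend' >&2
        return 1
    }
    set -- $_range
    pix_rules 203.0.113.22 192.168.5.10 "$1" "$2"
    printf '! legacy equivalent, one conduit per port (%s lines):\n' "$(( $2 - $1 + 1 ))"
    conduit_rules 203.0.113.22 "$1" "$2"
}

main
```

Widening rtpend later (as Otis suggests) then only means re-running the script and replacing the one access-list line, rather than appending more conduit lines; the inverted-range check catches a rtp.conf where the end port was lowered below the start.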