[asterisk-users] oneway audio with asterisk behind cisco pix 506

Wendell Hamilton routerguy at rightsolve.com
Sat Feb 9 13:58:22 CST 2008


try:
access-list asterisk permit udp any host x.x.x.x eq 10000

----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:
> I tried the following ACL command
> 
> "access-list asterisk permit udp 0.0.0.0 192.168.5.0  range 10000 20000"
> 
> and I got the following response back
> 
> "[no] access-list <id> [line <line-num>] deny|permit icmp
> 	<sip> <smask> | interface <if_name> | object-group
> <network_obj_grp_id>
> 	<dip> <dmask> | interface <if_name> | object-group
> <network_obj_grp_id>
> 	[<icmp_type> | object-group <icmp_type_obj_grp_id>]
> 	[log [disable|default] | [<level>] [interval <secs>]]
> Restricted ACLs for route-map use:
> [no] access-list <id> deny|permit {any | <prefix> <mask> | host
> <address>}
> Command failed"
> 
> I don't know how to enter into the linux interface of the Cisco Pix 506
> firewall
> 
> 
> 
> -----Original Message-----
> From: Joris Cras [mailto:joris at bitnetwerk.nl] 
> Sent: Saturday, February 09, 2008 3:23 AM
> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> 
> Ravi,
> 
> there is an easy way of creating all those commands in linux.
> just run the following in a shell:
> for x in $(seq 10001 10050); do echo "conduit permit udp host 192.168.5.0 eq $x any"; done
> 
> This will create all your PIX rules at once.
>  
> I think you could also use Cisco ACLs
>  access-list [name] permit udp [source] [destination] range
> This would be in your case something like:
>  access-list asterisk permit udp 0.0.0.0 192.168.5.0  range 10000 10050
> 
> Good luck.
> 
> Joris
> 
> Ravichandran Rajagopal wrote:
> > Otis,
> > I wanted to clarify what you said and what I comprehended. 
> >
> > the SIP protocols are disabled in fixup. 
> > ========================================================
> > Having said that I guess all I have to do is just the following.
> > the inside IP of asterisk server is 192.168.5.0
> >
> > On the cisco PIX firewall enter the following.
> > conduit permit udp host 192.168.5.0 eq 10000 any
> > conduit permit udp host 192.168.5.0 eq 10001 any
> > conduit permit udp host 192.168.5.0 eq 10002 any
> > ....................................
> > conduit permit udp host 192.168.5.0 eq 10049 any
> > conduit permit udp host 192.168.5.0 eq 10050 any
> >
> > in the rtp.conf in /etc/asterisk 
> > change the ending port 20000 (which is what it currently is) to 10050 
> >
> > Is there an easier way to make the entries in Cisco PIX firewall ?
> >
> > Thx
> > Ravi 
> >
> > -----Original Message-----
> > From: ListAcct [mailto:listacc at ocosa.com] 
> > Sent: Saturday, February 09, 2008 12:18 AM
> > To: ravi at vaishnavy.com
> > Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> > Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> >
> > No problem.  :-P  I thought it might be wise to include everything you
> > needed just in case!! LOL! You are welcome!!!
> >
> > --Otis 
> >
> > Ravichandran Rajagopal wrote:
> >> LOL I guess all I was asking for was the changes to be made in the Cisco PIX
> >> 506. I think you gave me a short tutorial on VI as well. Thanks once again
> >> for this help. Let me work on these changes and test the one-way audio
> >> problem and go from there.
> >> Thx
> >> Ravi
> >>
> >> -----Original Message-----
> >> From: ListAcct [mailto:listacc at ocosa.com] 
> >> Sent: Friday, February 08, 2008 11:55 PM
> >> To: ravi at vaishnavy.com
> >> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> >> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> >>
> >> Ravi,
> >>
> >> I will explain changing the config in asterisk and the pix:
> >>
> >> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to
> >> 10000 to 10050 (to start, you will need to increase later as ports fill
> >> up)
> >> (use insert to make a change in a file)
> >>
> >> to save:
> >>
> >>    1. esc
> >>    2. shift + colon
> >>    3. wq (to save)
> >>
> >> If you made a mistake and do not want to save but you changed
> something 
> >> in the file:
> >>
> >>    1. esc
> >>    2. shift + colon
> >>    3. q! (to exit)
> >>
> >>
> >> Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case but
> >> the static and conduit commands, so this is an example from my setup.
> >>
> >> These are not usable IPs on the Internet or my IPs but just an example....
> >>
> >> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
> >> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
> >>
> >> interface ethernet0 100full (sets the duplex and turns on interface)
> >> interface ethernet1 100full (sets the duplex and turns on interface)
> >>
> >> nameif ethernet0 outside security0 ( lower security)
> >> nameif ethernet1 dmz security50 (higher security)
> >>
> >> no fixup protocol sip 5060
> >> no fixup protocol sip udp 5060
> >>
> >> ! - this makes things easier so now the pix knows the IP of the asterisk
> >> box and maps the ip to the name just for configuration purposes only so
> >> if you had 20 servers or devices you wanted public access to it's just
> >> easier to remember their names versus IPs.
> >> name 192.168.254.11 dns
> >> name 192.168.254.10 asterisk
> >>
> >> ! - the static command is used as a permanent mapper from one inside,
> >> dmz, or other to the global ip vice versa. (Rule of thumb if you map
> >> using static make sure you have a conduit command)
> >> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
> >>
> >> ! - here is where you open the ports on the global side to the asterisk
> >> box. (the conduit command allows connections from lower security
> >> interfaces to higher security interfaces)
> >> conduit permit udp host 192.168.1.22 eq 10000 any
> >> conduit permit udp host 192.168.1.22 eq 10001 any
> >> conduit permit udp host 192.168.1.22 eq 10002 any
> >> conduit permit udp host 192.168.1.22 eq 10003 any
> >> conduit permit udp host 192.168.1.22 eq 10004 any
> >> conduit permit udp host 192.168.1.22 eq 10005 any
> >>
> >> Hope this helps!
> >>
> >> --Otis
> >>
> >>
> >> Ravichandran Rajagopal wrote:
> >>   
> >>     
> >>> Otis,
> >>> I am new to Cisco PIX 506 and I am learning this. If you can help me with
> >>> how to do this change on Cisco PIX it would be greatly appreciated. 
> >>>
> >>> Thx
> >>> Ravi
> >>>
> >>> -----Original Message-----
> >>> From: ListAcct [mailto:listacc at ocosa.com] 
> >>> Sent: Friday, February 08, 2008 11:11 PM
> >>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
> >>> Discussion
> >>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
> >>> 506
> >>>
> >>> Ravi,
> >>>
> >>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host
> >>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
> >>> something you can configure (10000 to 10200) unless you write a script
> >>> to just copy and paste about 10000 to 20000 ports in your config on the
> >>> pix. Ciscos are strange but secure.
> >>>
> >>> It took me about two hours to figure out after taking off the fixup and
> >>> no more logging/debugging from the cisco. I actually fixed it while a
> >>> call was coming in. LOL! Let me know!!!
> >>>
> >>> --Otis
> >>>
> >>> Ravichandran Rajagopal wrote:
> >>>   
> >>>     
> >>>       
> >>>> Hi,
> >>>>
> >>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I
> >>>> am getting a one-way audio. I need your help/guidance to resolve this
> >>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506.
> >>>> Any help rendered by you in this subject is greatly appreciated. I
> >>>> have been breaking my head trying to resolve this problem for more
> >>>> than one month. I have included the sip.conf and the extensions.conf
> >>>> below.
> >>>>
> >>>> [SIP.conf]
> >>>>
> >>>> ; SIP Configuration example for Asterisk
> >>>>
> >>>> [general]
> >>>> context=incoming
> >>>> allowoverlap=no
> >>>> bindport=5060
> >>>> bindaddr=0.0.0.0
> >>>> localnet=192.168.5.0/255.255.255.0
> >>>> externip=a.b.ccc.dd
> >>>> srvlookup=yes
> >>>> allow=ulaw
> >>>> allow=alaw
> >>>>
> >>>> [incoming]
> >>>> type=peer
> >>>> nat=no
> >>>> canreinvite=no
> >>>> host=xx.y.z.aaa
> >>>> qualify=yes
> >>>> dtmfmode=rfc2833
> >>>> context=default
> >>>>
> >>>> [extensions.conf]
> >>>>
> >>>> [general]
> >>>> static=yes
> >>>> writeprotect=yes
> >>>> clearglobalvars=no
> >>>>
> >>>> [default]
> >>>> include => customer
> >>>> exten => h,1,Hangup
> >>>> exten => i,1,Congestion
> >>>> exten => i,2,Hangup
> >>>>
> >>>> [agnosco]
> >>>> include => local-extensions
> >>>> include => customer_ivr
> >>>> include => incoming
> >>>>
> >>>> [customer_ivr]
> >>>> include => local-extensions
> >>>> exten => s,1,Answer
> >>>> exten => s,n,Background(agnosco_intro)
> >>>> exten => s,n,WaitExten
> >>>> ;Dial said extensions
> >>>> exten => 5,1,Dial(SIP/4028805362 at incoming,30)
> >>>>
> >>>> [incoming]
> >>>> exten => 4025901000,1,Goto(1000,1)
> >>>> exten => 1000,1,Goto(customer_ivr,s,1)
> >>>>
> >>>> Thanks
> >>>>
> >>>> sunMoonstar.
> >>>>
> >>>>
> ------------------------------------------------------------------------
> >>>>
> >>>> _______________________________________________
> >>>> -- Bandwidth and Colocation Provided by
> http://www.api-digital.com --
> >>>>
> >>>> asterisk-users mailing list
> >>>> To UNSUBSCRIBE or update options visit:
> >>>>    http://lists.digium.com/mailman/listinfo/asterisk-users
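The whole thread comes down to one job: open exactly the Asterisk RTP span on the PIX, either as one conduit line per port (Otis's style) or as a single access-list with range (the form Ravi's attempt got wrong). The script below is an added example, not code from anyone in the thread: it reads rtpstart/rtpend (Asterisk's own rtp.conf keys) from a constructed sample, refuses an inverted span, and emits both rule forms. The PIX-side address 192.168.1.22 is borrowed from Otis's static example and the ACL ordering (any source, host destination) follows Wendell's reply; both are assumptions about the reader's addressing.

```shell
#!/bin/sh
# Added example: derive PIX RTP rules from an Asterisk rtp.conf span.
# Constructed sample rtp.conf, using the 10000-10050 span from the thread.
SAMPLE_RTP_CONF='[general]
rtpstart=10000
rtpend=10050'

# rtp_range CONTENT -> prints "start end"; fails if a key is missing or the
# span is inverted, so a typo never turns into a wide-open port range.
rtp_range() {
    start=$(printf '%s\n' "$1" | sed -n 's/^rtpstart[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    end=$(printf '%s\n' "$1" | sed -n 's/^rtpend[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$start" ] && [ -n "$end" ] && [ "$start" -le "$end" ] || return 1
    printf '%s %s\n' "$start" "$end"
}

# pix_acl HOST START END -> one access-list line covering the span
# (any source, host destination, as in Wendell's reply, plus range).
pix_acl() {
    printf 'access-list asterisk permit udp any host %s range %s %s\n' "$1" "$2" "$3"
}

# pix_conduits HOST START END -> one conduit line per port (older PIX syntax,
# the form Otis typed by hand for 10000-10005).
pix_conduits() {
    p=$2
    while [ "$p" -le "$3" ]; do
        printf 'conduit permit udp host %s eq %s any\n' "$1" "$p"
        p=$((p + 1))
    done
}

# main [HOST] -> prints the ACL form, then the conduit form, for the sample span.
main() {
    host=${1:-192.168.1.22}   # assumed PIX-side address of the Asterisk box
    range=$(rtp_range "$SAMPLE_RTP_CONF") || { echo "bad rtp span in rtp.conf" >&2; return 1; }
    set -- $range
    pix_acl "$host" "$1" "$2"
    pix_conduits "$host" "$1" "$2"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Keeping the span as narrow as call volume allows, as the thread suggests, keeps the number of UDP ports exposed on the outside interface small; widen it only when calls start failing for lack of free RTP ports.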