[asterisk-users] oneway audio with asterisk behind cisco pix 506
Ravichandran Rajagopal
ravichandran.rajagopal at gmail.com
Mon Feb 11 07:02:50 CST 2008
Otis,
Can I call and talk to you if you have a US number or chat with you using
Gmail talk etc. Please email me the same to ravi at vaishnavy.com.
Thx
Ravi
-----Original Message-----
From: ListAcct [mailto:listacc at ocosa.com]
Sent: Monday, February 11, 2008 6:08 AM
To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
Discussion
Cc: 'Wendell Hamilton'
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
Ravi,
Are you sure that is the IP address of your Asterisk server? If you
are following / using CIDR then
192.168.5.0/24
192.168.5.0 = network address
192.168.5.255 = broadcast
Valid IPs in that range are 192.168.5.1-254 usable
Did you get everything working?
--Otis
Ravichandran Rajagopal wrote:
> This is what I implemented
>
> access-list asterisk permit udp any host 192.168.5.0 range 10000 20000
>
> Thx
> Ravi
>
> -----Original Message-----
> From: Wendell Hamilton [mailto:routerguy at rightsolve.com]
> Sent: Saturday, February 09, 2008 11:07 PM
> To: ravi at vaishnavy.com
> Cc: Joris Cras; Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>
> Did you only open up the one port (10000)? You need to open up a range,
> if you're doing it this way, like 10000-10020 and then set your rtp ports in
> asterisk to the same range.
>
> ----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:
>
>> I made the following changes and I am still facing one way audio with
>> my call flow.
>>
>> -----Original Message-----
>> From: Wendell Hamilton [mailto:routerguy at rightsolve.com]
>> Sent: Saturday, February 09, 2008 1:58 PM
>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
>> Discussion
>> Cc: Joris Cras; ravi at vaishnavy.com; Asterisk Users Mailing List -
>> Non-Commercial Discussion
>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco
>> pix 506
>>
>> try:
>> access-list asterisk permit udp any host x.x.x.x eq 10000
>>
>> ----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com>
>> wrote:
>>
>>> I tried the following ACL command
>>>
>>> "access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 20000"
>>>
>>> and I got the following response back
>>>
>>> "[no] access-list <id> [line <line-num>] deny|permit icmp
>>> <sip> <smask> | interface <if_name> | object-group
>>> <network_obj_grp_id>
>>> <dip> <dmask> | interface <if_name> | object-group
>>> <network_obj_grp_id>
>>> [<icmp_type> | object-group <icmp_type_obj_grp_id>]
>>> [log [disable|default] | [<level>] [interval <secs>]]
>>> Restricted ACLs for route-map use:
>>> [no] access-list <id> deny|permit {any | <prefix> <mask> | host
>>> <address>}
>>> Command failed"
>>>
>>> I don't know how to enter into the linux interface of the Cisco Pix 506
>>> firewall
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Joris Cras [mailto:joris at bitnetwerk.nl]
>>> Sent: Saturday, February 09, 2008 3:23 AM
>>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
>>> Discussion
>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>> 506
>>>
>>> Ravi,
>>>
>>> there is an easy way of creating all those commands in linux.
>>> just run the following in a shell:
>>> for x in $(seq 10001 10050); do echo 192.168.5.0 eq $x any conduit permit udp host 192.168.5.0 eq $x any conduit permit udp host;done
>>>
>>> This will create all your PIX rules at once.
>>>
>>> I think you could also use Cisco ACL's
>>> access-list [name] permit udp [source] [destination] range
>>> This would be in your case something like:
>>> access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 10050
>>>
>>> Good luck.
>>>
>>> Joris
>>>
>>> Ravichandran Rajagopal wrote:
>>>
>>>> Otis,
>>>> I wanted to clarify what you said and what I comprehended.
>>>>
>>>> the SIP protocols are disabled in fixup.
>>>> ========================================================
>>>> Having said that I guess all I have to do is just the following.
>>>> the inside IP of asterisk server is 192.168.5.0
>>>>
>>>> On the cisco PIX firewall enter the following.
>>>> 192.168.5.0 eq 10000 any conduit permit udp host 192.168.5.0 eq 10001 any conduit permit udp host
>>>> 192.168.5.0 eq 10001 any conduit permit udp host 192.168.5.0 eq 10002 any conduit permit udp host
>>>> ....................................
>>>> ...................................
>>>> .....................
>>>> 192.168.5.0 eq 10049 any conduit permit udp host 192.168.5.0 eq 10050 any conduit permit udp host
>>>>
>>>> in the rtp.conf in /etc/asterisk
>>>> change the ending port 20000 (which is what it currently is) to 10050
>>>>
>>>> Is there an easier way to make the entries in Cisco PIX firewall?
>>
>>>> Thx
>>>> Ravi
>>>>
>>>> -----Original Message-----
>>>> From: ListAcct [mailto:listacc at ocosa.com]
>>>> Sent: Saturday, February 09, 2008 12:18 AM
>>>> To: ravi at vaishnavy.com
>>>> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>>> 506
>>>>
>>>> No problem. :-P I thought it might be wise to include everything you
>>>> needed just in case!! LOL! You are welcome!!!
>>>>
>>>> --Otis
>>>>
>>>> Ravichandran Rajagopal wrote:
>>>>
>>>>
>>>>> LOL I guess all I was asking for the changes to be made in the Cisco PIX
>>>>> 506. I think you gave me a short tutorial on VI as well. Thanks once again
>>>>> for this help. Let me work on these changes and test the one-way audio
>>>>> problem and go from there.
>>>>> Thx
>>>>> Ravi
>>>>>
>>>>> -----Original Message-----
>>>>> From: ListAcct [mailto:listacc at ocosa.com]
>>>>> Sent: Friday, February 08, 2008 11:55 PM
>>>>> To: ravi at vaishnavy.com
>>>>> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
>>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>>>> 506
>>>>>
>>>>> Ravi,
>>>>>
>>>>> I will explain changing the config in asterisk and the pix:
>>>>>
>>>>> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to
>>>>> 10000 to 10050 (to start, you will need to increase later as ports fill up)
>>>>>
>>>>> (use insert to make a change in a file)
>>>>>
>>>>> to save:
>>>>>
>>>>> 1. esc
>>>>> 2. shift + colon
>>>>> 3. wq (to save)
>>>>>
>>>>> If you made a mistake and do not want to save but you changed something
>>>>> in the file:
>>>>>
>>>>> 1. esc
>>>>> 2. shift + colon
>>>>> 3. q! (to exit)
>>>>>
>>>>>
>>>>> Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case the
>>>>> static and conduit commands so this is an example from my setup.
>>>>>
>>>>> These are not usable IPs on the Internet or my IPs but just an example....
>>>>
>>>>
>>>>> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
>>>>> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
>>>>>
>>>>> interface ethernet0 100full (sets the duplex and turns on interface)
>>>>> interface ethernet1 100full (sets the duplex and turns on interface)
>>>>>
>>>>> nameif ethernet0 outside security0 ( lower security)
>>>>> nameif ethernet1 dmz security50 (higher security)
>>>>>
>>>>> no fixup protocol sip 5060
>>>>> no fixup protocol sip udp 5060
>>>>>
>>>>> ! - this makes things easier so now the pix knows the IP of the asterisk
>>>>> box and maps the ip to the name just for configuration purposes only so
>>>>> if you had 20 servers or devices you wanted public access to it's just
>>>>> easier to remember their names versus IPs.
>>>>> name 192.168.254.11 dns
>>>>> name 192.168.254.10 asterisk
>>>>>
>>>>> ! - the static command is used as a permanent mapper from one inside,
>>>>> dmz, or other to the global ip vice versa. (Rule of thumb if you map
>>>>> using static make sure you have a conduit command)
>>>>> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
>>>>>
>>>>> ! - here is where you open the ports on the global side to the asterisk
>>>>> box. (the conduit command allows connections from lower security
>>>>> interfaces to higher security interfaces)
>>>>> conduit permit udp host 192.168.1.22 eq 10000 any
>>>>> conduit permit udp host 192.168.1.22 eq 10001 any
>>>>> conduit permit udp host 192.168.1.22 eq 10002 any
>>>>> conduit permit udp host 192.168.1.22 eq 10003 any
>>>>> conduit permit udp host 192.168.1.22 eq 10004 any
>>>>> conduit permit udp host 192.168.1.22 eq 10005 any
>>>>>
>>>>> Hope this helps!
>>>>>
>>>>> --Otis
>>>>>
>>>>>
>>>>> Ravichandran Rajagopal wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Otis,
>>>>>> I am new to Cisco PIX 506 and I am learning this. If you can help me with
>>>>>> how to do this change on Cisco PIX it would be greatly appreciated.
>>>>>> Thx
>>>>>> Ravi
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: ListAcct [mailto:listacc at ocosa.com]
>>>>>> Sent: Friday, February 08, 2008 11:11 PM
>>>>>> To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
>>>>>> Discussion
>>>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>>>>> 506
>>>>>>
>>>>>> Ravi,
>>>>>>
>>>>>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host
>>>>>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
>>>>>> something you can configure (10000 to 10200) unless you write a script
>>>>>> to just copy and paste about 10000 to 20000 ports in your config on the
>>>>>> pix. Cisco's are strange but secure.
>>>>>>
>>>>>> It took me about two hours to figure out after taking off the fixup and
>>>>>> no more logging/debugging from the cisco. I actually fixed while a call
>>>>>> was coming in. LOL! Let me know!!!
>>>>>>
>>>>>> --Otis
>>>>>>
>>>>>> Ravichandran Rajagopal wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I
>>>>>>> am getting a one-way audio. I need your help/guidance to resolve this
>>>>>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506.
>>>>>>> Any help rendered by you in this subject is greatly appreciated. I
>>>>>>> have been breaking my head trying to resolve this problem for more
>>>>>>> than one month. I have included the sip.conf and the extensions.conf
>>>>>>> below.
>>>>>>>
>>>>>>> [SIP.conf]
>>>>>>>
>>>>>>> ; SIP Configuration example for Asterisk
>>>>>>>
>>>>>>> [general]
>>>>>>> context=incoming
>>>>>>> allowoverlap=no
>>>>>>> bindport=5060
>>>>>>> bindaddr=0.0.0.0
>>>>>>> localnet=192.168.5.0/255.255.255.0
>>>>>>> externip=a.b.ccc.dd
>>>>>>> srvlookup=yes
>>>>>>> allow=ulaw
>>>>>>> allow=alaw
>>>>>>>
>>>>>>> [incoming]
>>>>>>> type=peer
>>>>>>> nat=no
>>>>>>> canreinvite=no
>>>>>>> host=xx.y.z.aaa
>>>>>>> qualify=yes
>>>>>>> dtmfmode=rfc2833
>>>>>>> context=default
>>>>>>>
>>>>>>> [extensions.conf]
>>>>>>>
>>>>>>> [general]
>>>>>>> static=yes
>>>>>>> writeprotect=yes
>>>>>>> clearglobalvars=no
>>>>>>>
>>>>>>> [default]
>>>>>>> include => customer
>>>>>>> exten => h,1,Hangup
>>>>>>> exten => i,1,Congestion
>>>>>>> exten => i,2,Hangup
>>>>>>>
>>>>>>> [agnosco]
>>>>>>> include => local-extensions
>>>>>>> include => customer_ivr
>>>>>>> include => incoming
>>>>>>>
>>>>>>> [customer_ivr]
>>>>>>> include => local-extensions
>>>>>>> exten => s,1,Answer
>>>>>>> exten => s,n,Background(agnosco_intro)
>>>>>>> exten => s,n,WaitExten
>>>>>>> ;Dial said extensions
>>>>>>> exten => 5,1,Dial(SIP/4028805362@incoming,30)
>>>>>>>
>>>>>>> [incoming]
>>>>>>> exten => 4025901000,1,Goto(1000,1)
>>>>>>> exten => 1000,1,Goto(customer_ivr,s,1)
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> sunMoonstar.
>>>>>>>
>>>>>>>
>>>>>>>
>> ------------------------------------------------------------------------
>>
>>>>>>> _______________________________________________
>>>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>>>>
>>>>>>> asterisk-users mailing list
>>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>
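The thread turns on two things that have to agree: the UDP range the PIX permits and the RTP range in `/etc/asterisk/rtp.conf`, plus Otis's point that 192.168.5.0 is the network address of a /24 rather than a host. The following Python check is an added example, not code from any participant in the thread; it assumes the `rtpstart`/`rtpend` keys of `rtp.conf`, and the function names and the host 192.168.5.10 are made up for illustration.

```python
import ipaddress
import re

def usable_host(addr, network):
    """True if addr is an assignable host of network, not its network/broadcast address."""
    net = ipaddress.ip_network(network)
    ip = ipaddress.ip_address(addr)
    return ip in net and ip not in (net.network_address, net.broadcast_address)

def rtp_range(rtp_conf):
    """Read rtpstart/rtpend from the text of rtp.conf (';' comment lines are ignored)."""
    vals = dict(re.findall(r"^[ \t]*(rtpstart|rtpend)[ \t]*=[ \t]*(\d+)", rtp_conf, re.M))
    return int(vals["rtpstart"]), int(vals["rtpend"])

def acl_target(line):
    """Parse '... permit udp any host <ip> range <lo> <hi>' or '... eq <port>'."""
    m = re.search(r"permit udp any host (\S+) (?:range (\d+) (\d+)|eq (\d+))", line)
    if not m:
        raise ValueError("unrecognised rule: %r" % line)
    host, lo, hi, single = m.groups()
    return (host, int(lo), int(hi)) if lo else (host, int(single), int(single))

def audit(acl_line, rtp_conf, network):
    """Return finding codes for one firewall rule checked against rtp.conf."""
    host, lo, hi = acl_target(acl_line)
    start, end = rtp_range(rtp_conf)
    findings = []
    if not usable_host(host, network):
        findings.append("bad-host")       # rule names the subnet itself, not the server
    if lo > start or hi < end:
        findings.append("rtp-blocked")    # Asterisk may pick a port the firewall drops
    if lo < start or hi > end:
        findings.append("over-exposed")   # UDP ports open that Asterisk never uses
    return findings

# Constructed sample inputs; 192.168.5.10 is a made-up host address.
RTP_NARROW = "[general]\nrtpstart=10000\nrtpend=10050\n"
RTP_DEFAULT = "[general]\nrtpstart=10000\nrtpend=20000\n"
NET = "192.168.5.0/24"

if __name__ == "__main__":
    for rule, conf in [
        ("access-list asterisk permit udp any host 192.168.5.0 range 10000 20000", RTP_NARROW),
        ("access-list asterisk permit udp any host 192.168.5.10 eq 10000", RTP_DEFAULT),
        ("access-list asterisk permit udp any host 192.168.5.10 range 10000 10050", RTP_NARROW),
    ]:
        print(rule, "->", audit(rule, conf, NET) or "ok")
```

A rule flagged `rtp-blocked` matches the one-way-audio symptom discussed in the thread; `over-exposed` marks a firewall range wider than what Asterisk is configured to use.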