<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{font-family:Arial;
color:windowtext;}
span.EmailStyle18
{font-family:Tahoma;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
@page Section1
{size:595.3pt 841.9pt;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>It works fine for me. I have a handful of Cisco 7960’s
behind a PIX firewall and they register to a Asterisk server outside of the PIX
with no trouble at all. I didn’t do anything special to the
PIX (i.e. no access list entries).</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'> </span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>The tricks I found to make it work generally apply to any
setup where the clients are behind NAT. I also run the tftp server
for the phones to get configs inside the firewall, and the SIPDefault.cnf file
specifies the proxy address outside of the firewall.</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'> </span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>In the Cisco phone config I have these NAT settings:</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>nat_enable:
1
; 0-Disabled (default), 1-Enabled</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>nat_address:
""
; WAN IP address of NAT box (dotted IP or DNS A record only)</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>voip_control_port:
5060 ; UDP port used for SIP
messages (default - 5060)</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>start_media_port:
16384 ; Start RTP range for
media (default - 16384)</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>end_media_port:
32766 ; End RTP
range for media (default - 32766)</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>nat_received_processing: 0 ;
0-Disabled (default), 1-Enabled</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'> </span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>And the sip.conf entry for this peer is:</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'> </span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>[7000]</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>type=friend</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>nat=yes</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>qualify=yes</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>context=xxxx</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>secret=xxxx</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>callerid=xxxx</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>host=dynamic</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>canreinvite=no</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>dtmfmode=rfc2833</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'> </span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>timer_register_expires: 120</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'> </span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>Setting the registry timer to 120 seconds causes the phone
to send out a packet at least every 2 minutes which will open a UDP xlate on
the PIX for the session. Then the trick is to use both ‘nat=yes’
and ‘qualify=yes’ so Asterisk chats with the phone pretty often. The
interval of OPTIONS or REGISTER messages between Asterisk and phone definitely needs
to be shorter than the PIX’s UDP xlate timeout or the PIX will close the
xlate and you won’t be able to pass packets into the phone for an
incoming call.</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'> </span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>Note that you can put a numeric value after qualify=
instead of “yes” to fine-tine the interval at which it sends a
OPTIONS message.</span></font></p>
<p class=MsoNormal><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'> </span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] <b><span style='font-weight:
bold'>On Behalf Of </span></b>Craig Waddington<br>
<b><span style='font-weight:bold'>Sent:</span></b> Saturday, September 25, 2004
8:17 AM<br>
<b><span style='font-weight:bold'>To:</span></b> asterisk-users@lists.digium.com<br>
<b><span style='font-weight:bold'>Subject:</span></b> [Asterisk-Users] Cisco
PIX and Asterisk</span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>I cannot get incoming calls to sip phones behind a
PIX to work, outgoing is fine.</span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>Asterisk (Public IP) </span></font><font size=2
face=Wingdings><span lang=EN-GB style='font-size:10.0pt;font-family:Wingdings'>à</span></font><font
size=2 face=Arial><span lang=EN-GB style='font-size:10.0pt;font-family:Arial'>
Internet </span></font><font size=2 face=Wingdings><span lang=EN-GB
style='font-size:10.0pt;font-family:Wingdings'>à</span></font><font
size=2 face=Arial><span lang=EN-GB style='font-size:10.0pt;font-family:Arial'>
PIX (NAT) </span></font><font size=2 face=Wingdings><span lang=EN-GB
style='font-size:10.0pt;font-family:Wingdings'>à</span></font><font
size=2 face=Arial><span lang=EN-GB style='font-size:10.0pt;font-family:Arial'> Sip
Phones</span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>I have tried no fixup protocol sip, I have punched a
hole in the Pix allowing anything from the Asterisk box into the network, still
no incoming.</span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>I have done all the Wiki suggests in regarding to
NAT.</span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>Is their a trick getting the incoming to work?</span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>Has anyone managed to get this to work or am I
wasting my time on this?</span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'>Ta.</span></font></p>
</div>
</body>
</html>