[asterisk-users] oneway audio with asterisk behind cisco pix

listacc at ocosa.com
Posted: Sat Feb 09, 2008 12:10 am

Ravi,

Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host
x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
something you can configure (10000 to 10200) unless you write a script
to just copy and paste about 10000 to 20000 ports in your config on the
pix. Cisco's are strange but secure.

It took me about two hours to figure out after taking off the fixup and
no more logging/debugging from the cisco. I actually fixed while a call
was coming in. LOL! Let me know!!!

--Otis

Ravichandran Rajagopal wrote:

Hi,

I have the Cisco PIX 506 firewall right in front of the asterisk and I
am getting a one-way audio. I need your help/guidance to resolve this
problem. I have the "fixups" disabled for SIP in the Cisco PIX 506.
Any help rendered by you in this subject is greatly appreciated. I
have been breaking my head trying to resolve this problem for more
than one month. I have included the sip.conf and the extensions.conf
below.

[SIP.conf]
; SIP Configuration example for Asterisk
[general]
context=incoming
allowoverlap=no
bindport=5060
bindaddr=0.0.0.0
localnet=192.168.5.0/255.255.255.0
externip=a.b.ccc.dd
srvlookup=yes
allow=ulaw
allow=alaw

[incoming]
type=peer
nat=no
canreinvite=no
host=xx.y.z.aaa
qualify=yes
dtmfmode=rfc2833
context=default

[extensions.conf]
[general]
static=yes
writeprotect=yes
clearglobalvars=no

[default]
include => customer
exten => h,1,Hangup
exten => i,1,Congestion
exten => i,2,Hangup

[agnosco]
include => local-extensions
include => customer_ivr
include => incoming

[customer_ivr]
include => local-extensions
exten => s,1,Answer
exten => s,n,Background(agnosco_intro)
exten => s,n,WaitExten

;Dial said extensions
exten => 5,1,Dial(SIP/4028805362@incoming,30)

[incoming]
exten => 4025901000,1,Goto(1000,1)
exten => 1000,1,Goto(customer_ivr,s,1)

Thanks

sunMoonstar.

------------------------------------------------------------------------

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
ravichandran.rajagopal...
Posted: Sat Feb 09, 2008 12:14 am

Otis,
I am new to Cisco PIX 506 and I am learning this. If you can help me with
how to do this change on Cisco PIX it would be greatly appreciated.

Thx
Ravi

listacc at ocosa.com
Posted: Sat Feb 09, 2008 12:54 am

Ravi,

I will explain changing the config in asterisk and the pix:

Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to
10000 to 10050 (to start, you will need to increase later as ports fill up)

(use insert to make a change in a file)

to save:

1. esc
2. shift + colon
3. wq (to save)

If you made a mistake and do not want to save but you changed something
in the file:

1. esc
2. shift + colon
3. q! (to exit)

Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case the
static and conduit commands so this is an example from my setup.

These are not usable IPs on the Internet or my IPs but just an example....

outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)

! - sets the duplex and turns on interface
interface ethernet0 100full
interface ethernet1 100full

! - outside is lower security, dmz is higher security
nameif ethernet0 outside security0
nameif ethernet1 dmz security50

no fixup protocol sip 5060
no fixup protocol sip udp 5060

! - this makes things easier so now the pix knows the IP of the asterisk
! box and maps the ip to the name just for configuration purposes only so
! if you had 20 servers or devices you wanted public access to it's just
! easier to remember their names versus IPs.
name 192.168.254.11 dns
name 192.168.254.10 asterisk

! - the static command is used as a permanent mapper from one inside,
! dmz, or other to the global ip vice versa. (Rule of thumb if you map
! using static make sure you have a conduit command)
static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0

! - here is where you open the ports on the global side to the asterisk
! box. (the conduit command allows connections from lower security
! interfaces to higher security interfaces)
conduit permit udp host 192.168.1.22 eq 10000 any
conduit permit udp host 192.168.1.22 eq 10001 any
conduit permit udp host 192.168.1.22 eq 10002 any
conduit permit udp host 192.168.1.22 eq 10003 any
conduit permit udp host 192.168.1.22 eq 10004 any
conduit permit udp host 192.168.1.22 eq 10005 any

Hope this helps!

--Otis


ravichandran.rajagopal...
Posted: Sat Feb 09, 2008 12:57 am

LOL I guess all I was asking for the changes to be made in the Cisco PIX
506. I think you gave me a short tutorial on VI as well. Thanks once again
for this help. Let me work on these changes and test the one-way audio
problem and go from there.
Thx
Ravi

listacc at ocosa.com
Posted: Sat Feb 09, 2008 1:18 am

No problem. I thought it might be wise to include everything you
needed just in case!! LOL! You are welcome!!!

--Otis

ravichandran.rajagopal...
Posted: Sat Feb 09, 2008 1:46 am

Otis,
I wanted to clarify what you said and what I comprehended.

the SIP protocols are disabled in fixup.
========================================================
Having said that I guess all I have to do is just the following.
the inside IP of asterisk server is 192.168.5.0

On the cisco PIX firewall enter the following.
conduit permit udp host 192.168.5.0 eq 10000 any
conduit permit udp host 192.168.5.0 eq 10001 any
conduit permit udp host 192.168.5.0 eq 10002 any
....................................
conduit permit udp host 192.168.5.0 eq 10049 any
conduit permit udp host 192.168.5.0 eq 10050 any

in the rtp.conf in /etc/asterisk
change the ending port 20000 (which is what it currently is) to 10050

Is there an easier way to make the entries in Cisco PIX firewall ?

Thx
Ravi

routerguy at rightsolv...
Posted: Sat Feb 09, 2008 2:24 am

Note also that if you point to the DNS name rather than the IP address of the asterisk server on the phones trying to register, you can set NAT=NO on the asterisk side and the sip FIXUP command on the PIX will handle everything correctly making this workaround unnecessary
joris at bitnetwerk.nl
Posted: Sat Feb 09, 2008 4:23 am

Ravi,

There is an easy way of creating all those commands in Linux.
Just run the following in a shell:
# prints one conduit line per RTP port, 10000 through 10050
for x in $(seq 10000 10050); do echo "conduit permit udp host 192.168.5.0 eq $x any"; done

This will create all your PIX rules at once.

I think you could also use Cisco ACLs
access-list [name] permit udp [source] [destination] range [first port] [last port]
This would be in your case something like:
access-list asterisk permit udp any host 192.168.5.0 range 10000 10050

Good luck.

Joris
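
An added example, not written by any poster in this thread: a Python audit that compares the rtpstart/rtpend span from rtp.conf with the UDP ports a PIX config permits toward the Asterisk address. It reports RTP ports that are still closed (the one-way audio case) and ports opened outside the span (exposure nobody needs). The sample configs are constructed from the values used in the thread, the function names are hypothetical, and the parser only understands the `conduit` and `access-list` forms with `host <ip> eq|range` shown here.

```python
import re

# Constructed sample inputs built from the addresses and ports used in the thread.
RTP_CONF = """\
[general]
rtpstart=10000   ; first RTP port
rtpend=10050     ; last RTP port
"""

# Conduit style: one rule per port, only the six ports written out in the thread.
PIX_CONDUITS = "\n".join(
    f"conduit permit udp host 192.168.1.22 eq {p} any" for p in range(10000, 10006)
)

# ACL style with a port range that runs past rtpend (a constructed mistake).
PIX_ACL = "access-list asterisk permit udp any host 192.168.1.22 range 10000 10060"

# Matches "conduit permit udp ..." or "access-list NAME permit udp ..." where a
# "host <ip>" is followed directly by "eq <port>" or "range <first> <last>".
RULE = re.compile(
    r"^(?:conduit|access-list\s+\S+)\s+permit\s+udp\s+.*?"
    r"\bhost\s+(\S+)\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))\b"
)


def rtp_span(conf_text):
    """Return (rtpstart, rtpend) from the text of an Asterisk rtp.conf."""
    values = {}
    for line in conf_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        m = re.fullmatch(r"(rtpstart|rtpend)\s*=\s*(\d+)", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    if set(values) != {"rtpstart", "rtpend"}:
        raise ValueError("rtp.conf must set both rtpstart and rtpend")
    if values["rtpstart"] > values["rtpend"]:
        raise ValueError("rtpstart is greater than rtpend")
    return values["rtpstart"], values["rtpend"]


def permitted_udp_ports(pix_text, host):
    """Collect the UDP ports that permit rules open toward `host`."""
    ports = set()
    for line in pix_text.splitlines():
        m = RULE.match(line.strip())
        if not m or m.group(1) != host:
            continue
        if m.group(2):                      # eq <port>
            ports.add(int(m.group(2)))
        else:                               # range <first> <last>
            ports.update(range(int(m.group(3)), int(m.group(4)) + 1))
    return ports


def audit(rtp_text, pix_text, host):
    """Compare the RTP span with what the firewall config opens for `host`."""
    start, end = rtp_span(rtp_text)
    wanted = set(range(start, end + 1))
    opened = permitted_udp_ports(pix_text, host)
    return {
        "closed_rtp_ports": sorted(wanted - opened),   # media can be dropped here
        "extra_open_ports": sorted(opened - wanted),   # open but never used for RTP
    }


def conduits_for(host, ports):
    """Render per-port conduit lines in the form used in the thread."""
    return [f"conduit permit udp host {host} eq {p} any" for p in ports]


if __name__ == "__main__":
    for label, cfg in (("conduit", PIX_CONDUITS), ("acl", PIX_ACL)):
        result = audit(RTP_CONF, cfg, "192.168.1.22")
        print(label, "closed:", len(result["closed_rtp_ports"]),
              "extra:", result["extra_open_ports"])
        for line in conduits_for("192.168.1.22", result["closed_rtp_ports"][:3]):
            print("  missing:", line)
```
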

Ravichandran Rajagopal wrote:
Quote:
Otis,
I wanted to clarify what you said and what I comprehended.

the SIP protocols are disabled in fixup.
========================================================
Having said that I guess all I have to do is just the following.
the inside IP of asterisk server is 192.168.5.0

On the cisco PIX firewall enter the following.
192.168.5.0 eq 10000 any conduit permit udp host 192.168.5.0 eq 10001 any
conduit permit udp host
192.168.5.0 eq 10001 any conduit permit udp host 192.168.5.0 eq 10002 any
conduit permit udp host
....................................
...................................
.....................
192.168.5.0 eq 10049 any conduit permit udp host 192.168.5.0 eq 10050 any
conduit permit udp host

in the rtp.conf in /etc/asterisk
change the ending port 20000 (which is what it currently is) to 10050

Is there an easier way to make the entries in Cisco PIX firewall ?

Thx
Ravi

-----Original Message-----
From: ListAcct [mailto:listacc at ocosa.com]
Sent: Saturday, February 09, 2008 12:18 AM
To: ravi at vaishnavy.com
Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
506

No problem. I thought it might be wise to include everything you
needed just in case!! LOL! You are welcome!!!

--Otis

Ravichandran Rajagopal wrote:

Quote:
LOL I guess all I was asking for the changes to be made in the Cisco PIX
506. I think you gave me a short tutorial on VI as well. Thanks once again
for this help. Let me work on these changes and test the one-way audio
problem and go from there.
Thx
Ravi

-----Original Message-----
From: ListAcct [mailto:listacc at ocosa.com]
Sent: Friday, February 08, 2008 11:55 PM
To: ravi at vaishnavy.com
Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
506

Ravi,

I will explain changing the config in asterisk and the pix:

Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to
10000 to 10050 (to start, you will need to increase later as ports fill
up)

(use insert to make a change in a file)

to save:

1. esc
2. shift + colon
3. wq (to save)

If you made a mistake and do not want to save but you changed something
in the file:

1. esc
2. shift + colon
3. q! (to exit)


Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case the
static and conduit commands so this is an example from my setup.

These are not usable IPs on the Internet or my IPs but just an
example....

outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)

interface ethernet0 100full (sets the duplex and turns on interface)
interface ethernet1 100full (sets the duplex and turns on interface)

nameif ethernet0 outside security0 ( lower security)
nameif ethernet1 dmz security50 (higher security)

no fixup protocol sip 5060
no fixup protocol sip udp 5060

! - this makes things easier so now the pix knows the IP of the asterisk
box and maps the ip to the name just for configuration purposes only so
if you had 20 servers or devices you wanted public access to it's just
easier to remember their names versus IPs.
name 192.168.254.11 dns
name 192.168.254.10 asterisk

! - the static command is used as a permanent mapper from one inside,
dmz, or other to the global ip vice versa. (Rule of thumb if you map
using static make sure you have a conduit command)
static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0

! - here is where you open the ports on the global side to the asterisk
box. (the conduit command allows connections from lower security
interfaces to higher security interfaces)
conduit permit udp host 192.168.1.22 eq 10000 any
conduit permit udp host 192.168.1.22 eq 10001 any
conduit permit udp host 192.168.1.22 eq 10002 any
conduit permit udp host 192.168.1.22 eq 10003 any
conduit permit udp host 192.168.1.22 eq 10004 any
conduit permit udp host 192.168.1.22 eq 10005 any

Hope this helps!

--Otis


Ravichandran Rajagopal wrote:


Quote:
Otis,
I am new to Cisco PIX 506 and I am learning this. If you can help me with
how to do this change on Cisco PIX it would be greatly appreciated.

Thx
Ravi

-----Original Message-----
From: ListAcct [mailto:listacc at ocosa.com]
Sent: Friday, February 08, 2008 11:11 PM
To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
506

Ravi,

Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host
x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
something you can configure (10000 to 10200) unless you write a script
to just copy and paste about 10000 to 20000 ports in your config on the
pix. Cisco's are strange but secure.

It took me about two hours to figure out after taking off the fixup and
no more logging/debugging from the cisco. I actually fixed while a call
was coming in. LOL! Let me know!!!

--Otis

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
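
The per-port approach discussed above only works if the firewall rules and the Asterisk RTP range stay identical. The following is an added example, not code from any poster in this thread: it reads rtpstart/rtpend from an rtp.conf, emits conduit lines in the form Otis posted, and audits an existing PIX config for ports that are missing or opened unnecessarily. The function names, the sample files and the address 192.168.1.22 (taken from Otis's example) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the rtp.conf keys rtpstart/rtpend
# and PIX lines of the form "conduit permit udp host <ip> eq <port> any".

# rtp_range FILE -> prints "START END"; fails on a missing or invalid range.
rtp_range() {
    awk -F= '
        { sub(/;.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments and whitespace
        $1 == "rtpstart" { s = $2 }
        $1 == "rtpend"   { e = $2 }
        END {
            if (s !~ /^[0-9]+$/ || e !~ /^[0-9]+$/) exit 1
            if (s + 0 < 1024 || e + 0 > 65535 || s + 0 > e + 0) exit 1
            print s + 0, e + 0
        }' "$1"
}

# conduit_rules IP START END -> one conduit command per UDP port in the range.
conduit_rules() {
    p=$2
    while [ "$p" -le "$3" ]; do
        echo "conduit permit udp host $1 eq $p any"
        p=$((p + 1))
    done
}

# audit_conduits PIXCFG IP START END
# "MISSING n": RTP port with no conduit, so inbound audio on it is dropped.
# "EXTRA n":   conduit for a port outside the RTP range (needless exposure).
audit_conduits() {
    awk -v ip="$2" -v s="$3" -v e="$4" '
        $1 == "conduit" && $2 == "permit" && $3 == "udp" && $4 == "host" &&
        $5 == ip && $6 == "eq" && $7 ~ /^[0-9]+$/ { open[$7 + 0] = 1 }
        END {
            for (p = s + 0; p <= e + 0; p++) if (!(p in open)) print "MISSING", p
            for (p in open) if (p + 0 < s + 0 || p + 0 > e + 0) print "EXTRA", p
        }' "$1"
}

# Constructed sample input: a narrowed rtp.conf and a PIX config holding the
# six conduits from Otis's example plus one stray port.
tmp=$(mktemp -d)
cat > "$tmp/rtp.conf" <<'EOF'
[general]
rtpstart=10000
rtpend=10008     ; narrowed from 20000
EOF
cat > "$tmp/pix.cfg" <<'EOF'
static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
conduit permit udp host 192.168.1.22 eq 10000 any
conduit permit udp host 192.168.1.22 eq 10001 any
conduit permit udp host 192.168.1.22 eq 10002 any
conduit permit udp host 192.168.1.22 eq 10003 any
conduit permit udp host 192.168.1.22 eq 10004 any
conduit permit udp host 192.168.1.22 eq 10005 any
conduit permit udp host 192.168.1.22 eq 10049 any
EOF

set -- $(rtp_range "$tmp/rtp.conf")
audit_conduits "$tmp/pix.cfg" 192.168.1.22 "$1" "$2"
conduit_rules 192.168.1.22 10006 "$2"    # the rules still to be entered
rm -rf "$tmp"
```

An EXTRA line marks a UDP port the firewall exposes that Asterisk will never use for RTP; removing it keeps the opened surface equal to the configured range.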











routerguy at rightsolv...
Guest

Posted: Sat Feb 09, 2008 2:58 pm    Post subject: [asterisk-users] oneway audio with asterisk behind cisco pix

try:
access-list asterisk permit udp any host x.x.x.x eq 10000

----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:
Quote:
I tried the following ACL command

"access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 20000"

and I got the following response back

"[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed"

I don't know how to enter into the Linux interface of the Cisco Pix 506
firewall



ravichandran.rajagopal...
Guest

Posted: Sat Feb 09, 2008 10:42 pm    Post subject: [asterisk-users] oneway audio with asterisk behind cisco pix

I made the following changes and I am still facing one way audio with my call flow.

-----Original Message-----
From: Wendell Hamilton [mailto:routerguy at rightsolve.com]
Sent: Saturday, February 09, 2008 1:58 PM
To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
Cc: Joris Cras; ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506

try:
access-list asterisk permit udp any host x.x.x.x eq 10000

routerguy at rightsolv...
Guest

Posted: Sun Feb 10, 2008 12:07 am    Post subject: [asterisk-users] oneway audio with asterisk behind cisco pix

Did you only open up the one port (10000)? You need to open up a range, if you're doing it this way, like 10000-10020 and then set your rtp ports in asterisk to the same range.

----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:
Quote:
I made the following changes and I am still facing one way audio with
my call flow.

-----Original Message-----
From: Wendell Hamilton [mailto:routerguy at rightsolve.com]
Sent: Saturday, February 09, 2008 1:58 PM
To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
Discussion
Cc: Joris Cras; ravi at vaishnavy.com; Asterisk Users Mailing List -
Non-Commercial Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco
pix 506

try:
access-list asterisk permit udp any host x.x.x.x eq 10000

Ravichandran Rajagopal wrote:

Quote:
Otis,
I am new to Cisco PIX 506 and I am learning this. If you can help me with
how to do this change on Cisco PIX it would be greatly appreciated.

Thx
Ravi

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
listacc at ocosa.com
Guest

Posted: Sun Feb 10, 2008 3:13 am    Post subject: [asterisk-users] oneway audio with asterisk behind cisco pix

Ravi,

I submitted the easiest way to implement this, I think, for administrators
new to Cisco. There are alternatives but it depends on your IOS. A GUI
might help.

If you want, reply with your network range and server IP and I will send
you a script I will write for the Cisco. I did explain the ACL way
because I thought it would be a bit large if you are not used to seeing
the cisco command line. :)

Make sure the RTP ports on your Asterisk box reflect that of your ports
open to the Internet. Reloading your config in Asterisk if not working
could help.

Let's do this in your RTP config file.

change your RTP port range in asterisk to 10000 to 10030 and reload
asterisk.
rtpstart=10000
rtpend=10030


type
asterisk -r

Connected to Asterisk 1.2.x.x currently running on asterisk (pid = xx)
asterisk*CLI> reload or restart now (if you need or want)

Copy and paste the below to notepad or wordpad and replace the outside
ip with the real ip address of your WAN link or connection.

and enter enable mode on the cisco pix and type config t and copy and
paste the following in the terminal.

1. pix> ena
2. pix>password: blah
3. pix#config t
4. pix(config)# paste the config below after you change the outside IP
here ( not line per line but the whole deal)
5. pix(config)# sh conduit ( you should see all list below, if
everything seems valid then do next step)
6. pix(config)# write mem
7. pix(config)#exit
8. pix# sh run ( to see running config)

replace the <outside ip> with your WAN IP.

conduit permit udp host outside ip eq 10000 any
conduit permit udp host outside ip eq 10001 any
conduit permit udp host outside ip eq 10002 any
conduit permit udp host outside ip eq 10003 any
conduit permit udp host outside ip eq 10004 any
conduit permit udp host outside ip eq 10005 any
conduit permit udp host outside ip eq 10006 any
conduit permit udp host outside ip eq 10007 any
conduit permit udp host outside ip eq 10008 any
conduit permit udp host outside ip eq 10009 any
conduit permit udp host outside ip eq 10010 any
conduit permit udp host outside ip eq 10011 any
conduit permit udp host outside ip eq 10012 any
conduit permit udp host outside ip eq 10013 any
conduit permit udp host outside ip eq 10014 any
conduit permit udp host outside ip eq 10015 any
conduit permit udp host outside ip eq 10016 any
conduit permit udp host outside ip eq 10017 any
conduit permit udp host outside ip eq 10018 any
conduit permit udp host outside ip eq 10019 any
conduit permit udp host outside ip eq 10020 any
conduit permit udp host outside ip eq 10021 any
conduit permit udp host outside ip eq 10022 any
conduit permit udp host outside ip eq 10023 any
conduit permit udp host outside ip eq 10024 any
conduit permit udp host outside ip eq 10025 any
conduit permit udp host outside ip eq 10026 any
conduit permit udp host outside ip eq 10027 any
conduit permit udp host outside ip eq 10028 any
conduit permit udp host outside ip eq 10029 any
conduit permit udp host outside ip eq 10030 any


--Otis
Wendell Hamilton wrote:
Quote:
Did you only open up the one port (10000)? You need to open up a range, if you're doing it this way, like 10000-10020 and then set your rtp ports in asterisk to the same range.

----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:

Quote:
I made the following changes and I am still facing one way audio with
my call flow.

-----Original Message-----
From: Wendell Hamilton [mailto:routerguy at rightsolve.com]
Sent: Saturday, February 09, 2008 1:58 PM
To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
Discussion
Cc: Joris Cras; ravi at vaishnavy.com; Asterisk Users Mailing List -
Non-Commercial Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco
pix 506

try:
access-list asterisk permit udp any host x.x.x.x eq 10000

----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com>
wrote:

Quote:
I tried the following ACL command

"access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000
20000"

and I got the following response back

"[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group
<network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group
<network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host
<address>}
Command failed"

I don't know how to enter into the linux interface of the Cisco Pix
506
firewall



-----Original Message-----
From: Joris Cras [mailto:joris at bitnetwerk.nl]
Sent: Saturday, February 09, 2008 3:23 AM
To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506

Ravi,

there is an easy way of creating all those commands in linux.
just run the following in a shell:
for x in $(seq 10001 10050); do echo 192.168.5.0 eq $x any conduit permit udp host 192.168.5.0 eq $x any conduit permit udp host;done

This will create all your PIX rules at once.

I think you could also use Cisco ACL's
access-list [name] permit udp [source] [destination] range
This would be in your case something like:
access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 10050

Good luck.

Joris

Ravichandran Rajagopal wrote:

Quote:
Otis,
I wanted to clarify what you said and what I comprehended.

the SIP protocols are disabled in fixup.
========================================================
Having said that I guess all I have to do is just the following.
the inside IP of asterisk server is 192.168.5.0

On the cisco PIX firewall enter the following.
192.168.5.0 eq 10000 any conduit permit udp host 192.168.5.0 eq 10001 any
conduit permit udp host
192.168.5.0 eq 10001 any conduit permit udp host 192.168.5.0 eq 10002 any
conduit permit udp host
....................................
...................................
.....................
192.168.5.0 eq 10049 any conduit permit udp host 192.168.5.0 eq 10050 any
conduit permit udp host

in the rtp.conf in /etc/asterisk
change the ending port 20000 (which is what it currently is) to 10050

Is there an easier way to make the entries in Cisco PIX firewall?

Thx
Ravi


_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
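
Added example, not part of the thread: the posts above depend on keeping rtpstart/rtpend in rtp.conf in step with the ports opened on the PIX. This POSIX shell sketch generates the one-port-per-line conduit commands in the form shown in the thread, then audits a rule list for RTP ports left closed and for ports opened outside the RTP range; the function names, the 192.0.2.10 address and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: keep the firewall's open UDP ports equal to Asterisk's RTP range.
# Assumptions (not from the thread): function names, 192.0.2.10, sample files.

# Print "START END" read from an rtp.conf-style file; fail on an unusable range.
rtp_range() {
  awk -F= '
    { sub(/;.*/, "") }                                  # drop trailing comments
    /^[ \t]*rtpstart[ \t]*=/ { gsub(/[^0-9]/, "", $2); s = $2 }
    /^[ \t]*rtpend[ \t]*=/   { gsub(/[^0-9]/, "", $2); e = $2 }
    END { if (s == "" || e == "" || s + 0 > e + 0) exit 1; print s, e }
  ' "$1"
}

# Emit one conduit line per port, in the form used in the thread.
# Usage: gen_conduits OUTSIDE_IP START END
gen_conduits() (
  ip=$1 port=$2 end=$3
  while [ "$port" -le "$end" ]; do
    printf 'conduit permit udp host %s eq %s any\n' "$ip" "$port"
    port=$((port + 1))
  done
)

# Compare a saved rule list with rtp.conf.
#   missing = RTP ports with no conduit (calls landing there lose inbound audio)
#   extra   = ports opened outside the RTP range (exposure with no purpose)
# Usage: audit_conduits RTP_CONF RULES_FILE OUTSIDE_IP
audit_conduits() (
  conf=$1 rules=$2 ip=$3
  range=$(rtp_range "$conf") || {
    echo "error: no valid rtpstart/rtpend in $conf" >&2
    exit 2
  }
  set -- $range
  awk -v ip="$ip" -v s="$1" -v e="$2" '
    $1 == "conduit" && $2 == "permit" && $3 == "udp" && $4 == "host" &&
    $5 == ip && $6 == "eq" && $8 == "any" { opened[$7 + 0] = 1 }
    END {
      s += 0; e += 0
      for (p = s; p <= e; p++) if (!(p in opened)) missing++
      for (p in opened) if (p + 0 < s || p + 0 > e) extra++
      printf "missing=%d extra=%d\n", missing, extra
    }
  ' "$rules"
)

# Constructed scenario: rtp.conf says 10000-10030, but only 10000-10005 were
# opened on the firewall and one stale port (20000) was left behind.
demo() (
  dir=$(mktemp -d) || exit 1
  printf '[general]\nrtpstart=10000\nrtpend=10030 ; constructed sample\n' > "$dir/rtp.conf"
  gen_conduits 192.0.2.10 10000 10005 > "$dir/rules.txt"
  echo 'conduit permit udp host 192.0.2.10 eq 20000 any' >> "$dir/rules.txt"
  out=$(audit_conduits "$dir/rtp.conf" "$dir/rules.txt" 192.0.2.10)
  rm -rf "$dir"
  echo "$out"
)

demo
```

A non-zero "missing" count means some calls will be assigned RTP ports the firewall still blocks; a non-zero "extra" count marks rules that can be removed.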
ravichandran.rajagopal...
Guest

Posted: Sun Feb 10, 2008 11:01 am    Post subject: [asterisk-users] oneway audio with asterisk behind cisco pix

This is what I implemented

access-list asterisk permit udp any host 192.168.5.0 range 10000 20000

Thx
Ravi

-----Original Message-----
From: Wendell Hamilton [mailto:routerguy at rightsolve.com]
Sent: Saturday, February 09, 2008 11:07 PM
To: ravi at vaishnavy.com
Cc: Joris Cras; Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506

Did you only open up the one port (10000)? You need to open up a range, if you're doing it this way, like 10000-10020 and then set your rtp ports in asterisk to the same range.

ravichandran.rajagopal...
Guest

Posted: Sun Feb 10, 2008 11:25 am    Post subject: [asterisk-users] oneway audio with asterisk behind cisco pix

Otis,
I don't have access to ssh into the Cisco PIX firewall. I have been logging
in using https into the Cisco PIX (without a username and only with a
password).

The following is the information in the asterisk server.
[rtp.conf]
rtpstart=10000
rtpend=20000

With the Cisco I went in through the https and then I chose the Command line
option and I typed the command
asterisk permit udp any host 192.168.5.0 range 10000 20000 and then I didn't
know whether I should have done anything else. Should I have issued any
other command to save these changes? I am asking that question as in the
below sequence of commands you are mentioning "write mem"

One interesting thing that I found was I dialed 4025901000 and then punched
5 which routes the call to my cell phone. If I don't pick up the call it
should go to my voicemail at which juncture I expect silence as the audio is
not coming through. Instead I hear the dialtone and then after x number of
rings I get a fast busy. I know not what happened. I guess with all of the
below given the thing that I didn't do yet was touch the asterisk
configurations yet.

If I am struggling with all of this cisco pix, can you tell me how to enable
firewall in the linux-asterisk server and then disable cisco pix firewall
from its firewall behaviours so that I can isolate the problem and move
forward? Please advise.

Thx
Ravi

-----Original Message-----
From: ListAcct [mailto:listacc at ocosa.com]
Sent: Sunday, February 10, 2008 2:13 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Cc: ravi at vaishnavy.com
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
506

Ravi,

I submitted the easiest way to implement this, I think, for administrators
new to Cisco. There are alternatives, but it depends on your IOS. A GUI
might help.

If you want, reply with your network range and server IP and I will send
you a script I will write for the Cisco. I did explain the ACL way
because I thought it would be a bit large if you are not used to seeing
the cisco command line. :)

Make sure the RTP ports on your Asterisk box reflect that of your ports
open to the Internet. Reloading your config in Asterisk if not working
could help.

Let's do this in your RTP config file.

change your RTP port range in asterisk to 10000 to 10030 and reload
asterisk.
rtpstart=10000
rtpend=10030


type
asterisk -r

Connected to Asterisk 1.2.x.x currently running on asterisk (pid = xx)
asterisk*CLI> reload or restart now (if you need or want)

Copy and paste the below to notepad or wordpad and replace the outside
ip with the real ip address of your WAN link or connection.

Then enter enable mode on the cisco pix, type config t, and copy and
paste the following in the terminal.

1. pix> ena
2. pix>password: blah
3. pix#config t
4. pix(config)# paste the config below after you change the outside IP here (not line per line but the whole deal)
5. pix(config)# sh conduit (you should see all list below, if everything seems valid then do next step)
6. pix(config)# write mem
7. pix(config)#exit
8. pix# sh run (to see running config)

replace the <outside ip> with your WAN IP.

conduit permit udp host outside ip eq 10000 any
conduit permit udp host outside ip eq 10001 any
conduit permit udp host outside ip eq 10002 any
conduit permit udp host outside ip eq 10003 any
conduit permit udp host outside ip eq 10004 any
conduit permit udp host outside ip eq 10005 any
conduit permit udp host outside ip eq 10006 any
conduit permit udp host outside ip eq 10007 any
conduit permit udp host outside ip eq 10008 any
conduit permit udp host outside ip eq 10009 any
conduit permit udp host outside ip eq 10010 any
conduit permit udp host outside ip eq 10011 any
conduit permit udp host outside ip eq 10012 any
conduit permit udp host outside ip eq 10013 any
conduit permit udp host outside ip eq 10014 any
conduit permit udp host outside ip eq 10015 any
conduit permit udp host outside ip eq 10016 any
conduit permit udp host outside ip eq 10017 any
conduit permit udp host outside ip eq 10018 any
conduit permit udp host outside ip eq 10019 any
conduit permit udp host outside ip eq 10020 any
conduit permit udp host outside ip eq 10021 any
conduit permit udp host outside ip eq 10022 any
conduit permit udp host outside ip eq 10023 any
conduit permit udp host outside ip eq 10024 any
conduit permit udp host outside ip eq 10025 any
conduit permit udp host outside ip eq 10026 any
conduit permit udp host outside ip eq 10027 any
conduit permit udp host outside ip eq 10028 any
conduit permit udp host outside ip eq 10029 any
conduit permit udp host outside ip eq 10030 any


--Otis
Wendell Hamilton wrote:
Quote:
Did you only open up the one port (10000)? You need to open up a range,
if you're doing it this way, like 10000-10020 and then set your rtp ports in
asterisk to the same range.

----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:

Quote:
I made the following changes and I am still facing one way audio with
my call flow.

-----Original Message-----
From: Wendell Hamilton [mailto:routerguy at rightsolve.com]
Sent: Saturday, February 09, 2008 1:58 PM
To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial
Discussion
Cc: Joris Cras; ravi at vaishnavy.com; Asterisk Users Mailing List -
Non-Commercial Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco
pix 506

try:
access-list asterisk permit udp any host x.x.x.x eq 10000

----- "Ravichandran Rajagopal" <ravichandran.rajagopal at gmail.com> wrote:

Quote:
I tried the following ACL command

"access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 20000"

and I got the following response back

"[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group
<network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group
<network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host
<address>}
Command failed"

I don't know how to enter into the linux interface of the Cisco Pix 506
firewall



-----Original Message-----
From: Joris Cras [mailto:joris at bitnetwerk.nl]
Sent: Saturday, February 09, 2008 3:23 AM
To: ravi at vaishnavy.com; Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506

Ravi,

there is an easy way of creating all those commands in linux.
just run the following in a shell:
for x in $(seq 10001 10050); do echo "conduit permit udp host 192.168.5.0 eq $x any"; done

This will create all your PIX rules at once.

I think you could also use Cisco ACL's
access-list [name] permit udp [source] [destination] range
This would be in your case something like:
access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 10050

Good luck.

Joris

Ravichandran Rajagopal wrote:

Quote:
Otis,
I wanted to clarify what you said and what I comprehended.

the SIP protocols are disabled in fixup.
========================================================
Having said that I guess all I have to do is just the following.
the inside IP of asterisk server is 192.168.5.0

On the cisco PIX firewall enter the following.
192.168.5.0 eq 10000 any conduit permit udp host 192.168.5.0 eq 10001 any conduit permit udp host
192.168.5.0 eq 10001 any conduit permit udp host 192.168.5.0 eq 10002 any conduit permit udp host
....................................
192.168.5.0 eq 10049 any conduit permit udp host 192.168.5.0 eq 10050 any conduit permit udp host

in the rtp.conf in /etc/asterisk
change the ending port 20000 (which is what it currently is) to 10050

Is there an easier way to make the entries in Cisco PIX firewall?

Thx
Ravi

-----Original Message-----
From: ListAcct [mailto:listacc at ocosa.com]
Sent: Saturday, February 09, 2008 12:18 AM
To: ravi at vaishnavy.com
Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506

No problem. :P I thought it might be wise to include everything you
needed just in case!! LOL! You are welcome!!!

--Otis

Ravichandran Rajagopal wrote:


Quote:
LOL I guess all I was asking for the changes to be made in the Cisco PIX
506. I think you gave me a short tutorial on VI as well. Thanks once again
for this help. Let me work on these changes and test the one-way audio
problem and go from there.
Thx
Ravi

-----Original Message-----
From: ListAcct [mailto:listacc at ocosa.com]
Sent: Friday, February 08, 2008 11:55 PM
To: ravi at vaishnavy.com
Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506

Ravi,

I will explain changing the config in asterisk and the pix:

Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to
10000 to 10050 (to start, you will need to increase later as ports fill
up)

(use insert to make a change in a file)

to save:

1. esc
2. shift + colon
3. wq (to save)

If you made a mistake and do not want to save but you changed something
in the file:

1. esc
2. shift + colon
3. q! (to exit)


Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case the
static and conduit commands so this is an example from my setup.

These are not usable IPs on the Internet or my IPs but just an
example....

outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)

interface ethernet0 100full (sets the duplex and turns on interface)
interface ethernet1 100full (sets the duplex and turns on interface)

nameif ethernet0 outside security0 ( lower security)
nameif ethernet1 dmz security50 (higher security)

no fixup protocol sip 5060
no fixup protocol sip udp 5060

! - this makes things easier so now the pix knows the IP of the asterisk
box and maps the ip to the name just for configuration purposes only so
if you had 20 servers or devices you wanted public access to it's just
easier to remember their names versus IPs.
name 192.168.254.11 dns
name 192.168.254.10 asterisk

! - the static command is used as a permanent mapper from one inside,
dmz, or other to the global ip vice versa. (Rule of thumb if you map
using static make sure you have a conduit command)
static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0

! - here is where you open the ports on the global side to the asterisk
box. (the conduit command allows connections from lower security
interfaces to higher security interfaces)
conduit permit udp host 192.168.1.22 eq 10000 any
conduit permit udp host 192.168.1.22 eq 10001 any
conduit permit udp host 192.168.1.22 eq 10002 any
conduit permit udp host 192.168.1.22 eq 10003 any
conduit permit udp host 192.168.1.22 eq 10004 any
conduit permit udp host 192.168.1.22 eq 10005 any

Hope this helps!

--Otis


Ravichandran Rajagopal wrote:



Quote:
Otis,
I am new to Cisco PIX 506 and I am learning this. If you can help me with
how to do this change on Cisco PIX it would be greatly appreciated.

Thx
Ravi

adamk at 3a.hu
Guest

Posted: Sun Feb 10, 2008 12:44 pm    Post subject: [asterisk-users] oneway audio with asterisk behind cisco pix

Quote:
permit udp any host 192.168.5.0 range 10000 20000 and then I didn't

Home users typically use a /24 netmask. If this is the case, I don't
understand why you write the keyword host following a network address.

Either specify a valid host address, or write 192.168.5.0 255.255.255.0
to specify the whole subnet.

If the netmask isn't /24 then, of course, the above 5.0 may be a valid
host address.

regards
adam
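
Two points recur in this thread: the UDP ports opened on the PIX must match the range in rtp.conf, and the address after the host keyword must be a real host rather than a network address. The script below checks both before printing the conduit lines; it is an added example, not from any poster, and the function names, the 192.0.2.22 address, the /24 mask and the 64-port cap are assumptions.

```shell
# Added example; addresses, mask and port cap are constructed sample values.

# Dotted quad -> 32-bit integer (runs in a subshell so IFS does not leak).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# True when ADDR has no host bits under MASK (a network address, so
# "host ADDR" names no machine). A /32 mask is a plain host and is allowed.
is_network_addr() {
    addr=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    [ "$mask" -ne 4294967295 ] && [ $(( addr & ~mask & 4294967295 )) -eq 0 ]
}

# Print "START END" from an Asterisk rtp.conf; fail if missing or inverted.
rtp_range() {
    awk -F= '
        { sub(/;.*/, ""); gsub(/[ \t\r]/, "") }
        $1 == "rtpstart" { s = $2 }
        $1 == "rtpend"   { e = $2 }
        END { if (s == "" || e == "" || s + 0 > e + 0) exit 1; print s, e }
    ' "$1"
}

# One conduit line per port, in the form Otis uses in the thread.
pix_rules() {   # pix_rules IP START END
    p=$2
    while [ "$p" -le "$3" ]; do
        echo "conduit permit udp host $1 eq $p any"
        p=$((p + 1))
    done
}

# build_rules RTP_CONF IP NETMASK MAX_PORTS
# Generates rules only for a real host and a range no wider than MAX_PORTS.
build_rules() {
    range=$(rtp_range "$1") || { echo "bad range in $1" >&2; return 2; }
    set -- "$2" "$3" "$4" $range
    if is_network_addr "$1" "$2"; then
        echo "$1 is the network address under $2, not a host" >&2; return 3
    fi
    if [ $(( $5 - $4 + 1 )) -gt "$3" ]; then
        echo "RTP range $4-$5 is wider than $3 ports" >&2; return 4
    fi
    pix_rules "$1" "$4" "$5"
}

# Constructed demo: rtp.conf narrowed to 10000-10030 as in the thread.
conf=$(mktemp)
printf 'rtpstart=10000\nrtpend=10030\n' > "$conf"
build_rules "$conf" 192.0.2.22 255.255.255.0 64
rm -f "$conf"
```

With rtp.conf still at 10000-20000, or with 192.168.5.0 and a /24 mask, build_rules prints nothing to paste and returns a non-zero status instead.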
All times are GMT - 5 Hours