I tried the following ACL command:

  access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 20000

and I got the following response back:

  [no] access-list <id> [line <line-num>] deny|permit icmp <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id> <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id> [<icmp_type> | object-group <icmp_type_obj_grp_id>] [log [disable|default] | [<level>] [interval <secs>]]
  Restricted ACLs for route-map use:
  [no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
  Command failed

I don't know how to enter into the Linux interface of the Cisco PIX 506 firewall.

-----Original Message-----
From: Joris Cras [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 09, 2008 3:23 AM
To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506

Ravi,

there is an easy way of creating all those commands in Linux. Just run the following in a shell:

  for x in $(seq 10001 10050); do echo "conduit permit udp host 192.168.5.0 eq $x any"; done

This will create all your PIX rules at once. I think you could also use Cisco ACLs:

  access-list [name] permit udp [source] [destination] range

This would be in your case something like:

  access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 10050

Good luck.

Joris

Ravichandran Rajagopal wrote:
> Otis,
> I wanted to clarify what you said and what I comprehended.
>
> The SIP protocols are disabled in fixup.
> ========================================================
> Having said that, I guess all I have to do is just the following.
> The inside IP of the asterisk server is 192.168.5.0.
>
> On the Cisco PIX firewall enter the following:
> conduit permit udp host 192.168.5.0 eq 10000 any
> conduit permit udp host 192.168.5.0 eq 10001 any
> conduit permit udp host 192.168.5.0 eq 10002 any
> ....................................
> ...................................
> .....................
> conduit permit udp host 192.168.5.0 eq 10049 any
> conduit permit udp host 192.168.5.0 eq 10050 any
>
> In rtp.conf in /etc/asterisk, change the ending port 20000 (which is what it currently is) to 10050.
>
> Is there an easier way to make the entries in the Cisco PIX firewall?
>
> Thx
> Ravi
>
> -----Original Message-----
> From: ListAcct [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 09, 2008 12:18 AM
> To: [EMAIL PROTECTED]
> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>
> No problem. :-P I thought it might be wise to include everything you needed just in case!! LOL! You are welcome!!!
>
> --Otis
>
> Ravichandran Rajagopal wrote:
>
>> LOL. I guess all I was asking for was the changes to be made in the Cisco PIX 506. I think you gave me a short tutorial on vi as well. Thanks once again for this help. Let me work on these changes and test the one-way audio problem and go from there.
>> Thx
>> Ravi
>>
>> -----Original Message-----
>> From: ListAcct [mailto:[EMAIL PROTECTED]
>> Sent: Friday, February 08, 2008 11:55 PM
>> To: [EMAIL PROTECTED]
>> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>>
>> Ravi,
>>
>> I will explain changing the config in asterisk and the pix:
>>
>> Asterisk box - vi /etc/asterisk/rtp.conf and change the port span to 10000 to 10050 (to start; you will need to increase later as ports fill up)
>> (use insert to make a change in a file)
>>
>> to save:
>>
>> 1. esc
>> 2. shift + colon
>> 3. wq (to save)
>>
>> If you made a mistake and do not want to save but you changed something in the file:
>>
>> 1. esc
>> 2. shift + colon
>> 3. q! (to exit)
>>
>>
>> Cisco PIX - on my old PIX 520 UR I do not use the ACLs for this case but the static and conduit commands, so this is an example from my setup.
>>
>> These are not usable IPs on the Internet or my IPs, but just an example....
>>
>> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
>> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
>>
>> interface ethernet0 100full (sets the duplex and turns on interface)
>> interface ethernet1 100full (sets the duplex and turns on interface)
>>
>> nameif ethernet0 outside security0 (lower security)
>> nameif ethernet1 dmz security50 (higher security)
>>
>> no fixup protocol sip 5060
>> no fixup protocol sip udp 5060
>>
>> ! - this makes things easier: now the pix knows the IP of the asterisk box and maps the IP to the name, just for configuration purposes only, so if you had 20 servers or devices you wanted public access to, it's just easier to remember their names versus IPs.
>> name 192.168.254.11 dns
>> name 192.168.254.10 asterisk
>>
>> ! - the static command is used as a permanent mapper from one inside, dmz, or other to the global IP and vice versa. (Rule of thumb: if you map using static, make sure you have a conduit command.)
>> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
>>
>> ! - here is where you open the ports on the global side to the asterisk box. (the conduit command allows connections from lower security interfaces to higher security interfaces)
>> conduit permit udp host 192.168.1.22 eq 10000 any
>> conduit permit udp host 192.168.1.22 eq 10001 any
>> conduit permit udp host 192.168.1.22 eq 10002 any
>> conduit permit udp host 192.168.1.22 eq 10003 any
>> conduit permit udp host 192.168.1.22 eq 10004 any
>> conduit permit udp host 192.168.1.22 eq 10005 any
>>
>> Hope this helps!
>>
>> --Otis
>>
>>
>> Ravichandran Rajagopal wrote:
>>
>>> Otis,
>>> I am new to Cisco PIX 506 and I am learning this. If you can help me with how to do this change on Cisco PIX it would be greatly appreciated.
>>>
>>> Thx
>>> Ravi
>>>
>>> -----Original Message-----
>>> From: ListAcct [mailto:[EMAIL PROTECTED]
>>> Sent: Friday, February 08, 2008 11:11 PM
>>> To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial Discussion
>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>>>
>>> Ravi,
>>>
>>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host x.x.x.x eq 10049 any). Also set your asterisk rtp config span to something you can configure (10000 to 10200) unless you write a script to just copy and paste about 10000 to 20000 ports in your config on the pix. Ciscos are strange but secure.
>>>
>>> It took me about two hours to figure out after taking off the fixup and no more logging/debugging from the cisco. I actually fixed it while a call was coming in. LOL! Let me know!!!
>>>
>>> --Otis
>>>
>>> Ravichandran Rajagopal wrote:
>>>
>>>> Hi,
>>>>
>>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I am getting one-way audio. I need your help/guidance to resolve this problem. I have the "fixups" disabled for SIP in the Cisco PIX 506. Any help rendered by you in this subject is greatly appreciated. I have been breaking my head trying to resolve this problem for more than one month. I have included the sip.conf and the extensions.conf below.
>>>>
>>>> [SIP.conf]
>>>>
>>>> ; SIP Configuration example for Asterisk
>>>>
>>>> [general]
>>>> context=incoming
>>>> allowoverlap=no
>>>> bindport=5060
>>>> bindaddr=0.0.0.0
>>>> localnet=192.168.5.0/255.255.255.0
>>>> externip=a.b.ccc.dd
>>>> srvlookup=yes
>>>> allow=ulaw
>>>> allow=alaw
>>>>
>>>> [incoming]
>>>> type=peer
>>>> nat=no
>>>> canreinvite=no
>>>> host=xx.y.z.aaa
>>>> qualify=yes
>>>> dtmfmode=rfc2833
>>>> context=default
>>>>
>>>> [extensions.conf]
>>>>
>>>> [general]
>>>> static=yes
>>>> writeprotect=yes
>>>> clearglobalvars=no
>>>>
>>>> [default]
>>>> include => customer
>>>> exten => h,1,Hangup
>>>> exten => i,1,Congestion
>>>> exten => i,2,Hangup
>>>>
>>>> [agnosco]
>>>> include => local-extensions
>>>> include => customer_ivr
>>>> include => incoming
>>>>
>>>> [customer_ivr]
>>>> include => local-extensions
>>>> exten => s,1,Answer
>>>> exten => s,n,Background(agnosco_intro)
>>>> exten => s,n,WaitExten
>>>> ;Dial said extensions
>>>> exten => 5,1,Dial(SIP/[EMAIL PROTECTED],30)
>>>>
>>>> [incoming]
>>>> exten => 4025901000,1,Goto(1000,1)
>>>> exten => 1000,1,Goto(customer_ivr,s,1)
>>>>
>>>> Thanks
>>>>
>>>> sunMoonstar.
>>>>
>>>> _______________________________________________
>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>
>>>> asterisk-users mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
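The thread's two pieces of advice (shrink the RTP span in rtp.conf, then open exactly that span on the PIX) can be tied together so the rule set is generated from rtp.conf and checked for gaps. This is an added example, not code from the thread; it assumes the PIX 6.x "conduit" and "access-list ... range" syntax quoted above, uses a placeholder address for the Asterisk box, and builds its rtp.conf sample inline.

```shell
# Added example, not from the thread: derive PIX rules for Asterisk's RTP span
# from rtp.conf so the firewall opens exactly the ports Asterisk can pick, and
# flag any port the rules miss (a missed RTP port is what yields one-way audio).
# Assumes PIX 6.x syntax as quoted in the thread; the host address is a placeholder.

ASTERISK_HOST="192.168.5.10"   # placeholder, not an address from the thread

# Constructed rtp.conf sample: the default 10000-20000 span narrowed to 10050.
RTP_CONF="$(printf '%s\n' '[general]' 'rtpstart=10000' 'rtpend=10050')"

# rtp_range: read rtp.conf text on stdin, print "start end"; fail on a bad span.
rtp_range() {
  awk -F= '
    /^[ \t]*rtpstart[ \t]*=/ { gsub(/[^0-9]/, "", $2); s = $2 }
    /^[ \t]*rtpend[ \t]*=/   { gsub(/[^0-9]/, "", $2); e = $2 }
    END { if (s == "" || e == "" || s + 0 > e + 0) exit 1; print s, e }'
}

# conduit_rules HOST START END: one conduit line per port (the thread's approach).
conduit_rules() {
  p=$2
  while [ "$p" -le "$3" ]; do
    echo "conduit permit udp host $1 eq $p any"
    p=$((p + 1))
  done
}

# acl_rule HOST START END: the same span as one ACL entry. The command in the
# thread failed because it gave bare addresses where the PIX help text asks for
# "<sip> <smask> <dip> <dmask>"; "any" and "host" stand in for address+mask.
acl_rule() {
  echo "access-list asterisk permit udp any host $1 range $2 $3"
}

# missing_ports START END: read conduit lines on stdin and print every port in
# START..END that no "eq <port> any" line opens (empty output = full coverage).
missing_ports() {
  rules=$(cat)
  p=$1
  while [ "$p" -le "$2" ]; do
    printf '%s\n' "$rules" | grep -q "eq $p any" || echo "$p"
    p=$((p + 1))
  done
}

# Usage: emit rules for the sample rtp.conf, then confirm no port is left unopened.
set -- $(printf '%s\n' "$RTP_CONF" | rtp_range)
conduit_rules "$ASTERISK_HOST" "$1" "$2"
acl_rule "$ASTERISK_HOST" "$1" "$2"
conduit_rules "$ASTERISK_HOST" "$1" "$2" | missing_ports "$1" "$2"
```

Feeding the PIX's running conduit lines into missing_ports instead of the generated ones shows whether the live firewall matches rtp.conf.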