I made the following changes and I am still facing one way audio with my call flow.

-----Original Message-----
From: Wendell Hamilton [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 09, 2008 1:58 PM
To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial Discussion
Cc: Joris Cras; [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506

try:
access-list asterisk permit udp any host x.x.x.x eq 10000

----- "Ravichandran Rajagopal" <[EMAIL PROTECTED]> wrote:
> I tried the following ACL command
>
> "access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 20000"
>
> and I got the following response back
>
> "[no] access-list <id> [line <line-num>] deny|permit icmp
> <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
> <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
> [<icmp_type> | object-group <icmp_type_obj_grp_id>]
> [log [disable|default] | [<level>] [interval <secs>]]
> Restricted ACLs for route-map use:
> [no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
> Command failed"
>
> I don't know how to enter into the linux interface of the Cisco Pix 506
> firewall
>
> -----Original Message-----
> From: Joris Cras [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 09, 2008 3:23 AM
> To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>
> Ravi,
>
> there is an easy way of creating all those commands in linux.
> just run the following in a shell:
> for x in $(seq 10001 10050); do echo 192.168.5.0 eq $x any conduit permit udp host 192.168.5.0 eq $x any conduit permit udp host;done
>
> This will create all your PIX rules at once.
>
> I think you could also use Cisco ACL's
> access-list [name] permit udp [source] [destination] range
> This would be in your case something like:
> access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 10050
>
> Good luck.
>
> Joris
>
> Ravichandran Rajagopal wrote:
> > Otis,
> > I wanted to clarify what you said and what I comprehended.
> >
> > the SIP protocols are disabled in fixup.
> > ========================================================
> > Having said that I guess all I have to do is just the following.
> > the inside IP of asterisk server is 192.168.5.0
> >
> > On the cisco PIX firewall enter the following.
> > 192.168.5.0 eq 10000 any conduit permit udp host 192.168.5.0 eq 10001 any conduit permit udp host
> > 192.168.5.0 eq 10001 any conduit permit udp host 192.168.5.0 eq 10002 any conduit permit udp host
> > ....................................
> > ...................................
> > .....................
> > 192.168.5.0 eq 10049 any conduit permit udp host 192.168.5.0 eq 10050 any conduit permit udp host
> >
> > in the rtp.conf in /etc/asterisk
> > change the ending port 20000 (which is what it currently is) to 10050
> >
> > Is there an easier way to make the entries in Cisco PIX firewall ?
> >
> > Thx
> > Ravi
> >
> > -----Original Message-----
> > From: ListAcct [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, February 09, 2008 12:18 AM
> > To: [EMAIL PROTECTED]
> > Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> > Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> >
> > No problem. :-P I thought it might be wise to include everything you
> > needed just in case!! LOL! You are welcome!!!
> >
> > --Otis
> >
> > Ravichandran Rajagopal wrote:
> >
> >> LOL I guess all I was asking for the changes to be made in the Cisco PIX
> >> 506. I think you gave me a short tutorial on VI as well. Thanks once again
> >> for this help. Let me work on these changes and test the one-way audio
> >> problem and go from there.
> >> Thx
> >> Ravi
> >>
> >> -----Original Message-----
> >> From: ListAcct [mailto:[EMAIL PROTECTED]
> >> Sent: Friday, February 08, 2008 11:55 PM
> >> To: [EMAIL PROTECTED]
> >> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> >> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> >>
> >> Ravi,
> >>
> >> I will explain changing the config in asterisk and the pix:
> >>
> >> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to
> >> 10000 to 10050 (to start, you will need to increase later as ports fill up)
> >>
> >> (use insert to make a change in a file)
> >>
> >> to save:
> >>
> >> 1. esc
> >> 2. shift + colon
> >> 3. wq (to save)
> >>
> >> If you made a mistake and do not want to save but you changed something
> >> in the file:
> >>
> >> 1. esc
> >> 2. shift + colon
> >> 3. q! (to exit)
> >>
> >> Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case the
> >> static and conduit commands so this is an example from my setup.
> >>
> >> These are not usable IPs on the Internet or my IPs but just an example....
> >>
> >> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
> >> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
> >>
> >> interface ethernet0 100full (sets the duplex and turns on interface)
> >> interface ethernet1 100full (sets the duplex and turns on interface)
> >>
> >> nameif ethernet0 outside security0 ( lower security)
> >> nameif ethernet1 dmz security50 (higher security)
> >>
> >> no fixup protocol sip 5060
> >> no fixup protocol sip udp 5060
> >>
> >> ! - this makes things easier so now the pix knows the IP of the asterisk
> >> box and maps the ip to the name just for configuration purposes only so
> >> if you had 20 servers or devices you wanted public access to it's just
> >> easier to remember their names versus IPs.
> >> name 192.168.254.11 dns
> >> name 192.168.254.10 asterisk
> >>
> >> ! - the static command is used as a permanent mapper from one inside,
> >> dmz, or other to the global ip vice versa. (Rule of thumb if you map
> >> using static make sure you have a conduit command)
> >> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
> >>
> >> ! - here is where you open the ports on the global side to the asterisk
> >> box. (the conduit command allows connections from lower security
> >> interfaces to higher security interfaces)
> >> conduit permit udp host 192.168.1.22 eq 10000 any
> >> conduit permit udp host 192.168.1.22 eq 10001 any
> >> conduit permit udp host 192.168.1.22 eq 10002 any
> >> conduit permit udp host 192.168.1.22 eq 10003 any
> >> conduit permit udp host 192.168.1.22 eq 10004 any
> >> conduit permit udp host 192.168.1.22 eq 10005 any
> >>
> >> Hope this helps!
> >>
> >> --Otis
> >>
> >> Ravichandran Rajagopal wrote:
> >>
> >>> Otis,
> >>> I am new to Cisco PIX 506 and I am learning this. If you can help me with
> >>> how to do this change on Cisco PIX it would be greatly appreciated.
> >>>
> >>> Thx
> >>> Ravi
> >>>
> >>> -----Original Message-----
> >>> From: ListAcct [mailto:[EMAIL PROTECTED]
> >>> Sent: Friday, February 08, 2008 11:11 PM
> >>> To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial Discussion
> >>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> >>>
> >>> Ravi,
> >>>
> >>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host
> >>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
> >>> something you can configure (10000 to 10200) unless you write a script
> >>> to just copy and paste about 10000 to 20000 ports in your config on the
> >>> pix. Cisco's are strange but secure.
> >>>
> >>> It took me about two hours to figure out after taking off the fixup and
> >>> no more logging/debugging from the cisco. I actually fixed while a call
> >>> was coming in. LOL! Let me know!!!
> >>>
> >>> --Otis
> >>>
> >>> Ravichandran Rajagopal wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I
> >>>> am getting a one-way audio. I need your help/guidance to resolve this
> >>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506.
> >>>> Any help rendered by you in this subject is greatly appreciated. I
> >>>> have been breaking my head trying to resolve this problem for more
> >>>> than one month. I have included the sip.conf and the extensions.conf
> >>>> below.
> >>>>
> >>>> [SIP.conf]
> >>>>
> >>>> ; SIP Configuration example for Asterisk
> >>>>
> >>>> [general]
> >>>> context=incoming
> >>>> allowoverlap=no
> >>>> bindport=5060
> >>>> bindaddr=0.0.0.0
> >>>> localnet=192.168.5.0/255.255.255.0
> >>>> externip=a.b.ccc.dd
> >>>> srvlookup=yes
> >>>> allow=ulaw
> >>>> allow=alaw
> >>>>
> >>>> [incoming]
> >>>> type=peer
> >>>> nat=no
> >>>> canreinvite=no
> >>>> host=xx.y.z.aaa
> >>>> qualify=yes
> >>>> dtmfmode=rfc2833
> >>>> context=default
> >>>>
> >>>> [extensions.conf]
> >>>>
> >>>> [general]
> >>>> static=yes
> >>>> writeprotect=yes
> >>>> clearglobalvars=no
> >>>>
> >>>> [default]
> >>>> include => customer
> >>>> exten => h,1,Hangup
> >>>> exten => i,1,Congestion
> >>>> exten => i,2,Hangup
> >>>>
> >>>> [agnosco]
> >>>> include => local-extensions
> >>>> include => customer_ivr
> >>>> include => incoming
> >>>>
> >>>> [customer_ivr]
> >>>> include => local-extensions
> >>>> exten => s,1,Answer
> >>>> exten => s,n,Background(agnosco_intro)
> >>>> exten => s,n,WaitExten
> >>>>
> >>>> ;Dial said extensions
> >>>> exten => 5,1,Dial(SIP/[EMAIL PROTECTED],30)
> >>>>
> >>>> [incoming]
> >>>> exten => 4025901000,1,Goto(1000,1)
> >>>> exten => 1000,1,Goto(customer_ivr,s,1)
> >>>>
> >>>> Thanks
> >>>>
> >>>> sunMoonstar.
> >>>>
> >>>> _______________________________________________
> >>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >>>>
> >>>> asterisk-users mailing list
> >>>> To UNSUBSCRIBE or update options visit:
> >>>> http://lists.digium.com/mailman/listinfo/asterisk-users
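
The thread's recurring advice is to keep the RTP span in rtp.conf and the ports opened on the PIX identical. The following is an added example, not part of the original thread: it reads `rtpstart`/`rtpend` from an rtp.conf and prints one conduit line per port in the form Otis's setup uses. The function names and the sample file are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the PIX conduit lines from the RTP span in rtp.conf,
# so the firewall never opens more (or fewer) UDP ports than Asterisk uses.

# Print "start end" from the rtpstart/rtpend keys of an Asterisk rtp.conf.
# Fails if a key is missing, non-numeric, or the range is inverted.
rtp_range() {
    awk -F= '
        { sub(/;.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments and blanks
        $1 == "rtpstart" { s = $2 }
        $1 == "rtpend"   { e = $2 }
        END {
            if (s !~ /^[0-9]+$/ || e !~ /^[0-9]+$/) exit 1
            if (s + 0 > e + 0 || e + 0 > 65535) exit 1
            print s, e
        }' "$1"
}

# Emit one conduit line per RTP port for global address $1, using rtp.conf $2.
conduit_rules() {
    range=$(rtp_range "$2") || {
        echo "bad or missing rtpstart/rtpend in $2" >&2
        return 1
    }
    set -- "$1" $range          # $2 = first port, $3 = last port
    port=$2
    while [ "$port" -le "$3" ]; do
        echo "conduit permit udp host $1 eq $port any"
        port=$((port + 1))
    done
}

# Constructed sample rtp.conf (not from the thread), written to a temp file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[general]
rtpstart = 10000   ; first RTP port
rtpend=10050       ; last RTP port
EOF

# 192.168.1.22 is the example global address from Otis's static mapping.
conduit_rules 192.168.1.22 "$SAMPLE"
```

Pointing `conduit_rules` at the real /etc/asterisk/rtp.conf after each change to the span regenerates the list, which can then be compared against the conduit lines already on the firewall.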