Did you only open up the one port (10000)? You need to open up a range, if you're doing it this way, like 10000-10020 and then set your rtp ports in asterisk to the same range.
----- "Ravichandran Rajagopal" <[EMAIL PROTECTED]> wrote:
> I made the following changes and I am still facing one way audio with
> my call flow.
>
> -----Original Message-----
> From: Wendell Hamilton [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 09, 2008 1:58 PM
> To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial Discussion
> Cc: Joris Cras; [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>
> try:
> access-list asterisk permit udp any host x.x.x.x eq 10000
>
> ----- "Ravichandran Rajagopal" <[EMAIL PROTECTED]> wrote:
> > I tried the following ACL command
> >
> > "access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 20000"
> >
> > and I got the following response back
> >
> > "[no] access-list <id> [line <line-num>] deny|permit icmp
> > <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
> > <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
> > [<icmp_type> | object-group <icmp_type_obj_grp_id>]
> > [log [disable|default] | [<level>] [interval <secs>]]
> > Restricted ACLs for route-map use:
> > [no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
> > Command failed"
> >
> > I don't know how to enter into the linux interface of the Cisco Pix 506
> > firewall
> >
> > -----Original Message-----
> > From: Joris Cras [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, February 09, 2008 3:23 AM
> > To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial Discussion
> > Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> >
> > Ravi,
> >
> > there is an easy way of creating all those commands in linux.
> > just run the following in a shell:
> > for x in $(seq 10001 10050); do echo 192.168.5.0 eq $x any conduit permit udp host 192.168.5.0 eq $x any conduit permit udp host;done
> >
> > This will create all your PIX rules at once.
> >
> > I think you could also use Cisco ACL's
> > access-list [name] permit udp [source] [destination] range
> > This would be in your case something like:
> > access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000 10050
> >
> > Good luck.
> >
> > Joris
> >
> > Ravichandran Rajagopal wrote:
> > > Otis,
> > > I wanted to clarify what you said and what I comprehended.
> > >
> > > the SIP protocols are disabled in fixup.
> > > ========================================================
> > > Having said that I guess all I have to do is just the following.
> > > the inside IP of asterisk server is 192.168.5.0
> > >
> > > On the cisco PIX firewall enter the following.
> > > 192.168.5.0 eq 10000 any conduit permit udp host 192.168.5.0 eq 10001 any conduit permit udp host
> > > 192.168.5.0 eq 10001 any conduit permit udp host 192.168.5.0 eq 10002 any conduit permit udp host
> > > ....................................
> > > ...................................
> > > .....................
> > > 192.168.5.0 eq 10049 any conduit permit udp host 192.168.5.0 eq 10050 any conduit permit udp host
> > >
> > > in the rtp.conf in /etc/asterisk
> > > change the ending port 20000 (which is what it currently is) to 10050
> > >
> > > Is there an easier way to make the entries in Cisco PIX firewall ?
> > >
> > > Thx
> > > Ravi
> > >
> > > -----Original Message-----
> > > From: ListAcct [mailto:[EMAIL PROTECTED]
> > > Sent: Saturday, February 09, 2008 12:18 AM
> > > To: [EMAIL PROTECTED]
> > > Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> > > Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> > >
> > > No problem.
> > > :-P I thought it might be wise to include everything you
> > > needed just in case!! LOL! You are welcome!!!
> > >
> > > --Otis
> > >
> > > Ravichandran Rajagopal wrote:
> > >
> > >> LOL I guess all I was asking for the changes to be made in the Cisco PIX
> > >> 506. I think you gave me a short tutorial on VI as well. Thanks once again
> > >> for this help. Let me work on these changes and test the one-way audio
> > >> problem and go from there.
> > >> Thx
> > >> Ravi
> > >>
> > >> -----Original Message-----
> > >> From: ListAcct [mailto:[EMAIL PROTECTED]
> > >> Sent: Friday, February 08, 2008 11:55 PM
> > >> To: [EMAIL PROTECTED]
> > >> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> > >> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> > >>
> > >> Ravi,
> > >>
> > >> I will explain changing the config in asterisk and the pix:
> > >>
> > >> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to
> > >> 10000 to 10050 (to start, you will need to increase later as ports fill up)
> > >>
> > >> (use insert to make a change in a file)
> > >>
> > >> to save:
> > >>
> > >> 1. esc
> > >> 2. shift + colon
> > >> 3. wq (to save)
> > >>
> > >> If you made a mistake and do not want to save but you changed something
> > >> in the file:
> > >>
> > >> 1. esc
> > >> 2. shift + colon
> > >> 3. q! (to exit)
> > >>
> > >> Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case the
> > >> static and conduit commands so this is an example from my setup.
> > >>
> > >> These are not usable IPs on the Internet or my IPs but just an example....
> > >>
> > >> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
> > >> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
> > >>
> > >> interface ethernet0 100full (sets the duplex and turns on interface)
> > >> interface ethernet1 100full (sets the duplex and turns on interface)
> > >>
> > >> nameif ethernet0 outside security0 ( lower security)
> > >> nameif ethernet1 dmz security50 (higher security)
> > >>
> > >> no fixup protocol sip 5060
> > >> no fixup protocol sip udp 5060
> > >>
> > >> ! - this makes things easier so now the pix knows the IP of the asterisk
> > >> box and maps the ip to the name just for configuration purposes only so
> > >> if you had 20 servers or devices you wanted public access to it's just
> > >> easier to remember their names versus IPs.
> > >> name 192.168.254.11 dns
> > >> name 192.168.254.10 asterisk
> > >>
> > >> ! - the static command is used as a permanent mapper from one inside,
> > >> dmz, or other to the global ip vice versa. (Rule of thumb if you map
> > >> using static make sure you have a conduit command)
> > >> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
> > >>
> > >> ! - here is where you open the ports on the global side to the asterisk
> > >> box. (the conduit command allows connections from lower security
> > >> interfaces to higher security interfaces)
> > >> conduit permit udp host 192.168.1.22 eq 10000 any
> > >> conduit permit udp host 192.168.1.22 eq 10001 any
> > >> conduit permit udp host 192.168.1.22 eq 10002 any
> > >> conduit permit udp host 192.168.1.22 eq 10003 any
> > >> conduit permit udp host 192.168.1.22 eq 10004 any
> > >> conduit permit udp host 192.168.1.22 eq 10005 any
> > >>
> > >> Hope this helps!
> > >>
> > >> --Otis
> > >>
> > >> Ravichandran Rajagopal wrote:
> > >>
> > >>> Otis,
> > >>> I am new to Cisco PIX 506 and I am learning this.
> > >>> If you can help me with
> > >>> how to do this change on Cisco PIX it would be greatly appreciated.
> > >>>
> > >>> Thx
> > >>> Ravi
> > >>>
> > >>> -----Original Message-----
> > >>> From: ListAcct [mailto:[EMAIL PROTECTED]
> > >>> Sent: Friday, February 08, 2008 11:11 PM
> > >>> To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial Discussion
> > >>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
> > >>>
> > >>> Ravi,
> > >>>
> > >>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host
> > >>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
> > >>> something you can configure (10000 to 10200) unless you write a script
> > >>> to just copy and paste about 10000 to 20000 ports in your config on the
> > >>> pix. Cisco's are strange but secure.
> > >>>
> > >>> It took me about two hours to figure out after taking off the fixup and
> > >>> no more logging/debugging from the cisco. I actually fixed while a call
> > >>> was coming in. LOL! Let me know!!!
> > >>>
> > >>> --Otis
> > >>>
> > >>> Ravichandran Rajagopal wrote:
> > >>>
> > >>>> Hi,
> > >>>>
> > >>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I
> > >>>> am getting a one-way audio. I need your help/guidance to resolve this
> > >>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506.
> > >>>> Any help rendered by you in this subject is greatly appreciated. I
> > >>>> have been breaking my head trying to resolve this problem for more
> > >>>> than one month. I have included the sip.conf and the extensions.conf
> > >>>> below.
> > >>>>
> > >>>> [SIP.conf]
> > >>>>
> > >>>> ; SIP Configuration example for Asterisk
> > >>>>
> > >>>> [general]
> > >>>> context=incoming
> > >>>> allowoverlap=no
> > >>>> bindport=5060
> > >>>> bindaddr=0.0.0.0
> > >>>> localnet=192.168.5.0/255.255.255.0
> > >>>> externip=a.b.ccc.dd
> > >>>> srvlookup=yes
> > >>>> allow=ulaw
> > >>>> allow=alaw
> > >>>>
> > >>>> [incoming]
> > >>>> type=peer
> > >>>> nat=no
> > >>>> canreinvite=no
> > >>>> host=xx.y.z.aaa
> > >>>> qualify=yes
> > >>>> dtmfmode=rfc2833
> > >>>> context=default
> > >>>>
> > >>>> [extensions.conf]
> > >>>>
> > >>>> [general]
> > >>>> static=yes
> > >>>> writeprotect=yes
> > >>>> clearglobalvars=no
> > >>>>
> > >>>> [default]
> > >>>> include => customer
> > >>>> exten => h,1,Hangup
> > >>>> exten => i,1,Congestion
> > >>>> exten => i,2,Hangup
> > >>>>
> > >>>> [agnosco]
> > >>>> include => local-extensions
> > >>>> include => customer_ivr
> > >>>> include => incoming
> > >>>>
> > >>>> [customer_ivr]
> > >>>> include => local-extensions
> > >>>> exten => s,1,Answer
> > >>>> exten => s,n,Background(agnosco_intro)
> > >>>> exten => s,n,WaitExten
> > >>>> ;Dial said extensions
> > >>>> exten => 5,1,Dial(SIP/[EMAIL PROTECTED],30)
> > >>>>
> > >>>> [incoming]
> > >>>> exten => 4025901000,1,Goto(1000,1)
> > >>>> exten => 1000,1,Goto(customer_ivr,s,1)
> > >>>>
> > >>>> Thanks
> > >>>>
> > >>>> sunMoonstar.
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
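
The advice at the top of this message is that the ports opened on the PIX and the RTP span in rtp.conf must be the same range. The Python check below is an added example, not code from the thread: it compares the two and lists RTP ports the firewall would still block, openings Asterisk never uses, and the conduit lines needed to close the gap. The sample configs are constructed, reuse the placeholder address 192.168.1.22 from Otis's example, and only the `eq <port>` conduit form shown in the thread is parsed.

```python
import re

# Constructed sample inputs (placeholder addresses, not a real device config).
RTP_CONF = """\
[general]
rtpstart=10000   ; first RTP port Asterisk will use
rtpend=10005     ; last RTP port Asterisk will use
"""
PIX_CONFIG = """\
static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
conduit permit udp host 192.168.1.22 eq 10000 any
conduit permit udp host 192.168.1.22 eq 10001 any
conduit permit udp host 192.168.1.22 eq 10002 any
conduit permit udp host 192.168.1.22 eq 10006 any
"""

def rtp_range(conf_text):
    """Return (rtpstart, rtpend) from rtp.conf text, ignoring ';' comments."""
    vals = {}
    for line in conf_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.fullmatch(r"(rtpstart|rtpend)\s*=\s*(\d+)", line)
        if m:
            vals[m.group(1)] = int(m.group(2))
    return vals["rtpstart"], vals["rtpend"]

def permitted_udp_ports(pix_text, global_ip):
    """Collect ports opened by 'conduit permit udp host <ip> eq <port> any'."""
    pat = re.compile(r"conduit permit udp host (\S+) eq (\d+) any")
    hits = (pat.fullmatch(line.strip()) for line in pix_text.splitlines())
    return {int(m.group(2)) for m in hits if m and m.group(1) == global_ip}

def audit(conf_text, pix_text, global_ip):
    """Compare the RTP span with the firewall openings for one global IP."""
    start, end = rtp_range(conf_text)
    wanted = set(range(start, end + 1))
    opened = permitted_udp_ports(pix_text, global_ip)
    missing = sorted(wanted - opened)   # Asterisk may pick these; audio is dropped
    excess = sorted(opened - wanted)    # open on the firewall but never used for RTP
    fix = [f"conduit permit udp host {global_ip} eq {p} any" for p in missing]
    return missing, excess, fix

if __name__ == "__main__":
    missing, excess, fix = audit(RTP_CONF, PIX_CONFIG, "192.168.1.22")
    print("blocked RTP ports:", missing)
    print("unneeded openings:", excess)
    print("\n".join(fix))
```
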