Ravi,

Are you sure that is the IP address of your Asterisk server? If you are following / using CIDR then

192.168.5.0/24
192.168.5.0 = network address
192.168.5.255 = broadcast
Valid IPs in that range are 192.168.5.1-254 usable

Did you get everything working?

--Otis

Ravichandran Rajagopal wrote:
> This is what I implemented
>
> access-list asterisk permit udp any host 192.168.5.0 range 10000 20000
>
> Thx
> Ravi
>
> -----Original Message-----
> From: Wendell Hamilton [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 09, 2008 11:07 PM
> To: [EMAIL PROTECTED]
> Cc: Joris Cras; Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix 506
>
> Did you only open up the one port (10000)? You need to open up a range, if
> you're doing it this way, like 10000-10020 and then set your rtp ports in
> asterisk to the same range.
>
> ----- "Ravichandran Rajagopal" <[EMAIL PROTECTED]> wrote:
>
>> I made the following changes and I am still facing one way audio with
>> my call flow.
>>
>> -----Original Message-----
>> From: Wendell Hamilton [mailto:[EMAIL PROTECTED]
>> Sent: Saturday, February 09, 2008 1:58 PM
>> To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial
>> Discussion
>> Cc: Joris Cras; [EMAIL PROTECTED]; Asterisk Users Mailing List -
>> Non-Commercial Discussion
>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco
>> pix 506
>>
>> try:
>> access-list asterisk permit udp any host x.x.x.x eq 10000
>>
>> ----- "Ravichandran Rajagopal" <[EMAIL PROTECTED]>
>> wrote:
>>
>>> I tried the following ACL command
>>>
>>> "access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000
>>> 20000"
>>>
>>> and I got the following response back
>>>
>>> "[no] access-list <id> [line <line-num>] deny|permit icmp
>>> <sip> <smask> | interface <if_name> | object-group
>>> <network_obj_grp_id>
>>> <dip> <dmask> | interface <if_name> | object-group
>>> <network_obj_grp_id>
>>> [<icmp_type> | object-group <icmp_type_obj_grp_id>]
>>> [log [disable|default] | [<level>] [interval <secs>]]
>>> Restricted ACLs for route-map use:
>>> [no] access-list <id> deny|permit {any | <prefix> <mask> | host
>>> <address>}
>>> Command failed"
>>>
>>> I don't know how to enter into the linux interface of the Cisco Pix
>>> 506 firewall
>>>
>>> -----Original Message-----
>>> From: Joris Cras [mailto:[EMAIL PROTECTED]
>>> Sent: Saturday, February 09, 2008 3:23 AM
>>> To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial
>>> Discussion
>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco
>>> pix 506
>>>
>>> Ravi,
>>>
>>> there is an easy way of creating all those commands in linux.
>>> just run the following in a shell:
>>> for x in $(seq 10001 10050); do echo 192.168.5.0 eq $x any conduit
>>> permit udp host 192.168.5.0 eq $x any conduit permit udp host;done
>>>
>>> This will create all your PIX rules at once.
>>>
>>> I think you could also use Cisco ACL's
>>> access-list [name] permit udp [source] [destination] range
>>> This would be in your case something like:
>>> access-list asterisk permit udp 0.0.0.0 192.168.5.0 range 10000
>>> 10050
>>>
>>> Good luck.
>>>
>>> Joris
>>>
>>> Ravichandran Rajagopal wrote:
>>>
>>>> Otis,
>>>> I wanted to clarify what you said and what I comprehended.
>>>>
>>>> the SIP protocols are disabled in fixup.
>>>> ========================================================
>>>> Having said that I guess all I have to do is just the following.
>>>> the inside IP of asterisk server is 192.168.5.0
>>>>
>>>> On the cisco PIX firewall enter the following.
>>>> 192.168.5.0 eq 10000 any conduit permit udp host 192.168.5.0 eq 10001 any
>>>> conduit permit udp host
>>>> 192.168.5.0 eq 10001 any conduit permit udp host 192.168.5.0 eq 10002 any
>>>> conduit permit udp host
>>>> ....................................
>>>> ...................................
>>>> .....................
>>>> 192.168.5.0 eq 10049 any conduit permit udp host 192.168.5.0 eq 10050 any
>>>> conduit permit udp host
>>>>
>>>> in the rtp.conf in /etc/asterisk
>>>> change the ending port 20000 (which is what it currently is) to 10050
>>>>
>>>> Is there an easier way to make the entries in Cisco PIX firewall?
>>>> Thx
>>>> Ravi
>>>>
>>>> -----Original Message-----
>>>> From: ListAcct [mailto:[EMAIL PROTECTED]
>>>> Sent: Saturday, February 09, 2008 12:18 AM
>>>> To: [EMAIL PROTECTED]
>>>> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>>> 506
>>>>
>>>> No problem. :-P I thought it might be wise to include everything you
>>>> needed just in case!! LOL! You are welcome!!!
>>>>
>>>> --Otis
>>>>
>>>> Ravichandran Rajagopal wrote:
>>>>
>>>>> LOL I guess all I was asking for the changes to be made in the Cisco PIX
>>>>> 506. I think you gave me a short tutorial on VI as well. Thanks once again
>>>>> for this help. Let me work on these changes and test the one-way audio
>>>>> problem and go from there.
>>>>> Thx
>>>>> Ravi
>>>>>
>>>>> -----Original Message-----
>>>>> From: ListAcct [mailto:[EMAIL PROTECTED]
>>>>> Sent: Friday, February 08, 2008 11:55 PM
>>>>> To: [EMAIL PROTECTED]
>>>>> Cc: 'Asterisk Users Mailing List - Non-Commercial Discussion'
>>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>>>> 506
>>>>>
>>>>> Ravi,
>>>>>
>>>>> I will explain changing the config in asterisk and the pix:
>>>>>
>>>>> Asterisk Box - vi to /etc/asterisk/rtp.conf and change the port span to
>>>>> 10000 to 10050 (to start, you will need to increase later as ports fill
>>>>> up)
>>>>>
>>>>> (use insert to make a change in a file)
>>>>>
>>>>> to save:
>>>>>
>>>>> 1. esc
>>>>> 2. shift + colon
>>>>> 3. wq (to save)
>>>>>
>>>>> If you made a mistake and do not want to save but you changed something
>>>>> in the file:
>>>>>
>>>>> 1. esc
>>>>> 2. shift + colon
>>>>> 3. q! (to exit)
>>>>>
>>>>> Cisco Pix - on my old Pix 520 UR I do not use the ACLs for this case the
>>>>> static and conduit commands so this is an example from my setup.
>>>>>
>>>>> These are not usable IPs on the Internet or my IPs but just an
>>>>> example....
>>>>>
>>>>> outside (interface) - 192.168.1.0/24 (192.168.1.1-192.168.1.254)
>>>>> dmz (interface) - 192.168.254.0/24 (192.168.254.1-192.168.254.254)
>>>>>
>>>>> interface ethernet0 100full (sets the duplex and turns on interface)
>>>>> interface ethernet1 100full (sets the duplex and turns on interface)
>>>>>
>>>>> nameif ethernet0 outside security0 ( lower security)
>>>>> nameif ethernet1 dmz security50 (higher security)
>>>>>
>>>>> no fixup protocol sip 5060
>>>>> no fixup protocol sip udp 5060
>>>>>
>>>>> ! - this makes things easier so now the pix knows the IP of the asterisk
>>>>> box and maps the ip to the name just for configuration purposes only so
>>>>> if you had 20 servers or devices you wanted public access to it's just
>>>>> easier to remember their names versus IPs.
>>>>> name 192.168.254.11 dns
>>>>> name 192.168.254.10 asterisk
>>>>>
>>>>> ! - the static command is used as a permanent mapper from one inside,
>>>>> dmz, or other to the global ip vice versa. (Rule of thumb if you map
>>>>> using static make sure you have a conduit command)
>>>>> static (dmz,outside) 192.168.1.22 asterisk netmask 255.255.255.255 0 0
>>>>>
>>>>> ! - here is where you open the ports on the global side to the asterisk
>>>>> box. (the conduit command allows connections from lower security
>>>>> interfaces to higher security interfaces)
>>>>> conduit permit udp host 192.168.1.22 eq 10000 any
>>>>> conduit permit udp host 192.168.1.22 eq 10001 any
>>>>> conduit permit udp host 192.168.1.22 eq 10002 any
>>>>> conduit permit udp host 192.168.1.22 eq 10003 any
>>>>> conduit permit udp host 192.168.1.22 eq 10004 any
>>>>> conduit permit udp host 192.168.1.22 eq 10005 any
>>>>>
>>>>> Hope this helps!
>>>>>
>>>>> --Otis
>>>>>
>>>>> Ravichandran Rajagopal wrote:
>>>>>
>>>>>> Otis,
>>>>>> I am new to Cisco PIX 506 and I am learning this. If you can help me with
>>>>>> how to do this change on Cisco PIX it would be greatly appreciated.
>>>>>> Thx
>>>>>> Ravi
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: ListAcct [mailto:[EMAIL PROTECTED]
>>>>>> Sent: Friday, February 08, 2008 11:11 PM
>>>>>> To: [EMAIL PROTECTED]; Asterisk Users Mailing List - Non-Commercial
>>>>>> Discussion
>>>>>> Subject: Re: [asterisk-users] oneway audio with asterisk behind cisco pix
>>>>>> 506
>>>>>>
>>>>>> Ravi,
>>>>>>
>>>>>> Open up the RTP (UDP) ports on your pix. (EX. conduit permit udp host
>>>>>> x.x.x.x eq 10049 any). Also set your asterisk rtp config span to
>>>>>> something you can configure (10000 to 10200) unless you write a script
>>>>>> to just copy and paste about 10000 to 20000 ports in your config on the
>>>>>> pix. Cisco's are strange but secure.
>>>>>>
>>>>>> It took me about two hours to figure out after taking off the fixup and
>>>>>> no more logging/debugging from the cisco. I actually fixed while a call
>>>>>> was coming in. LOL! Let me know!!!
>>>>>>
>>>>>> --Otis
>>>>>>
>>>>>> Ravichandran Rajagopal wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have the Cisco PIX 506 firewall right in front of the asterisk and I
>>>>>>> am getting a one-way audio. I need your help/guidance to resolve this
>>>>>>> problem. I have the "fixups" disabled for SIP in the Cisco PIX 506.
>>>>>>> Any help rendered by you in this subject is greatly appreciated. I
>>>>>>> have been breaking my head trying to resolve this problem for more
>>>>>>> than one month. I have included the sip.conf and the extensions.conf
>>>>>>> below.
>>>>>>>
>>>>>>> [SIP.conf]
>>>>>>>
>>>>>>> ; SIP Configuration example for Asterisk
>>>>>>>
>>>>>>> [general]
>>>>>>> context=incoming
>>>>>>> allowoverlap=no
>>>>>>> bindport=5060
>>>>>>> bindaddr=0.0.0.0
>>>>>>> localnet=192.168.5.0/255.255.255.0
>>>>>>> externip=a.b.ccc.dd
>>>>>>> srvlookup=yes
>>>>>>> allow=ulaw
>>>>>>> allow=alaw
>>>>>>>
>>>>>>> [incoming]
>>>>>>> type=peer
>>>>>>> nat=no
>>>>>>> canreinvite=no
>>>>>>> host=xx.y.z.aaa
>>>>>>> qualify=yes
>>>>>>> dtmfmode=rfc2833
>>>>>>> context=default
>>>>>>>
>>>>>>> [extensions.conf]
>>>>>>>
>>>>>>> [general]
>>>>>>> static=yes
>>>>>>> writeprotect=yes
>>>>>>> clearglobalvars=no
>>>>>>>
>>>>>>> [default]
>>>>>>> include => customer
>>>>>>> exten => h,1,Hangup
>>>>>>> exten => i,1,Congestion
>>>>>>> exten => i,2,Hangup
>>>>>>>
>>>>>>> [agnosco]
>>>>>>> include => local-extensions
>>>>>>> include => customer_ivr
>>>>>>> include => incoming
>>>>>>>
>>>>>>> [customer_ivr]
>>>>>>> include => local-extensions
>>>>>>> exten => s,1,Answer
>>>>>>> exten => s,n,Background(agnosco_intro)
>>>>>>> exten => s,n,WaitExten
>>>>>>>
>>>>>>> ;Dial said extensions
>>>>>>> exten => 5,1,Dial(SIP/[EMAIL PROTECTED],30)
>>>>>>>
>>>>>>> [incoming]
>>>>>>> exten => 4025901000,1,Goto(1000,1)
>>>>>>> exten => 1000,1,Goto(customer_ivr,s,1)
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> sunMoonstar.
>>>>>>>
>>>>>>> ------------------------------------------------------------------------
>>>>>>> _______________________________________________
>>>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>>>>
>>>>>>> asterisk-users mailing list
>>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
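
Added example, not part of the original messages: a POSIX shell script that combines the two checks the thread arrives at, namely that the rule must name a usable host address (192.168.5.0 is the network address of 192.168.5.0/24) and that the firewall opening must match the port span in rtp.conf. The function names, the host address 192.168.5.10 and the sample rtp.conf are constructed for illustration; the rule text follows the access-list form quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): build the PIX rule for RTP from rtp.conf
# so the firewall opening and Asterisk's port span cannot drift apart.

ip_to_int() {                       # dotted quad -> integer
    old_ifs=$IFS; IFS=.
    set -- $1                       # split the address on dots
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

host_role() {                       # $1 = IPv4 address, $2 = prefix length
    ip=$(ip_to_int "$1")
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    net=$(( ip & mask ))
    bcast=$(( net + 4294967295 - mask ))
    if [ "$ip" -eq "$net" ]; then echo network
    elif [ "$ip" -eq "$bcast" ]; then echo broadcast
    else echo host
    fi
}

rtp_range() {                       # $1 = rtp.conf path; prints "start end"
    awk -F= '
        { sub(/;.*/, "") }          # drop trailing ; comments
        /^[ \t]*rtpstart[ \t]*=/ { gsub(/[^0-9]/, "", $2); s = $2 }
        /^[ \t]*rtpend[ \t]*=/   { gsub(/[^0-9]/, "", $2); e = $2 }
        END { print s, e }' "$1"
}

pix_rtp_rules() {                   # $1 = server IP, $2 = prefix, $3 = rtp.conf
    role=$(host_role "$1" "$2")
    if [ "$role" != host ]; then
        echo "refusing: $1 is the $role address of its /$2" >&2
        return 1
    fi
    set -- "$1" $(rtp_range "$3")   # now $2 = rtpstart, $3 = rtpend
    [ -n "$2" ] && [ -n "$3" ] && [ "$2" -le "$3" ] || return 1
    echo "access-list asterisk permit udp any host $1 range $2 $3"
}

# Constructed sample rtp.conf using the 10000 to 10050 span from the thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
printf '[general]\nrtpstart=10000 ; first RTP port\nrtpend=10050\n' > "$SAMPLE_CONF"

pix_rtp_rules 192.168.5.0 24 "$SAMPLE_CONF" || echo "rule not generated"
pix_rtp_rules 192.168.5.10 24 "$SAMPLE_CONF"   # 192.168.5.10 is a made-up host
```

The first call is rejected because the address is the network address; the second prints a single rule whose range is exactly the span Asterisk will use, so no UDP ports beyond the RTP range are opened.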