Re: [asterisk-users] Asterisk behind a PIX firewall?
On Tue, 27 Nov 2007 09:40:56 -0500, Matt wrote:

> This is a dual NAT situation. PIX on Asterisk side, and Netgear on phone side. HOWEVER. The Asterisk box has its own IP but it is being tunneled through the PIX. I guess the PIX must be messing something up?

could you post a 'sip debug peer ' of the call ?

depending on your setup, you may need to set externip in sip.conf to the external ip addy of the pix firewall, so the addresses placed in the SIP packets are correct.

--
Regards,
/\_/\ All dogs go to heaven. [EMAIL PROTECTED]
(0 0) http://www.openmalaysiablog.com/
+==oOO--(_)--OOo==+
| for a in past present future; do
|   for b in clients employers associates relatives neighbours pets; do
|     echo The opinions here in no way reflect the opinions of my $a $b.
|   done; done
+=+

___
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Asterisk behind a PIX firewall?
which version of the pix ? there are some bugs in old 6.3 with sip...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Matt
Sent: Tuesday, 27 November 2007 14:11
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Asterisk behind a PIX firewall?

Is there anything special that anyone here has had to do to get an Aastra phone (on the Internet) to talk to Asterisk behind a PIX firewall?

Ports 1-2 UDP are open on the PIX and forwarding to the Asterisk server. The Asterisk server's RTP.CONF is set to use 1-2. The phone registers, and will place AND receive calls, however, no audio is passed.

The phone is an Aastra 9133i.
Re: [asterisk-users] Asterisk behind a PIX firewall?
ST == Steve Totaro [EMAIL PROTECTED] writes:

ST> Trust me on this, I have tried almost everything to get it to
ST> work, the best you can hope for is one way audio in a dual NAT.
ST> The answer has to do with where the packets are sent from and
ST> where they seem to be sent from.

I have a Nokia E70 behind a NAT connecting to an asterisk behind another NAT. As far as I can tell from tcpdump, the E70 cannot find a STUN server and therefore does not use STUN. Neither of the NATs have SIP support.

This should not work, but somehow it does. Audio goes through without problems -- as long as canreinvite=no.

/Benny
Re: [asterisk-users] Asterisk behind a PIX firewall?
Oh My Word! Let's not talk about the siparator! I just had a client who had an awful time with it, and I never want to hear about that wretched product again! :)

On Nov 28, 2007 2:49 AM, Vidura Senadeera [EMAIL PROTECTED] wrote:

> Hi all,
>
> use ingate siparator. www.ingate.com
> ingate will help you to get rid of these issues.
>
> Regards,
> Vidura Senadeera
> Tel - +9466596
> yahoo, skype - vidurased
> Sri Lanka.
>
> =
>
> You can also create the vpn using the existing pix and netgear, eliminating more hardware and points of failure.
>
> - Original Message -
> From: Ricardo Carvalho [EMAIL PROTECTED]
> To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
> Sent: Tuesday, November 27, 2007 7:30:35 AM (GMT-0800) America/Los_Angeles
> Subject: Re: [asterisk-users] Asterisk behind a PIX firewall?
>
> Try to just open port 5060 for SIP signaling on the PIX and also enable the INSPECT SIP rule. That way, your PIX firewall will inspect SIP signalling and open the necessary UDP ports for the RTP. If you have NAT upstream in the network, you should see if in the layer 4 the IPs shown in the SIP messages got rewritten by its public IPs, it should have, or else you'll never get it working right.
>
> Regards,
> Ricardo Carvalho.
[asterisk-users] Asterisk behind a PIX firewall?
Is there anything special that anyone here has had to do to get an Aastra phone (on the Internet) to talk to Asterisk behind a PIX firewall?

Ports 1-2 UDP are open on the PIX and forwarding to the Asterisk server. The Asterisk server's RTP.CONF is set to use 1-2. The phone registers, and will place AND receive calls, however, no audio is passed.

The phone is an Aastra 9133i.
Re: [asterisk-users] Asterisk behind a PIX firewall?
Matt wrote:

> Is there anything special that anyone here has had to do to get an Aastra phone (on the Internet) to talk to Asterisk behind a PIX firewall?
>
> Ports 1-2 UDP are open on the PIX and forwarding to the Asterisk server. The Asterisk server's RTP.CONF is set to use 1-2. The phone registers, and will place AND receive calls, however, no audio is passed.
>
> The phone is an Aastra 9133i.

Just checking NAT=yes, canreinvite=no ?

Thanks,
Steve Totaro
888.777.1888
Re: [asterisk-users] Asterisk behind a PIX firewall?
> Just checking NAT=yes, canreinvite=no ?

Correct, I have those settings set for this phone. Asterisk has been reloaded even restarted.
Re: [asterisk-users] Asterisk behind a PIX firewall?
Matt wrote:

>> Just checking NAT=yes, canreinvite=no ?
>
> Correct, I have those settings set for this phone. Asterisk has been reloaded even restarted.

Is this a dual NAT situation? NAT on the phone side and NAT at the PIX? If so, I fear it will never work, you might get one way audio though.

I live OpenVPN bridges for double NAT situations, of course you could try IAX2 but I have seen too many sound quality issues surrounding IAX2 so I try to stick with SIP, even if that means setting up VPNs.

Thanks,
Steve
888.777.1888
Re: [asterisk-users] Asterisk behind a PIX firewall?
> Is this a dual NAT situation? NAT on the phone side and NAT at the PIX? If so, I fear it will never work, you might get one way audio though.
>
> I live OpenVPN bridges for double NAT situations, of course you could try IAX2 but I have seen too many sound quality issues surrounding IAX2 so I try to stick with SIP, even if that means setting up VPNs.

This is a dual NAT situation. PIX on Asterisk side, and Netgear on phone side. HOWEVER. The Asterisk box has its own IP but it is being tunneled through the PIX. I guess the PIX must be messing something up?
Re: [asterisk-users] Asterisk behind a PIX firewall?
Matt wrote:

>> Is this a dual NAT situation? NAT on the phone side and NAT at the PIX? If so, I fear it will never work, you might get one way audio though.
>>
>> I live OpenVPN bridges for double NAT situations, of course you could try IAX2 but I have seen too many sound quality issues surrounding IAX2 so I try to stick with SIP, even if that means setting up VPNs.
>
> This is a dual NAT situation. PIX on Asterisk side, and Netgear on phone side. HOWEVER. The Asterisk box has its own IP but it is being tunneled through the PIX. I guess the PIX must be messing something up?

It is being tunneled or forwarded? Does the Asterisk box have a public IP or does the PIX have the public which just forwards to the private?

If it is just forwarding, it will never work without either putting one side on a public IP, using a VPN solution, or IAX2.

Thanks,
Steve
888.777.1888
Re: [asterisk-users] Asterisk behind a PIX firewall?
> This is a dual NAT situation. PIX on Asterisk side, and Netgear on phone side. HOWEVER. The Asterisk box has its own IP but it is being tunneled through the PIX. I guess the PIX must be messing something up?

If I remove the phone from behind the Netgear... then I get the audio from the Asterisk PBX so traffic seems to be flowing but why would it not get behind the firewalls?
Re: [asterisk-users] Asterisk behind a PIX firewall?
On Nov 27, 2007 9:59 AM, Matt [EMAIL PROTECTED] wrote:

>> This is a dual NAT situation. PIX on Asterisk side, and Netgear on phone side. HOWEVER. The Asterisk box has its own IP but it is being tunneled through the PIX. I guess the PIX must be messing something up?
>
> If I remove the phone from behind the Netgear... then I get the audio from the Asterisk PBX so traffic seems to be flowing but why would it not get behind the firewalls?

This is what I see on the debug:

Retransmitting #6 (NAT) to 63.174.244.147:5060:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 63.174.244.147;branch=z9hG4bK7e4d50af2;received=63.174.244.147
From: Remote Test sip:[EMAIL PROTECTED]:5060;tag=c302787b4625316
To: 93372806 sip:[EMAIL PROTECTED]:5060;tag=as1c9e4806
Call-ID: [EMAIL PROTECTED]
CSeq: 1136993892 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: sip:[EMAIL PROTECTED]
Content-Type: application/sdp
Content-Length: 242

The From and To shouldn't be the same, though... should they?
Re: [asterisk-users] Asterisk behind a PIX firewall?
Matt wrote:

>> This is a dual NAT situation. PIX on Asterisk side, and Netgear on phone side. HOWEVER. The Asterisk box has its own IP but it is being tunneled through the PIX. I guess the PIX must be messing something up?
>
> If I remove the phone from behind the Netgear... then I get the audio from the Asterisk PBX so traffic seems to be flowing but why would it not get behind the firewalls?

Trust me on this, I have tried almost everything to get it to work, the best you can hope for is one way audio in a dual NAT.

The answer has to do with where the packets are sent from and where they seem to be sent from.

If you are not familiar with OpenVPN, you should check it out. It is a great piece of software and will solve your issues.

Thanks,
Steve Totaro
888.777.1888
Re: [asterisk-users] Asterisk behind a PIX firewall?
> It is being tunneled or forwarded? Does the Asterisk box have a public IP or does the PIX have the public which just forwards to the private?
>
> If it is just forwarding, it will never work without either putting one side on a public IP, using a VPN solution, or IAX2.

It IS being forwarded. Asterisk has a private, and the PIX forwards... and I do see what is happening. Makes sense. Guess it's going to have to run over the VPN!
Re: [asterisk-users] Asterisk behind a PIX firewall?
Matt,

If your phone is using SIP, then you should enable sip inspection (7.x code or above) or fixup sip (6.x code) and have a rule that allows source (wherever you need) inbound on the outside interface to TCP 5060 (SIP port). The sip inspection or fixup should enable the proper ports for the required RTP streams. I had this working through an ASA at some point, but I don't remember if both ends were doing NAT or only one end. I don't know the phone you are talking about, but you also might want to look into STUN or ICE to get beyond the NAT Traversal issue, if that is what's causing the problem. In the Firewall log, are you seeing Denys? or drops? Have you tried debug sip on the firewall console? I've been dealing with several ASA SIP issues lately. SIP trunking with NAT will certainly not work and there is a Cisco Bug that my company discovered when setting up our PBX.

Shlomo in Israel

On 11/27/07, Matt [EMAIL PROTECTED] wrote:

> Is there anything special that anyone here has had to do to get an Aastra phone (on the Internet) to talk to Asterisk behind a PIX firewall?
>
> Ports 1-2 UDP are open on the PIX and forwarding to the Asterisk server. The Asterisk server's RTP.CONF is set to use 1-2. The phone registers, and will place AND receive calls, however, no audio is passed.
>
> The phone is an Aastra 9133i.
Re: [asterisk-users] Asterisk behind a PIX firewall?
> Trust me on this, I have tried almost everything to get it to work, the best you can hope for is one way audio in a dual NAT.
>
> The answer has to do with where the packets are sent from and where they seem to be sent from.
>
> If you are not familiar with OpenVPN, you should check it out. It is a great piece of software and will solve your issues.

Steve,

Thanks for the information. I guess we will go with VPN. A little Soekris board isn't that expensive to throw at each site.
Re: [asterisk-users] Asterisk behind a PIX firewall?
Try to just open port 5060 for SIP signaling on the PIX and also enable the INSPECT SIP rule. That way, your PIX firewall will inspect SIP signalling and open the necessary UDP ports for the RTP. If you have NAT upstream in the network, you should see if in the layer 4 the IPs shown in the SIP messages got rewritten by its public IPs, it should have, or else you'll never get it working right.

Regards,
Ricardo Carvalho.
Re: [asterisk-users] Asterisk behind a PIX firewall?
Shlomo,

My understanding is I have to do a no fixup sip 5060. This from Cisco. Without doing the no fixup the registration ports get all mangled.

On Nov 27, 2007 10:11 AM, Shlomo Dubrowin [EMAIL PROTECTED] wrote:

> Matt,
>
> If your phone is using SIP, then you should enable sip inspection (7.x code or above) or fixup sip (6.x code) and have a rule that allows source (wherever you need) inbound on the outside interface to TCP 5060 (SIP port). The sip inspection or fixup should enable the proper ports for the required RTP streams. I had this working through an ASA at some point, but I don't remember if both ends were doing NAT or only one end. I don't know the phone you are talking about, but you also might want to look into STUN or ICE to get beyond the NAT Traversal issue, if that is what's causing the problem. In the Firewall log, are you seeing Denys? or drops? Have you tried debug sip on the firewall console? I've been dealing with several ASA SIP issues lately. SIP trunking with NAT will certainly not work and there is a Cisco Bug that my company discovered when setting up our PBX.
>
> Shlomo in Israel
>
> On 11/27/07, Matt [EMAIL PROTECTED] wrote:
>
>> Is there anything special that anyone here has had to do to get an Aastra phone (on the Internet) to talk to Asterisk behind a PIX firewall?
>>
>> Ports 1-2 UDP are open on the PIX and forwarding to the Asterisk server. The Asterisk server's RTP.CONF is set to use 1-2. The phone registers, and will place AND receive calls, however, no audio is passed.
>>
>> The phone is an Aastra 9133i.
Re: [asterisk-users] Asterisk behind a PIX firewall?
You can also create the vpn using the existing pix and netgear, eliminating more hardware and points of failure.

- Original Message -
From: Ricardo Carvalho [EMAIL PROTECTED]
To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Sent: Tuesday, November 27, 2007 7:30:35 AM (GMT-0800) America/Los_Angeles
Subject: Re: [asterisk-users] Asterisk behind a PIX firewall?

Try to just open port 5060 for SIP signaling on the PIX and also enable the INSPECT SIP rule. That way, your PIX firewall will inspect SIP signalling and open the necessary UDP ports for the RTP. If you have NAT upstream in the network, you should see if in the layer 4 the IPs shown in the SIP messages got rewritten by its public IPs, it should have, or else you'll never get it working right.

Regards,
Ricardo Carvalho.
Re: [asterisk-users] Asterisk behind a PIX firewall?
On Nov 27, 2007 9:08 AM, Steve Totaro [EMAIL PROTECTED] wrote:

> Matt wrote:
>
>>> Just checking NAT=yes, canreinvite=no ?
>>
>> Correct, I have those settings set for this phone. Asterisk has been reloaded even restarted.
>
> Is this a dual NAT situation? NAT on the phone side and NAT at the PIX? If so, I fear it will never work, you might get one way audio though.

I disagree with you, setting in sip.conf:

externhost=ddnsname ;or set the next setting
externip=x.x.x.x ;external ip
externrefresh=10 ;for dns
localnet=192.168.0.0/255.255.0.0

should take care of this, I have never had a problem with dual nat like this, using Aastra, Cisco, Polycom and linksys.

> I live OpenVPN bridges for double NAT situations, of course you could try IAX2 but I have seen too many sound quality issues surrounding IAX2 so I try to stick with SIP, even if that means setting up VPNs.
>
> Thanks,
> Steve
> 888.777.1888
Re: [asterisk-users] Asterisk behind a PIX firewall?
Enabling the fixup breaks the registration.

On Nov 27, 2007 10:30 AM, Ricardo Carvalho [EMAIL PROTECTED] wrote:

> Try to just open port 5060 for SIP signaling on the PIX and also enable the INSPECT SIP rule. That way, your PIX firewall will inspect SIP signalling and open the necessary UDP ports for the RTP. If you have NAT upstream in the network, you should see if in the layer 4 the IPs shown in the SIP messages got rewritten by its public IPs, it should have, or else you'll never get it working right.
>
> Regards,
> Ricardo Carvalho.
Re: [asterisk-users] Asterisk behind a PIX firewall?
C F wrote:

> On Nov 27, 2007 9:08 AM, Steve Totaro [EMAIL PROTECTED] wrote:
>
>> Matt wrote:
>>
>>>> Just checking NAT=yes, canreinvite=no ?
>>>
>>> Correct, I have those settings set for this phone. Asterisk has been reloaded even restarted.
>>
>> Is this a dual NAT situation? NAT on the phone side and NAT at the PIX? If so, I fear it will never work, you might get one way audio though.
>
> I disagree with you, setting in sip.conf:
>
> externhost=ddnsname ;or set the next setting
> externip=x.x.x.x ;external ip
> externrefresh=10 ;for dns
> localnet=192.168.0.0/255.255.0.0
>
> should take care of this, I have never had a problem with dual nat like this, using Aastra, Cisco, Polycom and linksys.

You are probably right. I think the first and last time I attempted double NATs, there was no sip.conf, I have to keep up with the times, lol. Worth a shot.

I still like the OpenVPN solution for security and other added benefits.

>> I live OpenVPN bridges for double NAT situations, of course you could try IAX2 but I have seen too many sound quality issues surrounding IAX2 so I try to stick with SIP, even if that means setting up VPNs.

Thanks,
Steve
888.777.1888
Re: [asterisk-users] Asterisk behind a PIX firewall?
On Tue, 27 Nov 2007, Matt wrote:

> Shlomo,
>
> My understanding is I have to do a no fixup sip 5060. This from Cisco. Without doing the no fixup the registration ports get all mangled.

So yet another router with a broken SIP ALG...

(Juniper NetScreen is one I had issues with)

Gordon
Re: [asterisk-users] Asterisk behind a PIX firewall?
Steve Totaro wrote:

> C F wrote:
>
>> On Nov 27, 2007 9:08 AM, Steve Totaro [EMAIL PROTECTED] wrote:
>>
>>> Matt wrote:
>>>
>>>>> Just checking NAT=yes, canreinvite=no ?
>>>>
>>>> Correct, I have those settings set for this phone. Asterisk has been reloaded even restarted.
>>>
>>> Is this a dual NAT situation? NAT on the phone side and NAT at the PIX? If so, I fear it will never work, you might get one way audio though.
>>
>> I disagree with you, setting in sip.conf:
>>
>> externhost=ddnsname ;or set the next setting
>> externip=x.x.x.x ;external ip
>> externrefresh=10 ;for dns
>> localnet=192.168.0.0/255.255.0.0
>>
>> should take care of this, I have never had a problem with dual nat like this, using Aastra, Cisco, Polycom and linksys.
>
> You are probably right. I think the first and last time I attempted double NATs, there was no sip.conf, I have to keep up with the times, lol. Worth a shot.
>
> I still like the OpenVPN solution for security and other added benefits.

Sorry, those options were not available in sip.conf is what I meant to say.

>>> I live OpenVPN bridges for double NAT situations, of course you could try IAX2 but I have seen too many sound quality issues surrounding IAX2 so I try to stick with SIP, even if that means setting up VPNs.

Thanks,
Steve
888.777.1888
Re: [asterisk-users] Asterisk behind a PIX firewall?
On Nov 27, 2007 11:02 AM, C F [EMAIL PROTECTED] wrote:

> On Nov 27, 2007 9:08 AM, Steve Totaro [EMAIL PROTECTED] wrote:
>
>> Matt wrote:
>>
>>>> Just checking NAT=yes, canreinvite=no ?
>>>
>>> Correct, I have those settings set for this phone. Asterisk has been reloaded even restarted.
>>
>> Is this a dual NAT situation? NAT on the phone side and NAT at the PIX? If so, I fear it will never work, you might get one way audio though.
>
> I disagree with you, setting in sip.conf:
>
> externhost=ddnsname ;or set the next setting
> externip=x.x.x.x ;external ip
> externrefresh=10 ;for dns
> localnet=192.168.0.0/255.255.0.0
>
> should take care of this, I have never had a problem with dual nat like this, using Aastra, Cisco, Polycom and linksys.

LO! This worked! All it needed was an externip entry!
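A model of the externip/localnet rule that resolved the thread, added here as an example; it is not part of any post and is not Asterisk's own code. The 200 OK and every address in it are constructed (192.168.1.10 stands for the PBX, 203.0.113.5 for the firewall's outside address, 198.51.100.20 for the remote phone).

```python
import ipaddress
import re

# Private ranges a peer on the Internet cannot send RTP to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed 200 OK, as a PBX behind a forwarding firewall sends it
# when no externip is configured.
SAMPLE_200_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 198.51.100.20;branch=z9hG4bKconstructed;received=198.51.100.20",
    "Contact: <sip:100@192.168.1.10>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=root 1234 1234 IN IP4 192.168.1.10",
    "s=session",
    "c=IN IP4 192.168.1.10",
    "t=0 0",
    "m=audio 10000 RTP/AVP 0",
    "",
])


def is_rfc1918(addr):
    """True if addr parses as an IPv4 address inside a private range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def advertised_ip(bind_ip, peer_ip, localnets, externip=None):
    """Peers outside every localnet are told externip; local peers see bind_ip."""
    peer = ipaddress.ip_address(peer_ip)
    inside = any(peer in ipaddress.ip_network(n, strict=False) for n in localnets)
    return bind_ip if inside or not externip else externip


def private_address_leaks(message, peer_ip):
    """List (line, address) pairs where a private address is offered to a public peer."""
    if is_rfc1918(peer_ip):
        return []  # the peer is on the inside, private addresses are reachable
    leaks = []
    for line in message.splitlines():
        if line.startswith(("Contact:", "c=", "o=")):
            leaks += [(line, a) for a in IPV4.findall(line) if is_rfc1918(a)]
    return leaks


def apply_externip(message, bind_ip, peer_ip, localnets, externip):
    """Rewrite bind_ip in the message to the address this peer should see."""
    new_ip = advertised_ip(bind_ip, peer_ip, localnets, externip)
    # Anchor on non-digit, non-dot neighbours so 192.168.1.10 never matches 192.168.1.100.
    pattern = r"(?<![\d.])" + re.escape(bind_ip) + r"(?![\d.])"
    return re.sub(pattern, new_ip, message)


if __name__ == "__main__":
    peer = "198.51.100.20"
    for line, addr in private_address_leaks(SAMPLE_200_OK, peer):
        print("unreachable for %s: %s in %r" % (peer, addr, line))
    fixed = apply_externip(SAMPLE_200_OK, "192.168.1.10", peer,
                           ["192.168.0.0/255.255.0.0"], "203.0.113.5")
    print("leaks after externip:", private_address_leaks(fixed, peer))
```

The c= line is the one that decides where the phone sends audio, which is why registration and call setup succeed while the call stays silent until externip is set.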
Re: [asterisk-users] Asterisk behind a PIX firewall?
Matt wrote:

> On Nov 27, 2007 11:02 AM, C F [EMAIL PROTECTED] wrote:
>
>> On Nov 27, 2007 9:08 AM, Steve Totaro [EMAIL PROTECTED] wrote:
>>
>>> Matt wrote:
>>>
>>>>> Just checking NAT=yes, canreinvite=no ?
>>>>
>>>> Correct, I have those settings set for this phone. Asterisk has been reloaded even restarted.
>>>
>>> Is this a dual NAT situation? NAT on the phone side and NAT at the PIX? If so, I fear it will never work, you might get one way audio though.
>>
>> I disagree with you, setting in sip.conf:
>>
>> externhost=ddnsname ;or set the next setting
>> externip=x.x.x.x ;external ip
>> externrefresh=10 ;for dns
>> localnet=192.168.0.0/255.255.0.0
>>
>> should take care of this, I have never had a problem with dual nat like this, using Aastra, Cisco, Polycom and linksys.
>
> LO! This worked! All it needed was an externip entry!

This is good to hear. Now I know it can be done this way, although I still prefer OpenVPN for its security and ability to let you do other things such as AMI or whatever. It is kind of hard to portscan 5060 when it is not open. I bet I could do a portscan on 5060 and of those hits try username 100 password 100 all the way up to and eventually get some toll fraud access in a day's time.

Thanks,
Steve
Re: [asterisk-users] Asterisk behind a PIX firewall?
> This is good to hear. Now I know it can be done this way, although I still prefer OpenVPN for its security and ability to let you do other things such as AMI or whatever. It is kind of hard to portscan 5060 when it is not open. I bet I could do a portscan on 5060 and of those hits try username 100 password 100 all the way up to and eventually get some toll fraud access in a day's time.

GADS! I hope not! We are using fairly complex passwords :)
Re: [asterisk-users] Asterisk behind a PIX firewall?
Matt wrote:

>> This is good to hear. Now I know it can be done this way, although I still prefer OpenVPN for its security and ability to let you do other things such as AMI or whatever. It is kind of hard to portscan 5060 when it is not open. I bet I could do a portscan on 5060 and of those hits try username 100 password 100 all the way up to and eventually get some toll fraud access in a day's time.
>
> GADS! I hope not! We are using fairly complex passwords :)

No, then you are good, but I would bet my life that there are a good many systems that use the extension for both password and username and can be accessed from the net.

Thanks,
Steve
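An audit for the weak-credential pattern described above (the extension reused as the password), added here as an example that is not part of any post; the sip.conf fragment, peer names and secrets are all constructed, and the 12-character minimum is an assumed policy.

```python
import re

# Constructed sip.conf fragment; 203.0.113.5 is a placeholder address.
SAMPLE_SIP_CONF = """\
; constructed sample for the audit below
[general]
externip=203.0.113.5
localnet=192.168.0.0/255.255.0.0

[100]
type=friend
host=dynamic
secret=100                    ; extension reused as password

[101]
type=friend
host=dynamic
username=frontdesk
secret=frontdesk

[102]
type=friend
host=dynamic
secret=4711

[103]
type=friend
host=dynamic
secret=kV9#tq2Lm!xR7pZd

[104]
type=friend
host=dynamic
"""

SECTION = re.compile(r"^\[([^\]]+)\]")


def parse_peers(text):
    """Parse [section] / key=value lines; ';' starts a comment.

    Simplification: a secret containing an escaped ';' would be cut short here.
    """
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        match = SECTION.match(line)
        if match:
            current = peers.setdefault(match.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Also accept the 'key => value' spelling.
            current[key.strip().lower()] = value.strip().lstrip(">").strip()
    return peers


def audit_peers(text, min_length=12):
    """Return {peer: [issues]} for every section that declares a type."""
    findings = {}
    for name, opts in parse_peers(text).items():
        if "type" not in opts:
            continue  # [general] and other non-peer sections
        secret = opts.get("secret")
        issues = []
        if not secret:
            issues.append("no secret set")
        else:
            if secret == name:
                issues.append("secret equals peer name")
            if secret == opts.get("username"):
                issues.append("secret equals username")
            if secret.isdigit():
                issues.append("numeric-only secret")
            if len(secret) < min_length:
                issues.append("secret shorter than %d characters" % min_length)
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for peer, issues in sorted(audit_peers(SAMPLE_SIP_CONF).items()):
        print("%s: %s" % (peer, "; ".join(issues)))
```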
Re: [asterisk-users] Asterisk behind a PIX firewall?
> No, then you are good, but I would bet my life that there are a good many systems that use the extension for both password and username and can be accessed from the net.

O yeah.. I can imagine.. wonder how many open systems are out there :)
Re: [asterisk-users] Asterisk behind a PIX firewall?
Steve Totaro wrote:

> Matt wrote:
>
>>> This is a dual NAT situation. PIX on Asterisk side, and Netgear on phone side. HOWEVER. The Asterisk box has its own IP but it is being tunneled through the PIX. I guess the PIX must be messing something up?
>>
>> If I remove the phone from behind the Netgear... then I get the audio from the Asterisk PBX so traffic seems to be flowing but why would it not get behind the firewalls?
>
> Trust me on this, I have tried almost everything to get it to work, the best you can hope for is one way audio in a dual NAT.

I'm in a dual-NAT situation and it works ok... with Sipura ATAs, Linksys 941 and 841, softphones, and one polycom 330.

I had to enable NAT keep alive on the Linksys/Sipuras.

Ugo
Re: [asterisk-users] Asterisk behind a PIX firewall?
Hi all,

use ingate siparator. www.ingate.com
ingate will help you to get rid of these issues.

Regards,
Vidura Senadeera
Tel - +9466596
yahoo, skype - vidurased
Sri Lanka.

=

You can also create the vpn using the existing pix and netgear, eliminating more hardware and points of failure.

- Original Message -
From: Ricardo Carvalho [EMAIL PROTECTED]
To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Sent: Tuesday, November 27, 2007 7:30:35 AM (GMT-0800) America/Los_Angeles
Subject: Re: [asterisk-users] Asterisk behind a PIX firewall?

Try to just open port 5060 for SIP signaling on the PIX and also enable the INSPECT SIP rule. That way, your PIX firewall will inspect SIP signalling and open the necessary UDP ports for the RTP. If you have NAT upstream in the network, you should see if in the layer 4 the IPs shown in the SIP messages got rewritten by its public IPs, it should have, or else you'll never get it working right.

Regards,
Ricardo Carvalho.