RE: [asterisk-users] Asterisk & Pix firewalls
That is probably because you did not disable the SIP fixup protocol. When you set up a PIX correctly it works. Guaranteed!

-----Original Message-----
From: Ed Nuñez [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 25, 2007 6:31 AM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [asterisk-users] Asterisk & Pix firewalls

Don,

This may not be a solution to your question, but I would like to share that I've been having one-way audio issues when connecting point-to-site to a PIX 515E using SIP. I changed to IAX and this is working perfectly now. It was painless to configure IAX2, so you might want to consider it.

Ed

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don E. Wisdom
Sent: Tuesday, April 24, 2007 8:25 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Asterisk & Pix firewalls

Hi,

I asked this last week but I didn't get any answer, so I will elaborate on my question. I need to set up a PIX 515 firewall (running 7.2.2 OS) to allow SIP traffic through it from a SIP phone wherever I may be. The PIX is where all my servers are colocated and I will need to connect through it from softphones/hardphones wherever I happen to be traveling. I need help setting up the PIX for inbound and outbound SIP/IAX traffic. Any help would be greatly appreciated.

Thanks
--Don

___
--Bandwidth and Colocation provided by Easynews.com --
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [asterisk-users] Asterisk & Pix firewalls
Pix usually uses NAT. A quick fix is to simply forward the ports in your NAT statements. If the pix is new, call Cisco and cheat like I do so often!

Brad

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Nuñez
Sent: Wednesday, April 25, 2007 9:31 AM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [asterisk-users] Asterisk & Pix firewalls

Don,

This may not be a solution to your question, but I would like to share that I've been having one-way audio issues when connecting point-to-site to a PIX 515E using SIP. I changed to IAX and this is working perfectly now. It was painless to configure IAX2, so you might want to consider it.

Ed

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don E. Wisdom
Sent: Tuesday, April 24, 2007 8:25 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Asterisk & Pix firewalls

Hi,

I asked this last week but I didn't get any answer, so I will elaborate on my question. I need to set up a PIX 515 firewall (running 7.2.2 OS) to allow SIP traffic through it from a SIP phone wherever I may be. The PIX is where all my servers are colocated and I will need to connect through it from softphones/hardphones wherever I happen to be traveling. I need help setting up the PIX for inbound and outbound SIP/IAX traffic. Any help would be greatly appreciated.

Thanks
--Don
RE: [asterisk-users] Asterisk & Pix firewalls
Don,

This may not be a solution to your question, but I would like to share that I've been having one-way audio issues when connecting point-to-site to a PIX 515E using SIP. I changed to IAX and this is working perfectly now. It was painless to configure IAX2, so you might want to consider it.

Ed

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don E. Wisdom
Sent: Tuesday, April 24, 2007 8:25 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Asterisk & Pix firewalls

Hi,

I asked this last week but I didn't get any answer, so I will elaborate on my question. I need to set up a PIX 515 firewall (running 7.2.2 OS) to allow SIP traffic through it from a SIP phone wherever I may be. The PIX is where all my servers are colocated and I will need to connect through it from softphones/hardphones wherever I happen to be traveling. I need help setting up the PIX for inbound and outbound SIP/IAX traffic. Any help would be greatly appreciated.

Thanks
--Don
RE: [asterisk-users] Asterisk & Pix firewalls
Again, is the 1-2 not an urban myth? Someone correct me if I'm wrong. I run about 10 external extensions and limit the ports to 1-10025. I just can't see why you would need to open 1 ports to the outside world unless you're going to have 1 simultaneous conversations.

-----Original Message-----
From: Tzafrir Cohen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 24, 2007 9:32 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Asterisk & Pix firewalls

On Tue, Apr 24, 2007 at 11:04:53PM -0400, Lee Jenkins wrote:
> Noah Miller wrote:
> >SIP:
> >TCP and UDP port 5060 (signalling) - can be changed in sip.conf
> >UDP ports 1-2 (RTP stream) - can be changed in rtp.conf
>

Yes. See rtp.conf (at least on your side).

Also, if the firewall understands SIP, it may be smart enough to open the ports for the relevant RTP ports upon the beginning of a SIP session. So consider trying not to open any port for RTP.

--
Tzafrir Cohen
icq#16849755          jabber:[EMAIL PROTECTED]
+972-50-7952406       mailto:[EMAIL PROTECTED]
http://www.xorcom.com iax:[EMAIL PROTECTED]/tzafrir
RE: [asterisk-users] Asterisk & Pix firewalls
Yes, we found (at least with Aastra phones) that we had to disable the SIP fixup protocols on a PIX 501. Here is the whole setup.

NOTE: I could be wrong but I believe the requirement to open ports 1-2 for remote extensions has become an urban myth. I don't think you need to open any more than you have extensions + maybe a few more as a buffer. That is what we are doing and haven't had any problems. I'm no expert so someone please correct me if I'm wrong.

Here is the procedure:

start>>>

Firewall/Router configuration:

The following ports needed to be forwarded to the Asterisk server for various remote access:
Port 80 (FreePBX web access)
Port 4445 (Flash Operator Panel web access)
Port 4569 (IAX remote phone clients)
Port 5059-5061 (registration and proxy server access, default is 5060)
Port 1-10025 (ports reserved for RTP voice packets for SIP phone conversations)

Aastra Phones as external extensions

This assumes the Asterisk server is configured for external extensions and the extension configuration in Asterisk is configured to be used as an external extension. Both are described earlier in this guide (sip_nat.conf, nat=yes).

Reset the phone to factory defaults. All you need to configure in the phone are phone number, caller ID, authentication name, password, Proxy IP and Registrar IP. Leave everything else at default and it should work. I also changed the registration retry timer and BLF subscription period to 120s.

Special note about Cisco PIX firewall

In order to make Aastra phones work outside a Cisco PIX firewall to the Asterisk server inside the firewall, we needed to remove "fixup protocol sip 5060" and "fixup protocol sip udp 5060", which are both enabled by default:

    no fixup protocol sip 5060
    no fixup protocol sip udp 5060

Special note about extensions over VPN

In order to make extensions work over VPNs we had to add the VPN subnets to sip_nat.conf to make the phones on the 192.168.2.0 and 192.168.3.0 subnets work with the Asterisk server on the 192.168.1.0 subnet.

Here is the whole sip_nat.conf file (comments use Asterisk's ';' syntax):

    nat=yes
    externip=xxx.xxx.xxx.xxx
    localnet=192.168.1.0/255.255.255.0
    localnet=192.168.2.0/255.255.255.0 ; VPN1 to 192.168.1.0
    localnet=192.168.3.0/255.255.255.0 ; VPN2 to 192.168.1.0
    externrefresh=10

<<

From: [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 24, 2007 8:31 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Asterisk & Pix firewalls

AFAIK asterisk doesn't yet support TCP, it is therefore not necessary to open TCP 5060.

On Cisco PIX you might also need to disable SIP fixup

On 4/24/07, Lee Jenkins <[EMAIL PROTECTED]> wrote:
> Noah Miller wrote:
> > Hi Don
> >
> >> I asked this last week but I didn't get any answer, so I will
> >> elaborate on my question. I need to set up a PIX 515 firewall
> >> (running 7.2.2 OS) to allow SIP traffic through it from a SIP phone
> >> wherever I may be. The PIX is where all my servers are colocated
> >> and I will need to connect through it from softphones/hardphones
> >> wherever I happen to be traveling. I need help setting up the PIX
> >> for inbound and outbound SIP/IAX traffic. Any help would be greatly
> >> appreciated.
> >
> > If you're looking for which ports to open:
> >
> > SIP:
> > TCP and UDP port 5060 (signalling) - can be changed in sip.conf
> > UDP ports 1-2 (RTP stream) - can be changed in rtp.conf
> >
> > IAX:
> > UDP Port 4569
> >
>
> Is it possible to reduce the number of ports to be opened if there is
> moderate traffic?
>
> --
> Warm Regards,
> Lee
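As an added illustration of why adding the VPN subnets to localnet= fixed those phones (example code written for this thread, not Asterisk's own code or the poster's setup; the server LAN address, the externip value and the "before" config are constructed placeholders):

```python
# Added example, not from the thread or from Asterisk itself: models the
# choice chan_sip makes from sip_nat.conf when it writes the media address
# into the SDP it sends a peer. A peer whose address falls inside any
# localnet= subnet is given the server's LAN address; any other peer is given
# externip=. A VPN subnet missing from localnet= therefore gets the public
# address, which is why the 192.168.2.0/192.168.3.0 phones needed those lines.
import ipaddress

SERVER_LAN_IP = "192.168.1.10"   # constructed: the Asterisk box's LAN address

# Constructed copy of the thread's sip_nat.conf with a placeholder externip.
SIP_NAT_CONF_FIXED = """\
nat=yes
externip=203.0.113.10                ; placeholder public address
localnet=192.168.1.0/255.255.255.0
localnet=192.168.2.0/255.255.255.0   ; VPN1 to 192.168.1.0
localnet=192.168.3.0/255.255.255.0   ; VPN2 to 192.168.1.0
externrefresh=10
"""

# The same file before the VPN subnets were added (constructed).
SIP_NAT_CONF_BEFORE = "\n".join(
    line for line in SIP_NAT_CONF_FIXED.splitlines() if "VPN" not in line) + "\n"

def parse_sip_nat_conf(text):
    """Return (externip, [localnet networks]); ';' starts a comment and
    localnet= may be 'addr/netmask' (as in the thread) or CIDR."""
    externip, localnets = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "externip":
            externip = value
        elif key == "localnet":
            localnets.append(ipaddress.ip_network(value, strict=False))
    return externip, localnets

def sdp_media_address(peer_ip, conf_text, lan_ip=SERVER_LAN_IP):
    """Address Asterisk would advertise in the SDP c= line to this peer."""
    externip, localnets = parse_sip_nat_conf(conf_text)
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in localnets):
        return lan_ip
    return externip

def peers_sent_public_address(peer_ips, conf_text):
    """Private-range peers that would be told to send RTP to externip: their
    media heads for the public address instead of the server, which shows up
    as one-way or no audio."""
    return [p for p in peer_ips
            if ipaddress.ip_address(p).is_private
            and sdp_media_address(p, conf_text) != SERVER_LAN_IP]
```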
Re: [asterisk-users] Asterisk & Pix firewalls
>> Is it possible to reduce the number of ports to be opened if there is
>> moderate traffic?
>
> Yes, you could set rtpstart and rtpend in rtp.conf to whatever. I have
>
> rtpstart 1
> rtpend 10100
>
> This is about enough for 25 concurrent conversations
>
> Nice. Thanks.

Another way to reduce the number of ports is just to not allow SIP outside your firewall. That may not be possible in all situations, but if you only use IAX on the outside, you'll only have to open UDP 4569. And, if you're dealing with static addresses, you can limit the traffic to a small number of IPs.

- Noah
Re: [asterisk-users] Asterisk & Pix firewalls
Remco Post wrote:
> Lee Jenkins wrote:
>> Is it possible to reduce the number of ports to be opened if there is
>> moderate traffic?
>
> Yes, you could set rtpstart and rtpend in rtp.conf to whatever. I have
>
> rtpstart 1
> rtpend 10100
>
> This is about enough for 25 concurrent conversations

Nice. Thanks.

--
Warm Regards,
Lee
Re: [asterisk-users] Asterisk & Pix firewalls
Olivier wrote:
> With SIP fixup, would you say usual firewall traversal issues are solved so that, for instance, you can connect home workers to an enterprise PBX?
>
> regards

No. SIP fixup doesn't always solve the issues. One of the things I've noticed with home users is they're almost always behind a router that has its own firewall, and that firewall is almost never configured properly. Create a how-to for those workers and, if possible, have that user isolate their phone to a DMZ. Also, depending on your internal networking, remember NAT + certain VoIP phones (Polycom!) = headache.

Whenever possible while dealing with Asterisk, I personally try to lock down the machine and place it in a DMZ so home workers won't have to deal with DMZs, NAT, and other terms that will leave them like a deer in a headlight. This varies according to the client though; since I deal with managed PBXs it's also easier for me to administrate than it would be for me to have to wait for someone on their IT side to punch a hole in their network to let me in solely to add an extension or clear someone's voicemail. (So... results may vary.)

I've recently had a client who had three or four remote locations with a PIX in each location doing VPNs. PIX's fixup did little and I ended up having to butcher up rules to get things to work properly.

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
Re: [asterisk-users] Asterisk & Pix firewalls
With SIP fixup, would you say usual firewall traversal issues are solved so that, for instance, you can connect home workers to an enterprise PBX?

regards
Re: [asterisk-users] Asterisk & Pix firewalls
Lee Jenkins wrote:
>
> Is it possible to reduce the number of ports to be opened if there is
> moderate traffic?
>

Yes, you could set rtpstart and rtpend in rtp.conf to whatever. I have

rtpstart 1
rtpend 10100

This is about enough for 25 concurrent conversations

--
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten                    http://www.sara.nl
High Performance Computing  Tel. +31 20 592 3000   Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams
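As an added example for Remco's rtpstart/rtpend answer and the "how many RTP ports" question raised in the replies above (example code written for this thread, not Asterisk's or any poster's): it sizes an rtp.conf range using two ports per RTP session and two sessions per bridged conversation, which is the arithmetic that makes a 101-port range come out at about 25 conversations, and it checks a firewall's permitted UDP ranges against the range. The rtp.conf contents and the permitted ranges are constructed; the count depends on simultaneous calls, not on how many extensions are registered.

```python
# Added example, not from the thread: sizes an rtp.conf range the way the
# thread's numbers imply (101 ports for about 25 conversations) and checks
# that the firewall actually permits the whole range. Assumptions, stated as
# such: each RTP session occupies an even RTP port plus the next odd RTCP
# port, and a conversation bridged through Asterisk has two such sessions.
import re

# Constructed sample rtp.conf (the thread's own values are not reproduced).
RTP_CONF = """\
[general]
rtpstart=10000
rtpend=10100
"""

def parse_rtp_conf(text):
    """Return (rtpstart, rtpend) from an rtp.conf body; ';' starts a comment."""
    found = {}
    for raw in text.splitlines():
        m = re.match(r"\s*(rtpstart|rtpend)\s*=\s*(\d+)", raw.split(";", 1)[0])
        if m:
            found[m.group(1)] = int(m.group(2))
    return found["rtpstart"], found["rtpend"]

def rtp_capacity(rtpstart, rtpend, legs_per_call=2):
    """Bridged conversations the range supports. Use legs_per_call=1 when the
    server terminates the media itself (voicemail, IVR) instead of bridging."""
    if not 1 <= rtpstart <= rtpend <= 65535:
        raise ValueError("rtp range must satisfy 1 <= rtpstart <= rtpend <= 65535")
    first_even = rtpstart + (rtpstart % 2)         # RTP sits on even ports
    port_pairs = (rtpend - first_even + 1) // 2    # one RTP/RTCP pair each
    return port_pairs // legs_per_call

def rtpend_for(calls, rtpstart=10000, legs_per_call=2):
    """Smallest rtpend that still carries `calls` bridged conversations."""
    first_even = rtpstart + (rtpstart % 2)
    return first_even + 2 * calls * legs_per_call - 1

def uncovered_rtp_ports(rtpstart, rtpend, allowed_udp_ranges):
    """Ports in [rtpstart, rtpend] that no permitted (lo, hi) UDP range covers.
    A non-empty result means some calls will set up but carry no audio."""
    return [p for p in range(rtpstart, rtpend + 1)
            if not any(lo <= p <= hi for lo, hi in allowed_udp_ranges)]

def audit(conf_text, allowed_udp_ranges):
    """Summary for a given rtp.conf and firewall rule set (constructed input)."""
    start, end = parse_rtp_conf(conf_text)
    missing = uncovered_rtp_ports(start, end, allowed_udp_ranges)
    return {"calls": rtp_capacity(start, end), "uncovered": len(missing)}
```

A firewall that permits fewer ports than rtp.conf hands out is the mismatch to look for when a call connects but one side hears nothing.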
Re: [asterisk-users] Asterisk & Pix firewalls
I second that. The PIX has SIP fixup which allows RTP traffic to pass dynamically based on SDP information, so you don't need to create a rule for the RTP range - just allow SIP UDP 5060.

On 4/25/07, Tzafrir Cohen <[EMAIL PROTECTED]> wrote:
> On Tue, Apr 24, 2007 at 11:04:53PM -0400, Lee Jenkins wrote:
> > Noah Miller wrote:
> > >SIP:
> > >TCP and UDP port 5060 (signalling) - can be changed in sip.conf
> > >UDP ports 1-2 (RTP stream) - can be changed in rtp.conf
> >
>
> Yes. See rtp.conf (at least on your side).
>
> Also, if the firewall understands SIP, it may be smart enough to open the ports for the relevant RTP ports upon the beginning of a SIP session. So consider trying not to open any port for RTP.
>
> --
> Tzafrir Cohen
> icq#16849755          jabber:[EMAIL PROTECTED]
> +972-50-7952406       mailto:[EMAIL PROTECTED]
> http://www.xorcom.com iax:[EMAIL PROTECTED]/tzafrir
Re: [asterisk-users] Asterisk & Pix firewalls
On Tue, Apr 24, 2007 at 11:04:53PM -0400, Lee Jenkins wrote:
> Noah Miller wrote:
> >SIP:
> >TCP and UDP port 5060 (signalling) - can be changed in sip.conf
> >UDP ports 1-2 (RTP stream) - can be changed in rtp.conf
>

Yes. See rtp.conf (at least on your side).

Also, if the firewall understands SIP, it may be smart enough to open the ports for the relevant RTP ports upon the beginning of a SIP session. So consider trying not to open any port for RTP.

--
Tzafrir Cohen
icq#16849755          jabber:[EMAIL PROTECTED]
+972-50-7952406       mailto:[EMAIL PROTECTED]
http://www.xorcom.com iax:[EMAIL PROTECTED]/tzafrir
Re: [asterisk-users] Asterisk & Pix firewalls
AFAIK asterisk doesn't yet support TCP, it is therefore not necessary to open TCP 5060.

On Cisco PIX you might also need to disable SIP fixup

On 4/24/07, Lee Jenkins <[EMAIL PROTECTED]> wrote:
> Noah Miller wrote:
> > Hi Don
> >
> >> I asked this last week but I didn't get any answer, so I will
> >> elaborate on my question. I need to set up a PIX 515 firewall
> >> (running 7.2.2 OS) to allow SIP traffic through it from a SIP phone
> >> wherever I may be. The PIX is where all my servers are colocated
> >> and I will need to connect through it from softphones/hardphones
> >> wherever I happen to be traveling. I need help setting up the PIX
> >> for inbound and outbound SIP/IAX traffic. Any help would be greatly
> >> appreciated.
> >
> > If you're looking for which ports to open:
> >
> > SIP:
> > TCP and UDP port 5060 (signalling) - can be changed in sip.conf
> > UDP ports 1-2 (RTP stream) - can be changed in rtp.conf
> >
> > IAX:
> > UDP Port 4569
> >
>
> Is it possible to reduce the number of ports to be opened if there is
> moderate traffic?
>
> --
> Warm Regards,
> Lee
Re: [asterisk-users] Asterisk & Pix firewalls
Noah Miller wrote:
> Hi Don -
>
>> I asked this last week but I didn't get any answer, so I will
>> elaborate on my question. I need to set up a PIX 515 firewall
>> (running 7.2.2 OS) to allow SIP traffic through it from a SIP phone
>> wherever I may be. The PIX is where all my servers are colocated
>> and I will need to connect through it from softphones/hardphones
>> wherever I happen to be traveling. I need help setting up the PIX
>> for inbound and outbound SIP/IAX traffic. Any help would be greatly
>> appreciated.
>
> If you're looking for which ports to open:
>
> SIP:
> TCP and UDP port 5060 (signalling) - can be changed in sip.conf
> UDP ports 1-2 (RTP stream) - can be changed in rtp.conf
>
> IAX:
> UDP Port 4569

Is it possible to reduce the number of ports to be opened if there is moderate traffic?

--
Warm Regards,
Lee
Re: [asterisk-users] Asterisk & Pix firewalls
Hi Don -

> I asked this last week but I didn't get any answer, so I will
> elaborate on my question. I need to set up a PIX 515 firewall
> (running 7.2.2 OS) to allow SIP traffic through it from a SIP phone
> wherever I may be. The PIX is where all my servers are colocated
> and I will need to connect through it from softphones/hardphones
> wherever I happen to be traveling. I need help setting up the PIX
> for inbound and outbound SIP/IAX traffic. Any help would be greatly
> appreciated.

If you're looking for which ports to open:

SIP:
TCP and UDP port 5060 (signalling) - can be changed in sip.conf
UDP ports 1-2 (RTP stream) - can be changed in rtp.conf

IAX:
UDP Port 4569

- Noah