asterisk / sip / nat

Asked by cenetadmin in Voice Over IP

Tags: asterisk, sip, nat

I have a PIX firewall and an Asterisk computer behind it.  I have 2 Grandstream telephones outside of the PIX and behind Linksys firewalls.  We can dial each other, but we cannot hear each other.  How do I set this up so that we can hear each other?

Also, I have to use qualify=2000 to keep the port open, but if the network is slow, the phone does not return quickly enough. Is there a timeout value I can set longer to avoid this situation?

Here are the config files for the pix, asterisk, and sip:

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cenetstptrsrtr01
domain-name inetstptrsds.local
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service RTP udp
  description For SIP
  port-object range 10000 20000
object-group service SIP udp
  description SIP port 5060-5061
  port-object eq 5060
access-list 102 permit tcp any host 67.103.170.6 eq 3389
access-list 102 permit tcp any host 67.103.170.7 eq 3389
access-list 102 permit tcp any host 67.103.170.6 eq pop3
access-list 102 permit tcp any host 67.103.170.6 eq smtp
access-list 102 permit tcp any host 67.103.170.7 eq https
access-list 102 permit tcp any host 67.103.170.7 eq www
access-list 102 permit tcp any host 67.103.170.8 eq www
access-list 102 permit tcp any host 67.103.170.9 eq www
access-list 102 permit tcp any host 67.103.170.10 eq www
access-list 102 permit tcp any host 67.103.170.11 eq www
access-list 102 permit tcp any host 67.103.170.12 eq www
access-list 102 permit tcp any host 67.103.170.13 eq www
access-list 102 permit tcp any host 67.103.170.14 eq www
access-list 102 permit tcp any host 67.103.170.15 eq www
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq 4500
access-list 102 permit udp any any eq 10000
access-list 102 permit tcp any host 67.103.170.18 eq www
access-list 102 permit udp any host 67.103.170.3 range 5004 5082
access-list 102 permit tcp any host 67.103.170.3 range 5004 5082
access-list 102 permit udp any host 67.103.170.3 range 10000 20000
access-list 102 permit tcp any host 67.103.170.3 range 10000 20000
access-list 102 permit udp any host 67.103.170.3 eq 4569
access-list 102 permit tcp any host 67.103.170.3 eq 4569
access-list 102 permit tcp any host 67.103.170.3 eq www
access-list 102 permit tcp any host 67.103.170.3 eq ssh
access-list 102 permit tcp any host 67.103.170.7 eq ssh
access-list 102 permit tcp any host 67.103.170.7 eq smtp
access-list 102 permit tcp any host 67.103.170.7 eq pop3
access-list 102 permit tcp any host 67.103.170.6 eq www
access-list 102 permit tcp any host 67.103.170.3 eq smtp
access-list 102 permit tcp any host 67.103.170.3 eq pop3
access-list 102 permit tcp any host 67.103.170.3 eq https
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpnlist permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPN_SPLIT permit ip 192.168.2.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 67.103.170.5 255.255.255.240
ip address inside 192.168.2.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL 192.168.254.1-192.168.254.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 67.103.170.2
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 67.103.170.6 pop3 192.168.2.22 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.6 smtp 192.168.2.22 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.6 3389 192.168.2.22 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.7 3389 192.168.2.20 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.7 www 192.168.2.22 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.7 https 192.168.2.22 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.8 www 192.168.2.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.9 www 192.168.2.9 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.10 www 192.168.2.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.11 www 192.168.2.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.12 www 192.168.2.12 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.13 www 192.168.2.13 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.14 www 192.168.2.14 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.103.170.15 www 192.168.2.15 www netmask 255.255.255.255 0 0
static (inside,outside) 67.103.170.4 192.168.2.99 netmask 255.255.255.255 0 0
static (inside,outside) 67.103.170.3 192.168.2.2 netmask 255.255.255.255 0 0
access-group 102 in interface outside
conduit permit udp any object-group RTP any
conduit permit udp any object-group SIP any
route outside 0.0.0.0 0.0.0.0 67.103.170.1 1
route outside 192.168.254.0 255.255.255.0 67.103.170.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end

Here is my Asterisk RTP configuration:

;
; RTP Configuration
;
[general]
;
; RTP start and RTP end configure start and end addresses
;
; Defaults are rtpstart=5000 and rtpend=31000
;
rtpstart=10000
rtpend=20000
;
; Whether to enable or disable UDP checksums on RTP traffic
;
;rtpchecksums=no
;
; The amount of time a DTMF digit with no 'end' marker should be
; allowed to continue (in 'samples', 1/8000 of a second)
;
;dtmftimeout=3000

sip.conf

[1131]
type=friend
nat=yes
canreinvite=yes
dtmfmode=rfc2833
disallow=all
allow=ulaw
allow=alaw
username=1131
secret=1131
host=dynamic
context=druid-default
callerid="1131" <1131>
mailbox=1131@default
video=no
restrictcid=no
qualify=2000

[1130]
type=friend
nat=yes
canreinvite=yes
dtmfmode=rfc2833
disallow=all
allow=ulaw
allow=alaw
username=1130
secret=1130
host=dynamic
context=druid-default
callerid="1130" <1130>
mailbox=1130@default
video=no
restrictcid=no
qualify=2000

Thanks

Eric

Accepted Solution (09/15/06 12:55 AM, ID: 17527309)

About this solution

Zone: Voice Over IP
Tags: asterisk, sip, nat
Solution Provided By: feptias
Participating Experts: 2
Solution Grade: A
 