• Status: Solved
  • Priority: Medium
  • Security: Public
Request help forwarding RTP/SIP from ADSL through PIX Firewall

The problem I am having is that the ADSL modem/router can only forward to the PIX port to port, meaning no range. ADSL is using NAT. Pix 515E is using NAT.
Trying to use a virtual IP on the ADSL router only lets me choose an IP address that the ADSL router sees incoming. I have SMTP/POP3/SIP working. The problem is RTP: the call can establish, but there is only one-way audio. Phone server is Trixbox. I might be trying the wrong kind of NAT statement on the PIX-515E. Thanks
1 Solution
 
gagyles (Author) commented:
PIX Version 7.2(2)
!
hostname Gyles-Firewall
domain-name gagyles.org
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.168.111.17 asterisk description VOIP
name 192.168.3.0 default
name 192.168.3.17 Server description Domain and mail
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
 ospf cost 10
 rip send version 2
!
interface Ethernet2
 speed 100
 duplex full
 shutdown
 nameif DMZ
 security-level 50
 ip address 192.168.4.1 255.255.255.0
 ospf cost 10
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix722.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup Outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 192.168.3.19
 domain-name gagyles.org
same-security-traffic permit intra-interface
object-group service TCP-NNTP tcp
 port-object range https https
 port-object range 563 563
object-group service UDP-NNTP udp
 port-object range 443 443
 port-object range 563 563
object-group network Home
 network-object 192.168.111.0 255.255.255.0
 network-object 192.168.168.0 255.255.255.0
 network-object default 255.255.255.0
object-group service voip udp
 port-object range 10000 20000
 port-object eq www
 port-object range sip 5070
 port-object range 4569 4569
access-list inside_nat_static extended permit tcp host Server eq smtp any eq smtp
access-list inside_nat_outbound extended permit ip object-group Home any
access-list DMZ_nat_outbound extended permit ip 192.168.4.0 255.255.255.0 any
access-list smtp_in extended permit tcp any interface Outside eq pop3
access-list smtp_in extended permit tcp any interface Outside eq smtp
access-list smtp_in extended permit udp any interface Outside object-group voip
access-list smtp_in extended permit icmp any interface Outside
access-list smtp_in extended permit tcp any interface inside eq pptp
pager lines 24
logging enable
logging timestamp
logging list George level informational
logging list email message 106015
logging list email message 106023
logging trap George
logging history informational
logging asdm informational
logging mail email
logging from-address Pix@gagyles.org
logging host inside 192.168.3.16
logging class auth asdm debugging
logging class ids trap warnings
logging class ip trap warnings
logging class rip trap informational
no logging message 305006
mtu Outside 1492
mtu inside 1500
mtu DMZ 1500
ip local pool gyles 192.168.3.125-192.168.3.128 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name info info action alarm
ip audit name outside attack action drop
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound dns
nat (DMZ) 1 access-list DMZ_nat_outbound dns
static (inside,Outside) tcp interface smtp access-list inside_nat_static
static (inside,Outside) udp interface 4569 asterisk 4569 netmask 255.255.255.255
static (inside,Outside) tcp interface pop3 Server pop3 netmask 255.255.255.255  dns
access-group smtp_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.168.0 255.255.255.0 192.168.2.1 1
route inside 192.168.111.0 255.255.255.0 192.168.2.1 1
route inside default 255.255.255.0 192.168.2.1 1
!
router rip
 network default
 version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy gyles internal
group-policy gyles attributes
 dns-server value 192.168.3.17
 vpn-tunnel-protocol IPSec
 default-domain value gagyles.org
username george password tanKe2TM2zVSQkOG encrypted privilege 15
username george attributes
 vpn-group-policy gyles
http server enable
http 192.168.2.0 255.255.255.0 inside
http default 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.3.16 community S@msungg21 version 2c
snmp-server location Naples Italy
snmp-server contact George Gyles
snmp-server community S@msungg21
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt connection tcpmss 0
no service resetoutbound interface Outside
no service resetoutbound interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group gyles type ipsec-ra
tunnel-group gyles general-attributes
 address-pool gyles
 default-group-policy gyles
tunnel-group gyles ipsec-attributes
 pre-shared-key *
telnet default 255.255.255.0 inside
telnet 192.168.3.16 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.3-192.168.2.254 inside
dhcpd enable inside
!
!
class-map global-class-rtp
 match rtp 10000 10000
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect sip Voip
 parameters
  max-forwards-validation action drop log
  no traffic-non-sip
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
 class global-class-rtp
  inspect sip Voip
!
service-policy global_policy global
smtp-server 192.168.3.17
client-update enable
prompt hostname context
Cryptochecksum:500dbc8e358e60b2a0b0e8a2c764ae59
: end
asdm image flash:/asdm-522.bin
asdm history enable
 
lrmoore commented:
Have you tried setting the DSL modem to bridge mode so that the PIX gets the real public IP address?
 
gagyles (Author) commented:
Modem is locked down, so I can't make very many changes. Would love to change the outside of the PIX to a PPPoE connection, but with the modem locked down I am unable to. Also, this modem uses a smart card for its configuration. If I try a different modem, I don't receive my static IP; it switches over to a dynamic address.
 
Ron Malmstead (Information Services Manager) commented:
SIP with NAT is a problem many have faced... not everyone's solution is likely to be the same.
The problem gets easier if you start using "best practice" configurations/setups...

I agree with lrmoore.
Except, I would put the Asterisk server in the DMZ and give it a public IP address.

If you do this, you should start by contacting your ISP, and they can help you configure your modem to allow your Firewall to have a public IP address.

-----------------------------------------------------------------------------------------------------------------------------

If you don't want to go that route... here are some links.
http://www.voip-info.org/wiki/index.php?page_id=410&tk=1d50ad363a353d71cc62&comments_page=1

You could also try using a stun server.
http://www.voip-info.org/wiki-STUN
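One-way audio through NAT usually shows up in the SDP that the SIP server emits: the c= line carries the server's private address, so the far end sends RTP somewhere unreachable even though signalling works. As an added diagnostic (not from this thread or from Trixbox/Cisco), the snippet below parses the SDP of a captured INVITE, flags media descriptions that advertise a private address, and checks the RTP port against the 10000-20000 range permitted in the PIX 'voip' object-group above; the INVITE text is a constructed sample that reuses the asterisk address 192.168.111.17 from the posted config.

```python
import ipaddress

# Constructed sample INVITE: the PBX advertises its private address in the SDP,
# which is the classic setup for one-way audio behind NAT.
SAMPLE_INVITE = (
    "INVITE sip:2001@172.32.10.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.111.17:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:1001@192.168.111.17:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.111.17\r\n"
    "s=session\r\n"
    "c=IN IP4 192.168.111.17\r\n"
    "t=0 0\r\n"
    "m=audio 14000 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# UDP range forwarded for RTP in the PIX 'voip' object-group (port-object range 10000 20000).
RTP_RANGE = (10000, 20000)


def parse_sdp_media(message):
    """Return one dict per m= line with the media type, port and connection address.

    A c= line before any m= line is session-level and applies to every stream;
    a c= line after an m= line is media-level and overrides it for that stream.
    """
    body = message.partition("\r\n\r\n")[2]
    session_addr = None
    media = []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if media:
                media[-1]["addr"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            fields = line.split()
            media.append({"type": fields[0][2:], "port": int(fields[1]), "addr": session_addr})
    return media


def sdp_nat_findings(message, rtp_range=RTP_RANGE):
    """List the reasons this SDP will produce one-way or no audio through the NAT setup."""
    findings = []
    lo, hi = rtp_range
    for m in parse_sdp_media(message):
        if m["addr"] and ipaddress.ip_address(m["addr"]).is_private:
            findings.append(f"{m['type']} media advertises private address {m['addr']}: "
                            "far end will send RTP to an unreachable address")
        if not lo <= m["port"] <= hi:
            findings.append(f"{m['type']} port {m['port']} is outside the forwarded RTP range {lo}-{hi}")
    return findings
```

Run it against an INVITE captured on the outside of both NAT devices: the PIX's SIP inspection is meant to rewrite these addresses, so a private c= address seen there means the rewrite did not happen.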
 
gagyles (Author) commented:
No more responses.