Request help forwarding RTP/SIP from ADSL through PIX Firewall

Posted on 2008-11-08
Last Modified: 2013-11-12
The problem I am having is that the ADSL modem/router can only forward to the PIX port-to-port, meaning no range. The ADSL router is using NAT. The PIX 515E is using NAT.
Trying to use a virtual IP on the ADSL router will only let me choose the IP address that the ADSL router sees incoming. I have SMTP/POP3/SIP working. The problem is RTP: the call can establish, but with only one-way audio. The phone server is Trixbox. I might be trying the wrong kind of NAT statement on the PIX-515E. Thanks
Question by: gagyles

    Author Comment

    PIX Version 7.2(2)
    hostname Gyles-Firewall
    enable password 8Ry2YjIyt7RRXU24 encrypted
    name asterisk description VOIP
    name default
    name Server description Domain and mail
    interface Ethernet0
     nameif Outside
     security-level 0
     ip address
     ospf cost 10
    interface Ethernet1
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address
     ospf cost 10
     rip send version 2
    interface Ethernet2
     speed 100
     duplex full
     nameif DMZ
     security-level 50
     ip address
     ospf cost 10
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot system flash:/pix722.bin
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    dns domain-lookup Outside
    dns domain-lookup inside
    dns domain-lookup DMZ
    dns server-group DefaultDNS
    same-security-traffic permit intra-interface
    object-group service TCP-NNTP tcp
     port-object range https https
     port-object range 563 563
    object-group service UDP-NNTP udp
     port-object range 443 443
     port-object range 563 563
    object-group network Home
     network-object default
    object-group service voip udp
     port-object range 10000 20000
     port-object eq www
     port-object range sip 5070
     port-object range 4569 4569
    access-list inside_nat_static extended permit tcp host Server eq smtp any eq smtp
    access-list inside_nat_outbound extended permit ip object-group Home any
    access-list DMZ_nat_outbound extended permit ip any
    access-list smtp_in extended permit tcp any interface Outside eq pop3
    access-list smtp_in extended permit tcp any interface Outside eq smtp
    access-list smtp_in extended permit udp any interface Outside object-group voip
    access-list smtp_in extended permit icmp any interface Outside
    access-list smtp_in extended permit tcp any interface inside eq pptp
    pager lines 24
    logging enable
    logging timestamp
    logging list George level informational
    logging list email message 106015
    logging list email message 106023
    logging trap George
    logging history informational
    logging asdm informational
    logging mail email
    logging from-address
    logging host inside
    logging class auth asdm debugging
    logging class ids trap warnings
    logging class ip trap warnings
    logging class rip trap informational
    no logging message 305006
    mtu Outside 1492
    mtu inside 1500
    mtu DMZ 1500
    ip local pool gyles mask
    ip verify reverse-path interface inside
    ip verify reverse-path interface DMZ
    ip audit name info info action alarm
    ip audit name outside attack action drop
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-522.bin
    asdm history enable
    arp timeout 14400
    global (Outside) 1 interface
    nat (inside) 1 access-list inside_nat_outbound dns
    nat (DMZ) 1 access-list DMZ_nat_outbound dns
    static (inside,Outside) tcp interface smtp access-list inside_nat_static
    static (inside,Outside) udp interface 4569 asterisk 4569 netmask
    static (inside,Outside) tcp interface pop3 Server pop3 netmask  dns
    access-group smtp_in in interface Outside
    route Outside 1
    route inside 1
    route inside 1
    route inside default 1
    router rip
     network default
     version 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy gyles internal
    group-policy gyles attributes
     dns-server value
     vpn-tunnel-protocol IPSec
     default-domain value
    username george password tanKe2TM2zVSQkOG encrypted privilege 15
    username george attributes
     vpn-group-policy gyles
    http server enable
    http inside
    http default inside
    http inside
    snmp-server host inside community S@msungg21 version 2c
    snmp-server location Naples Italy
    snmp-server contact George Gyles
    snmp-server community S@msungg21
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    sysopt connection tcpmss 0
    no service resetoutbound interface Outside
    no service resetoutbound interface inside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map Outside_dyn_map 20 set pfs
    crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
    crypto map Outside_map interface Outside
    crypto isakmp enable Outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group gyles type ipsec-ra
    tunnel-group gyles general-attributes
     address-pool gyles
     default-group-policy gyles
    tunnel-group gyles ipsec-attributes
     pre-shared-key *
    telnet default inside
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address inside
    dhcpd enable inside
    class-map global-class-rtp
     match rtp 10000 10000
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
      message-length maximum 512
    policy-map type inspect sip Voip
      max-forwards-validation action drop log
      no traffic-non-sip
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect http
     class global-class-rtp
      inspect sip Voip
    service-policy global_policy global
    client-update enable
    prompt hostname context
    : end

    Expert Comment

    Have you tried setting the DSL modem to bridge mode so that the PIX gets the real public IP address?

    Author Comment

    The modem is locked down, so I can't make very many changes. I would love to change the outside of the PIX to a PPPoE connection, but with the modem locked down I am unable to. Also, this modem uses a smart card for its configuration. If I try a different modem, I don't receive my static IP; it switches over to a dynamic address.

    Accepted Solution

    SIP with NAT is a problem many have faced... not everyone's solution is likely to be the same.
    The problem gets easier if you start using "best practice" configurations/setups...

    I agree with lrmoore.
    Except, I would put the Asterisk server in the DMZ and give it a public IP address.

    If you do this, you should start by contacting your ISP, and they can help you configure your modem to allow your firewall to have a public IP address.


    If you don't want to go that route, ... here are some links.

    You could also try using a STUN server.
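
The symptom in the question (calls set up, audio flows one way) and the STUN suggestion in the accepted answer, as an added example that is not part of this thread and is not Trixbox, Asterisk or Cisco code. It builds an RFC 5389 STUN Binding Request, parses the Binding Success Response to learn the NAT's reflexive address, and then applies that address to an SDP offer the way a SIP ALG or a STUN-aware endpoint would, so the far end stops being told to send RTP to an RFC 1918 address. Everything in it is constructed: Asterisk at 192.168.1.10, a public address of 203.0.113.7 (TEST-NET-3) with mapped port 34567, and a STUN server reply that is built locally by build_binding_response() instead of arriving from a real server.

```python
"""Offline STUN Binding exchange plus the SDP rewrite that makes RTP reachable through NAT.

Added example, not code from the thread, Trixbox or Cisco. Assumed/constructed values:
Asterisk at 192.168.1.10, NAT public side 203.0.113.7, mapped RTP port 34567, and a
STUN reply synthesised by build_binding_response() rather than received off the wire.
"""
import ipaddress
import os
import re
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed value present in every STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_binding_request(txn_id):
    """Client side: 20-byte header, no attributes. txn_id is 12 random bytes."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def build_binding_response(txn_id, public_ip, public_port):
    """Server side (constructed here so the example runs offline): echoes the transaction
    ID and returns the NAT's reflexive address in XOR-MAPPED-ADDRESS. Port and IP are
    XORed with the magic cookie so that ALGs on the path do not rewrite them."""
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(public_ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)        # reserved, IPv4, port, address
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def parse_reflexive_address(response, expected_txn_id):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, rejecting anything that is not a
    success reply to our own transaction (stale or spoofed replies are ignored)."""
    if len(response) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if cookie != MAGIC_COOKIE or response[8:20] != expected_txn_id:
        raise ValueError("not a reply to our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN type 0x{msg_type:04x}")
    body, pos = response[20:20 + length], 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            _, _, xport, xaddr = struct.unpack("!BBHI", value)
            return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + ((attr_len + 3) & ~3)                       # attributes are 4-byte padded
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def private_media_addresses(sdp):
    """The cause of one-way audio: c= lines that tell the far end to send RTP to an
    RFC 1918 address it cannot route to. Returns the offending addresses."""
    found = re.findall(r"^c=IN IP4 (\S+)\r?$", sdp, flags=re.M)
    return [ip for ip in found if any(ipaddress.IPv4Address(ip) in n for n in RFC1918)]


def rewrite_sdp(sdp, public_ip, port_map):
    """What a SIP ALG or a STUN-aware endpoint does: advertise the reflexive IP in c=
    and the externally mapped port in each m= line.
    port_map maps inside RTP port -> outside port; unmapped ports are left alone."""
    sdp = re.sub(r"^(c=IN IP4 )\S+(\r?)$", lambda m: m.group(1) + public_ip + m.group(2),
                 sdp, flags=re.M)

    def fix_media(m):
        outside = port_map.get(int(m.group(2)), int(m.group(2)))
        return f"{m.group(1)}{outside}{m.group(3)}{m.group(4)}"

    return re.sub(r"^(m=\w+ )(\d+)( [^\r\n]*)(\r?)$", fix_media, sdp, flags=re.M)


# Constructed sample offer from an Asterisk box behind NAT (CRLF line endings as SDP requires).
SAMPLE_SDP = ("v=0\r\no=- 1 1 IN IP4 192.168.1.10\r\ns=-\r\n"
              "c=IN IP4 192.168.1.10\r\nt=0 0\r\n"
              "m=audio 10000 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n")


def demo():
    """Run the exchange end to end and report what changed in the SDP."""
    txn_id = os.urandom(12)
    request = build_binding_request(txn_id)
    # A real client sends `request` over UDP from the RTP socket; the reply is constructed here.
    response = build_binding_response(txn_id, "203.0.113.7", 34567)
    public_ip, public_port = parse_reflexive_address(response, txn_id)
    fixed = rewrite_sdp(SAMPLE_SDP, public_ip, {10000: public_port})
    return {"request_len": len(request), "before": private_media_addresses(SAMPLE_SDP),
            "after": private_media_addresses(fixed), "public": (public_ip, public_port),
            "sdp": fixed}


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Two caveats a practitioner will want. The Binding Request has to be sent from the same UDP socket that will carry the RTP (here local port 10000), because the mapping STUN reports is per source port; sending it from another socket learns the wrong mapping. And the rewrite only fixes what the SDP advertises: the far end's RTP still has to be allowed in on the mapped port, and with two NAT hops the address learned by STUN is the outermost one, which is what the bridge-mode and public-IP suggestions in this thread are trying to arrange. A SIP ALG such as `inspect sip` on the PIX can only rewrite to an address it knows about, which is the one its own NAT produces.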

    Author Closing Comment

    no more responses
