Request help forwarding RTP/SIP from ADSL through PIX Firewall

The problem I am having is that the ADSL modem/router can forward to the PIX on a port-to-port basis, meaning no range. The ADSL is using NAT. The PIX 515E is using NAT.
I am trying to use a virtual IP on the ADSL router, but it will only let me choose an IP address that the ADSL router sees incoming. I have SMTP/POP3/SIP working. The problem is RTP: a call can establish, but there is only one-way audio. The phone server is Trixbox. I might be trying the wrong kind of NAT statement on the PIX-515E. Thanks
gagyles (Author) Commented:
PIX Version 7.2(2)
hostname Gyles-Firewall
enable password 8Ry2YjIyt7RRXU24 encrypted
name asterisk description VOIP
name default
name Server description Domain and mail
interface Ethernet0
 nameif Outside
 security-level 0
 ip address
 ospf cost 10
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
 ospf cost 10
 rip send version 2
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address
 ospf cost 10
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix722.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup Outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object-group service TCP-NNTP tcp
 port-object range https https
 port-object range 563 563
object-group service UDP-NNTP udp
 port-object range 443 443
 port-object range 563 563
object-group network Home
 network-object default
object-group service voip udp
 port-object range 10000 20000
 port-object eq www
 port-object range sip 5070
 port-object range 4569 4569
access-list inside_nat_static extended permit tcp host Server eq smtp any eq smtp
access-list inside_nat_outbound extended permit ip object-group Home any
access-list DMZ_nat_outbound extended permit ip any
access-list smtp_in extended permit tcp any interface Outside eq pop3
access-list smtp_in extended permit tcp any interface Outside eq smtp
access-list smtp_in extended permit udp any interface Outside object-group voip
access-list smtp_in extended permit icmp any interface Outside
access-list smtp_in extended permit tcp any interface inside eq pptp
pager lines 24
logging enable
logging timestamp
logging list George level informational
logging list email message 106015
logging list email message 106023
logging trap George
logging history informational
logging asdm informational
logging mail email
logging from-address
logging host inside
logging class auth asdm debugging
logging class ids trap warnings
logging class ip trap warnings
logging class rip trap informational
no logging message 305006
mtu Outside 1492
mtu inside 1500
mtu DMZ 1500
ip local pool gyles mask
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name info info action alarm
ip audit name outside attack action drop
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound dns
nat (DMZ) 1 access-list DMZ_nat_outbound dns
static (inside,Outside) tcp interface smtp access-list inside_nat_static
static (inside,Outside) udp interface 4569 asterisk 4569 netmask
static (inside,Outside) tcp interface pop3 Server pop3 netmask  dns
access-group smtp_in in interface Outside
route Outside 1
route inside 1
route inside 1
route inside default 1
router rip
 network default
 version 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy gyles internal
group-policy gyles attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 default-domain value
username george password tanKe2TM2zVSQkOG encrypted privilege 15
username george attributes
 vpn-group-policy gyles
http server enable
http inside
http default inside
http inside
snmp-server host inside community S@msungg21 version 2c
snmp-server location Naples Italy
snmp-server contact George Gyles
snmp-server community S@msungg21
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt connection tcpmss 0
no service resetoutbound interface Outside
no service resetoutbound interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group gyles type ipsec-ra
tunnel-group gyles general-attributes
 address-pool gyles
 default-group-policy gyles
tunnel-group gyles ipsec-attributes
 pre-shared-key *
telnet default inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd enable inside
class-map global-class-rtp
 match rtp 10000 10000
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map type inspect sip Voip
  max-forwards-validation action drop log
  no traffic-non-sip
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
 class global-class-rtp
  inspect sip Voip
service-policy global_policy global
client-update enable
prompt hostname context
: end
asdm image flash:/asdm-522.bin
asdm history enable
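
A check one can run against the configuration posted above, as an added example that is not part of the original post: it lists the UDP ports the `smtp_in` ACL permits on Outside for which the config has no static PAT entry. Such ports reach an inside host only if something else, such as the pinholes opened by `inspect sip`, creates the translation. The parser is a minimal sketch that reads only the line shapes in the excerpt; `NAMED` maps the two port keywords used there.

```python
# Added example: excerpt of the configuration posted above (only the lines read here).
CONFIG = """\
object-group service voip udp
 port-object range 10000 20000
 port-object eq www
 port-object range sip 5070
 port-object range 4569 4569
access-list smtp_in extended permit udp any interface Outside object-group voip
static (inside,Outside) udp interface 4569 asterisk 4569 netmask
"""

# Port keywords appearing in the excerpt, with their well-known numbers.
NAMED = {"www": 80, "sip": 5060}

def port(tok):
    return NAMED[tok] if tok in NAMED else int(tok)

def parse(config):
    """Return (UDP object-groups, groups permitted on Outside, static UDP PAT ports)."""
    groups, permitted, statics, current = {}, [], set(), None
    for line in config.splitlines():
        w = line.split()
        if not line.startswith(" "):
            current = None  # any top-level line closes the open object-group
        if w[:2] == ["object-group", "service"] and w[-1] == "udp":
            current = groups.setdefault(w[2], [])
        elif w[:1] == ["port-object"] and current is not None:
            lo = port(w[2])
            current.append((lo, port(w[3]) if w[1] == "range" else lo))
        elif w[:1] == ["access-list"] and {"permit", "udp", "Outside", "object-group"} <= set(w):
            permitted.append(w[w.index("object-group") + 1])
        elif w[:3] == ["static", "(inside,Outside)", "udp"]:
            statics.add(port(w[4]))  # w[4] is the mapped (outside) port
    return groups, permitted, statics

def unforwarded(config):
    """(low, high, ports without static PAT) for each UDP range the ACL permits."""
    groups, permitted, statics = parse(config)
    report = []
    for name in permitted:
        for lo, hi in groups.get(name, []):
            missing = (hi - lo + 1) - sum(1 for p in statics if lo <= p <= hi)
            if missing:
                report.append((lo, hi, missing))
    return report

if __name__ == "__main__":
    for lo, hi, missing in unforwarded(CONFIG):
        print(f"udp {lo}-{hi}: {missing} port(s) permitted inbound, no static PAT")
```
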
Have you tried setting the DSL modem to bridge mode so that the PIX gets the real public IP address?
gagyles (Author) Commented:
The modem is locked down, so I can't make very many changes. I would love to change the outside of the PIX to a PPPoE connection, but with the modem locked down I am unable to. Also, this modem uses a smart card for its configuration. If I try a different modem, I don't receive my static IP; it switches over to a dynamic address.
Ron Malmstead (Information Services Manager) Commented:
SIP with NAT is a problem many have faced... not everyone's solution is likely to be the same.
The problem gets easier if you start using "best practice" configurations/setups...

I agree with lrmoore.
Except, I would put the Asterisk server in the DMZ and give it a public IP address.

If you do this, you should start by contacting your ISP, and they can help you configure your modem to allow your Firewall to have a public IP address.


If you don't want to go that route, ... here's some links.

You could also try using a stun server.

gagyles (Author) Commented:
no more responses