Trixbox with PIX VPN. Remote phone can call but not receive calls

Posted on 2010-01-05
Last Modified: 2013-11-12
I've searched a great deal but haven't yet been able to find an answer that solves my problem.
In the main office I have a PIX 515e with static IP. In the remote office I have a PIX 501. I'm using Cisco 7940/7960 phones.

I edited the sip_nat.conf file by adding the following:

localnet= # VPN1 to
localnet= # VPN2 to

I also disabled the sip fixup protocols on both PIXs:

no fixup protocol sip 5060
no fixup protocol sip udp 5060

The remote phone can call any extension of a phone in the main office and the call works perfectly. I notice that trixbox doesn't show the remote phone as connected though, and also phones in the main office cannot dial the remote extension. I'm thinking it's a firewall configuration but am not sure. Any help would be greatly appreciated.
Question by:frebb
    LVL 1

    Expert Comment

    And you have the UDP ports open - it sounds like a firewall issue at the main office.

    Double check all of your port configurations, and get a port checker utility to double check the ports (or ping, telnet to them).

    Author Comment

    I guess my confusion comes in because our phones to the outside work just fine, as well as the other remote phone dialing in over VPN. I didn't think that the firewall settings would affect the VPN. Here is the config file on the main office 515e:

    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname iwf01
    clock timezone MST -7
    clock summer-time MDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    no fixup protocol sip 5060
    no fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list 100 permit ip
    access-list 100 permit ip
    access-list 100 permit ip
    pager lines 24
    logging on
    logging buffered debugging
    logging trap errors
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside
    ip address inside
    no ip address dmz
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool clientpool
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0 0
    conduit permit icmp any any
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside ciscoip
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set myset
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside
    isakmp enable outside
    isakmp key ******** address netmask no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup unityclient address-pool clientpool
    vpngroup unityclient dns-server
    vpngroup unityclient wins-server
    vpngroup unityclient default-domain
    vpngroup unityclient idle-time 1800
    vpngroup unityclient password ********
    telnet timeout 5
    ssh inside
    ssh timeout 60
    management-access inside
    console timeout 0
    dhcpd address inside
    dhcpd dns
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username admin password fLy3Wsy3Rjmat29s encrypted privilege 15
    terminal width 80

    Accepted Solution

    I figured it out. My configuration was just fine; the remote phone was configured to register with proxy. I just added:

    proxy_register: 1

    to my SIPDefault.cnf file and rebooted the phone. Everything works fine.
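
Added example (not part of the original thread): a small Python check that merges a SIPDefault.cnf with a per-phone file and reports why a phone would place calls but never show as registered, which is the symptom described above. The sample file contents, addresses and extension numbers are constructed, and treating an absent `proxy_register` as disabled is an assumption of this sketch.

```python
"""Added example: pre-deployment check of Cisco 79xx SIP config text."""

# Keys the phone needs before the PBX can route a call to it.
REQUIRED_FOR_INBOUND = ("proxy1_address", "line1_name")


def parse_cnf(text):
    """Parse 'key: value' lines; skip blanks and '#' or ';' comment lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def registration_findings(default_text, phone_text=""):
    """Merge defaults with per-phone overrides; list registration problems."""
    effective = parse_cnf(default_text)
    effective.update(parse_cnf(phone_text))  # per-phone file wins
    findings = []
    # Assumption: an absent proxy_register means "do not register".
    if effective.get("proxy_register", "0") != "1":
        findings.append("proxy_register is not 1: the phone sends no REGISTER, "
                        "so the PBX has no contact address for inbound calls")
    for key in REQUIRED_FOR_INBOUND:
        if not effective.get(key):
            findings.append(f"{key} is missing or empty")
    return findings


# Constructed sample files (RFC 5737 documentation address, made-up extension).
BEFORE_DEFAULT = '# SIPDefault.cnf\nproxy1_address: "192.0.2.10"\nproxy1_port: 5060\n'
AFTER_DEFAULT = BEFORE_DEFAULT + "proxy_register: 1\n"
PHONE = '# per-phone file\nline1_name: "201"\nline1_authname: "201"\n'

if __name__ == "__main__":
    for label, default in (("before", BEFORE_DEFAULT), ("after", AFTER_DEFAULT)):
        problems = registration_findings(default, PHONE)
        print(label, "->", problems or "phone will register")
```
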
