cleard
asked on
phone connection to inside asterisk through my pix 515e
hi all,
I am having a problem with my IP phone system (Asterisk).
The problem is that when someone from outside connects to our Asterisk VoIP system, from inside I can hear them but he can't hear me, so it is working only one way.
Is there a special thing about the config?
I did open a static rule with port 5060, but I don't know how to make a static rule on the port range 10000 to 20000; it will take only one port at a time.
here is my config:
PIX Version 8.0(3)
!
hostname xxxxxxxxxxx
domain-name x.x
enable password xxxxxxxxxxxxxxxxx encrypted
names
name 192.168.2.29 PBX description ASTERISK
name 192.168.2.106 Mabe
name x.x.x.189 Outside_Interface
name x.x.x.190 OutSide_IP
!
interface Ethernet0
nameif outside
security-level 0
ip address Outside_Interface 255.255.255.192
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.4 255.255.255.0
ospf cost 10
!
interface Ethernet2
shutdown
nameif dmz
security-level 4
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server Mabe
name-server 192.168.2.80
domain-name x.x
dns server-group xxxx
name-server 208.85.113.10
name-server 208.71.9.130
object-group service Asterisk udp
port-object range sip 65535
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit udp any host OutSide_IP object-group Asterisk
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
logging from-address
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host x.x.x.0 outside
asdm image flash:/asdm-603.bin
asdm location PBX 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,outside) udp OutSide_IP sip PBX sip netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route outside OutSide_IP 255.255.255.255 x.x.x.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Cleard protocol radius
aaa-server Cleard host 192.168.2.107
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
crl configure
crypto ca certificate chain ASDM_TrustPoint2
certificate 31
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxx
quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
ntp server 192.168.2.107 source inside prefer
ssl encryption rc4-sha1 3des-sha1 des-sha1
tunnel-group DefaultRAGroup general-attributes
authentication-server-group Cleard
tunnel-group DefaultRAGroup ipsec-attributes
trust-point ASDM_TrustPoint2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1280
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
!
service-policy global_policy global
smtp-server 192.168.2.83
prompt hostname context
Cryptochecksum:xxxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxx
Thanks
cleard
The thing is that if you do PAT, you have to create a static for every port (all 10.000 of them :-~ ). That is because you can't use a port range in a static statement. If you do a one to one NAT (if you have an extra public address, and by the looks of the subnet you have) you can define the port range in the access list rule.
If you don't want to use a dedicated public address there should be a way in asterisk to limit the number of ports that specific phone (connection) uses. I have it set up for one of my offices, one of the employees works from home with a voip phone and that phone can only connect over 30 possible ports. Don't ask me how that is done, the asterisk guy did that for me. But that is also an option.
ASKER
hi sage,
This doc is made for PIX software release 6.3.1 but I have release 8.0.
here is my log:
x.x.x.154 PBX Teardown UDP connection 45596 for outside:x.x.x.154/0 to inside:PBX/5060 duration 0:01:03 bytes 0
Pre-allocate SIP SIGNALLING UDP secondary channel for inside:PBX/5060 to outside:x.x.x.154 from 401 message
ASKER
erniebeek,
Yes, I can use one dedicated IP for that. What should change?
here is my config:
PIX Version 8.0(3)
!
hostname CleardPix
domain-name cleard.local
enable password xxxxxxxxxxxxxx encrypted
names
name 192.168.2.29 PBX description ASTERISK
name 192.168.2.106 Mabe
name x.x.x.189 Outside_Interface
name x.x.x.190 OutSide_IP
!
interface Ethernet0
nameif outside
security-level 0
ip address Outside_Interface 255.255.255.192
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.4 255.255.255.0
ospf cost 10
!
interface Ethernet2
shutdown
nameif dmz
security-level 4
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
passwd x encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.107
name-server 192.168.2.80
domain-name x.x
dns server-group PreToPost
name-server 208.85.113.10
name-server 208.71.9.130
object-group service Asterisk udp
port-object range sip 65535
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit udp any host OutSide_IP range sip 65000
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
logging from-address x@x
logging recipient-address x@x.x level errors
logging ftp-bufferwrap
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host x.x.x.0 outside
asdm image flash:/asdm-603.bin
asdm location PBX 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,outside) OutSide_IP PBX netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route outside OutSide_IP 255.255.255.255 x.x.x.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Cleard protocol radius
aaa-server Cleard host 192.168.2.107
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
fqdn CleardPix
subject-name CN=xxxxxxxxxxx
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint2
certificate 31
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxxxx
quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
ntp server 192.168.2.107 source inside prefer
ssl encryption rc4-sha1 3des-sha1 des-sha1
tunnel-group DefaultRAGroup general-attributes
authentication-server-group Cleard
tunnel-group DefaultRAGroup ipsec-attributes
trust-point ASDM_TrustPoint2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1280
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
!
service-policy global_policy global
smtp-server 192.168.2.83
prompt hostname context
Cryptochecksum:xxxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxx
ASKER
erniebeek,
Can you explain one-to-one NAT or point me to the right place? Should I not use static?
Thanks for your help
Well the setup looks good.
Just get rid of: access-list outside_access_in extended permit ip any any. That's a tricky one.
Also access-group inside_access_in in interface inside isn't really necessary (as you permit everything).
This was just a bit of cleaning up, now for the sip: remove inspect sip and see what happens. The PIX is trying to 'help' with that inspect but that doesn't always give the right results.
Oh and a short explanation for the statics.
When you do: static (inside,outside) udp OutSide_IP sip PBX sip netmask 255.255.255.255 you forward one port from your public address to a port on one of your private addresses. This way you can forward different ports from one public address to several internal addresses (PAT).
When you do: static (inside,outside) OutSide_IP PBX netmask 255.255.255.255 you hook up the public address exclusively to one internal address (one-to-one NAT).
That's the difference. You use the static statement for both types; only the syntax and the result are somewhat different.
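As an added illustration (not PIX code and not from anyone in this thread), a small Python model of how the two static forms explained above treat inbound UDP: the port-specific static translates only port 5060, so RTP media in 10000-20000 has no translation and one-way audio results, while the one-to-one static maps every port and leaves the outside access list as the only filter. The names OutSide_IP and PBX, the port ranges and the ACL lines are taken from the posted configs; the ACL-then-translation order and the destination-only matching are simplifications of the real PIX 8.0 packet path.

```python
from dataclasses import dataclass
from typing import List, Optional

SIP = 5060
OUTSIDE_IP, PBX = "OutSide_IP", "PBX"   # the names used in the posted config


@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside)' line; proto/global_port None = one-to-one."""
    global_ip: str
    local_ip: str
    proto: Optional[str] = None
    global_port: Optional[int] = None
    local_port: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list outside_access_in' line, matched on destination only."""
    proto: str            # "ip", "udp" or "tcp"
    dst_ip: str           # "any" or a host name
    port_lo: int = 0
    port_hi: int = 65535


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str           # pre-translation (global) address, as the ACL sees it
    dst_port: int


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.dst_ip not in ("any", pkt.dst_ip):
            continue
        if e.proto == "ip" or e.port_lo <= pkt.dst_port <= e.port_hi:
            return True
    return False            # implicit deny at the end of every ACL


def translate(statics: List[Static], pkt: Packet):
    """Return the inside (ip, port) the packet is forwarded to, or None."""
    for s in statics:
        if s.global_ip != pkt.dst_ip:
            continue
        if s.proto is None:                      # one-to-one: every port maps
            return (s.local_ip, pkt.dst_port)
        if s.proto == pkt.proto and s.global_port == pkt.dst_port:
            return (s.local_ip, s.local_port)    # PAT: only this one port maps
    return None


def inbound(acl: List[AclEntry], statics: List[Static], pkt: Packet) -> str:
    """Simplified PIX 8.0 inbound path: interface ACL first, then the static."""
    if not acl_permits(acl, pkt):
        return "denied by acl"
    hit = translate(statics, pkt)
    if hit is None:
        return "no translation"                  # dropped: no xlate to PBX
    return f"{hit[0]}:{hit[1]}"


def pat_statics_for_range(lo: int, hi: int) -> List[Static]:
    """What the PAT form would need to cover an RTP range: one line per port."""
    return [Static(OUTSIDE_IP, PBX, "udp", p, p) for p in range(lo, hi + 1)]


# Original post: PAT static for sip only, ACL wide open (permit ip any any)
ORIGINAL_STATICS = [Static(OUTSIDE_IP, PBX, "udp", SIP, SIP)]
ORIGINAL_ACL = [AclEntry("ip", "any"), AclEntry("udp", OUTSIDE_IP, SIP, 65535)]

# Follow-up config: one-to-one static, ACL narrowed to udp sip-65000
ONE_TO_ONE_STATICS = [Static(OUTSIDE_IP, PBX)]
ONE_TO_ONE_ACL = [AclEntry("udp", OUTSIDE_IP, SIP, 65000)]

# Tighter ACL once the 1:1 static maps every port: signalling plus the
# RTP range the asker mentioned (10000-20000), nothing else.
TIGHT_ACL = [AclEntry("udp", OUTSIDE_IP, SIP, SIP),
             AclEntry("udp", OUTSIDE_IP, 10000, 20000)]

# Constructed sample packets: SIP signalling, one RTP media packet, other TCP
SIGNALLING = Packet("udp", OUTSIDE_IP, SIP)
RTP = Packet("udp", OUTSIDE_IP, 12000)
OTHER_TCP = Packet("tcp", OUTSIDE_IP, 22)

if __name__ == "__main__":
    print("PAT static, signalling :", inbound(ORIGINAL_ACL, ORIGINAL_STATICS, SIGNALLING))
    print("PAT static, RTP        :", inbound(ORIGINAL_ACL, ORIGINAL_STATICS, RTP))
    print("1:1 static, RTP        :", inbound(ONE_TO_ONE_ACL, ONE_TO_ONE_STATICS, RTP))
    print("1:1 static, tcp/22     :", inbound(ONE_TO_ONE_ACL, ONE_TO_ONE_STATICS, OTHER_TCP))
    print("PAT lines for 10000-20000:", len(pat_statics_for_range(10000, 20000)))
```

With the one-to-one static every port on PBX is reachable from outside, so the outside ACL is the only thing limiting exposure; TIGHT_ACL shows it narrowed to SIP plus the RTP range instead of sip-65000.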
ASKER
erniebeek,
Thanks for the reply.
I did remove
access-list outside_access_in extended permit ip any any
and
access-group inside_access_in in interface inside
Unable to remove inspect sip.
I did no inspect sip and it is not removing.
It seems to be in a default group.
Is there a way to remove it from that group?
ASKER
erniebeek,
I tried it without removing inspect sip, it did not work.
I just get one way working, e.g. voice in but voice out not working,
so from outside to inside it is working but inside to outside is not working.
Is the route ok?
route outside 0.0.0.0 0.0.0.0 173.246.64.129 1
route outside OutSide_IP 255.255.255.255 173.246.64.129 1
x.x.x.129 is the external gateway of the PIX.
here is my config:
PIX Version 8.0(3)
!
hostname x
domain-name x.x
enable password xxxxxxxxxxxxxxx encrypted
names
name 192.168.2.29 PBX description ASTERISK
name 192.168.2.106 Mabe
name x.x.x.189 Outside_Interface
name x.x.x.190 OutSide_IP
!
interface Ethernet0
nameif outside
security-level 0
ip address Outside_Interface 255.255.255.192
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.4 255.255.255.0
ospf cost 10
!
interface Ethernet2
shutdown
nameif dmz
security-level 4
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
passwd xxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.107
name-server 192.168.2.80
domain-name cleard.local
dns server-group PreToPost
name-server 208.85.113.10
name-server 208.71.9.130
object-group service Asterisk udp
port-object range sip 65535
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit udp any host OutSide_IP range sip 65000
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
logging ftp-bufferwrap
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host x.x.x.0 outside
asdm image flash:/asdm-603.bin
asdm location PBX 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,outside) OutSide_IP PBX netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route outside OutSide_IP 255.255.255.255 x.x.x.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Cleard protocol radius
aaa-server Cleard host 192.168.2.107
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
fqdn xxxxxxxx
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint2
certificate 31
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxx
quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
ntp server 192.168.2.107 source inside prefer
ssl encryption rc4-sha1 3des-sha1 des-sha1
tunnel-group DefaultRAGroup general-attributes
authentication-server-group Cleard
tunnel-group DefaultRAGroup ipsec-attributes
trust-point ASDM_TrustPoint2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1280
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
!
service-policy global_policy global
smtp-server 192.168.2.83
prompt hostname context
Cryptochecksum:xxxxxxxxxxx
I tried it without removing inspect sip; it did not work.
I just get one way working, e.g. voice in, but voice out is not working.
So from outside to inside is working, but inside to outside is not working.
Is the route OK?
route outside 0.0.0.0 0.0.0.0 173.246.64.129 1
route outside OutSide_IP 255.255.255.255 173.246.64.129 1
x.x.x.129 is the external gateway of the PIX.
here is my config:
PIX Version 8.0(3)
!
hostname x
domain-name x.x
enable password xxxxxxxxxxxxxxx encrypted
names
name 192.168.2.29 PBX description ASTERISK
name 192.168.2.106 Mabe
name x.x.x.189 Outside_Interface
name x.x.x.190 OutSide_IP
!
interface Ethernet0
nameif outside
security-level 0
ip address Outside_Interface 255.255.255.192
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.4 255.255.255.0
ospf cost 10
!
interface Ethernet2
shutdown
nameif dmz
security-level 4
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
passwd xxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.107
name-server 192.168.2.80
domain-name cleard.local
dns server-group PreToPost
name-server 208.85.113.10
name-server 208.71.9.130
object-group service Asterisk udp
port-object range sip 65535
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit udp any host OutSide_IP range sip 65000
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
logging ftp-bufferwrap
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host x.x.x.0 outside
asdm image flash:/asdm-603.bin
asdm location PBX 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,outside) OutSide_IP PBX netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route outside OutSide_IP 255.255.255.255 x.x.x.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
aaa-server Cleard protocol radius
aaa-server Cleard host 192.168.2.107
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
fqdn xxxxxxxx
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint2
certificate 31
xxxxxxxxxxxxxxxxxxxxxxxxxx
quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
ntp server 192.168.2.107 source inside prefer
ssl encryption rc4-sha1 3des-sha1 des-sha1
tunnel-group DefaultRAGroup general-attributes
authentication-server-group Cleard
tunnel-group DefaultRAGroup ipsec-attributes
trust-point ASDM_TrustPoint2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1280
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
!
service-policy global_policy global
smtp-server 192.168.2.83
prompt hostname context
Cryptochecksum:xxxxxxxxxxx
ASKER
erniebeek,
Here is my pix log:
x.x.x.154 Pre-allocate SIP SIGNALLING UDP secondary channel for inside:PBX/5060 to outside:209.217.98.154 from 401 message
x.x.x.154 PBX Teardown UDP connection 3107 for outside :x.x.x.154/0 to inside:PBX/5060 duration 0:01:02 bytes 0
ASKER
erniebeek,
also getting this log message:
x.x.x.154 Pre-allocate SIP Via UDP secondary channel for outside:x.x.x.145/5060 to outside:x.x.x.154 from REGISTER message
I guess this one is a hard one ;-{
Well, I got it to work, so we should be able to get it working with you too :)
First, remove: route outside OutSide_IP 255.255.255.255 x.x.x.129 (not good).
To remove the inspect:
conf t
policy-map global_policy
class inspection_default
no inspect sip
Then let's see if that helps.
ASKER
It was the Asterisk config, this line: externip = x.x.x.190
The phone guy did not know about this one.
Thanks for your time erniebeek, you're the best ;-)
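Why externip fixed it, as an added example that is not part of this thread: without it Asterisk writes its private LAN address into the SDP body of each call, so the far end sends its RTP to an unroutable address and audio flows only one way, while the static NAT on the PIX maps PBX to OutSide_IP. The script below (Python, added here, not from the thread or from Asterisk) checks an SDP body for that condition; the SDP bodies are constructed and 203.0.113.190 is a placeholder for the redacted x.x.x.190.

```python
import ipaddress
import re

# Constructed SDP body, as the PBX in this thread would send it before
# externip was set: the c= line carries its private LAN address.
SDP_BEFORE_FIX = """v=0
o=root 1234 1234 IN IP4 192.168.2.29
s=session
c=IN IP4 192.168.2.29
t=0 0
m=audio 14322 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

# Placeholder public address standing in for the thread's redacted x.x.x.190.
EXTERNAL_IP = "203.0.113.190"
SDP_AFTER_FIX = SDP_BEFORE_FIX.replace("192.168.2.29", EXTERNAL_IP)

# RTP port range the asker wanted to open on the PIX (10000-20000).
RTP_PORT_RANGE = (10000, 20000)

# RFC 1918 ranges checked explicitly: Python's is_private also flags
# documentation ranges such as 203.0.113.0/24, which we use as a placeholder.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sdp(sdp: str) -> dict:
    """Extract the connection address and the audio RTP port from an SDP body."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not conn or not media:
        raise ValueError("SDP lacks a c= or m=audio line")
    return {"addr": conn.group(1), "port": int(media.group(1))}


def check_sdp_nat(sdp: str, external_ip: str, rtp_range=RTP_PORT_RANGE) -> list:
    """Return the problems in this SDP that would produce one-way audio."""
    info = parse_sdp(sdp)
    addr = ipaddress.ip_address(info["addr"])
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(f"SDP advertises private address {addr}: remote RTP is unroutable, set externip")
    elif str(addr) != external_ip:
        problems.append(f"SDP address {addr} does not match the static NAT public address {external_ip}")
    lo, hi = rtp_range
    if not lo <= info["port"] <= hi:
        problems.append(f"RTP port {info['port']} is outside the permitted range {lo}-{hi}")
    return problems
```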
Glad I could help and that memory serves me well ;)
Thx for the points.
Check this link:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801fc74a.shtml