Solved

Asterisk

Posted on 2012-03-11
40
663 Views
Last Modified: 2013-11-12
I need help with Asterisk Server

i have Cisco asa 5505 WIth Linux Server (located at USA)
o have An other Dedicated Server which is Located at Singapore
i have Anotehr Dedicated SErver which is located at USA

i have some help regardding this
0
Comment
Question by:zedpoint
  • 28
  • 8
40 Comments
 
LVL 16

Expert Comment

by:santoshmotwani
ID: 37707992
what are you trying to achieve here ? please explain in detail

Thanks
0
 

Author Comment

by:zedpoint
ID: 37710900
Thanks for ur Reply.. Let me Explain you

my clients are using Wimax(dynamic) bandwidth and its connected VOIP devices under NAT

what i wanted to do

Linux Server will connect SIP Server Cisco asa 5505 proxy Server
because 5060 port is blocked here so i need to do maybe nat travels or something.. actually its not clear to me.. i have read documents from NAT+VOIP NAT travels also asterisk
0
 

Author Comment

by:zedpoint
ID: 37710904
can i talk to PV?
0
 

Author Comment

by:zedpoint
ID: 37711648
is there anybody here? who can help me pls
0
 

Author Comment

by:zedpoint
ID: 37711687
in my coutry 5060  1720 port is blocked so what is the way to VOIP Devices will work through NAT with linux server ... i think i need to do vpn with my SIP proxy server Cisco asa 5505.. but its not clear to me.. http://www.voip-info.org/wiki/view/Asterisk+sip+nat.. i have those tutial but its not clear pls guide me to do that!
0
 

Author Comment

by:zedpoint
ID: 37712206
How my multiple Client will Register my SIP proxy Cisco asa ?  Client end  what do i need to do ? and how to bypass block port from my Client end and VOIP call will pass .. please guide me do that
0
 

Author Comment

by:zedpoint
ID: 37712246
i dont know the configuration i did just included but i dont know how my End point user will connect and how do they register Like sip.conf A01@.... 192.168.101.1
ASA Version 7.2(4)
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 206.160.33.11 255.255.248.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.8.0.1 255.255.252.0
!
interface Ethernet0/0
 description Connects to Switch
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
 shutdown
!
interface Ethernet0/3
 switchport access vlan 2
 shutdown
!
interface Ethernet0/4
 switchport access vlan 2
 shutdown
!
interface Ethernet0/5
 switchport access vlan 2
 shutdown
!
interface Ethernet0/6
 switchport access vlan 2
 shutdown
!
interface Ethernet0/7
 switchport access vlan 2
 shutdown
!


ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 201.168.139.84
 domain-name omegabd.net
object-group service Allworx_UDP udp
access-list inside-in extended permit ip any any
access-list outside-in extended permit icmp any any
access-list outside-in extended permit tcp any host 209.160.33.163 eq ssh
access-list outside-in extended permit tcp any host 209.160.33.163 eq telnet
access-list outside-in extended permit tcp any host 209.160.33.163 eq domain
access-list outside-in extended permit tcp any host 209.160.33.163 eq www
access-list outside-in extended permit tcp any host 209.160.33.163 eq https
access-list outside-in extended permit udp any host 209.160.33.163 eq 22
access-list outside-in extended permit udp any host 209.160.33.163 eq domain
access-list outside-in extended permit udp any host 209.160.33.163 eq www
access-list outside-in extended permit udp any host 209.160.33.163 eq 3128
access-list outside-in extended permit udp any host 209.160.33.163 eq sip
access-list outside-in extended permit tcp any host 209.160.33.163
access-list outside-in extended permit udp any host 206.160.33.11 eq 22
access-list outside-in extended permit tcp any host 206.160.33.11 eq ssh
access-list outside-in extended permit tcp any host 206.160.33.11 eq telnet
access-list outside-in extended permit tcp any host 206.160.33.11 eq domain
access-list outside-in extended permit tcp any host 206.160.33.11 eq www
access-list outside-in extended permit tcp any host 206.160.33.11 eq https
access-list outside-in extended permit udp any host 206.160.33.11 eq domain
access-list outside-in extended permit udp any host 206.160.33.11 eq www
access-list outside-in extended permit udp any host 206.160.33.11 eq 3128
access-list outside-in extended permit udp any host 206.160.33.11 eq sip
access-list outside-in extended permit udp any host 209.160.33.163 eq tftp
                                                                                                                                                             
access-list nonat remark ACL for Nat Bypass
access-list nonat remark ACL for Nat Bypass
access-list serverA extended permit tcp any host 206.160.33.11 eq www
access-list http_client extended permit tcp host 10.8.0.1 any eq www
                                                                                 
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) 209.160.32.163 10.8.0.2 netmask 255.255.255.255

access-group outside-in in interface outside
access-group inside-in in interface inside
route outside 0.0.0.0 0.0.0.0 209.160.31.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds                                                                                         28800
crypto dynamic-map dynmap 30 set transform-set strong-des
crypto dynamic-map dynmap 30 set security-association lifetime seconds 28800
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set pfs group1
crypto map outside_map0 1 set peer 206.160.33.11
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
no vpn-addr-assign dhcp
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0

webvpn
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 sso-server alpha type siteminder
  policy-server-secret zerpoint
 svc enable
 customization DfltCustomization
  title text Welcome to Alpha
  login-title text WElcome to Alpa World
  logo none
 tunnel-group-list enable
tunnel-group 180.211.234.11.200 type ipsec-l2l
tunnel-group 180.211.234.11.200 ipsec-attributes
pre-shared-key *
tunnel-group 206.160.33.11 type ipsec-l2l
tunnel-group 206.160.33.11 ipsec-attributes
 pre-shared-key *
!
class-map http_serverB
class-map http_serverA
 match access-list serverA
class-map class_map_name
class-map http_client
 match access-list http_client
class-map mgcp_port
class-map tftp-port
 match port udp eq tftp
class-map inspection_default
 match default-inspection-traffic
class-map http_traffic
 match port tcp eq www
class-map http-server
class-map sbo
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map tftp_policy
 class tftp-port
  inspect tftp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map http_client
 class http_client
policy-map http_traffic_policy
 class http_traffic
  inspect http
policy-map type inspect skinny sbo
 description string
 parameters
!
service-policy global_policy global
service-policy tftp_policy interface outside
service-policy http_client interface inside
prompt hostname context
Cryptochecksum:391e110d77993ab274
: end
0
 

Author Comment

by:zedpoint
ID: 37722952
still i didnt get any help !!!!
0
 

Author Comment

by:zedpoint
ID: 37728241
Hello is there anybody can helP me plssssss
Is it possible to give me example if sip client asterisk server behind nat with VoIP devices connected which will bypass 5060 port to 10000-20000' through cisco asa sip server
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 37737997
I need to know a little more about what you're trying to do.

You say that ports 5060 and 1720 are blocked by your country. (Which country is this?).

Your best best would be to put asterisk boxes at ALL endpoints, and use IAX (udp/4569) to trunk calls between these locations.

In the on the un-filtered sids, the asterisk box can connect to SIP, and then transcode to send to your country on the unfiltered UDP/4569 port. This is how I would handle it anyway. IAX (Inter-Asterisk eXchange) protocol offers multiple benefits over SIP. The primary benefit is that it is VERY NAT friendly. The secondary benefit is that it multiplexes the calls into a single stream, which conserves bandwidth and increases quality.

If that doesn't work for you, then we could setup a VPN. Unfortunately, I don't know the first hing about Cisco stuff. However, I have successfully used monowall (http://m0n0.ch/wall/) along with Alix boards (See: http://pcengines.ch/alix.htm) to create box to box VPNs with Asterisk that worked LIKE A CHARM. I have them deployed all over the world.

Bottom line is this: SIP + NAT = headache. It's awful to get it to work properly. Deploy asterisk boxes at each of the end points so that you can access IAX, and you'll have a much more stable, much more efficient system.
0
 

Author Comment

by:zedpoint
ID: 37740118
Dear Sir

Thanks a Lot for your Reply..
u have explained exactly what i wanted but i really confused bout 1 thing.. which is

where i need to create my sip user?

i can setup the endpoint asterisk but i dont know which outside VPN server i n eed to setup thats why i told about Cisco because all of my Endpoint is dynamic so i need vpn also
0
 

Author Comment

by:zedpoint
ID: 37740123
And ill b glad if u help me to Setup those Stuff.. Please let me know...

Thanks a lot
0
 

Author Comment

by:zedpoint
ID: 37740126
Each user have multiple VOIP Devices so i need Dedicated IP to provide them to pass VOIP call...
0
 

Author Comment

by:zedpoint
ID: 37740321
our best best would be to put asterisk boxes at ALL endpoints, and use IAX (udp/4569) to trunk calls between these locations.In the on the un-filtered sids, the asterisk box can connect to SIP, and then transcode to send to your country on the unfiltered UDP/4569 port. <<<<<<<<<


Dedicated IP i meant for carier will push thier cALL TO Ddedicated Static Public ip .. so whay dhould i need to do ?and multiple asterisk boxes how do register my sip server (might be linux or Cisco) if you can pls help me to do this... Will u please provide Me both Linux some Example one Asterisk Server of atleast 2 new sip ;login example .. With


end Point Sip or Some example.. and also please if u can setup please let me know


THANKS A LOT
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 37742249
Are you saying you need to run a VPN between these sites and then run the phone network insdie that or was the VPN just to circumvent the government blocks on those ports?
0
 

Author Comment

by:zedpoint
ID: 37744808
Thanks a lot for your reply..

sorry i cudnt clear to you.. the first one u suggested exactly what i needed.. but i have establish asterisk behind nat with devices and after taht  the sip@xxxx.xxxxx.xxxx for register
where it will register? i need to setup asterisk server again on  outisde  data center server?
which way u want to suggest me pleasdee give me some manual or step by step as i newbie..
and also i would like to know the way to minimize the bandwidth..

i want to do that  through 384kbps uplaod/1 mbps download wimax bandwdith
and please include the way to reduce the bandwdith





Thanks
0
 

Author Comment

by:zedpoint
ID: 37749675
can u please provide me what would be the setting of outisde asterisk Server where the user will register?  pls Explain step by step both end if its possible then i might b success to setup
0
 

Author Comment

by:zedpoint
ID: 37750109
Dear Sir

and also i would like  to do all sip calls will b split to many ports .. i dont need to exncrypt
to show only one foreign IP and 1 Local IP tunnel 4569 ...
is it possible tto do that ?
Like when i download something ic an see my ip  which is split with so many diffefrent ports are conencted.. i just want to do that withStatic bypass VOIP call passthroguh with
Bandwidth Reducer and also

the way of tcp + udp voip pls tell me

Thanks
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:zedpoint
ID: 37750346
Asterisk as a SIP client behind nat, connecting to outside SIP Proxies
 

how do i make Cisco asa SIP procies


and

how can i minimize VOIP bandwidth at client end



and

What would b the Server Side configuretion do i need to setup nelow the Client sip conf is given below



[general]
bindport=4050
disallow=all
allow=g723
allow=g729
allow=ulaw
allow=alaw
register => user_1:user_1@xx.xx.xx.xx:4579


[user_1]
type=friend
host=XX.XXX.XXX.XX
secret=hello12
context=DHPC2_7
context=DHPC2_8
context=DHPC2_9
context=DHPC2_10
context=TEST_15
oo_tunnel=yes
===


[general]
enabled = yes
;webenabled = yes
port = 5038


[oo]
secret=hello12
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.0.0.0
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user
=====
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 37750535
You have WAY too many questions in this one question.

Let's do them one at a time.

The first thing you need to do is setup the VPN. Without that working, none of the rest of this will be possible.

I have suggested using Monowall at all the sites. If you need Cisco help, then please ask another question the Cisco area, I cannot help you with Cisco. Once you have the site-to-site VPN up and working, we can start the VOIP process.

I will answer another question you have, however, there is NO SUCH THING as tcp + udp SIP or IAX or VoIP. VoIP is UDP only.

To reduce bandwidth, purchase G.729 licenses. http://store.digium.com/productview.php?category_id=5&product_code=8G729CODEC
0
 

Author Comment

by:zedpoint
ID: 37750709
Thanks a lot for your Reply..
If that doesn't work for you, then we could setup a VPN. can u pls help me about this?
im sorry im so much confused thats why i asked so many question..
can u please tell me.. end point has been setup but how  my multiple user with thier own VPN
or might be sip proxy will register where? do i need to Setup SIP trunk now?
can u pls give me a example of sip.conf (asterisk Server) and sip.conf(asterisk client)
0
 

Author Comment

by:zedpoint
ID: 37750714
i mean First how to VPN because im over nat with (dynamic IP)
can is end u my asterisk sip client configuration then u might be clear.
0
 

Author Comment

by:zedpoint
ID: 37750723
Description: G.729 Codec License for use with Asterisk, 1 Concurrent Call ... but
my voip Carrier will  throw the calls so i need to buy each call for 10$!!!!!
0
 

Author Comment

by:zedpoint
ID: 37750735
can u please tell me how can i able to do that? suppose 8 Devices is atcched with asterisk client server now which vpn service i need to do first time?
plssss tell me step by steppp pls
0
 

Author Comment

by:zedpoint
ID: 37750750
actually 5060 port is blocked so which way i should go?
B2BUA<<? iax? because i have dynamic ip so that i must need VPN ID after that they will bypass voip call through that IP

im really sorry im asking so many question ...
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 37750833
It's not that your quantity of questions are too much, it's that you're asking too many at once. You're trying to solve too many variables at once. You'll never get this working unless you do it one step at a time.

Step 1: CLEARLY DEFINE what ports are blocked. Is UDP/4569 blocked, YES OR NO?
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 37750835
PS. IAX DOES NOT use 5060. So that's a moot point.
0
 
LVL 32

Accepted Solution

by:
DrDamnit earned 500 total points
ID: 37750844
PPS. If you want to do this step by step... you'll need to answer my questions one at a time.

Here are the steps (as an overview):

1. Clearly define what ports are available.
2. Determine if a VPN is needed.
3. Setup VPN if needed.
4. Create IAX Trunk config between two places. (This should be done as a separate question).
5. Work on compression. GSM is free, and is 13kbps, but poor quality. g.729 is $10 / concurrent call ($80 for 8 concurrent calls. One-time fee), but the quality is superior.
6. Replicate the config for the other places. (Separate question)
7. Create dialplan routing. (Separate question)

I have indicated which of these should be asked as a separate question because I am not always available, and asking this as a new question will get additional experts to look at it as well.

I would also ask that you diagram what you're trying to do. Use gliffy.com (the free one) to make a diagram of what you're trying to build so we can better communicate your project requirements.
0
 

Author Comment

by:zedpoint
ID: 37750876
Thanks a Lot for your Reply.. actually i wanted 5060 port will be forward  as well also split to or bypass 10000-20000  ports(which is i needed badly) though my IP is dynamic so carrier needs
Static dedicated IP  so that which way i need to take? if i use any openvpn or ipip or ipsec Only one IP shows bandwdith (up and down )which i dont want to ..
is it possible to get if anyone trace the ip over nat
:src ip 22222. dstip 111111 port 12939
22222. dstip 111111 port 11000
22222. dstip 111111 port 17890
22222. dstip 111111 port 12345
22222. dstip 111111 port 15900


Thnaks a lot once again
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 37750933
You seem to not want to answer my questions in an order that I can understand.

Diagram the setup you want, and post it here. Otherwise, I cannot help you because you're not answering my questions.
0
 

Author Comment

by:zedpoint
ID: 37755077
Im really sorry to make u confuse ,.exactly I wanted this whichu described.. In the on the un-filtered sids, the asterisk box can connect to SIP, and then transcode to send to your country on the unfiltered UDP/4569 port. This is how I would handle it anyway. IAX (Inter-Asterisk eXchange) protocol offers multiple benefits over SIP. The primary benefit is that it is VERY NAT friendly. The secondary benefit is that it multiplexes the calls into a single stream, which conserves bandwidth and increases quality.



If u give me some example both side ... Sip configure which u need to do then I might b solve my problem
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 37755190
Last time I am going to ask... Diagram the setup.
0
 

Author Comment

by:zedpoint
ID: 37775324
DEar sir

this topology i wanted

VOIP DEVICES>linuxServer BEhind NAT(WIMAX Bandwidth dynamic)=Outside Server=Carrier
0
 

Author Comment

by:zedpoint
ID: 37808931
hello still im not able to do that.. please guideme.. or pls advise me if anybody can help me to do with remote setup
0
 

Author Comment

by:zedpoint
ID: 37846389
hello

still nobody gives me perfect solution.. only u the one who can guide me the perfect way. because already u have described..ill be glad if u describe briefly.
0
 

Author Comment

by:zedpoint
ID: 37848301
here is the diagram..
0
 

Author Closing Comment

by:zedpoint
ID: 37868454
i know its a solution but still i cudnt made that .. so pls gide me more if itspossible
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Implementing Avaya's One-X portal is pretty painless, until you want to deploy this to the Android and iPhone clients when these clients are outside of your network. The clients will also work within your local network. Here is our experience and so…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now