Pix 501 and Asterisk

Hello,

I am having some problems getting SIP clients/phones to register with an Asterisk server sitting behind a PIX 501. The HTTP and FTP traffic getting forwarded behind the PIX works just fine, but the SIP is not.

Here is the PIX's config file. Can anyone tell me what I'm doing wrong? Thanks in advance.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit udp any any range 5060 5090
no pager
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.*** 255.255.255.248
ip address inside 192.168.9.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface 192.168.9.25 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80

Asked by Pyromanci

Ernie Beek (Expert, accepted solution) commented:
Well, I think that might be the easiest way. The only thing it needs to do is:

Remove current static.
Add static to other inside IP.
Clear xlate.

That would be easier to implement than to try and set it up on the PIX.
 
Ernie Beek (Expert) commented:
There are some more ports involved:

Port 5060 TCP and UDP
Port 5004 UDP
Port 10000 UDP (sipgate Stun service - usually 3478/9)
Ports 16348-32768 UDP (RTP, RTCP multimedia streaming)

Especially the latter line poses a challenge. If the server is on the inside and the clients are on the outside, you need to open up all those UDP ports to the Asterisk server :-~
The asterisk negotiates one of those ports with the phone for the call.
It should be possible to configure the Asterisk server in such a way that it uses fewer ports or another range, though.
 
Pyromanci (Author) commented:
I have modified the configuration to

no fixup protocol sip 5060
no fixup protocol sip udp 5060
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit udp any any range 5060 65535
access-list outside_access_in permit tcp any any range 5060 65535
access-list outside_access_in permit udp any any eq 5004

But this still doesn't help.
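
Added example, not code from the thread or from Cisco: a small Python checker that parses PIX 6.3 access-list permit entries like the ones above and flags what the later replies warn about, a destination of 'any' in front of a 1:1 static (use 'any host x.x.x.x' instead) and a port range wide enough to expose nearly every service on the mapped host. The sample entries are constructed from this thread; the 203.0.113.10 address and the 100-port threshold are placeholders.

```python
"""Flag over-broad PIX 6.3 access-list entries (added example, not from the thread)."""
import re

# Constructed from this thread: the original SIP permit, the widened 5060-65535
# permits, and a host-scoped variant using a documentation-range public IP.
SAMPLE_ACL = """\
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit udp any any range 5060 5090
access-list outside_access_in permit udp any any range 5060 65535
access-list outside_access_in permit tcp any any range 5060 65535
access-list outside_access_in permit udp any host 203.0.113.10 eq 5004
"""
NAMES = {"ftp": 21, "www": 80, "sip": 5060}  # PIX service names resolved here (subset)
ACE_RE = re.compile(
    r"access-list\s+\S+\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)"
    r"(?:\s+(?:eq\s+(?P<eq>\S+)|range\s+(?P<lo>\d+)\s+(?P<hi>\d+)))?$"
)

def parse_ace(line):
    """Return proto/src/dst and destination port span, or None if not a tcp/udp permit."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    if m["eq"]:
        lo = hi = int(m["eq"]) if m["eq"].isdigit() else NAMES[m["eq"]]
    elif m["lo"]:
        lo, hi = int(m["lo"]), int(m["hi"])
    else:                      # no port clause: every port of the protocol
        lo, hi = 1, 65535
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"], "lo": lo, "hi": hi}

def audit(acl_text, max_ports=100):
    """List (line, reason) for entries too broad in front of a 1:1 static to the SIP host."""
    findings = []
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if not ace:
            continue
        width = ace["hi"] - ace["lo"] + 1
        if ace["dst"] == "any":
            findings.append((line, "destination 'any': name the public IP with 'host x.x.x.x'"))
        if width > max_ports:
            findings.append((line, f"{ace['proto']} {ace['lo']}-{ace['hi']} opens {width} ports"))
    return findings

if __name__ == "__main__":
    for line, why in audit(SAMPLE_ACL):
        print(f"{why}\n    {line}")
```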
 
Ernie Beek (Expert) commented:
Because of:

static (inside,outside) interface 192.168.9.25 netmask 255.255.255.255

You're now doing a 1:1 NAT on your outside interface to an inside address. Is anything working besides the 192.168.9.25?

I'd suggest using a separate public for that. And make some changes to the access list. Don't use any any, instead use any host x.x.x.x (x.x.x.x being the public IP).

And I also remember that it could be necessary to configure the asterisk so that it is aware of the public IP it is sitting behind (can't remember how though).
 
Pyromanci (Author) commented:
Asterisk is already aware of the public IP.

192.168.9.25 is actually a virtual IP address that floats between 2 servers, as I have DRBD replication functioning between the 2. Beyond those 2 servers there is nothing else behind the PIX.

So you're saying that I should program each static port?
 
Ernie Beek (Expert) commented:
Ah ok. Perhaps the issue is with the virtual ip. You could try the real IP and see if that works.
As long as you use a 1:1 NAT like you do, you don't need to program each port (and you wouldn't want that, I think :)

You could check the logging on the PIX as well to see if anything shows up there.
 
Pyromanci (Author) commented:
So it was the virtual IP that was causing the problem. So here is my next question.

Since I'm using heartbeat and drbd to create a failover system for our Asterisk server, how would you recommend doing that, if the 1:1 NAT won't let me use my virtual IP for the failover? At this point do I have to do statics for each port (I know it would be a pain, but I've gotten used to doing things like this)?
 
Ernie Beek (Expert) commented:
Well, I think it doesn't make a difference if you use NAT or PAT. The issue lies with the virtual IP in this case. You would need some sort of failover to the inside... Hm, haven't done that before, let me think.
 
Pyromanci (Author) commented:
I'm also pretty adept at programming. I could even make a simple program that fires off when heartbeat does its switchover, logs into the PIX and fires off commands to change its config to point to the new IP.
 
Pyromanci (Author) commented:
Well, it will take me a day or 2 to write something up that will be usable via both servers and get it tested. I will let you know.
 
Ernie Beek (Expert) commented:
I'll be here :)
 
Pyromanci (Author, accepted solution) commented:
Ya, the script seems like it will work just fine. Now to just get it to fire off via heartbeat, which I've always had issues doing.

I did it in java as I am not a fan of doing socket programming in C. Here it is in case someone else ends up needing it.

You simply supply 4 arguments to it in this order: <pix_ip> <pix_pass> <the_new_ip> <the_old_ip>
It also assumes that the enable password and telnet passwords are the same.

import java.io.InputStream;
import java.io.PrintWriter;
import java.net.Socket;

public class Main {

	public static void main(String args[]) throws Exception
	{
		String ip = args[0];        // PIX inside address
		String password = args[1];  // telnet login password; assumed identical to the enable password
		String myip = args[2];      // inside IP that should now receive the static
		String oldip = args[3];     // inside IP currently named in the static

		// Plain telnet to the PIX, as allowed by "telnet 0.0.0.0 0.0.0.0 inside" in the config above.
		Socket soc = new Socket(ip, 23);
		PrintWriter out = new PrintWriter(soc.getOutputStream(), true);
		InputStream in = soc.getInputStream();

		StringBuilder sb = new StringBuilder();   // the partial line currently being received
		boolean asking_for_pass = false;          // a "Password:" prompt is expected next
		boolean commands_sent = false;
		boolean mem_wrote = false;                // "[OK]" seen after "write mem"
		int step = 0;                             // 0 = send "config t", 1 = send the statics, then wait for [OK]

		while (true) {
			int b = in.read();                    // blocks until a byte arrives; -1 when the PIX hangs up
			if (b < 0)
				break;
			char c = (char) b;
			if (c == '\r')
				continue;
			if (c == '\n') {
				if (sb.toString().contains("User Access Verification"))
					asking_for_pass = true;       // login banner: the next "Password:" is the telnet login
				sb.setLength(0);
				continue;
			}
			sb.append(c);                         // append first, then inspect the buffer once per prompt
			String cur = sb.toString();

			if (cur.endsWith("Password:") && asking_for_pass) {
				asking_for_pass = false;
				out.print(password + "\r\n");
				sb.setLength(0);
			} else if (cur.endsWith(">")) {
				// user-mode prompt: enter privileged mode; the PIX asks for the enable password
				out.print("enable\r\n");
				asking_for_pass = true;
				sb.setLength(0);
			} else if (cur.endsWith("[OK]") && commands_sent) {
				mem_wrote = true;
			} else if (cur.endsWith("#")) {
				// privileged or config-mode prompt: one step per prompt
				if (step == 0) {
					out.print("config t\r\n");
				} else if (step == 1) {
					out.print("no static (inside,outside) interface " + oldip + " netmask 255.255.255.255 0 0\r\n");
					out.print("static (inside,outside) interface " + myip + " netmask 255.255.255.255 0 0\r\n");
					out.print("clear xlate\r\n");
					out.print("write mem\r\n");
					commands_sent = true;
				} else if (mem_wrote) {
					out.print("exit\r\n");
					out.flush();
					break;
				}
				step++;
				sb.setLength(0);
			}
			out.flush();
		}

		System.out.println("All Done.");
		out.close();   // close output stream
		in.close();    // close input stream
		soc.close();   // close port
	}
}

 
Pyromanci (Author) commented:
The script seems like it will work just fine. I can foresee some possible future problems, but those are not critical and can be easily dealt with when they arise.
 
Ernie Beek (Expert) commented:
Looking good, adding it to my knowledge base :)

And, of course, thx 4 the points.
Question has a verified solution.
