Solved

Pix 501 and Asterisk

Posted on 2012-09-11
Medium Priority
725 Views
Last Modified: 2012-09-19
Hello,

I am having some problems getting SIP clients/phones to register with an Asterisk server sitting behind a PIX 501. The HTTP and FTP traffic being forwarded behind the PIX works just fine, but SIP is not.

Here is the PIX's config file. Can anyone tell me what I'm doing wrong? Thanks in advance.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit udp any any range 5060 5090
no pager
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.*** 255.255.255.248
ip address inside 192.168.9.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface 192.168.9.25 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80

Question by:Pyromanci
14 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38386864
There are some more ports involved:

Port 5060 TCP and UDP
Port 5004 UDP
Port 10000 UDP (sipgate Stun service - usually 3478/9)
Ports 16348-32768 UDP (RTP, RTCP multimedia streaming)

Especially the latter line poses a challenge. If the server is on the inside and the clients are on the outside, you need to open up all those UDP ports to the Asterisk server :-~
Asterisk negotiates one of those ports with the phone for the call.
It should be possible to configure the Asterisk server in such a way that it uses fewer ports or another range though.
0
 
LVL 5

Author Comment

by:Pyromanci
ID: 38386916
I have modified the configuration to

no fixup protocol sip 5060
no fixup protocol sip udp 5060
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit udp any any range 5060 65535
access-list outside_access_in permit tcp any any range 5060 65535
access-list outside_access_in permit udp any any eq 5004

But this still doesn't help.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38386974
Because of:

static (inside,outside) interface 192.168.9.25 netmask 255.255.255.255

You're now doing a 1:1 NAT on your outside interface to an inside address. Is anything working besides the 192.168.9.25?

I'd suggest using a separate public IP for that. And make some changes to the access list. Don't use any any, instead use any host x.x.x.x (x.x.x.x being the public IP).

And I also remember that it could be necessary to configure the asterisk so that it is aware of the public IP it is sitting behind (can't remember how though).
0
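Turning the two comments above into configuration, as an added example that is not from the thread: Asterisk's rtp.conf can pin the media range to something far smaller than 16384-32768, and the PIX access list can then permit only that range, only to the translated address, instead of `any any`. 203.0.113.10 is a documentation placeholder for the masked outside address that the `static ... interface` line translates to, and the Asterisk lines use the sip.conf/rtp.conf syntax of the 1.8-era releases current in 2012; the `!` lines are annotations, not PIX syntax. One caveat: while `fixup protocol sip` is enabled, the PIX reads the SDP and opens the RTP ports for each call itself, so the wide range is only needed once the fixup is removed, as it was in the modified config earlier in the thread.

```text
; Asterisk rtp.conf (constructed example): keep the media range small so the
; firewall hole is small. Even ports carry RTP, odd ports RTCP, so this range
; holds 500 port pairs.
[general]
rtpstart=10000
rtpend=10999

; Asterisk sip.conf (1.8-era syntax): advertise the PIX outside address in
; SIP headers and SDP, keep private addressing for the inside network
[general]
nat=yes
externip=203.0.113.10
localnet=192.168.9.0/255.255.255.0

! PIX 6.3 access list. Weak (from the thread): every UDP and TCP port from
! 5060 upward, to whatever the static exposes:
!   access-list outside_access_in permit udp any any range 5060 65535
!   access-list outside_access_in permit tcp any any range 5060 65535
! Tightened: SIP signalling plus the chosen RTP range, to the translated
! address only
access-list outside_access_in permit udp any host 203.0.113.10 eq 5060
access-list outside_access_in permit tcp any host 203.0.113.10 eq 5060
access-list outside_access_in permit udp any host 203.0.113.10 range 10000 10999
```

If the static is later moved to its own public address, as suggested above, the `host` in the three permit lines changes to that address and the outside interface no longer carries any inbound permits at all.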
 
LVL 5

Author Comment

by:Pyromanci
ID: 38386993
Asterisk is already aware of the public IP.

192.168.9.25 is actually a virtual IP address that floats between 2 servers, as I have DRBD replication functioning between the 2. Beyond those 2 servers there is nothing else behind the PIX.

So you're saying that I should program each static port.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38387020
Ah ok. Perhaps the issue is with the virtual ip. You could try the real IP and see if that works.
As long as you use a 1:1 NAT like you do, you don't need to program each port (and you wouldn't want that I think :)

You could check the logging on the PIX as well to see if anything shows up there.
0
 
LVL 5

Author Comment

by:Pyromanci
ID: 38387105
So it was the virtual IP that was causing the problem. So here is my next question.

Since I'm using Heartbeat and DRBD to create a failover system for our Asterisk server, how would you recommend doing that, if the 1:1 NAT won't let me use my virtual IP for the failover? At this point do I have to do statics for each port (I know it would be a pain, but I've gotten used to doing things like this)?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38387163
Well I think it doesn't make a difference if you use NAT or PAT. The issue lies with the virtual IP in this case. You would need some sort of failover to the inside..... Hm, haven't done that before, let me think.
0
 
LVL 5

Author Comment

by:Pyromanci
ID: 38387193
I'm also pretty adept at programming. I could even make a simple program that fires off when Heartbeat does its switchover, logs into the PIX and fires off commands to change its config to point to the new IP.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 38387218
Well, I think that might be the easiest way. The only thing it needs to do is:

Remove current static.
Add static to other inside IP.
Clear xlate.

That would be easier to implement than to try and set it up on the PIX.
0
 
LVL 5

Author Comment

by:Pyromanci
ID: 38387268
Well, it will take me a day or 2 to write something up that will be usable from both servers and get it tested. I will let you know.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38387352
I'll be here :)
0
 
LVL 5

Assisted Solution

by:Pyromanci
Pyromanci earned 0 total points
ID: 38398968
Yeah, the script seems like it will work just fine. Now to just get it to fire off via Heartbeat, which I've always had issues doing.

I did it in Java as I am not a fan of doing socket programming in C. Here it is in case someone else ends up needing it.

You simply supply 4 arguments to it in this order: <pix_ip> <pix_pass> <the_new_ip> <the_old_ip>
It also assumes that the enable password and telnet passwords are the same.

import java.io.DataInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.Socket;

public class Main {

    public static void main(String args[]) throws Exception
    {
        if (args.length != 4) {
            System.err.println("usage: Main <pix_ip> <pix_pass> <the_new_ip> <the_old_ip>");
            System.exit(1);
        }
        String ip = args[0];
        String password = args[1];   // used for both the telnet login and enable
        String myip = args[2];       // inside IP the static should point to from now on
        String oldip = args[3];      // inside IP the current static points to

        Socket soc = new Socket(ip, 23);
        PrintWriter out = new PrintWriter(soc.getOutputStream(), true);
        DataInputStream in = new DataInputStream(soc.getInputStream());

        StringBuilder sb = new StringBuilder();   // characters of the line being received
        String response = "";
        boolean asking_for_pass = false;  // the next "Password:" prompt must be answered
        boolean first_line = false;       // the first "#" prompt is skipped; commands start on the next one
        boolean commands_sent = false;    // the config commands have been written
        boolean mem_wrote = false;        // "[OK]" from "write mem" has been seen
        int step = 0;

        // Read the session one character at a time and react to the PIX prompts.
        while (true) {
            if (in.available() <= 0) {
                Thread.sleep(20);   // don't spin while the PIX is quiet
                continue;
            }
            int b = in.read();
            if (b < 0) {
                throw new IOException("PIX closed the connection before the change was saved");
            }
            char c = (char) b;
            if (c == '\n')
            {
                response = sb.toString();
                sb.setLength(0);

                if (response.contains("User Access Verification")) {
                    asking_for_pass = true;
                    continue;
                }
            } else if (sb.toString().contains("Password:")) {
                if (asking_for_pass) {
                    asking_for_pass = false;
                    out.write(password + "\n\r");
                    out.flush();
                    sb.setLength(0);
                    continue;
                }
            } else if (sb.toString().endsWith(">")) {
                // user-mode prompt: ask for privileged mode
                out.write("enable\n\r");
                out.flush();
                sb.setLength(0);
                asking_for_pass = true;
                continue;
            } else if (sb.toString().contains("[OK]") && commands_sent) {
                mem_wrote = true;
            } else if (sb.toString().endsWith("#") && !commands_sent) {
                if (!first_line)
                    first_line = true;
                else if (step == 0) {
                    out.write("config t\n\r");
                    out.flush();
                    sb.setLength(0);
                    step++;
                    continue;
                } else if (step == 1) {
                    // swap the static, flush the old translations, save
                    out.write("no static (inside,outside) interface " + oldip + " netmask 255.255.255.255 0 0\n\r"
                            + "static (inside,outside) interface " + myip + " netmask 255.255.255.255 0 0\n\r"
                            + "clear xlate\n\r"
                            + "write mem\n\r");
                    out.flush();
                    sb.setLength(0);
                    step++;
                    commands_sent = true;
                    continue;
                }

            } else if (sb.toString().endsWith("#") && commands_sent) {
                if (mem_wrote) {
                    break;   // back at the prompt after "[OK]": all done
                }
            } else {
                if (c != '\r')
                    sb.append(c);
            }
        }

        System.out.println("All Done.");
        soc.close();  // close port
        in.close();   // close input stream
        out.close();  // close output stream
    }
}

0
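A Python version of the same failover step, added here as an illustration and not code from the thread or from Pyromanci. It drives the PIX 6.3 CLI prompt by prompt (wait for `Password:`, `hostname>`, `hostname#`, `hostname(config)#`) instead of polling `available()` and scanning for `#`, validates the two addresses before they are spliced into a command line, never records the passwords, and refuses to continue unless `write mem` answers `[OK]`. The `FakePix` class is a constructed stand-in for the firewall so the logic can be run offline; the prompt strings, the `cisco` passwords and the 192.168.9.26 address are assumptions. For real use, pass `SocketTransport(pix_ip)` in place of `FakePix` and take the password from an environment variable or a root-only file rather than `argv`, since command-line arguments are visible to every local user in `ps`. Two caveats the posted config already raises: `telnet 0.0.0.0 0.0.0.0 inside` lets any inside host reach the CLI, and telnet carries the password in cleartext; the PIX also has an `ssh` access mode (the config carries `ssh timeout 5`), and narrowing the `telnet` line to the two Asterisk hosts costs nothing.

```python
import ipaddress
import re
import socket

# PIX 6.3 prompts, anchored to the end of the buffered output so echoed commands never match.
PASSWORD_PROMPT = re.compile(r"Password: ?$")
PROMPT_USER = re.compile(r"\S+> ?$")               # pixfirewall>
PROMPT_ENABLE = re.compile(r"\S+# ?$")             # pixfirewall#
PROMPT_CONFIG = re.compile(r"\S+\(config\)# ?$")   # pixfirewall(config)#

class SocketTransport:
    """Plain telnet to the PIX (cleartext, so only from the trusted inside network)."""
    def __init__(self, host, port=23, timeout=15):
        self.sock = socket.create_connection((host, port), timeout=timeout)
    def recv(self):
        return self.sock.recv(4096).decode("ascii", "replace")
    def send(self, text):
        self.sock.sendall(text.encode("ascii"))

class PixSession:
    """Sends one line at a time and waits for the prompt that must follow it."""
    def __init__(self, transport):
        self.t, self.buf, self.sent = transport, "", []
    def expect(self, prompt):
        while not prompt.search(self.buf):           # read until the prompt is at the end
            chunk = self.t.recv()
            if chunk == "":
                raise ConnectionError("session closed while waiting for " + prompt.pattern)
            self.buf += chunk.replace("\r", "")
        out, self.buf = self.buf, ""
        return out
    def run(self, line, prompt, secret=False):
        self.sent.append("<password>" if secret else line)   # never record secrets
        self.t.send(line + "\r\n")
        return self.expect(prompt)

def swap_static(transport, login_pw, enable_pw, old_ip, new_ip):
    """Move the 1:1 static from old_ip to new_ip and save. Returns the lines sent."""
    # Accept only real addresses so a bad argument cannot inject extra CLI text.
    old_ip, new_ip = str(ipaddress.ip_address(old_ip)), str(ipaddress.ip_address(new_ip))
    s = PixSession(transport)
    s.expect(PASSWORD_PROMPT)                        # telnet login banner
    s.run(login_pw, PROMPT_USER, secret=True)
    s.run("enable", PASSWORD_PROMPT)
    s.run(enable_pw, PROMPT_ENABLE, secret=True)
    s.run("configure terminal", PROMPT_CONFIG)
    static = "static (inside,outside) interface %s netmask 255.255.255.255 0 0"
    s.run("no " + static % old_ip, PROMPT_CONFIG)
    s.run(static % new_ip, PROMPT_CONFIG)
    s.run("clear xlate", PROMPT_CONFIG)              # drop translations still bound to old_ip
    out = s.run("write mem", PROMPT_CONFIG)
    if "[OK]" not in out:
        raise RuntimeError("write mem did not report [OK]:\n" + out)
    return s.sent

class FakePix:
    """Constructed stand-in for the PIX CLI (not a real device): echoes commands like telnet, keeps statics."""
    PROMPTS = {"user": "pixfirewall> ", "enable": "pixfirewall# ", "config": "pixfirewall(config)# "}
    def __init__(self, login_pw, enable_pw, statics):
        self.login_pw, self.enable_pw, self.statics = login_pw, enable_pw, list(statics)
        self.mode, self.saved, self.xlate_cleared = "login", False, False
        self.pending = "\r\nUser Access Verification\r\n\r\nPassword: "
    def recv(self):
        out, self.pending = self.pending, ""
        return out
    def send(self, text):
        line = text.strip()
        if self.mode in ("login", "enable-password"):    # password entry is not echoed
            expected = self.login_pw if self.mode == "login" else self.enable_pw
            self.mode = ("user" if self.mode == "login" else "enable") if line == expected else self.mode
            self.pending = "\r\n" + self.PROMPTS.get(self.mode, "Password: ")
        elif self.mode == "user":
            self.mode = "enable-password" if line == "enable" else "user"
            self.pending = line + "\r\n" + self.PROMPTS.get(self.mode, "Password: ")
        else:                                            # enable/config: echo, execute, prompt
            self.pending = line + "\r\n" + self.execute(line) + self.PROMPTS[self.mode]
    def execute(self, line):
        if line == "configure terminal":
            self.mode = "config"
        elif line.startswith("no static "):
            self.statics = [s for s in self.statics if s != line[3:]]
        elif line.startswith("static "):
            self.statics.append(line)
        elif line == "clear xlate":
            self.xlate_cleared = True
        elif line == "write mem":
            self.saved = True
            return "Building configuration...\r\nCryptochecksum: 00000000 00000000 00000000 00000000\r\n[OK]\r\n"
        return ""

def demo():
    """Run the swap against FakePix with constructed addresses; returns (pix, lines sent)."""
    old, new = "192.168.9.25", "192.168.9.26"
    pix = FakePix("cisco", "cisco", ["static (inside,outside) interface %s netmask 255.255.255.255 0 0" % old])
    return pix, swap_static(pix, "cisco", "cisco", old, new)
```

Heartbeat would call `swap_static(SocketTransport("192.168.9.252"), pw, pw, old, new)` from its resource script on the node that just took over; a wrong password or a dropped connection raises instead of hanging, which is what a failover hook needs.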
 
LVL 5

Author Closing Comment

by:Pyromanci
ID: 38412896
The script seems like it will work just fine. I can foresee some possible future problems, but those are not critical and can be easily dealt with when they arise.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38414071
Looking good, adding it to my knowledge base :)

And, of course, thx 4 the points.
0
