Re: [asterisk-users] Cisco PIX firewall and nat=yes

Wed, 23 Aug 2006 09:30:35 -0700

If you are running a new version of PIX sw (6.3.4 or 6.3.5), then leave fixup on and set "nat=no". The PIX is the only firewall that I have seen that truly does nat correctly. It nat's both the source and dest inside the packet. You can even do reinvite with multiple phones behind a PIX and it works correctly. One other thing to check. If you have qualify off, then you need to set the phone to re-register in less time that the SIP timeout value in the PIX. For example, if the timeout is 10 mins, then the phone needs to have a register value less than 10 mins. 

Scott Pinhorne wrote:

Hi

I use a PIX 515 and had a similar problem when I started.

I turned on the fixup for SIP (as well as having nat in sip entry) and 
it seems to do the trick for me.


Good Luck
SP

Bill Gibbs wrote:

Also the phone can dial out from behind the PIX…but obviously not 
receive calls.



 


Bill


 


------------------------------------------------------------------------


*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Bill 
Gibbs

*Sent:* Wednesday, August 23, 2006 11:53 AM
*To:* Asterisk Users Mailing List - Non-Commercial Discussion
*Subject:* [asterisk-users] Cisco PIX firewall and nat=yes


 

I have a Polycom 501 that works great from behind simple firewalls, 
like Dlink, etc however behind a Cisco PIX Firewall I see the register 
messages for the extensions on the Asterisk CLI but when I do a sip 
show peers I see:



 


702/702                    x.x.x.x     D   N      54297    UNREACHABLE

701/701                    x.x.x.x     D   N      54297    UNREACHABLE

700/700                    x.x.x.x     D   N      54297    UNREACHABLE


 


But I see stuff like

n       Registered SIP '702' at x.x.x.x port 54297 expires 60


 

I have a single phone with multiple extensions in the example above.  
As a test I changed that phone to a single extension (700), I see the 
Registered line but it still says UNREACHABLE.



 

I know the Asterisk config is good because every device (soft, hard 
phone) works and I know the NAT works because I’ve tested that out.



 


So…I’m thinking it has something to do with the PIX.  Any ideas?


 


Bill


------------------------------------------------------------------------

_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users




--

Network stuff you didn't know....
http://www.networkoblivion.com

_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users






















					Reply via email to