Very cool, I believe that did the trick. Thank you for your time.

On Sat, Oct 18, 2008 at 7:42 PM, Darryl Dunkin <[EMAIL PROTECTED]> wrote:
> Oh, you are using ip inspect as well.
>
> I have this setup on a few routers when using the FW feature set:
> ip inspect udp idle-time 900
>
> -----Original Message-----
> From: Stephen Reese [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, October 18, 2008 14:41
> To: Asterisk Users Mailing List - Non-Commercial Discussion; Darryl Dunkin
> Subject: Re: [asterisk-users] Cisco 7960 not always receiving incoming calls
>
> I tried increasing the value and even set it to never and added the
> qualify line, but that did not help. Do I need to poke any holes in the
> firewall on the NAT device for the UDP traffic to stay persistent? I
> have included my router's configuration in case someone notices
> something I may need to make the connection work correctly. Also, when
> I call the phone within the "OK" reachable time, after the call
> disconnects the status immediately becomes "UNREACHABLE".
>
> ns1*CLI> sip show peers
> Name/username            Host             Dyn Nat ACL Port  Status
> vitel-outbound/rsreese   64.2.142.22                  5060  Unmonitored
> vitel-inbound/rsreese    64.2.142.116                 5060  Unmonitored
> 101/101                  68.156.63.118    D   N       1038  UNREACHABLE
> 3 sip peers [Monitored: 0 online, 1 offline Unmonitored: 2 online, 0 offline]
>
> [Oct 18 16:55:09] NOTICE[21216]: chan_sip.c:15231 handle_response_peerpoke: Peer '101' is now Reachable. (217ms / 2000ms)
>
> ns1*CLI> sip show peers
> Name/username            Host             Dyn Nat ACL Port  Status
> vitel-outbound/rsreese   64.2.142.22                  5060  Unmonitored
> vitel-inbound/rsreese    64.2.142.116                 5060  Unmonitored
> 101/101                  68.156.63.118    D   N       1038  OK (217 ms)
> 3 sip peers [Monitored: 1 online, 0 offline Unmonitored: 2 online, 0 offline]
>
> [Oct 18 17:24:16] NOTICE[21216]: chan_sip.c:19339 sip_poke_noanswer: Peer '101' is now UNREACHABLE! Last qualify: 134
>
> CISCO CONF FOLLOWS:
>
>
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime
> service password-encryption
> !
> hostname 3725router
> !
> boot-start-marker
> boot system flash:/c3725-adventerprisek9-mz.124-21.bin
> boot-end-marker
> !
> logging buffered 8192 debugging
> logging console informational
> enable secret 5
> !
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication ppp default local
> aaa authorization exec default local
> aaa authorization network default local
> !
> aaa session-id common
> clock timezone EST -5
> clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
> network-clock-participate slot 1
> network-clock-participate slot 2
> no ip source-route
> !
> ip traffic-export profile IDS-SNORT
>  interface FastEthernet0/0
>  bidirectional
>  mac-address 000c.2989.f93a
> ip cef
> !
> !
> no ip dhcp use vrf connected
> ip dhcp excluded-address 172.16.2.1
> ip dhcp excluded-address 172.16.3.1
> !
> ip dhcp pool VLAN2clients
>  network 172.16.2.0 255.255.255.0
>  default-router 172.16.2.1
>  dns-server 205.152.144.23 205.152.132.23
>  option 66 ip 172.16.2.10
>  option 150 ip 172.16.2.10
> !
> ip dhcp pool VLAN3clients
>  network 172.16.3.0 255.255.255.0
>  default-router 172.16.3.1
>  dns-server 205.152.144.23 205.152.132.23
> !
> !
> ip domain name neocipher.net
> ip name-server 205.152.144.23
> ip name-server 205.152.132.23
> ip inspect name SDM_LOW cuseeme
> ip inspect name SDM_LOW dns
> ip inspect name SDM_LOW ftp
> ip inspect name SDM_LOW h323
> ip inspect name SDM_LOW https
> ip inspect name SDM_LOW icmp
> ip inspect name SDM_LOW netshow
> ip inspect name SDM_LOW rcmd
> ip inspect name SDM_LOW realaudio
> ip inspect name SDM_LOW rtsp
> ip inspect name SDM_LOW sqlnet
> ip inspect name SDM_LOW streamworks
> ip inspect name SDM_LOW tftp
> ip inspect name SDM_LOW tcp
> ip inspect name SDM_LOW udp
> ip inspect name SDM_LOW vdolive
> ip inspect name SDM_LOW imap
> ip inspect name SDM_LOW pop3
> ip inspect name SDM_LOW esmtp
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> ip ips sdf location flash://256MB.sdf
> ip ips notify SDEE
> ip ips name sdm_ips_rule
> vpdn enable
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> crypto pki trustpoint TP-self-signed-995375956
>  enrollment selfsigned
>  subject-name cn=IOS-Self-Signed-Certificate-995375956
>  revocation-check none
>  rsakeypair TP-self-signed-995375956
> !
> !
> crypto pki certificate chain TP-self-signed-995375956
>  certificate self-signed 01
>
>   quit
> username user privilege 15 secret 5
> !
> !
> ip ssh authentication-retries 2
> !
> !
> crypto isakmp policy 3
>  encr 3des
>  authentication pre-share
>  group 2
> !
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key cisco address 10.0.0.2 no-xauth
> !
> crypto isakmp client configuration group VPN-Users
>  key
>  dns 2
>  domain neocipher.net
>  pool VPN_POOL
>  acl 115
>  include-local-lan
>  netmask 255.255.255.0
> crypto isakmp profile IKE-PROFILE
>  match identity group VPN-Users
>  client authentication list default
>  isakmp authorization list default
>  client configuration address initiate
>  client configuration address respond
>  virtual-template 1
> !
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile IPSEC_PROFILE1
>  set transform-set ESP-3DES-SHA
>  set isakmp-profile IKE-PROFILE
> !
> !
> crypto dynamic-map DYNMAP 10
>  set transform-set ESP-3DES-SHA
> !
> !
> crypto map CLIENTMAP client authentication list default
> crypto map CLIENTMAP isakmp authorization list default
> crypto map CLIENTMAP client configuration address respond
> crypto map CLIENTMAP 1 ipsec-isakmp
>  set peer 10.0.0.2
>  set transform-set ESP-3DES-SHA
>  match address 100
> crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
> !
> !
> !
> !
> interface Loopback0
>  ip address 192.168.0.1 255.255.255.0
>  no ip unreachables
>  ip virtual-reassembly
> !
> interface Tunnel0
>  description HE.net
>  no ip address
>  ipv6 address
>  ipv6 enable
>  tunnel source FastEthernet0/0
>  tunnel destination
>  tunnel mode ipv6ip
> !
> interface Null0
>  no ip unreachables
> !
> interface FastEthernet0/0
>  description $ETH-WAN$$FW_OUTSIDE$
>  ip address dhcp client-id FastEthernet0/0 hostname 3725router
>  ip access-group 104 in
>  no ip unreachables
>  ip nat outside
>  ip inspect SDM_LOW out
>  ip ips sdm_ips_rule in
>  ip virtual-reassembly
>  speed 100
>  full-duplex
>  crypto map CLIENTMAP
> !
> interface Serial0/0
>  description $FW_OUTSIDE$
>  ip address 10.0.0.1 255.255.240.0
>  ip access-group 105 in
>  ip verify unicast reverse-path
>  no ip unreachables
>  ip inspect SDM_LOW out
>  ip virtual-reassembly
>  clock rate 2000000
>  crypto map CLIENTMAP
> !
> interface FastEthernet0/1
>  no ip address
>  no ip unreachables
>  ip virtual-reassembly
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1.2
>  description $FW_INSIDE$
>  encapsulation dot1Q 2
>  ip address 172.16.2.1 255.255.255.0
>  ip access-group 101 in
>  no ip unreachables
>  ip nat inside
>  ip virtual-reassembly
>  crypto map CLIENTMAP
> !
> interface FastEthernet0/1.3
>  description $FW_INSIDE$
>  encapsulation dot1Q 3
>  ip address 172.16.3.1 255.255.255.0
>  ip access-group 102 in
>  no ip unreachables
>  ip nat inside
>  ip virtual-reassembly
> !
> interface FastEthernet0/1.10
> !
> interface Serial0/1
>  no ip address
>  no ip unreachables
>  shutdown
>  clock rate 2000000
> !
> interface Virtual-Template1 type tunnel
>  description $FW_INSIDE$
>  ip unnumbered Loopback0
>  ip access-group 103 in
>  no ip unreachables
>  ip virtual-reassembly
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile IPSEC_PROFILE1
> !
> ip local pool VPN_POOL 192.168.0.100 192.168.0.105
> ip forward-protocol nd
> ip route 172.16.10.0 255.255.255.0 10.0.0.2
> !
> !
> ip http server
> ip http authentication local
> ip http secure-server
> ip http timeout-policy idle 600 life 86400 requests 10000
> ip nat translation udp-timeout never
> ip nat inside source list 1 interface FastEthernet0/0 overload
> !
> logging trap debugging
> logging origin-id hostname
> logging 172.16.2.5
> access-list 1 permit 172.16.2.0 0.0.0.255
> access-list 1 permit 172.16.3.0 0.0.0.255
> access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
> access-list 101 remark auto generated by SDM firewall configuration
> access-list 101 remark SDM_ACL Category=1
> access-list 101 permit ahp any host 172.16.2.1
> access-list 101 permit esp any host 172.16.2.1
> access-list 101 permit udp any host 172.16.2.1 eq isakmp
> access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
> access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
> access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
> access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
> access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
> access-list 101 deny ip host 255.255.255.255 any log
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
> access-list 101 deny tcp any any range 1 chargen log
> access-list 101 deny tcp any any eq whois log
> access-list 101 deny tcp any any eq 93 log
> access-list 101 deny tcp any any range 135 139 log
> access-list 101 deny tcp any any eq 445 log
> access-list 101 deny tcp any any range exec 518 log
> access-list 101 deny tcp any any eq uucp log
> access-list 101 permit ip any any
> access-list 102 remark auto generated by SDM firewall configuration
> access-list 102 remark SDM_ACL Category=1
> access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
> access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
> access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
> access-list 102 deny ip host 255.255.255.255 any log
> access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
> access-list 102 permit ip any any
> access-list 103 remark auto generated by SDM firewall configuration
> access-list 103 remark SDM_ACL Category=1
> access-list 103 deny ip 172.16.2.0 0.0.0.255 any
> access-list 103 deny ip 10.0.0.0 0.0.15.255 any
> access-list 103 deny ip 172.16.3.0 0.0.0.255 any
> access-list 103 deny ip host 255.255.255.255 any
> access-list 103 deny ip 127.0.0.0 0.255.255.255 any
> access-list 103 permit ip any any
> access-list 104 remark auto generated by SDM firewall configuration
> access-list 104 remark SDM_ACL Category=1
> access-list 104 permit udp host 205.152.132.23 eq domain any
> access-list 104 permit udp host 205.152.144.23 eq domain any
> access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
> access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
> access-list 104 permit ahp any any
> access-list 104 permit esp any any
> access-list 104 permit udp any any eq isakmp
> access-list 104 permit udp any any eq non500-isakmp
> access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
> access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
> access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
> access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
> access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
> access-list 104 permit udp any eq bootps any eq bootpc
> access-list 104 permit icmp any any echo-reply
> access-list 104 permit icmp any any time-exceeded
> access-list 104 permit icmp any any unreachable
> access-list 104 deny icmp any any echo log
> access-list 104 deny icmp any any mask-request log
> access-list 104 deny icmp any any redirect log
> access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
> access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
> access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
> access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
> access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
> access-list 104 deny ip host 255.255.255.255 any log
> access-list 104 deny tcp any any range 6000 6063 log
> access-list 104 deny tcp any any eq 6667 log
> access-list 104 deny tcp any any range 12345 12346 log
> access-list 104 deny tcp any any eq 31337 log
> access-list 104 deny udp any any eq 2049 log
> access-list 104 deny udp any any eq 31337 log
> access-list 104 deny udp any any range 33400 34400 log
> access-list 104 deny ip any any log
> access-list 105 remark auto generated by SDM firewall configuration
> access-list 105 remark SDM_ACL Category=1
> access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
> access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
> access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
> access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
> access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
> access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
> access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
> access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
> access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
> access-list 105 deny ip 172.16.2.0 0.0.0.255 any
> access-list 105 deny ip 192.168.0.0 0.0.0.255 any
> access-list 105 deny ip 172.16.3.0 0.0.0.255 any
> access-list 105 permit icmp any host 10.0.0.1 echo-reply
> access-list 105 permit icmp any host 10.0.0.1 time-exceeded
> access-list 105 permit icmp any host 10.0.0.1 unreachable
> access-list 105 deny ip 10.0.0.0 0.255.255.255 any
> access-list 105 deny ip 172.16.0.0 0.15.255.255 any
> access-list 105 deny ip 192.168.0.0 0.0.255.255 any
> access-list 105 deny ip 127.0.0.0 0.255.255.255 any
> access-list 105 deny ip host 255.255.255.255 any
> access-list 105 deny ip host 0.0.0.0 any
> access-list 105 deny ip any any log
> access-list 115 permit ip 172.16.0.0 0.0.255.255 any
> access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
> access-list 120 permit ip 172.16.0.0 0.0.255.255 any
> snmp-server community public RO
> ipv6 route ::/0 Tunnel0
> !
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  password 7 05080F1C2243
>  transport input ssh
> line vty 5 903
>  transport input ssh
> !
> ntp clock-period 17180643
> ntp server 129.6.15.29 source FastEthernet0/0 prefer
> !
> end
>
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
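As an added example (not code from the thread or from Cisco/Asterisk), here is a small Python lint for the mismatch the thread diagnosed: `ip nat translation udp-timeout never` keeps the NAT entry, but CBAC (`ip inspect`) on the same outside interface still tears down an idle UDP session after its default 30 seconds, so the phone's registration pinhole closes between Asterisk's qualify probes unless `ip inspect udp idle-time` is raised. The config excerpt is constructed to mirror the quoted router, and the 60-second keepalive (Asterisk's default qualify interval) and the IOS default timers are assumptions stated in the code.

```python
import re

CBAC_UDP_IDLE_DEFAULT = 30     # IOS default for 'ip inspect udp idle-time' (seconds), assumed
NAT_UDP_TIMEOUT_DEFAULT = 300  # IOS default for 'ip nat translation udp-timeout' (seconds), assumed

# Constructed excerpt modelled on the router config quoted in the thread (not the real file).
BROKEN_CONFIG = """\
ip inspect name SDM_LOW udp
interface FastEthernet0/0
 ip nat outside
 ip inspect SDM_LOW out
interface FastEthernet0/1.2
 ip nat inside
ip nat translation udp-timeout never
"""
FIXED_CONFIG = "ip inspect udp idle-time 900\n" + BROKEN_CONFIG  # plus the line Darryl suggested

def _seconds(value):
    """'never' keeps the translation forever; anything else is an integer of seconds."""
    return float("inf") if value == "never" else int(value)

def udp_state_limits(config):
    """Return (nat_udp_timeout, inspect_udp_idle, interfaces), where interfaces
    are those that both NAT traffic ('ip nat outside') and inspect it outbound."""
    nat, inspect = NAT_UDP_TIMEOUT_DEFAULT, CBAC_UDP_IDLE_DEFAULT
    blocks, current = {}, None
    for line in config.splitlines():
        cmd = line.strip()
        if line.startswith(" ") and current is not None:   # interface sub-command
            blocks[current].add(cmd)
            continue
        current = None                                      # back at global config level
        if m := re.fullmatch(r"interface (\S+)", cmd):
            current = m.group(1)
            blocks[current] = set()
        elif m := re.fullmatch(r"ip nat translation udp-timeout (never|\d+)", cmd):
            nat = _seconds(m.group(1))
        elif m := re.fullmatch(r"ip inspect udp idle-time (\d+)", cmd):
            inspect = int(m.group(1))
    interfaces = [name for name, cmds in blocks.items()
                  if "ip nat outside" in cmds
                  and any(re.fullmatch(r"ip inspect \S+ out", c) for c in cmds)]
    return nat, inspect, interfaces

def pinhole_survives(config, keepalive_s=60):
    """True if a keepalive every keepalive_s seconds (Asterisk's default qualify
    interval, assumed) refreshes state before the shortest UDP idle timer expires."""
    nat, inspect, inspected = udp_state_limits(config)
    limit = min(nat, inspect) if inspected else nat  # CBAC only matters where it is applied
    return keepalive_s < limit
```

Run against the broken excerpt the effective limit is 30 s, so a 60 s qualify cannot keep the pinhole open even though NAT is set to never expire; with the idle-time line added the limit becomes 900 s and the peer stays reachable.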
