[asterisk-users] Cisco 7971 behind NAT
Hi all,

does anyone have any luck using a Cisco 7971 (SIP) behind NAT with two different accounts on the same server (i.e. two different extensions)? I am using Cisco-CP7971G-GE/8.3.0 and asterisk V1.4.something.

The phone sends SIP packets from a high-numbered UDP port but expects a reply on port 5060. Fine, I do some magic with iptables to rewrite the packets (which limits me to one phone at that location, unless I'm mistaken).

Incoming calls work fine on both accounts, but outgoing calls work only from the most recently registered account (the order is random due to timing) since both appear to asterisk as IP:5060. An outgoing call from the other account is rejected with an authentication mismatch, which makes sense. Asterisk matches the most recently registered peer by IP/port and if the user name differs, it complains, even if the password is the same for both accounts.

So, is this the worst SIP implementation ever in those Cisco 7971's or am I doing something very wrong here? Technically even without NAT this confusion would occur as both accounts use IP:5060 so Asterisk cannot tell them apart during the initial peer matching stage. Of course the source port the Cisco selects is different with every dialog, so that doesn't help either.

Any input would be appreciated before I throw that phone out of the window.

Thanks,
Luki

___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Cisco 7971 behind NAT
You need to enable SIP transformations on the firewall, the packets will have to be dynamically re-written to handle multiple Cisco phones of these models. Be sure 'nat=no' is set in sip.conf for the phones as well, or Asterisk will reply to the incorrect ports (source instead of the mangled contact header).

In this case, you'll need to compile in the SIP connection tracking/NAT bits in the kernel, they should be able to mangle the packets appropriately. I have never tested this, as all my deployments have hardware firewalls with SIP support built-in.

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Luki
Sent: Monday, November 16, 2009 20:30
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Cisco 7971 behind NAT

Hi all,

does anyone have any luck using a Cisco 7971 (SIP) behind NAT with two different accounts on the same server (i.e. two different extensions)? I am using Cisco-CP7971G-GE/8.3.0 and asterisk V1.4.something.

The phone sends SIP packets from a high-numbered UDP port but expects a reply on port 5060. Fine, I do some magic with iptables to rewrite the packets (which limits me to one phone at that location, unless I'm mistaken).

Incoming calls work fine on both accounts, but outgoing calls work only from the most recently registered account (the order is random due to timing) since both appear to asterisk as IP:5060. An outgoing call from the other account is rejected with an authentication mismatch, which makes sense. Asterisk matches the most recently registered peer by IP/port and if the user name differs, it complains, even if the password is the same for both accounts.

So, is this the worst SIP implementation ever in those Cisco 7971's or am I doing something very wrong here? Technically even without NAT this confusion would occur as both accounts use IP:5060 so Asterisk cannot tell them apart during the initial peer matching stage. Of course the source port the Cisco selects is different with every dialog, so that doesn't help either.

Any input would be appreciated before I throw that phone out of the window.

Thanks,
Luki
Re: [asterisk-users] Cisco 7971 behind NAT
Darryl,

OK, that could work but it makes the use of these phones behind consumer routers rather impossible. How many of those will inspect and transform SIP packets?

Oh why does Cisco have to do things differently from everyone else...

Luki

2009/11/16 Darryl Dunkin ddun...@netos.net:
> You need to enable SIP transformations on the firewall, the packets will have to be dynamically re-written to handle multiple Cisco phones of these models. Be sure 'nat=no' is set in sip.conf for the phones as well, or Asterisk will reply to the incorrect ports (source instead of the mangled contact header).
>
> In this case, you'll need to compile in the SIP connection tracking/NAT bits in the kernel, they should be able to mangle the packets appropriately. I have never tested this, as all my deployments have hardware firewalls with SIP support built-in.
Re: [asterisk-users] Cisco 7971 behind NAT
On Mon, Nov 16, 2009 at 10:53 PM, Luki lugos...@gmail.com wrote:
> Darryl,
>
> OK, that could work but it makes the use of these phones behind consumer routers rather impossible. How many of those will inspect and transform SIP packets?
>
> Oh why does Cisco have to do things differently from everyone else...
>
> Luki
>
> 2009/11/16 Darryl Dunkin ddun...@netos.net:
> > You need to enable SIP transformations on the firewall, the packets will have to be dynamically re-written to handle multiple Cisco phones of these models. Be sure 'nat=no' is set in sip.conf for the phones as well, or Asterisk will reply to the incorrect ports (source instead of the mangled contact header).
> >
> > In this case, you'll need to compile in the SIP connection tracking/NAT bits in the kernel, they should be able to mangle the packets appropriately. I have never tested this, as all my deployments have hardware firewalls with SIP support built-in.

I use two accounts on a Cisco 7941 at home that is connected to my asterisk server running at a datacenter. My home has NAT, my asterisk server does not. I do not need to do any of the packet mangling stuff, just set nat=no in the sip.conf entry for the Cisco phone. Not sure how much different the 7971 is though...

--
Thanks,
--Warren Selby
http://www.selbytech.com
Re: [asterisk-users] Cisco 7971
Matthew Gibson wrote:
> http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+md5secret
>
> then in your sip.conf
>
> [ext]
> ...
> ;secret=123
> md5secret=MD5SECRET

Hey Martin, thanks for your response... Still no dice:

Quick questions... Where are the following coming from? Is this something you placed, something generated, if so by what, CCM, the phone itself.

<authenticationURL>http://YOUR.PBX.IP.HERE/cisco/authenticate.php</authenticationURL>
<directoryURL>http://YOUR.PBX.IP.HERE/cisco/directory.php</directoryURL>
<informationURL>http://YOUR.PBX.IP.HERE/cisco/help.php</informationURL>
<servicesURL>http://YOUR.PBX.IP.HERE/cisco/services.php</servicesURL>

Second...

<loadInformation>SIP70.8-3-3S</loadInformation>

I don't have SIP70.8-3-3s I have term71.default.loads which includes all images listed inside the file:

# cat term71.default.loads
# This file contains a list of archive image files that will be requested by the
# RELEASE load version 8-3-3ES2
#
jar70sip.8-3-3ES2.sbn
cnu70.8-3-3ES2.sbn
apps70.8-3-3ES2.sbn
dsp70.8-3-3ES2.sbn
cvm70sip.8-3-3ES2.sbn

I tried posting both term71.default and cvm70sip.8-3-3ES2

<loadInformation>term71.default</loadInformation>
<loadInformation>cvm70sip.8-3-3ES2</loadInformation>

For NAT, when I have it set to true on SEP.xml, phone registers and this is what happens in the course of 5 seconds:

<natReceivedProcessing>true</natReceivedProcessing>
<natEnabled>true</natEnabled>

-- Registered SIP '9' at 64.xxx.xxx.xx port 49344 expires 3600
-- Saved useragent Cisco-CP7971G-GE/8.3.0 for peer 9
[Mar 31 07:17:02] NOTICE[2743]: chan_sip.c:15322 sip_poke_noanswer: Peer '9' is now UNREACHABLE! Last qualify: 0

On sip show peer: (truncated)

ToHost : 64.xxx.xxx.xx
Addr-IP : 64.xxx.xxx.xx Port 49344
Defaddr-IP : 0.0.0.0 Port 5060
Def. Username: 123
SIP Options : (none)
Codecs : 0x104 (ulaw|g729)
Codec Order : (g729:20,ulaw:20)
Auto-Framing: No
Status : UNREACHABLE
Useragent: Cisco-CP7971G-GE/8.3.0
Reg. Contact : sip:[EMAIL PROTECTED]:5060;transport=udp

So I set contact to match:

astterm*CLI>
-- Registered SIP '9' at 192.168.1.145 port 5060 expires 3600
-- Saved useragent Cisco-CP7971G-GE/8.3.0 for peer 9
[Mar 31 07:28:12] NOTICE[2743]: chan_sip.c:15322 sip_poke_noanswer: Peer '9' is now UNREACHABLE! Last qualify: 0

Now it matches but the same disconnect occurs:

sip show peer truncated

ToHost : 64.xxx.xxx.xx
Addr-IP : 192.168.1.145 Port 5060
Defaddr-IP : 0.0.0.0 Port 5060
Def. Username: 9
SIP Options : (none)
Codecs : 0x104 (ulaw|g729)
Codec Order : (g729:20,ulaw:20)
Auto-Framing: No
Status : UNREACHABLE
Useragent: Cisco-CP7971G-GE/8.3.0
Reg. Contact : sip:[EMAIL PROTECTED]:5060;transport=udp

About to kick this 7971 ;) Nope, no firewall, clean connection, and no NAT is being used period. Most appreciated response if any. I'm definitely scratching my head on this one. 7970's I have working fine, never had a problem getting those to work. I'm wondering if it's the sip firmware version I'm using at this point.

J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)
wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x3AC173DB
Re: [asterisk-users] Cisco 7971
Make sure you are using md5secret for your password, and turn off the regular secret.

Here's my file working on a 7970 with SIP 8.3.3

<device>
  <deviceProtocol>SIP</deviceProtocol>
  <sshUserId>root</sshUserId>
  <sshPassword>supersecretone</sshPassword>
  <devicePool>
    <dateTimeSetting>
      <dateTemplate>M/D/Ya</dateTemplate>
      <timeZone>Eastern Standard/Daylight Time</timeZone>
      <ntps>
        <ntp>
          <name>136.159.2.2</name>
          <ntpMode>Unicast</ntpMode>
        </ntp>
        <ntp>
          <name>192.43.244.18</name>
          <ntpMode>Unicast</ntpMode>
        </ntp>
      </ntps>
    </dateTimeSetting>
    <callManagerGroup>
      <tftpDefault>true</tftpDefault>
      <members>
        <member priority="0">
          <callManager>
            <name>YOUR.PBX.IP.HERE</name>
            <description>AsterPBX</description>
            <ports>
              <ethernetPhonePort>2000</ethernetPhonePort>
              <sipPort>5060</sipPort>
              <securedSipPort>5061</securedSipPort>
            </ports>
            <processNodeName>YOUR.PBX.IP.HERE</processNodeName>
          </callManager>
        </member>
      </members>
    </callManagerGroup>
    <mlppDomainId>-1</mlppDomainId>
    <mlppIndicationStatus>Default</mlppIndicationStatus>
    <preemption>Default</preemption>
    <connectionMonitorDuration>120</connectionMonitorDuration>
  </devicePool>
  <sipProfile>
    <sipProxies>
      <registerWithProxy>true</registerWithProxy>
    </sipProxies>
    <sipCallFeatures>
      <cnfJoinEnabled>true</cnfJoinEnabled>
      <callForwardURI>x-cisco-serviceuri-cfwdall</callForwardURI>
      <callPickupURI>x-cisco-serviceuri-pickup</callPickupURI>
      <callPickupListURI>x-cisco-serviceuri-opickup</callPickupListURI>
      <callPickupGroupURI>x-cisco-serviceuri-gpickup</callPickupGroupURI>
      <meetMeServiceURI>x-cisco-serviceuri-meetme</meetMeServiceURI>
      <abbreviatedDialURI>x-cisco-serviceuri-abbrdial</abbreviatedDialURI>
      <rfc2543Hold>true</rfc2543Hold>
      <callHoldRingback>2</callHoldRingback>
      <localCfwdEnable>true</localCfwdEnable>
      <semiAttendedTransfer>true</semiAttendedTransfer>
      <anonymousCallBlock>2</anonymousCallBlock>
      <callerIdBlocking>2</callerIdBlocking>
      <dndControl>1</dndControl>
      <remoteCcEnable>true</remoteCcEnable>
    </sipCallFeatures>
    <sipStack>
      <sipInviteRetx>6</sipInviteRetx>
      <sipRetx>10</sipRetx>
      <timerInviteExpires>180</timerInviteExpires>
      <timerRegisterExpires>3600</timerRegisterExpires>
      <timerRegisterDelta>5</timerRegisterDelta>
      <timerKeepAliveExpires>120</timerKeepAliveExpires>
      <timerSubscribeExpires>120</timerSubscribeExpires>
      <timerSubscribeDelta>5</timerSubscribeDelta>
      <timerT1>500</timerT1>
      <timerT2>4000</timerT2>
      <maxRedirects>70</maxRedirects>
      <remotePartyID>true</remotePartyID>
      <userInfo>None</userInfo>
    </sipStack>
    <autoAnswerTimer>1</autoAnswerTimer>
    <autoAnswerAltBehavior>false</autoAnswerAltBehavior>
    <autoAnswerOverride>true</autoAnswerOverride>
    <transferOnhookEnabled>false</transferOnhookEnabled>
    <enableVad>false</enableVad>
    <preferredCodec>g711u</preferredCodec>
    <dtmfAvtPayload>101</dtmfAvtPayload>
    <dtmfDbLevel>3</dtmfDbLevel>
    <dtmfOutofBand>avt</dtmfOutofBand>
    <alwaysUsePrimeLine>false</alwaysUsePrimeLine>
    <alwaysUsePrimeLineVoiceMail>false</alwaysUsePrimeLineVoiceMail>
    <kpml>3</kpml>
    <phoneLabel>Flewid Inc</phoneLabel>
    <stutterMsgWaiting>1</stutterMsgWaiting>
    <callStats>false</callStats>
    <offhookToFirstDigitTimer>15000</offhookToFirstDigitTimer>
    <silentPeriodBetweenCallWaitingBursts>10</silentPeriodBetweenCallWaitingBursts>
    <disableLocalSpeedDialConfig>false</disableLocalSpeedDialConfig>
    <startMediaPort>16384</startMediaPort>
    <stopMediaPort>32766</stopMediaPort>
    <sipLines>
      <line button="1">
        <featureID>9</featureID>
        <featureLabel>x123 - Line 1</featureLabel>
        <proxy>YOUR.PBX.IP.HERE</proxy>
        <name>123</name>
        <displayName>Your Name</displayName>
        <autoAnswer>
          <autoAnswerEnabled>2</autoAnswerEnabled>
        </autoAnswer>
        <callWaiting>3</callWaiting>
        <authName>123</authName>
        <authPassword>321</authPassword>
        <sharedLine>false</sharedLine>
        <messageWaitingLampPolicy>1</messageWaitingLampPolicy>
        <messagesNumber>*98</messagesNumber>
        <ringSettingIdle>4</ringSettingIdle>
        <ringSettingActive>5</ringSettingActive>
        <contact>123</contact>
        <forwardCallInfoDisplay>
Re: [asterisk-users] Cisco 7971
On Sat, 2008-03-29 at 05:25 -0400, Matthew Gibson wrote:
> Make sure you are using md5secret for your password, and turn off the regular secret. Here's my file working on a 7970 with SIP 8.3.3
> [snip big cisco config file]

Maybe it has a different name but I don't see any option containing md5 in the config you pasted. What is the md5 option called? I would like to setup md5 authentication between my 7961 on SIP 8.3.3 with Asterisk 1.4.18.

Thanks,
Patrick
Re: [asterisk-users] Cisco 7971
http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+md5secret

then in your sip.conf

[ext]
...
;secret=123
md5secret=MD5SECRET

Thanks,
Matt

On Sat, Mar 29, 2008 at 1:13 PM, Patrick [EMAIL PROTECTED] wrote:
> On Sat, 2008-03-29 at 05:25 -0400, Matthew Gibson wrote:
> > Make sure you are using md5secret for your password, and turn off the regular secret. Here's my file working on a 7970 with SIP 8.3.3
> > [snip big cisco config file]
>
> Maybe it has a different name but I don't see any option containing md5 in the config you pasted. What is the md5 option called? I would like to setup md5 authentication between my 7961 on SIP 8.3.3 with Asterisk 1.4.18.
>
> Thanks,
> Patrick
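The md5secret value discussed in the message above, worked through as an added example (not part of the original thread and not Asterisk's own code): md5secret holds the digest-authentication HA1 hash, MD5(username:realm:password), and a server can check a phone's Authorization header from that hash alone. Assumptions: the realm is chan_sip's default "asterisk", the nonce and URI are constructed sample values, all function names are hypothetical, and 123/321 are the authName/authPassword from the SEP file posted earlier in the thread.

```python
import hashlib
import hmac
import re

REALM = "asterisk"  # assumption: chan_sip default; must match realm= in sip.conf


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_md5secret(user, password, realm=REALM):
    """RFC 2617 HA1 = MD5(user:realm:password); this is what md5secret= holds."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """Digest response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(header):
    """Split 'Digest k="v", k2=v2' into a dict with lower-cased keys."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}


def server_accepts(header, method, issued_nonce, md5secrets):
    """Check a request using only stored md5secret values, no cleartext."""
    fields = parse_digest(header)
    ha1 = md5secrets.get(fields.get("username"))
    if ha1 is None or fields.get("realm") != REALM:
        return False
    if fields.get("nonce") != issued_nonce:
        return False  # nonce is not the one this server issued
    expected = digest_response(ha1, method, fields.get("uri", ""), issued_nonce)
    return hmac.compare_digest(expected.encode(), fields.get("response", "").encode())


def phone_header(user, password, method, uri, nonce):
    """Authorization value a phone with authName/authPassword would send."""
    response = digest_response(make_md5secret(user, password), method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')


if __name__ == "__main__":
    # Constructed sample; 123/321 are the authName/authPassword in the posted SEP file.
    nonce, uri = "4f2a9c1e", "sip:pbx.example.invalid"
    stored = {"123": make_md5secret("123", "321")}
    print("md5secret=" + stored["123"])
    good = phone_header("123", "321", "REGISTER", uri, nonce)
    print(server_accepts(good, "REGISTER", nonce, stored))
```

Because the response is derived from HA1 alone, an md5secret value is password-equivalent within its realm: it keeps the cleartext password out of sip.conf, but the file still needs the same restrictive permissions, and the hash stops matching if the realm is changed.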
Re: [asterisk-users] Cisco 7971
Matthew Gibson wrote:
> What are you trying to do? I run a 7970 here with SIP.

Get it to work ;) I can get the phone to register but something via way of NAT (I'm not using it) is getting in the way. I was hoping to find an example SEPxxx.xml file from someone using the 7971. Firmware is 8.3.3

--
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)
wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x3AC173DB
[asterisk-users] Cisco 7971
Anyone have some up-to-date (within the past 3 months) on Asterisk and the 7971. Searched voip-info, Google, etc., etc., to no avail. Documentation I found was scattered, vague. Thanks in advance.

--
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)
wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x3AC173DB
Re: [asterisk-users] Cisco 7971
What are you trying to do? I run a 7970 here with SIP.

Thanks,
Matt

On Thu, Mar 27, 2008 at 7:02 AM, J. Oquendo [EMAIL PROTECTED] wrote:
> Anyone have some up-to-date (within the past 3 months) on Asterisk and the 7971. Searched voip-info, Google, etc., etc., to no avail. Documentation I found was scattered, vague. Thanks in advance.
>
> --
> J. Oquendo
> SGFA #579 (FW+VPN v4.1)
> SGFE #574 (FW+VPN v4.1)
> wget -qO - www.infiltrated.net/sig|perl
> http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x3AC173DB