[cisco-voip] PIX configuration for SIP trunking

Voll, Scott Scott.Voll at wesd.org
Mon Jul 24 15:56:33 EDT 2006


At a minimum get rid of the static command:

No static (outside,inside) 10.96.3.11 64.161.xxx.xxx netmask 255.255.255.255 0 0

 

 

________________________________

From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of IT
Sent: Monday, July 24, 2006 12:52 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] PIX configuration for SIP trunking

 

So I have made a little more progress on my SIP trunk, and I think I
have narrowed down the issue to a pix configuration. Can someone please
post their PIX config (or revise mine) which allows a SIP trunk to make
it through to their CCM server behind the PIX?

 

So far, these are the lines I have which seem to matter.

 

fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol sip 5060
fixup protocol sip udp 5060

access-list outside_access remark Allowing inbound SIP trunk UDP
access-list outside_access permit udp any host eq 64.161.xxx.xxx 5060 log
access-list outside_access remark Allowing inbound SIP trunk TCP
access-list outside_access permit tcp any host 64.161.xxx.xxx eq 5060 log
access-list outside_access remark Allowing inbound h323 SIP trunk
access-list outside_access permit tcp any host 64.161.xxx.xxx eq h323 log

static (outside,inside) 10.96.3.11 64.161.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) 64.161.xxx.xxx 10.96.3.11 netmask 255.255.255.255 0 0

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

 

 

So, what am I missing?

 

Thanks,

Avidan

 

________________________________

From: IT 
Sent: Friday, July 21, 2006 4:41 PM
To: IT; 'Voll, Scott'; 'cisco-voip at puck.nether.net'
Subject: RE: [cisco-voip] My first SIP trunk

 

Allow me to rephrase: port 5060 is closed on TCP traffic, but
open|filtered for UDP traffic.

 

________________________________

From: IT 
Sent: Friday, July 21, 2006 4:37 PM
To: 'Voll, Scott'; IT; 'cisco-voip at puck.nether.net'
Subject: RE: [cisco-voip] My first SIP trunk

 

I have done the fixup protocol command. I ran an nmap port scan against my
CCM, and port 5060 is not open. Am I missing something? Do I need to
tell CCM to open the port? I just made the SIP trunk from the web
interface...

 

Here are the new logs:

10793: SIP::Found From addr "sip:3238604990 at 10.96.3.11" (25)

10794: SIP::Found To addr "sip:13239438822 at 4.79.212.236" (28)

10795: SIP::Found Call-ID f729fa00-1dc13710-b-b03600a at 10.96.3.11 (38)

10796: SIP::Found CSeq 101

            Found port 5060

10797: SIP::Embedded IP 4.79.212.236/5060

10798: NAT::NAT UDP 4.79.212.236/5060

            from inside:10.96.3.11/5060 to outside:4.79.212.236/5060

10799: NAT::table route: embedded host at outside:4.79.212.236/5060

10800: NAT::find/create NAT rule for outside:4.79.212.236/5060 to
outside:4.79.212.236

10801: NAT::receiver and embedded hosts on same interface

10802: NAT::embedded socket translates to outside:4.79.212.236/5060

            Found port 5060

10803: SIP::Embedded IP 10.96.3.11/5060

10804: NAT::NAT UDP 10.96.3.11/5060

            from inside:10.96.3.11/5060 to outside:4.79.212.236/5060

10805: NAT::reverse route: embedded host at inside:10.96.3.11/5060

10806: NAT::find/create NAT rule for inside:10.96.3.11/5060 to
outside:4.79.212.236

10807: NAT::inside NAT with current xlate

10808: NAT::embedded socket translates to outside:64.161.249.251/5060

10809: SIP::Embedded IP 10.96.3.11/0

10810: NAT::NAT UDP 10.96.3.11/0

            from inside:10.96.3.11/5060 to outside:4.79.212.236/5060

10811: NAT::reverse route: embedded host at inside:10.96.3.11/0

10812: NAT::find/create NAT rule for inside:10.96.3.11/0 to
outside:4.79.212.236

10813: NAT::inside NAT with current xlate

10814: NAT::embedded socket translates to outside:64.161.249.251/0

10815: SIP::Embedded IP 4.79.212.236/0

10816: NAT::NAT UDP 4.79.212.236/0

            from inside:10.96.3.11/5060 to outside:4.79.212.236/5060

10817: NAT::table route: embedded host at outside:4.79.212.236/0

10818: NAT::find/create NAT rule for outside:4.79.212.236/0 to
outside:4.79.212.236

10819: NAT::receiver and embedded hosts on same interface

10820: NAT::embedded socket translates to outside:4.79.212.236/0

10821: SIP::Embedded IP 10.96.3.11/0

10822: NAT::NAT UDP 10.96.3.11/0

            from inside:10.96.3.11/5060 to outside:4.79.212.236/5060

10823: NAT::reverse route: embedded host at inside:10.96.3.11/0

10824: NAT::find/create NAT rule for inside:10.96.3.11/0 to
outside:4.79.212.236

10825: NAT::inside NAT with current xlate

10826: NAT::embedded socket translates to outside:64.161.249.251/0

10827: SIP::INVITE received from inside:10.96.3.11/5060 to
outside:4.79.212.236/5060

10828: SIP::Found From addr "sip:3238604990 at 10.96.3.11" (25)

10829: SIP::Found To addr "sip:13239438822 at 4.79.212.236" (28)

10830: SIP::Found Call-ID c068d80-1dc13711-c-b03600a at 10.96.3.11 (37)

10831: SIP::Found CSeq 101

10832: SIP: Found contact 10.96.3.11, port 5060

            Found port 5060

10833: SIP::Embedded IP 4.79.212.236/5060

10834: NAT::NAT UDP 4.79.212.236/5060

            from inside:10.96.3.11/5060 to outside:4.79.212.236/5060

10835: NAT::table route: embedded host at outside:4.79.212.236/5060

10836: NAT::find/create NAT rule for outside:4.79.212.236/5060 to
outside:4.79.212.236

10837: NAT::receiver and embedded hosts on same interface

10838: NAT::embedded socket translates to outside:4.79.212.236/5060

            Found port 5060

 

 

________________________________

From: Voll, Scott [mailto:Scott.Voll at wesd.org] 
Sent: Friday, July 21, 2006 1:54 PM
To: IT; cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] My first SIP trunk

 

I believe there is a fixup protocol SIP 5060; is that in your config on
the PIX?  What version of FOS is on your PIX?

 

Scott

 

________________________________

From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of IT
Sent: Friday, July 21, 2006 1:51 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] My first SIP trunk

 

I have decided to start playing around with SIP trunks, as my company
needs more and more varied area code terminations (we have 4 PRIs and
counting). I signed up for a demo with bandwidth.com and all they gave
me is an IP address and UDP port 5060. It looks like I'm on my own after
that... except for my favorite mailing list ;)

 

Here are the steps I have followed so far:

I created a sip trunk in CCM: http://www.cimgroup.com/temp/sip_setup.jpg

I created a route pattern to use that sip trunk.
http://www.cimgroup.com/temp/route_setup.jpg

I made the proper pokes in my pix, to allow traffic from their SIP
server, to my ccm.

Then, I tried to dial 713239438822 from my IP phone -- no dice.

So, I run a debug sip on my PIX, and I try to make the outbound call
from CCM again. I am getting the following:

 

5175: SIP::INVITE received from inside:10.96.3.11/5060 to
outside:4.79.212.236/5060

5176: SIP::Found From addr "sip:3238604990 at 10.96.3.11" (25)

5177: SIP::Found To addr "sip:13239438822 at 4.79.212.236" (28)

5178: SIP::Found Call-ID a35ae900-1dc136ef-6-b03600a at 10.96.3.11 (38)

5179: SIP::Found CSeq 101

5180: SIP: Found contact 10.96.3.11, port 5060

            Found port 5060

5181: SIP::Embedded IP 4.79.212.236/5060

5182: NAT::NAT UDP 4.79.212.236/5060

            from inside:10.96.3.11/5060 to outside:4.79.212.236/5060

5183: NAT::table route: embedded host at outside:4.79.212.236/5060

5184: NAT::find/create NAT rule for outside:4.79.212.236/5060 to
outside:4.79.212.236

5185: NAT::receiver and embedded hosts on same interface

5186: NAT::embedded socket translates to outside:4.79.212.236/5060

            Found port 5060

5187: SIP::Embedded IP 10.96.3.11/5060

5188: NAT::NAT UDP 10.96.3.11/5060

            from inside:10.96.3.11/5060 to outside:4.79.212.236/5060

5189: NAT::reverse route: embedded host at inside:10.96.3.11/5060

5190: NAT::find/create NAT rule for inside:10.96.3.11/5060 to
outside:4.79.212.236

5191: NAT::inside NAT with current xlate

5192: NAT::embedded socket translates to outside:64.161.249.251/5060

5193: SIP::Embedded IP 10.96.3.11/0

5194: NAT::NAT UDP 10.96.3.11/0

            from inside:10.96.3.11/5060 to outside:4.79.212.236/5060

5195: NAT::reverse route: embedded host at inside:10.96.3.11/0

5196: NAT::find/create NAT rule for inside:10.96.3.11/0 to
outside:4.79.212.236

5197: NAT::inside NAT with current xlate

5198: NAT::embedded socket translates to outside:64.161.249.251/0

5199: SIP::Embedded IP 4.79.212.236/0

5200: NAT::NAT UDP 4.79.212.236/0

            from inside:10.96.3.11/5060 to outside:4.79.212.236/5060

 

 

-------------------------------------------------------

 

If I try to call the SIP number bandwidth.com gave me (from my
cellphone), I get the following:

 

8312: SIP::Found From addr "sip:+13239438822 at 4.68.250.148" (29)

8313: SIP::Found To addr "sip:+19197416700 at 4.79.212.236:5060" (34)

8314: SIP::Found Call-ID ATLMGC0120060721204432019751 at 209.244.63.45 (42)

8315: SIP::Found CSeq 1

8316: SIP: Found contact 4.68.250.148, port 5060

8317: NAT::requesting UDP conn for 4.79.212.236/0 [0.0.0.0/0]

        from outside:4.79.212.236/5060 to inside:10.96.3.11/5060

8318: NAT::ERROR: invalid sockets: <third>:4.79.212.236/0
<fourth>:0.0.0.0/0

8319: NAT::requesting UDP conn for 4.68.250.148/5060 [0.0.0.0/0]

        from outside:4.79.212.236/5060 to inside:10.96.3.11/5060

8320: NAT::table route: embedded host at outside:4.68.250.148/5060

8321: NAT::pre-allocate connection for inside:10.96.3.11 to
outside:4.68.250.148/5060

8322: NAT::found inside xlate from inside:10.96.3.11/0 to
outside:64.161.249.251/0

8323: NAT::outside NAT not needed

8324: NAT::found UDP conn inside:10.96.3.11/0 <->
outside:4.68.250.148/5060

8325: NAT::requesting UDP conn for 209.244.43.157/60576 [0.0.0.0/0]

        from outside:4.79.212.236/5060 to inside:10.96.3.11/5060

8326: NAT::table route: embedded host at outside:209.244.43.157/60576

8327: NAT::pre-allocate connection for inside:10.96.3.11 to
outside:209.244.43.157/60576

8328: NAT::found inside xlate from inside:10.96.3.11/0 to
outside:64.161.249.251/0

8329: NAT::outside NAT not needed

8330: NAT::found UDP conn inside:10.96.3.11/0 <->
outside:209.244.43.157/60576

8331: SIP::INVITE received from outside:4.79.212.236/5060 to
inside:64.161.249.251/5060

        Found port 5060

8332: SIP::Embedded IP 64.161.249.251/5060

8333: NAT::NAT UDP 64.161.249.251/5060

        from outside:4.79.212.236/5060 to inside:10.96.3.11/5060

8334: NAT::xlate route: embedded host at inside:10.96.3.11/5060

8335: NAT::find/create NAT rule for inside:10.96.3.11/5060 to
inside:10.96.3.11

8336: NAT::receiver and embedded hosts on same interface

8337: NAT::embedded socket translates to inside:10.96.3.11/5060

8338: SIP::Embedded IP 4.79.212.236/0

8339: NAT::NAT UDP 4.79.212.236/0

        from outside:4.79.212.236/5060 to inside:10.96.3.11/5060

 

 

Is this a problem with my PIX configuration, or my SIP trunk
configuration? Anyone have some good SIP documentation?

 

Thanks,

Avidan

 

________________________________

Avidan Ross |  Director of Technology

6922 Hollywood Blvd, Ninth Floor

Los Angeles, CA 90028

P: 323.860.4990 | E: avidan at cimgroup.com
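
An added example (not part of the thread and not Cisco code): a small Python check run over the PIX lines quoted in this thread. It flags the `static (outside,inside)` entry that mirrors the `(inside,outside)` one, which the reply says to remove; permit entries whose source is `any` although the stated intent was to allow traffic from the provider's SIP server; and a `host` keyword followed by an operator instead of an address. The function name `audit`, the finding labels and the sample string are constructed for illustration, and the interface names are assumed to be `inside` and `outside` as in the thread.

```python
import re

# Constructed sample: the PIX lines posted in the thread, with wrapped lines
# rejoined; 64.161.xxx.xxx is the poster's redacted outside address.
SAMPLE_CONFIG = """\
access-list outside_access permit udp any host eq 64.161.xxx.xxx 5060 log
access-list outside_access permit tcp any host 64.161.xxx.xxx eq 5060 log
access-list outside_access permit tcp any host 64.161.xxx.xxx eq h323 log
static (outside,inside) 10.96.3.11 64.161.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) 64.161.xxx.xxx 10.96.3.11 netmask 255.255.255.255 0 0
"""

# PIX static syntax: static (real_if,mapped_if) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (.+)$")
OPERATORS = ("eq", "lt", "gt", "neq", "range")


def audit(config):
    """Return a list of (kind, line) findings for the three checks."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    statics = {}
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            statics[m.groups()] = line
    for (real_if, mapped_if, mapped_ip, real_ip), line in statics.items():
        mirror = (mapped_if, real_if, real_ip, mapped_ip)
        # Report only the (outside,inside) half of a mirrored pair: that is
        # the entry the reply says to remove.
        if mirror in statics and real_if == "outside":
            findings.append(("mirrored-static", line))
    for line in lines:
        m = ACL_RE.match(line)
        if not m:
            continue
        tokens = m.group(3).split()
        # Source 'any' opens the port to every outside host.
        if tokens[0] == "any":
            findings.append(("any-source", line))
        # 'host' must be followed by an address, not a port operator.
        for i, tok in enumerate(tokens[:-1]):
            if tok == "host" and tokens[i + 1] in OPERATORS:
                findings.append(("malformed-host", line))
    return findings
```
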

 

 
