Trixbox behind a PIX not working
I am using a PIX 501, and this is the first time the server is being configured with a local IP such as 10.1.1.2. It can see the outside world and I have opened up all the ports. I can SSH, HTTP etc. into the box from the outside.
What I can't do is register a single extension onto a device or softphone. I checked the forum and right away I remembered about NAT and sip.conf.
I added the following to sip.conf:
externip = xxx.xxx.xxx.xxx <- of course this was a real address
localnet=10.1.1.0/255.255.255.0
nat=yes
I re-read the config files, I also even rebooted the server and still nothing registers. I opened up all outside traffic to inside for UDP and still no success. I have completely run out of ideas, any suggestions? This is using Trixbox 2.2.
Thanks
Some thoughts and suggestions
- have you set nat=yes in the freePBX config of each of the remote extensions you want to use?
- have you opened up a "range" of ports for UDP, e.g. 5060 - 5090 for SIP?
- for RTP open 10000 - 20000 for UDP but check the configuration of each type of phone in case they use different RTP settings (I think Xlite does and Cisco does)
- have you tried the fixup sip option in your PIX configuration. I'm not sure which way it works but it is mentioned in a number of threads here, or search the web for references.
hth
John
Some thoughts and suggestions
- have you set nat=yes in the freePBX config of each of the remote extensions you want to use?
Answer: YES
- have you opened up a "range" of ports for UDP, e.g. 5060 - 5090 for SIP?
Answer: YES
- for RTP open 10000 - 20000 for UDP but check the configuration of each type of phone in case they use different RTP settings (I think Xlite does and Cisco does)
Answer: YES
- have you tried the fixup sip option in your PIX configuration. I'm not sure which way it works but it is mentioned in a number of threads here, or search the web for references.
ANSWER: this I will check; it's a PIX 501, so if you know where this setting would be in the ADSM manager that would be great.
Shoot, just checked it out: fixup for SIP under ADSM (located under Advanced under System Properties) is already "enabled"; the exact name is "Enable SIP over UDP Port 5060" and it's checked, so no luck there. This is really really strange. I know if I statically assign the IP address straight to the box then there is no problem.
Try setting up a network route in the trixbox linux for the PIX...
route add -net aaa.aaa.aaa.aaa netmask 255.255.255.0 gw ppp.ppp.ppp.ppp
where a is the appropriate network for the phone side of the PIX and p is the address of the PIX on the trixbox side. Netmask is appropriate for the a address.
If you need more info let me know.
I have followed this thread, and some say fixup, while others say not to fixup. This reminds me of the SMTP fixup command, where a clear division once existed, and then everyone simply said no fixup, too many variables, too many MIME types to deal with.
Ok folks, I gotta ask, do you fixup or not on SIP, and what was the ultimate solution?
Looking forward,
Matthew
***
Matthew Earley - Technologist - Network, Voice and Security
I've recently become interested in VoIP, and I've heard a lot about trixbox. I am running a Cisco PIX 501 and can't seem to get Trixbox to work; I have to port forward some ports. I need to forward ports in the range (1000-2000). I can't figure out how to do it. If anyone has successfully got trixbox to work with a PIX 501, please HELP. I am desperate!!!
Same question - does anybody know how to forward RTP traffic (10000-20000 udp) inside PIX 501 (v6.3)?
static (inside,outside) doesn't support range-of-ports options; I've tried to create object-group service siprtp udp, but that's not working either.
VoipPIX(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password FjuZyP9YWJlQErqH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname VoipPIX
domain-name local
clock timezone PST -5
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.140 trixbox
object-group service siprtp udp
port-object range 10000 20000
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq 6600
access-list outside_in permit udp any interface outside eq 5060
access-list outside_in permit udp any interface outside eq 5061
access-list outside_in permit tcp any interface outside eq 2222
access-list outside_in permit udp any interface outside object-group siprtp
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.255 inside
pdm location trixbox 255.255.255.255 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface 6600 trixbox 6600 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp trixbox ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www trixbox www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5060 trixbox 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5061 trixbox 5061 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2222 trixbox ssh netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.50 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 45
console timeout 0
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4d931e36b0fa33c05b562424cd6e410f
: end
VoipPIX(config)#
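The mismatch in the posted config (the ACL admits UDP 10000-20000 through object-group siprtp, but only 5060 and 5061 get a static translation to trixbox, so RTP has nowhere to go on a one-public-IP PIX) can be spotted mechanically. The checker below is an added example, not code from the thread or from Cisco; it assumes the PIX 6.3 `show run` syntax shown above and runs on a constructed excerpt of that config.

```python
import re

# Constructed excerpt in PIX 6.3 "show run" syntax, modelled on the thread's
# posted config: the ACL permits UDP 10000-20000 via the object-group, but
# only 5060/5061 have a static translation to the trixbox host.
PIX_RUN = """
name 192.168.1.140 trixbox
object-group service siprtp udp
  port-object range 10000 20000
access-list outside_in permit udp any interface outside eq 5060
access-list outside_in permit udp any interface outside eq 5061
access-list outside_in permit udp any interface outside object-group siprtp
static (inside,outside) udp interface 5060 trixbox 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5061 trixbox 5061 netmask 255.255.255.255 0 0
"""

def parse_pix(text):
    """Return (UDP ports permitted inbound by the ACL, UDP ports with a static PAT)."""
    groups, current = {}, None
    permitted, translated = set(), set()
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"object-group service (\S+) udp", line)
        if m:  # start collecting port-objects for this group
            current = groups.setdefault(m.group(1), set())
            continue
        m = re.match(r"port-object range (\d+) (\d+)", line)
        if m and current is not None:
            current.update(range(int(m.group(1)), int(m.group(2)) + 1))
            continue
        m = re.match(r"access-list \S+ permit udp any interface outside (eq (\d+)|object-group (\S+))", line)
        if m:  # a single port, or every port in the referenced group
            permitted |= {int(m.group(2))} if m.group(2) else groups.get(m.group(3), set())
            continue
        m = re.match(r"static \(inside,outside\) udp interface (\d+) ", line)
        if m:  # port-level PAT from the outside interface to an inside host
            translated.add(int(m.group(1)))
    return permitted, translated

def untranslated_udp_ports(text):
    """Ports the ACL admits but no static delivers to an inside host; on a
    one-public-IP PIX such packets have no destination and are dropped."""
    permitted, translated = parse_pix(text)
    return sorted(permitted - translated)

if __name__ == "__main__":
    gap = untranslated_udp_ports(PIX_RUN)
    print("permitted but untranslated UDP ports:", f"{gap[0]}-{gap[-1]}" if gap else "none")
```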
Had an issue with TB 2.6.1 to IPComms on SIP trunks, dumped the PIX 501 in favor of a pfSense / Soekris box and configured it identically. The pfSense must have the magic smoke because even though the sip debug traces look identical on the TB box everything now works great.
Not the first time I have had issues with the PIX 501...
----------------------------------
Yes, I do have just one public IP on outside interface.
Is your host maitrix within the inside subnet?
It has accepted:
conduit permit udp host trixbox range 10000 20000 any
but still no voice traffic
If I use
static (inside,outside) interface trixbox
all my traffic would be locked to just one host.
Can you post all of your sh run please?
Thanks, Scott
Let me answer your questions in order.
Yes, I do have just one public IP on outside interface.
That may preclude this from working easily. I use the 501s to terminate VPNs; I have never had a need to do what you are doing.
Is your host maitrix within inside subnet?
Yes it is; it should actually be in one of the DMZ interfaces (this PIX has four interfaces), however right now it is in the inside network.
Can you post all of your sh run please?
I can't do that, and it is not feasible; the config is over 500 lines long. We have a load of servers in the DMZ and another boatload of VPN tunnels. The network connected to the outside interface also has an entire class C of public addresses. The PIX also has a router in front of it on the inside interface to terminate the T1 lines.
Can you obtain another IP address?
If you can, this config example from my production box may be of some help. I have sanitized the public IP.
show run | include maitrix
name 66.xx.xx.62 maitrix
static (inside,outside) maitrix 10.20.1.155 netmask 255.255.255.255 0 0
conduit permit udp host maitrix eq 5060 any
conduit permit udp host maitrix range 10000 20000 any
conduit permit icmp host maitrix any
conduit permit udp host maitrix eq 4569 any
conduit permit tcp host maitrix eq 4569 any
The tcp conduit for IAX2 is probably not necessary.
When I get a few minutes I am going to check the 'object-group service RDP' command and see if it will be of any use to you.
That is exactly my problem: I have only one dynamic IP on the outside interface; if I had a dedicated one, I would know how to handle it.
But I'm sure the PIX should have a way to configure it. Maybe trixbox needs to be in the DMZ only in order to handle range-of-ports forwarding?
Okay, I am assuming your service group command is working; however, you are only mapping one port. Just for sh*ts and grins try this:
static (inside,outside) udp interface trixbox netmask 255.255.255.255
clear xlate
Then try again.
What this should do is allow all UDP traffic to the trixbox. The port constraint is in the access list. I would also not map www or ftp to the outside. Set up a vpdn group for PPTP access to admin the box. Once we get this working I can help you with that also.
Scott,
PIX does not accept
static (inside,outside) udp interface trixbox netmask 255.255.255.255
but it does:
static (inside,outside) interface trixbox netmask 255.255.255.255
however all current static forwarding entries should be removed; otherwise it gives an overlapping warning.
In this case everything is working fine (including voice), but as I previously mentioned all traffic is locked only onto trixbox, which is not something I want permanently. It's just simple inside-LAN range-of-ports forwarding, which I can easily configure on any cheap SOHO router; I do not believe Cisco can't handle it.
Thanks for the notice on the www and ftp ports in the ACL; I opened them for testing and forgot to remove them.
It's just simple inside-LAN range-of-ports forwarding, which I can easily configure on any cheap SOHO router; I do not believe Cisco can't handle it.
I am not sure the PIX can handle it with a single outside IP address. Prior to version 6.0 you could not use the outside interface as a NAT source address (global)!!