Cannot reach destination (sip.conf)
I just reloaded my Trixbox Pro SE (122509) and set up the firewall to allow the ports. We had gotten additional IP addresses from our ISP, so I set up the firewall to port all traffic coming in on x.x.x.75 to the server. All of a sudden, we were unable to get any voice over the lines. I called our SIP Trunk provider and they told me it was sending the return flag of x.x.x.66 (the outside address of our firewall).
I did some research and found the setting in sip.conf to change. I went in and edited it to show externip as x.x.x.75 and made a test call. Worked perfect. Mid-celebration, another test call was tried and it wouldn't work. The sip.conf had changed back to x.x.x.66.
How do I keep this from reverting?
Any changes you need in sip.conf have to be made via the GUI since that file is auto-generated.
Try reading the page below, since it addresses some of the same settings you're trying to change:
http://www.freepbx.org/support/documentation/howtos/howto-resolvi...
Well, there are two options.
1. You force all outbound traffic from your trixbox Pro system to have the source address of .75, so ping_main.pl (the application responsible for alerting our systems of your internal/external IP address for purposes of sip.conf, iax.conf (linked servers), and sXXXXXX.trixbox.fonality.com) will recognize the .75 address.
2. Support modifies your sip.conf so that the externip line (the one changing) ends with a comment "; DON'T CHANGE", which will force our end to never update that entry.
Which works best for you?
Ben
Fonality, Inc.
Option 1 would require you to make the change in your firewall/router. You want something called bi-directional NAT (at least that's what my router/firewall of choice calls it -- OpenBSD/pf). I couldn't tell you what you would need to change on your particular router/firewall.
Ben
I had already set up a bi-directional NAT on the ASA, so was confused as to why it wasn't working. After a bit of tinkering, I changed the sip.conf from:
externip=X.X.X.X
to
; externip=X.X.X.X
and changed
NAT=yes
to
NAT=no
And for anyone using a Cisco ASA 5505, here are the required lines:
static (inside,outside) outsideip insideip netmask 255.255.255.255
access-list outside_access_in permit udp any host outsideip range 10000 20000
access-list outside_access_in permit tcp any host outsideip range 10000 20000
access-group outside_access_in in interface outside
Hope this helps!
You might want to look at disabling any SIP fixup on your Cisco ASA. I bet if it has that enabled, that would explain why having externip set causes things to not work. I'm happy to add the line to your sip.conf, but to be honest it would be better if the ASA didn't mangle the SIP packets, which is what I suspect is happening.
Ben
Is it possible that you didn't issue a 'sip reload' from the asterisk console after making your changes?
If you've disabled SIP fixup, and have the bi-NAT turned on, and it works with nat=yes and externip set, why don't we go ahead and remove the "DONT CHANGE" comment from your sip.conf and see how things go from there.
Does this work for you?
Ben
Hey bsod, I use the ASA all the time with trixbox installs. I have never had to change the sip.conf file like this. In the ASA you need to add another global (outside) statement for the public ip of trixbox server.
static (inside,outside) x.x.x.75 insideip netmask 255.255.255.255
global (outside) 1 interface
global (outside) 1 x.x.x.75
and then set your access-lists accordingly.
Adding that second global statement will allow any traffic from the trixbox server going outbound to have the x.x.x.75 source address instead of the firewall's external IP.
Derek,
I have never seen this as an issue. Please elaborate.
If you assign a one to one static NAT to an IP from the same subnet as the 'Outside' (Level0) interface then inside to outside traffic will follow the same static rule and be natted to the static entry.
Global is for many to one PAT on Outbound traffic not specifically excluded with a STATIC entry.
Since it solved the user's problem I am even more confused.
Scott
Actually it depends on how you have your global (outside) statement.
If you have it set like this:
global (outside) 1 x.x.x.5-x.x.x.30
and your trixbox is using x.x.x.10, then yes you are correct.
Although if you only have:
global (outside) 1 interface
then "ALL" outbound traffic will go out with the source address of the external IP address of the firewall regardless of the static nat translations that you have. The static nat will still work and all inbound traffic will route correctly, but outbound traffic will go out the other address.
Thanks for the explanation. I can see the command global (outside) 1 interface useful if you are trying to conserve address space. I have always specified a global pool and never understood the distinction.
This will be useful as I have to set up a PIX 501 with a cable modem that only has two static IP addresses next week.
Scott
I have the same problem. I have a trixbox installed in my company and I am able to connect to it within my local lan.
I also want to have the possibility to connect to it from outside. Below is a part of my configuration from the ASA. I don't know why I still get the message:
Registration of Internet number 220 failed. Remote site reports reason for error 403
access-list outside_access_in remark Asterisk
access-list outside_access_in extended permit tcp any host xx.xx.xx.28 eq ssh
access-list outside_access_in remark Asterisk
access-list outside_access_in extended permit ip any host xx.xx.xx.28
access-list outside_access_in remark Asterisk
access-list outside_access_in extended permit icmp any host xx.xx.xx.28
access-list outside_access_in remark Asterisk-port-range
access-list outside_access_in extended permit udp any host xx.xx.xx.28 range 10000 20000
access-list outside_access_in extended permit udp any host xx.xx.xx.28 range sip 5082
access-list outside_access_in extended permit tcp any host xx.xx.xx.28 range sip 5082
access-list outside_access_in extended permit tcp any host xx.xx.xx.28 range 10000 20000
global (outside) 1 interface
global (outside) 1 xx.xx.xx.28
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.xx.28 192.168.1.249 netmask 255.255.255.255
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect ipsec-pass-thru
inspect mgcp
inspect pptp
inspect icmp
inspect sip
service-policy global_policy global
What am I doing wrong?
Hi Cheeta,
I am assuming you are using Polycom IP phones? If not what phones are you using?
One thing you need to do is remove:
inspect sip
There are several access-lists that you do not need. If you continue to have issues, please give me a call. I would be happy to help you.
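
The reply above says several of the posted access-list entries are not needed and that `inspect sip` should be removed. As an added example (not code from the thread, Fonality or Cisco), this Python audit shows why: the `permit ip any host` entry opens every protocol and port to the server, so the narrower entries around it change nothing. `audit` and `SAMPLE_CONFIG` are hypothetical names, the sample is constructed from the lines in the post, and only the `permit <proto> any host <ip>` form used there is parsed.

```python
import re

# Constructed sample: ACL and inspection lines as posted in the thread above.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any host xx.xx.xx.28 eq ssh
access-list outside_access_in extended permit ip any host xx.xx.xx.28
access-list outside_access_in extended permit icmp any host xx.xx.xx.28
access-list outside_access_in extended permit udp any host xx.xx.xx.28 range 10000 20000
access-list outside_access_in extended permit udp any host xx.xx.xx.28 range sip 5082
access-list outside_access_in extended permit tcp any host xx.xx.xx.28 range sip 5082
access-list outside_access_in extended permit tcp any host xx.xx.xx.28 range 10000 20000
policy-map global_policy
 class inspection_default
  inspect mgcp
  inspect sip
"""

# Matches only the "permit <proto> any host <ip> [ports]" form used in the post.
ACE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?permit\s+"
    r"(?P<proto>\S+)\s+any\s+host\s+(?P<dst>\S+)(?P<ports>.*)$"
)

def audit(config):
    """Return (findings, inspect_sip); findings are (line_no, kind, detail)."""
    entries, inspect_sip = [], False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line == "inspect sip":
            inspect_sip = True  # the ASA SIP inspection the replies say to remove
        m = ACE.match(line)
        if m:
            entries.append((n, m["acl"], m["proto"], m["dst"], m["ports"].strip()))
    findings = []
    for n, acl, proto, dst, ports in entries:
        if proto != "ip" or ports:
            continue
        # "permit ip any host X" admits every protocol and port to X.
        findings.append((n, "BROAD", f"{acl}: all IP traffic permitted to {dst}"))
        for n2, acl2, proto2, dst2, ports2 in entries:
            if n2 != n and acl2 == acl and dst2 == dst:
                detail = f"{proto2} {ports2}".strip() + f" is covered by line {n}"
                findings.append((n2, "REDUNDANT", detail))
    return sorted(findings), inspect_sip

if __name__ == "__main__":
    findings, sip = audit(SAMPLE_CONFIG)
    for n, kind, detail in findings:
        print(f"line {n}: {kind}: {detail}")
    print("inspect sip enabled:", sip)
```

Once the broad entry is removed, the remaining SSH, ICMP, SIP and 10000-20000 permits become the rules that actually define what reaches the server.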