Hi Steve,
Yes, I am able to pass rtp/udp packets through the pix firewall. Actually, now I am able to make calls between all the phones, except the person who is using the ATA phone (behind the firewall) is unable to hear the person using the cisco 7960 phone. The phones ring on both sides, just the traffic from 7960 to the ATA is getting lost somewhere. Funny part is if I make a call from x-lite to that same ATA phone everything works without a problem.
thanks fil
Steve Blair wrote:
Check your SER logs to see what IP address appears in the REGISTER message from the ATA.
Then make sure you know which UDP ports are being used in the media exchange between the 7960 and ATA. Your PIX needs to allow RTP/UDP between these two endpoints, along with the SIP signaling of course, to have a conversation.
Once you know what IP address the ATA attempts to register with, make sure that address is reachable from the 7960 and SER.
lists wrote:
Hi,
I know that this problem has been discussed before, but being new to SER I am having difficulty making CISCO ATA 186 behind a CISCO 501 NAT work with my SER setup. Here is how I have it set up.
+---------+    +----------------+
|cisco ata|----| cisco pix (NAT)|----+
+---------+    +----------------+    |
                                   +---+     +-----------+
                                   |SER|--+--|asterisk vm|
                                   +---+  |  +-----------+
+--------------------------+         |    |  +-------------+
|cisco 7960 and xten phones|---------+    +--|cisco pstn gw|
+--------------------------+                 +-------------+
All the calls between 7960, xten, voice mail and pstn work great. When I initiate a call from ata I get audio only one way: I can hear ata user but he can't hear anything from 7960 phones or voicemail, and I am unable to initiate calls from any device to ATA. OK, it's quite obvious that NAT is preventing this from working. I tried setting up rtp proxy but that doesn't even let me register the ATA phone correctly. Can anybody help me make this work? I am including my ser.cfg file.
Thanks fil

ser.cfg
# ------------ Initial global variables
debug=4            # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=yes   # (cmd line: -E)
check_via=no       # (cmd. line: -v)
dns=no             # (cmd. line: -r)
rev_dns=no         # (cmd. line: -R)
port=5060
##children=4
fifo="/tmp/ser_fifo"
listen=a.b.c.d
mhomed=yes
memlog=3
sip_warning=yes
server_signature=yes
#syn_branch=yes
#reply_to_via=no

# ------------------ module loading ----------------------------------
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/acc.so"
loadmodule "/usr/local/lib/ser/modules/exec.so"
loadmodule "/usr/local/lib/ser/modules/group.so"
loadmodule "/usr/local/lib/ser/modules/print.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/uri.so"
loadmodule "/usr/local/lib/ser/modules/uri_db.so"
##loadmodule "/usr/local/lib/ser/modules/nathelper.so"

# ----------------- setting module-specific parameters ---------------
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)
modparam("rr", "enable_full_lr", 1)
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 3)
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "timer_interval", 10)
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
##modparam("registrar", "nat_flag", 6)
##modparam("nathelper", "natping_interval", 10)
##modparam("nathelper", "ping_nated_only", 1)   # Ping only clients behind NAT

# ------------------------- request routing logic -------------------
route{
    # messed up setup
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };

    # someone is doing something bad
    if (msg:len >= max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # record all routes
    if (!method=="REGISTER") record_route();

    # separate the destination r-uri from the set of proxies that
    # must be traversed
    loose_route();

    # if the host portion of the request uri is not local, send it directly
    # to route processing.
    if (!(uri==myself)) {
        route(2);
        break;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol

    ## if(method=="REGISTER") {
    ##     setflag(1); # remember this is ATA
    ##     force_rport();
    ##     fix_nated_contact();
    ##     log("LOG: In NAT clause\n");
    ##     fix_nated_sdp("3");
    ## };

    # All REGISTER attempts are processed and must always be authenticated
    if (method=="REGISTER") {
        # make sure that users don't register infinite loops
        if (search("^(Contact|m): .*@(a.b.c.d|xxxxx.xxxxx.com)")) {
            log(1, "**************** LOG: alert: someone trying to set aor==contact\n");
            sl_send_reply("476", "No Server Address in Contacts Allowed" );
            break;
        };

        # digest authentication
        if (!www_authorize("xxxxx", "subscriber")) {
            www_challenge("xxxxx", "0");
            break;
        };

        # it is an authenticated request, update Contact database now
        if (!save("location")) {
            sl_reply_error();
        };
        break;
    };

    # find canonical names
    lookup("aliases");

    # if not local domain after alias lookup forward it away
    if (!(uri=~"^sip:(.+@)?(a.b.c.d|xxxxx.)?xxxxx.com)([:;?].*)?$")) {
        log(1, "**************** LOG: route(5)\n");
        route(5);
        break;
    };

    # pstn 911, 9911, all number between 7 and 20 digits
    if ( (uri=~"^sip:911@.*") | (uri=~"^sip:9911@.*") |
         (uri=~"sip:[0-9]{7,20}@.*") ) {
        log(1, "**************** LOG: route(3)\n");
        route(3);
        break;
    };

    # voice mail
    if (is_user_in("Request-URI", "voicemail")) {
        log(1, "**************** LOG: voicemail\n");
        t_on_failure("4");
        setflag(4);
    };

    if (!lookup("location")) {
        log(1, "**************** LOG: route(4)\n");
        route(4);
        break;
    };

    # check whether some inventive user has uploaded gateway
    # contacts to usrloc to bypass authorization logic
    if (uri=~"@192\.168\.0\.1|209\.208\.224\.4([;:].*)*" ) {
        log(1, "**************** LOG: Gateway address in UsrLoc\n");
        route(3);
        break;
    };

    # this flag is used with the acc module to report missed calls
    # to syslog.
    setflag(3);

    # do it (words to live by)
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}

# ------------- process all local traffic
route[1] {
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}

# ------------- process traffic leaving fikus for Internet
route[2] {
    # outbound requests are allowed only for registered BigU users
    if (!(src_ip==a.b.c.d) & !(src_ip==192.168.0.15) &
        !(proxy_authorize("fikus", "subscriber"))) {
        # ACK and CANCEL have no security mechanisms so they are just
        # noted
        if (method=="ACK" | method=="BYE") {
            log("**************** LOG: failed outbound authentication for ACK granted\n");
        } else if (method=="CANCEL") {
            log("**************** LOG: failed outbound authentication for CANCEL granted\n");
        } else {
            proxy_challenge("fikus", "0");
            break;
        };
    };

    # to maintain credibility of our proxy, we check From in INVITEs
    if (!src_ip==a.b.c.d & !src_ip==192.168.0.15 & method=="INVITE"
        & !check_from()) {
        log(1, "**************** LOG: Spoofed from attempt\n");
        sl_send_reply("403", "Use From=id next time");
        break;
    };

    append_hf("P-hint: OUTBOUND ON INTERNET\r\n");
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}

# ------------- process traffic leaving Internet for PSTN
route[3] {
    # all calls through the gateway must be record routed to assure
    # acl acceptance on the gateway
    record_route();

    # send out emergency calls to pstn gateway immediately
    if ((uri=~"^sip:911@.*") | (uri=~"^sip:9911@.*")) {
        rewritehostport("a.b.c.e:5060");
        forward(uri:host, uri:port);
        break;
    };

    # seven digit numeric addresses are internal freebies sent to the pbx
    # without authentication
    if (uri=~"^sip:[0-9]{7}@(a.b.c.d|192.168.0.15|xxxxx|(xxxx,)?.xxxx.com)") {
        rewritehostport("a.b.c.d.f:5060");
        forward(uri:host, uri:port);
        break;
    };

    # all numeric addresses beginning with 9 go to the pbx on the way
    # to the PSTN
    # first the caller needs to be authenticated
    if (uri=~"^sip:9[0-9]*@(a\.b\.c\.d|xxxxx|192\.168\.0\.15)") {
        if (!(src_ip==209.208.224.15 | src_ip==192.168.0.15 |
              method==ACK | method=="CANCEL" | method=="BYE")) {
            if (!proxy_authorize("xxxxx", "subscriber")) {
                proxy_challenge("xxxxxx","0");
                break;
            } else if (method=="INVITE" & !check_from()) {
                log(1, "**************** LOG: Spoofed from attempt\n");
                sl_send_reply("403", "Use From=id next time");
                break;
            };
        };
        if (method=="INVITE") {
            # if the r-uri begins 91, does the authenticated user have
            # permission for long distance
            if (uri=~"sip:91[0-9]*@.*") {
                if (!is_user_in("credentials", "ld")) {
                    sl_send_reply("403", "Local calls only");
                    break;
                };
            };
        };

        # authenticated and authorized, now accounting is set
        setflag(1);
    };

    rewritehostport("a.b.c.f:5060");
    append_hf("P-hint: GATEWAY\r\n");
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}

# ------------- process calls for users offline
route[4] {
    log (1, "**************** INSIDE ROUTE[4]\n");

    if (!t_newtran()) {
        sl_reply_error();
    };
    if (!t_reply("404", "Not Found")) {
        sl_reply_error();
    };
    break;
}

# ------------- process aliased outbound traffic
# inbound requests that have been aliased to a non-fikus domain
# are not authenticated by fikus
route[5] {
    append_hf("P-hint: ALIASED-OUTBOUND\r\n");
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}

# ------------- CC-Diversion to voicemail
failure_route[4] {
    log (1, "**************** FAILURE_ROUTE CALLING VOICEMAIL\n");
    # forward to voicemail now
    append_branch("sip:2000@a.b.c.d.e");
    append_urihf("CC-Diversion: ", "\r\n");
    append_hf("P-hint: OFFLINE-VOICEMAIL\r\n");
    t_relay();
}

Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
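
Added example (not part of the original thread and not code from the SER project): a small checker for the test Steve describes, comparing the addresses a SIP message advertises in Via, Contact and SDP with the IP the proxy actually received it from, and reporting the RTP port the firewall has to pass. The sample INVITE, all addresses and the function name nat_report are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an INVITE as a phone behind NAT might send it.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:2001@sip.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-constructed",
    "From: <sip:2002@sip.example.com>;tag=1",
    "To: <sip:2001@sip.example.com>",
    "Call-ID: constructed-1@192.168.1.20",
    "CSeq: 1 INVITE",
    "Contact: <sip:2002@192.168.1.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.1.20",
    "s=-",
    "c=IN IP4 192.168.1.20",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0",
    "",
])

# Where a UA advertises its own address. Only IPv4 literals are matched;
# a Contact that carries a hostname is skipped rather than resolved.
PATTERNS = {
    "via": r"^Via:\s*SIP/2\.0/UDP\s+(\d+\.\d+\.\d+\.\d+)",
    "contact": r"^(?:Contact|m):.*?@(\d+\.\d+\.\d+\.\d+)",
    "sdp_c": r"^c=IN IP4 (\d+\.\d+\.\d+\.\d+)",
}

def nat_report(message, source_ip):
    """Compare advertised addresses with the IP the packet arrived from."""
    findings = []
    for field, pattern in PATTERNS.items():
        m = re.search(pattern, message, re.M | re.I)
        if m and m.group(1) != source_ip:
            addr = ipaddress.ip_address(m.group(1))
            # (field, advertised address, is it RFC 1918 private space?)
            findings.append((field, str(addr), any(addr in n for n in RFC1918)))
    port = re.search(r"^m=audio (\d+) ", message, re.M)
    return {"unreachable": findings,
            "rtp_port": int(port.group(1)) if port else None}
```

Any field listed under "unreachable" tells the far end to send signaling or RTP to an address that only exists behind the NAT, which matches the symptom of ringing with audio in one direction only.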