[Serusers] Problems with Cisco ATA 186 + NAT and SER
lists
lists at fikus.com
Mon Oct 18 03:03:13 CEST 2004
Hi,
I know that this problem has been discussed before, but being new to SER
I am having difficulty making CISCO ATA 186 behind a CISCO 501 NAT work
with my SER setup. Here is how I have it set up.
+---------+    +----------------+
|cisco ata|----| cisco pix (NAT)|----+
+---------+    +----------------+    |
                                   +---+     +-----------+
                                   |SER|--+--|asterisk vm|
                                   +---+  |  +-----------+
+--------------------------+         |    |  +-------------+
|cisco 7960 and xten phones|---------+    +--|cisco pstn gw|
+--------------------------+                 +-------------+
All the calls between 7960, xten, voice mail and pstn work great. When I
initiate a call from the ATA I get audio only one way: I can hear the ATA user
but he can't hear anything from the 7960 phones or voicemail, and I am unable
to initiate calls from any device to the ATA. OK, it's quite obvious that NAT
is preventing this from working. I tried setting up rtp proxy but that
doesn't even let me register the ATA phone correctly. Can anybody help
me make this work? I am including my ser.cfg file.
Thanks
fil
ser.cfg
------------ Initial global variables
# Core (global) settings, read before any module is loaded.
# NOTE(review): debug=4 together with log_stderror=yes is a troubleshooting
# profile; it is very verbose and worth lowering once the NAT problem has
# been diagnosed.
debug=4 # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=yes # (cmd line: -E)
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
port=5060
##children=4
# NOTE(review): the control FIFO sits in /tmp, a directory every local
# account can reach. Anyone able to write to it can send management
# commands to the proxy -- a directory restricted to the SER user/admin
# group is the safer place. Confirm who has shell access to this host.
fifo="/tmp/ser_fifo"
# Listen address redacted by the poster.
listen=a.b.c.d
mhomed=yes
memlog=3
# NOTE(review): sip_warning and server_signature both add diagnostic /
# product information to what the proxy sends out. Useful while debugging;
# on an Internet-facing proxy they tell a remote party more about the
# deployment than it needs to know.
sip_warning=yes
server_signature=yes
#syn_branch=yes
#reply_to_via=no
# ------------------ module loading ----------------------------------
# Modules are loaded in the order listed; mysql comes first because the
# database-backed modules below (auth_db, uri_db, and usrloc with db_mode set)
# presumably need a DB driver -- confirm against the module docs.
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/acc.so"
# NOTE(review): no function from exec or print is called anywhere in the
# routing logic of this file. exec in particular exists to run external
# commands from the script; leaving unused modules out keeps the proxy's
# loaded surface to what the routes actually need.
loadmodule "/usr/local/lib/ser/modules/exec.so"
loadmodule "/usr/local/lib/ser/modules/group.so"
loadmodule "/usr/local/lib/ser/modules/print.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/uri.so"
loadmodule "/usr/local/lib/ser/modules/uri_db.so"
# nathelper is disabled here, so none of the NAT helpers that appear
# (commented out) in the REGISTER handling below are available.
##loadmodule "/usr/local/lib/ser/modules/nathelper.so"
# ----------------- setting module-specific parameters ---------------
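# tm timers, values as posted.
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)
modparam("rr", "enable_full_lr", 1)
# Accounting: flag 1 marks calls to log, flag 3 marks missed calls. The
# routes below set exactly these two flags (setflag(1) in route[3],
# setflag(3) at the end of the main route).
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 3)
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "timer_interval", 10)
# NOTE(review): calculate_ha1 combined with a "password" column means the
# subscriber table holds clear-text SIP passwords and the proxy derives the
# digest hash from them at authentication time. Anyone who can read that
# table (DB account, backup, SQL dump) gets reusable credentials. Storing
# the pre-computed HA1 instead and switching calculate_ha1 off avoids
# keeping the clear text at rest.
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
# NAT support is switched off. The trailing comment on the last line was
# split across two lines by mail wrapping in the original post; it is
# rejoined here so the second half is not parsed as configuration.
##modparam("registrar", "nat_flag", 6)
##modparam("nathelper", "natping_interval", 10)
##modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT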
# ------------------------- request routing logic -------------------
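route{
    # Main request route. Order of checks: sanity limits, record-routing,
    # non-local destinations (route 2), REGISTER, aliases, PSTN (route 3),
    # voicemail fail-over, user location, final relay (route 1).
    # Comments and string literals that mail wrapping had split across two
    # lines in the original post are rejoined throughout.

    # messed up setup: the request has used up its hop budget
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };

    # someone is doing something bad: refuse oversized messages early
    if (msg:len >= max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # we record-route all messages (except REGISTER) -- to make sure that
    # subsequent messages will go through our proxy; that's particularly
    # good if upstream and downstream entities use different transport
    # protocol
    if (!method=="REGISTER")
        record_route();

    # separate the destination r-uri from the set of proxies that must be
    # traversed
    loose_route();

    # if the host portion of the request uri is not local, send it directly
    # to route processing.
    if (!(uri==myself)) {
        route(2);
        break;
    };

    # Disabled NAT handling, kept as posted.
    # NOTE(review): if re-enabled as written, setflag(1) would reuse the
    # flag that modparam("acc", "log_flag", 1) treats as "account this
    # call", while the (also disabled) registrar nat_flag is 6 -- the two
    # would need to agree on a flag that is not already taken.
    ## if(method=="REGISTER") {
    ## setflag(1); # remember this is ATA
    ## force_rport();
    ## fix_nated_contact();
    ## log("LOG: In NAT clause\n");
    ## fix_nated_sdp("3");
    ## };

    # All REGISTER attempts are processed and must always be authenticated
    if (method=="REGISTER")
    {
        # make sure that users don't register infinite loops
        # NOTE(review): the post separated the two hosts with "\|". The
        # unescaped "|" in "(Contact|m)" suggests an extended regex, where
        # "\|" is a literal pipe character and this guard would never
        # match. Plain alternation is used here -- confirm against the
        # running config.
        if (search("^(Contact|m): .*@(a\.b\.c\.d|xxxxx\.xxxxx\.com)"))
        {
            log(1, "**************** LOG: alert: someone trying to set aor==contact\n");
            sl_send_reply("476", "No Server Address in Contacts Allowed" );
            break;
        };

        # digest authentication
        if (!www_authorize("xxxxx", "subscriber")) {
            www_challenge("xxxxx", "0");
            break;
        };

        # NOTE(review): nothing between the successful www_authorize() and
        # save() ties the authenticated username to the To URI being
        # registered, so as written any valid subscriber can store a
        # contact under another subscriber's address. A check_to() test
        # here (the counterpart of the check_from() used in route[2]) is
        # the usual guard.

        # it is an authenticated request, update Contact database now
        if (!save("location"))
        {
            sl_reply_error();
        };
        break;
    };

    # find canonical names
    lookup("aliases");

    # if not local domain after alias lookup forward it away
    # NOTE(review): the posted pattern had one ")" too many (most likely
    # lost during redaction). The grouping below is the most plausible
    # reading -- confirm. Requests taking this branch are relayed by
    # route(5) without authentication, so whoever can write to the aliases
    # table decides where unauthenticated traffic may be sent.
    if (!(uri=~"^sip:(.+@)?(a\.b\.c\.d|(xxxxx\.)?xxxxx\.com)([:;\?].*)?$"))
    {
        log(1, "**************** LOG: route(5)\n");
        route(5);
        break;
    };

    # pstn 911, 9911, all number between 7 and 20 digits
    # The list archive's address obfuscation had turned "@" into " at " in
    # the first two patterns, which then cannot match a SIP URI; "@" is
    # restored. The third pattern is not anchored with "^" -- as posted.
    if ( (uri=~"^sip:911@.*") | (uri=~"^sip:9911@.*") |
         (uri=~"sip:[0-9]{7,20}@.*") )
    {
        log(1, "**************** LOG: route(3)\n");
        route(3);
        break;
    };

    # voice mail: arm the fail-over route for voicemail subscribers
    if (is_user_in("Request-URI", "voicemail"))
    {
        log(1, "**************** LOG: voicemail\n");
        t_on_failure("4");
        setflag(4);
    };

    # no registered contact: answer from route(4)
    if (!lookup("location")) {
        log(1, "**************** LOG: route(4)\n");
        route(4);
        break;
    };

    # check whether some inventive user has uploaded gateway
    # contacts to usrloc to bypass authorization logic
    # NOTE(review): as posted the alternation was not grouped
    # ("@192\.168\.0\.1|209\.208\.224\.4..."), so the second address was
    # tested without the leading "@". The two addresses are grouped here.
    # The match is still a prefix match (192.168.0.1 also covers
    # 192.168.0.1x), which errs on the side of sending more requests
    # through the PSTN checks.
    if (uri=~"@(192\.168\.0\.1|209\.208\.224\.4)([;:].*)*" )
    {
        log(1, "**************** LOG: Gateway address in UsrLoc\n");
        route(3);
        break;
    };

    # this flag is used with the acc module to report missed calls
    # to syslog.
    setflag(3);

    # do it (words to live by)
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}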
# ------------- process all local traffic
route[1]
{
    # Relay the request statefully to the destination the main route has
    # already selected. If the relay cannot be started, report the internal
    # error to the sender with a stateless reply and stop processing.
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}
# ------------- process traffic leaving fikus for Internet
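route[2]
{
    # Requests whose Request-URI host is not this proxy. Comments and log
    # strings that mail wrapping had split across lines in the original
    # post are rejoined.

    # outbound requests are allowed only for registered BigU users
    # (the two listed source addresses are trusted without credentials)
    if (!(src_ip==a.b.c.d) & !(src_ip==192.168.0.15) &
        !(proxy_authorize("fikus", "subscriber")))
    {
        # ACK and CANCEL have no security mechanisms so they are just noted
        # NOTE(review): BYE shares the ACK branch, so it is also relayed
        # without credentials and is logged with the "ACK" message. Unlike
        # ACK and CANCEL, a BYE can be challenged; decide whether letting
        # it through is intended and give it its own log line.
        if (method=="ACK" | method=="BYE")
        {
            log("**************** LOG: failed outbound authentication for ACK granted\n");
        } else if (method=="CANCEL") {
            log("**************** LOG: failed outbound authentication for CANCEL granted\n");
        } else {
            proxy_challenge("fikus", "0");
            break;
        };
    };

    # to maintain credibility of our proxy, we check From in INVITEs
    # NOTE(review): only INVITE is checked; other authenticated methods
    # may carry any From. Requests from the two trusted addresses skip
    # this check as well.
    if (!src_ip==a.b.c.d & !src_ip==192.168.0.15 & method=="INVITE"
        & !check_from()) {
        log(1, "**************** LOG: Spoofed from attempt\n");
        sl_send_reply("403", "Use From=id next time");
        break;
    };

    append_hf("P-hint: OUTBOUND ON INTERNET\r\n");
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}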
# ------------- process traffic leaving Internet for PSTN
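route[3]
{
    # PSTN-bound requests. Comments and string literals that mail wrapping
    # had split across lines in the original post are rejoined, and the
    # "@" that the list archive had replaced with " at " is restored.

    # all calls through the gateway must be record routed to assure
    # acl acceptance on the gateway
    record_route();

    # send out emergency calls to pstn gateway immediately
    if ((uri=~"^sip:911@.*") | (uri=~"^sip:9911@.*"))
    {
        rewritehostport("a.b.c.e:5060");
        forward(uri:host, uri:port);
        break;
    };

    # seven digit numeric addresses are internal freebies sent to the pbx
    # without authentication
    # NOTE(review): the dots in the two addresses were unescaped in the
    # post (each "." matched any character); they are escaped here as in
    # the pattern further down. The tail "(xxxx\,)?\.xxxx\.com" is kept as
    # posted -- it looks damaged by redaction, confirm. The pattern has no
    # end anchor, so it accepts any host that merely starts with one of
    # these names.
    if (uri=~"^sip:[0-9]{7}@(a\.b\.c\.d|192\.168\.0\.15|xxxxx|(xxxx\,)?\.xxxx\.com)")
    {
        rewritehostport("a.b.c.d.f:5060");
        forward(uri:host, uri:port);
        break;
    };

    # all numeric addresses beginning with 9 go to the pbx on the way
    # to the PSTN
    # first the caller needs to be authenticated
    if (uri=~"^sip:9[0-9]*@(a\.b\.c\.d|xxxxx|192\.168\.0\.15)")
    {
        # Trusted source addresses and ACK/CANCEL/BYE skip the digest
        # check. ACK was written unquoted in the post; quoted here like
        # every other method comparison in the file.
        if (!(src_ip==209.208.224.15 | src_ip==192.168.0.15 |
              method=="ACK" | method=="CANCEL" | method=="BYE"))
        {
            # NOTE(review): the realm passed to proxy_challenge() differs
            # from the one passed to proxy_authorize() in the post (one
            # "x" more). Probably a redaction slip; if the real config
            # differs too, clients are challenged for a realm that is
            # never accepted.
            if (!proxy_authorize("xxxxx", "subscriber"))
            {
                proxy_challenge("xxxxxx","0");
                break;
            } else if (method=="INVITE" & !check_from()) {
                log(1, "**************** LOG: Spoofed from attempt\n");
                sl_send_reply("403", "Use From=id next time");
                break;
            };
        };

        if (method=="INVITE")
        {
            # if the r-uri begins 91, does the authenticated user have
            # permission for long distance
            if (uri=~"sip:91[0-9]*@.*")
            {
                if (!is_user_in("credentials", "ld"))
                {
                    sl_send_reply("403", "Local calls only");
                    break;
                };
            };
        };

        # authenticated and authorized, now accounting is set
        setflag(1);
    };

    # NOTE(review): everything that reaches this point is relayed to the
    # gateway, including requests that did NOT match the 9-prefix pattern
    # above and therefore never passed proxy_authorize(). The main route
    # sends any 7-20 digit user part here, so numbers not starting with 9,
    # or addressed to a host form missing from that pattern, arrive at the
    # gateway unauthenticated and unaccounted. Either reject them here or
    # make sure the gateway's own dial plan / ACL refuses them.
    rewritehostport("a.b.c.f:5060");
    append_hf("P-hint: GATEWAY\r\n");
    if (!t_relay())
    {
        sl_reply_error();
        break;
    };
}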
# ------------- process calls for users offline
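route[4]
{
    # Called when lookup("location") finds no registered contact: create a
    # transaction and answer 404 statefully.
    log (1, "**************** INSIDE ROUTE[4]\n");

    # If the transaction cannot be created, send the stateless error and
    # stop. The post fell through to t_reply() in that case, which has no
    # transaction to reply on and would lead to a second error reply.
    if (!t_newtran())
    {
        sl_reply_error();
        break;
    };

    if (!t_reply("404", "Not Found"))
    {
        sl_reply_error();
    };
    break;
}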
# ------------- process aliased outbound traffic
# inbound requests that have been aliased to a non-fikus domain
# are not authenticated by fikus
route[5]
{
    # Requests whose URI points outside the local domain after the alias
    # lookup. They are tagged and relayed statefully; no digest check is
    # made on this path, so the contents of the aliases table determine
    # which external destinations unauthenticated callers can reach.
    append_hf("P-hint: ALIASED-OUTBOUND\r\n");
    if (!t_relay())
    {
        sl_reply_error();
        break;
    };
}
# ------------- CC-Diversion to voicemail
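failure_route[4]
{
    # Armed by t_on_failure("4") in the main route for users in the
    # "voicemail" group: when the call attempt fails, add a branch to the
    # voicemail box and relay again.
    log (1, "**************** FAILURE_ROUTE CALLING VOICEMAIL\n");

    # forward to voicemail now
    # The list archive's address obfuscation had replaced "@" with " at "
    # in this URI, leaving it unparsable; "@" is restored. The host is the
    # poster's redacted placeholder.
    append_branch("sip:2000@a.b.c.d.e");
    append_urihf("CC-Diversion: ", "\r\n");
    append_hf("P-hint: OFFLINE-VOICEMAIL\r\n");
    # The result of t_relay() is not checked here, as in the post.
    t_relay();
}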