[Serusers] Problems with Cisco ATA 186 + NAT and SER

lists lists at fikus.com
Tue Oct 19 08:28:34 CEST 2004


Hi Steve,

yes I am able to pass rtp/udp packets through the pix firewall. Actually 
now I am able to make calls between all the phones, except the person 
who is using the ATA phone (behind the firewall) is unable to hear the 
person using the cisco 7960 phone. The phones ring on both sides, just 
the traffic from 7960 to the ATA is getting lost somewhere. Funny part is 
if I make a call from x-lite to that same ATA phone everything works 
without a problem.

thanks
fil

Steve Blair wrote:
> 
> Check your SER logs to see what IP address appears in the REGISTER
> message from the ATA.
> 
> Then make sure you know which UDP ports are being used in the media
> exchange between the 7960 and ATA. Your PIX needs to allow RTP/UDP
> between these two endpoints, along with the SIP signaling of course, to
> have a conversation.
> 
> Once you know what IP address the ATA attempts to register with make sure
> that address is reachable from the 7960 and SER.
> 
> lists wrote:
> 
>> Hi,
>>
>> I know that this problem has been discussed before, but being new to SER
>> I am having difficulty making CISCO ATA 186 behind a CISCO 501 NAT work
>> with my SER setup. Here is how I have it set up.
>>
>> +---------+    +----------------+
>> |cisco ata|----| cisco pix (NAT)|----+
>> +---------+    +----------------+    |
>>                            +---+     |  +-----------+
>>                            |SER|-----+--|asterisk vm|
>>                            +---+     |  +-----------+
>> +--------------------------+         |  +-------------+
>> |cisco 7960 and xten phones|---------+--|cisco pstn gw|
>> +--------------------------+            +-------------+
>>
>> All the calls between 7960, xten, voice mail and pstn work great. When I
>> initiate a call from ata I get audio only one way: I can hear the ata user
>> but he can't hear anything from 7960 phones or voicemail, and I am unable
>> to initiate calls from any device to ATA. Ok, it's quite obvious that NAT
>> is preventing this from working. I tried setting up rtp proxy but that
>> doesn't even let me register the ATA phone correctly. Can anybody help
>> me make this work? I am including my ser.cfg file.
>>
>> Thanks
>> fil
>>
>> ser.cfg
>> ------------ Initial global variables
>> debug=4         # debug level (cmd line: -dddddddddd)
>> fork=yes
>> log_stderror=yes        # (cmd line: -E)
>> check_via=no    # (cmd. line: -v)
>> dns=no          # (cmd. line: -r)
>> rev_dns=no      # (cmd. line: -R)
>> port=5060
>> ##children=4
>> fifo="/tmp/ser_fifo"
>> listen=a.b.c.d
>> mhomed=yes
>> memlog=3
>> sip_warning=yes
>> server_signature=yes
>> #syn_branch=yes
>> #reply_to_via=no
>>
>> # ------------------ module loading ----------------------------------
>> loadmodule "/usr/local/lib/ser/modules/mysql.so"
>> loadmodule "/usr/local/lib/ser/modules/sl.so"
>> loadmodule "/usr/local/lib/ser/modules/tm.so"
>> loadmodule "/usr/local/lib/ser/modules/rr.so"
>> loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
>> loadmodule "/usr/local/lib/ser/modules/usrloc.so"
>> loadmodule "/usr/local/lib/ser/modules/registrar.so"
>> loadmodule "/usr/local/lib/ser/modules/auth.so"
>> loadmodule "/usr/local/lib/ser/modules/auth_db.so"
>> loadmodule "/usr/local/lib/ser/modules/acc.so"
>> loadmodule "/usr/local/lib/ser/modules/exec.so"
>> loadmodule "/usr/local/lib/ser/modules/group.so"
>> loadmodule "/usr/local/lib/ser/modules/print.so"
>> loadmodule "/usr/local/lib/ser/modules/textops.so"
>> loadmodule "/usr/local/lib/ser/modules/uri.so"
>> loadmodule "/usr/local/lib/ser/modules/uri_db.so"
>> ##loadmodule "/usr/local/lib/ser/modules/nathelper.so"
>>
>> # ----------------- setting module-specific parameters ---------------
>> modparam("tm", "fr_timer", 12)
>> modparam("tm", "fr_inv_timer", 24)
>> modparam("rr", "enable_full_lr", 1)
>> modparam("acc", "log_level", 1)
>> modparam("acc", "log_flag", 1)
>> modparam("acc", "log_missed_flag", 3)
>> modparam("usrloc", "db_mode", 2)
>> modparam("usrloc", "timer_interval", 10)
>> modparam("auth_db", "calculate_ha1", yes)
>> modparam("auth_db", "password_column", "password")
>> ##modparam("registrar", "nat_flag", 6)
>> ##modparam("nathelper", "natping_interval", 10)
>> ##modparam("nathelper", "ping_nated_only", 1)   # Ping only clients behind NAT
>>
>> # -------------------------  request routing logic -------------------
>> route{
>>         # messed up setup
>>         if (!mf_process_maxfwd_header("10")) {
>>                 sl_send_reply("483","Too Many Hops");
>>                 break;
>>         };
>>
>>         # someone is doing something bad
>>         if (msg:len >=  max_len ) {
>>                 sl_send_reply("513", "Message too big");
>>                 break;
>>         };
>>
>>         # record all routes
>>         if (!method=="REGISTER")
>>                 record_route();
>>
>>         # separate the destination r-uri from the set of proxies that must be traversed
>>         loose_route();
>>
>>         # if the host portion of the request uri is not local, send it directly
>>         # to route processing.
>>         if (!(uri==myself)) {
>>                 route(2);
>>                 break;
>>         };
>>
>>
>>         # we record-route all messages -- to make sure that
>>         # subsequent messages will go through our proxy; that's
>>         # particularly good if upstream and downstream entities
>>         # use different transport protocol
>> ##        if(method=="REGISTER") {
>> ##          setflag(1); # remember this is ATA
>> ##          force_rport();
>> ##          fix_nated_contact();
>> ##          log("LOG: In NAT clause\n");
>> ##          fix_nated_sdp("3");
>> ##        };
>>
>>         # All REGISTER attempts are processed and must always be authenticated
>>         if (method=="REGISTER")
>>         {
>>                 # make sure that users don't register infinite loops
>>                 if (search("^(Contact|m): .*@(a\.b\.c\.d|xxxxx\.xxxxx\.com)"))
>>                 {
>>                         log(1, "**************** LOG: alert: someone trying to set aor==contact\n");
>>                         sl_send_reply("476", "No Server Address in Contacts Allowed" );
>>                         break;
>>                 };
>>                 # digest authentication
>>                 if (!www_authorize("xxxxx", "subscriber")) {
>>                         www_challenge("xxxxx", "0");
>>                         break;
>>                 };
>>
>>                 # it is an authenticated request, update Contact database now
>>                 if (!save("location"))
>>                 {
>>                         sl_reply_error();
>>                 };
>>                 break;
>>         };
>>
>>         # find canonical names
>>         lookup("aliases");
>>
>>         #if not local domain after alias lookup forward it away
>>         if (!(uri=~"^sip:(.+@)?(a\.b\.c\.d|(xxxxx\.)?xxxxx\.com)([:;\?].*)?$"))
>>         {
>>                 log(1, "**************** LOG: route(5)\n");
>>                 route(5);
>>                 break;
>>         };
>>
>>         #pstn  911, 9911, all number between 7 and 20 digits
>>         if ( (uri=~"^sip:911@.*") | (uri=~"^sip:9911@.*") | (uri=~"sip:[0-9]{7,20}@.*") )
>>         {
>>                 log(1, "**************** LOG: route(3)\n");
>>                 route(3);
>>                 break;
>>         };
>>
>>         #voice mail
>>         if (is_user_in("Request-URI", "voicemail"))
>>         {
>>                 log(1, "**************** LOG: voicemail\n");
>>                 t_on_failure("4");
>>                 setflag(4);
>>         };
>>
>>         if (!lookup("location")) {
>>                 log(1, "**************** LOG: route(4)\n");
>>                 route(4);
>>                 break;
>>         };
>>
>>         # check whether some inventive user has uploaded gateway
>>         # contacts to usrloc to bypass authorization logic
>>         if (uri=~"@192\.168\.0\.1|209\.208\.224\.4([;:].*)*" )
>>         {
>>                 log(1, "**************** LOG: Gateway address in UsrLoc\n");
>>                 route(3);
>>                 break;
>>         };
>>
>>         # this flag is used with the acc module to report missed calls
>>         # to syslog.
>>         setflag(3);
>>
>>         # do it (words to live by)
>>         append_hf("P-hint: usrloc applied\r\n");
>>         route(1);
>> }
>>
>> # ------------- process all local traffic
>> route[1]
>> {
>>         if (!t_relay()) {
>>                 sl_reply_error();
>>                 break;
>>         };
>> }
>>
>> # ------------- process traffic leaving fikus for Internet
>> route[2]
>> {
>>
>>         # outbound requests are allowed only for registered BigU users
>>         if (!(src_ip==a.b.c.d) & !(src_ip==192.168.0.15) & !(proxy_authorize("fikus", "subscriber")))
>>         {
>>                 # ACK and CANCEL have no security mechanisms so they are just
>>                 # noted
>>                 if (method=="ACK" | method=="BYE")
>>                 {
>>                         log("**************** LOG: failed outbound authentication for ACK granted\n");
>>                 } else if (method=="CANCEL") {
>>                         log("**************** LOG: failed outbound authentication for CANCEL granted\n");
>>                 } else {
>>                         proxy_challenge("fikus", "0");
>>                         break;
>>                 };
>>         };
>>
>>         # to maintain credibility of our proxy, we check From in INVITEs
>>         if (!src_ip==a.b.c.d & !src_ip==192.168.0.15 & method=="INVITE" & !check_from()) {
>>                 log(1, "**************** LOG: Spoofed from attempt\n");
>>                 sl_send_reply("403", "Use From=id next time");
>>                 break;
>>         };
>>
>>         append_hf("P-hint: OUTBOUND ON INTERNET\r\n");
>>         if (!t_relay()) {
>>                 sl_reply_error();
>>                 break;
>>         };
>> }
>>
>> # ------------- process traffic leaving Internet for PSTN
>> route[3]
>> {
>>         # all calls through the gateway must be record routed to assure
>>         # acl acceptance on the gateway
>>         record_route();
>>
>>         # send out emergency calls to pstn gateway immediately
>>         if ((uri=~"^sip:911@.*") | (uri=~"^sip:9911@.*"))
>>         {
>>                 rewritehostport("a.b.c.e:5060");
>>                 forward(uri:host, uri:port);
>>                 break;
>>         };
>>
>>         # seven digit numeric addresses are internal freebies sent to the pbx
>>         # without authentication
>>         if (uri=~"^sip:[0-9]{7}@(a.b.c.d|192.168.0.15|xxxxx|(xxxx\.)?xxxx\.com)")
>>         {
>>                 rewritehostport("a.b.c.d.f:5060");
>>                 forward(uri:host, uri:port);
>>                 break;
>>         };
>>
>>         # all numeric addresses beginning with 9 go to the pbx on the way
>>         # to the PSTN
>>
>>         # first the caller needs to be authenticated
>>         if (uri=~"^sip:9[0-9]*@(a\.b\.c\.d|xxxxx|192\.168\.0\.15)")
>>         {
>>                 if (!(src_ip==209.208.224.15 | src_ip==192.168.0.15 | method=="ACK" | method=="CANCEL" | method=="BYE"))
>>                 {
>>                         if (!proxy_authorize("xxxxx", "subscriber"))
>>                         {
>>                                 proxy_challenge("xxxxxx","0");
>>                                 break;
>>                         } else if (method=="INVITE" & !check_from()) {
>>                                 log(1, "**************** LOG: Spoofed from attempt\n");
>>                                 sl_send_reply("403", "Use From=id next time");
>>                                 break;
>>                         };
>>                 };
>>                 if (method=="INVITE")
>>                 {
>>                         # if the r-uri begins 91, does the authenticated user have
>>                         # permission for long distance
>>                         if (uri=~"sip:91[0-9]*@.*")
>>                         {
>>                                 if (!is_user_in("credentials", "ld"))
>>                                 {
>>                                         sl_send_reply("403", "Local calls only");
>>                                         break;
>>                                 };
>>                         };
>>                 };
>>
>>                 # authenticated and authorized, now accounting is set
>>                 setflag(1);
>>         };
>>
>>         rewritehostport("a.b.c.f:5060");
>>         append_hf("P-hint: GATEWAY\r\n");
>>         if (!t_relay())
>>         {
>>                 sl_reply_error();
>>                 break;
>>         };
>> }
>>
>> # ------------- process calls for users offline
>> route[4]
>> {
>>         log (1, "**************** INSIDE ROUTE[4]\n");
>>
>>         if (!t_newtran())
>>         {
>>                 sl_reply_error();
>>         };
>>         if (!t_reply("404", "Not Found"))
>>         {
>>                 sl_reply_error();
>>         };
>>         break;
>> }
>>
>> # ------------- process aliased outbound traffic
>> # inbound requests that have been aliased to a non-fikus domain
>> # are not authenticated by fikus
>> route[5]
>> {
>>         append_hf("P-hint: ALIASED-OUTBOUND\r\n");
>>         if (!t_relay())
>>         {
>>                 sl_reply_error();
>>                 break;
>>         };
>> }
>>
>>
>> # ------------- CC-Diversion to voicemail
>> failure_route[4]
>> {
>>         log (1, "**************** FAILURE_ROUTE CALLING VOICEMAIL\n");
>>         # forward to voicemail now
>>         append_branch("sip:2000@a.b.c.d.e");
>>         append_urihf("CC-Diversion: ", "\r\n");
>>         append_hf("P-hint: OFFLINE-VOICEMAIL\r\n");
>>         t_relay();
>> }
>>



