[OpenSIPS-Users] Getting a Cisco 7960 to register behind a PIX

James Lamanna jlamanna at gmail.com
Tue Dec 7 22:14:07 CET 2010


On Tue, Dec 7, 2010 at 11:42 AM, Duane Larson <duane.larson at gmail.com> wrote:
> From your original post before you set up nat enable on the Cisco phone
> OpenSIPS was replying back on the 2260 port
>
> U nat.ip:2260 -> opensips.ip:5060
>  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>
> #
> U opensips.ip:5060 -> nat.ip:2260
>  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>
> So right there without configuring NatEnable on the Cisco phone OpenSIPS is
> sending back to the original port that the Cisco phone used correct?

Yes, that is correct.
That is with nat_enable : 0.

-- James

>
>
> On Tue, Dec 7, 2010 at 1:34 PM, James Lamanna <jlamanna at gmail.com> wrote:
>>
>> On Tue, Dec 7, 2010 at 9:32 AM, Duane Larson <duane.larson at gmail.com>
>> wrote:
>> > From your SIP message
>> >
>> > U nat.ip:2370 -> opensips.ip:5060 REGISTER sip:opensips.ip
>> > SIP/2.0..Via: SIP/2.0/UDP nat.ip:8427;branch=z9hG4bK79682dfb..
>> > From: <sip:9515013401 at opensips.ip;user=phone>..To:
>> > <sip:9515013401 at opensips.ip;user=phone>..Call-ID:
>> > 00036be7-b0aa0007-736f1483-25859b27 at nat.ip..Date: Mon, 06 Dec 2010
>> > 21:28:11 GMT..CSeq: 200 REGISTER..User-Agent
>> >  : CSCO/7..Contact: <sip:9515013401 at nat.ip:8427>..Content-Length:
>> > 0..Expires: 45....
>> >
>> > In the VIA header I believe your phone is saying "Talk to me over
>> > nat.ip:8427"
>> >
>> > You might want to set up logging on your PIX/ASA firewall to see whats
>> > getting blocked, but from the way you've explained the issue it doesn't
>> > sound like an OpenSIPS issue.  Sounds like a firewall issue or Cisco
>> > phone
>> > issue.
>>
>> Logging on the PIX definitely sees packets coming back 8427, which
>> since they aren't part of an established connection get dropped.
>> Maybe going to opensips these phones need sip fixup on, though going
>> directly to Asterisk, they have been working with sip fixup off...
>>
>> -- James
>>
>>
>> >
>> > On Tue, Dec 7, 2010 at 10:22 AM, James Lamanna <jlamanna at gmail.com>
>> > wrote:
>> >>
>> >> Hi Bogdan,
>> >> I guess I'm confused as to why you say its being transmitted back to
>> >> the same IP:Port:
>> >>
>> >> U nat.ip:2370 -> opensips.ip:5060
>> >> U opensips.ip:5060 -> nat.ip:8427
>> >>
>> >> Shouldn't it be going back to port 2370? And not 8427?
>> >>
>> >> -- James
>> >>
>> >> On Tue, Dec 7, 2010 at 2:43 AM, Bogdan-Andrei Iancu
>> >> <bogdan at voice-system.ro> wrote:
>> >> > Hi James,
>> >> >
>> >> > From proxy point of view, everything looks ok - I see the reply sent
>> >> > back to
>> >> > the exact IP:port where the request came from....So the reply should
>> >> > make it
>> >> > through the NAT...But it seams it doesn't as the phone keeps
>> >> > retransmitting
>> >> > the REGISTER..
>> >> >
>> >> > Again, from NAT pov, opensips is doing the right stuff (doing
>> >> > symmetric
>> >> > signalling) - there is nothing more you can do here for
>> >> > opensips..Maybe
>> >> > it
>> >> > is something specific to the NAT device - any possibility to
>> >> > debug/trace
>> >> > on
>> >> > it ?
>> >> >
>> >> > Regards,
>> >> > Bogdan
>> >> >
>> >> > James Lamanna wrote:
>> >> >>
>> >> >> Hi,
>> >> >> I was wondering if anyone had any experience getting a Cisco 7960
>> >> >> phone to register to opensips when the phone is behind a PIX
>> >> >> firewall.
>> >> >> I'm having a hell of a time getting it to register.
>> >> >> I see these messages:
>> >> >>
>> >> >> U nat.ip:2260 -> opensips.ip:5060
>> >> >>  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <
>> >> >>  sip:xxxxxxx at opensips.ip;user=phone>..To:
>> >> >> <sip:xxxxxxxx at opensips.ip;user=phone>..Call-ID: 0003
>> >> >>  6be7-b0aa0007-46220771-115f4fcc at 10.20.33.22..Date: Mon, 06 Dec 2010
>> >> >> 18:10:49 GMT..CSeq: 107 REGISTER
>> >> >>  ..User-Agent: CSCO/7..Contact:
>> >> >> <sip:xxxxxxxx at 10.20.33.22:5060>..Content-Length: 0..Expires: 45....
>> >> >> #
>> >> >> U opensips.ip:5060 -> nat.ip:2260
>> >> >>  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv
>> >> >>  ed=208.90.184.123..From:
>> >> >> <sip:xxxxxxxxx at opensips.ip;user=phone>..To:
>> >> >> <sip:xxxxxxxx at opensips.ip;
>> >> >>  user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:
>> >> >> 00036be7-b0aa0007-46220771-115f4fcc@
>> >> >>  10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest
>> >> >> realm="asterisk", nonce="4cfd27fe0000780d7
>> >> >>  1826527370e7c8b97f663425df75489"..Server: OpenSIPS (1.6.3-notls
>> >> >> (x86_64/linux))..Content-Length: 0..
>> >> >>  ..
>> >> >> #
>> >> >> U nat.ip:2260 -> opensips.ip:5060
>> >> >>  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <
>> >> >>  sip:xxxxxxxxx at opensips.ip;user=phone>..To:
>> >> >> <sip:xxxxxxxx at opensips.ip;user=phone>..Call-ID: 0003
>> >> >>  6be7-b0aa0007-46220771-115f4fcc at 10.20.33.22..Date: Mon, 06 Dec 2010
>> >> >> 18:10:49 GMT..CSeq: 107 REGISTER
>> >> >>  ..User-Agent: CSCO/7..Contact:
>> >> >> <sip:xxxxxxxxx at 10.20.33.22:5060>..Content-Length: 0..Expires: 45....
>> >> >> #
>> >> >> U opensips.ip:5060 -> nat.ip:2260
>> >> >>  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv
>> >> >>  ed=208.90.184.123..From: <sip:xxxxxxxx at opensips.ip;user=phone>..To:
>> >> >> <sip:xxxxxxxxx at opensips.ip;
>> >> >>  user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:
>> >> >> 00036be7-b0aa0007-46220771-115f4fcc@
>> >> >>  10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest
>> >> >> realm="asterisk", nonce="4cfd28000000780e5
>> >> >>  c3381d838a044479357aa6c660df432"..Server: OpenSIPS (1.6.3-notls
>> >> >> (x86_64/linux))..Content-Length: 0..
>> >> >>
>> >> >> This suggests the 401 response is not making it back to the
>> >> >> phone....but I'm not sure why the PIX would be blocking it.
>> >> >> All sip fixup is off.
>> >> >>
>> >> >> Any configuration suggestions would be much appreciated.
>> >> >> The phone has:
>> >> >> nat_enable: 0
>> >> >> nat_received_processing: 0
>> >> >>
>> >> >> That was the only way I could get opensips to send the responses
>> >> >> back
>> >> >> to the correct port.
>> >> >>
>> >> >> Thanks.
>> >> >>
>> >> >> -- James
>> >> >>
>> >> >> _______________________________________________
>> >> >> Users mailing list
>> >> >> Users at lists.opensips.org
>> >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> > --
>> >> > Bogdan-Andrei Iancu
>> >> > OpenSIPS Bootcamp
>> >> > 15 - 19 November 2010, Edison, New Jersey, USA
>> >> > www.voice-system.ro
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Users mailing list
>> >> > Users at lists.opensips.org
>> >> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >> >
>> >>
>> >> _______________________________________________
>> >> Users mailing list
>> >> Users at lists.opensips.org
>> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >
>> >
>> >
>> > --
>> > --
>> > *--*--*--*--*--*
>> > Duane
>> > *--*--*--*--*--*
>> > --
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.opensips.org
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >
>> >
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>
> --
> --
> *--*--*--*--*--*
> Duane
> *--*--*--*--*--*
> --
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>



More information about the Users mailing list