[OpenSIPS-Users] Getting a Cisco 7960 to register behind a PIX

James Lamanna jlamanna at gmail.com
Tue Dec 7 20:34:00 CET 2010


On Tue, Dec 7, 2010 at 9:32 AM, Duane Larson <duane.larson at gmail.com> wrote:
> From your SIP message
>
> U nat.ip:2370 -> opensips.ip:5060 REGISTER sip:opensips.ip
> SIP/2.0..Via: SIP/2.0/UDP nat.ip:8427;branch=z9hG4bK79682dfb..
> From: <sip:9515013401 at opensips.ip;user=phone>..To:
> <sip:9515013401 at opensips.ip;user=phone>..Call-ID:
> 00036be7-b0aa0007-736f1483-25859b27 at nat.ip..Date: Mon, 06 Dec 2010
> 21:28:11 GMT..CSeq: 200 REGISTER..User-Agent
>  : CSCO/7..Contact: <sip:9515013401 at nat.ip:8427>..Content-Length:
> 0..Expires: 45....
>
> In the VIA header I believe your phone is saying "Talk to me over
> nat.ip:8427"
>
> You might want to set up logging on your PIX/ASA firewall to see whats
> getting blocked, but from the way you've explained the issue it doesn't
> sound like an OpenSIPS issue.  Sounds like a firewall issue or Cisco phone
> issue.

Logging on the PIX definitely sees packets coming back 8427, which
since they aren't part of an established connection get dropped.
Maybe going to opensips these phones need sip fixup on, though going
directly to Asterisk, they have been working with sip fixup off...

-- James


>
> On Tue, Dec 7, 2010 at 10:22 AM, James Lamanna <jlamanna at gmail.com> wrote:
>>
>> Hi Bogdan,
>> I guess I'm confused as to why you say its being transmitted back to
>> the same IP:Port:
>>
>> U nat.ip:2370 -> opensips.ip:5060
>> U opensips.ip:5060 -> nat.ip:8427
>>
>> Shouldn't it be going back to port 2370? And not 8427?
>>
>> -- James
>>
>> On Tue, Dec 7, 2010 at 2:43 AM, Bogdan-Andrei Iancu
>> <bogdan at voice-system.ro> wrote:
>> > Hi James,
>> >
>> > From proxy point of view, everything looks ok - I see the reply sent
>> > back to
>> > the exact IP:port where the request came from....So the reply should
>> > make it
>> > through the NAT...But it seams it doesn't as the phone keeps
>> > retransmitting
>> > the REGISTER..
>> >
>> > Again, from NAT pov, opensips is doing the right stuff (doing symmetric
>> > signalling) - there is nothing more you can do here for opensips..Maybe
>> > it
>> > is something specific to the NAT device - any possibility to debug/trace
>> > on
>> > it ?
>> >
>> > Regards,
>> > Bogdan
>> >
>> > James Lamanna wrote:
>> >>
>> >> Hi,
>> >> I was wondering if anyone had any experience getting a Cisco 7960
>> >> phone to register to opensips when the phone is behind a PIX firewall.
>> >> I'm having a hell of a time getting it to register.
>> >> I see these messages:
>> >>
>> >> U nat.ip:2260 -> opensips.ip:5060
>> >>  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <
>> >>  sip:xxxxxxx at opensips.ip;user=phone>..To:
>> >> <sip:xxxxxxxx at opensips.ip;user=phone>..Call-ID: 0003
>> >>  6be7-b0aa0007-46220771-115f4fcc at 10.20.33.22..Date: Mon, 06 Dec 2010
>> >> 18:10:49 GMT..CSeq: 107 REGISTER
>> >>  ..User-Agent: CSCO/7..Contact:
>> >> <sip:xxxxxxxx at 10.20.33.22:5060>..Content-Length: 0..Expires: 45....
>> >> #
>> >> U opensips.ip:5060 -> nat.ip:2260
>> >>  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv
>> >>  ed=208.90.184.123..From: <sip:xxxxxxxxx at opensips.ip;user=phone>..To:
>> >> <sip:xxxxxxxx at opensips.ip;
>> >>  user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:
>> >> 00036be7-b0aa0007-46220771-115f4fcc@
>> >>  10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest
>> >> realm="asterisk", nonce="4cfd27fe0000780d7
>> >>  1826527370e7c8b97f663425df75489"..Server: OpenSIPS (1.6.3-notls
>> >> (x86_64/linux))..Content-Length: 0..
>> >>  ..
>> >> #
>> >> U nat.ip:2260 -> opensips.ip:5060
>> >>  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <
>> >>  sip:xxxxxxxxx at opensips.ip;user=phone>..To:
>> >> <sip:xxxxxxxx at opensips.ip;user=phone>..Call-ID: 0003
>> >>  6be7-b0aa0007-46220771-115f4fcc at 10.20.33.22..Date: Mon, 06 Dec 2010
>> >> 18:10:49 GMT..CSeq: 107 REGISTER
>> >>  ..User-Agent: CSCO/7..Contact:
>> >> <sip:xxxxxxxxx at 10.20.33.22:5060>..Content-Length: 0..Expires: 45....
>> >> #
>> >> U opensips.ip:5060 -> nat.ip:2260
>> >>  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv
>> >>  ed=208.90.184.123..From: <sip:xxxxxxxx at opensips.ip;user=phone>..To:
>> >> <sip:xxxxxxxxx at opensips.ip;
>> >>  user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:
>> >> 00036be7-b0aa0007-46220771-115f4fcc@
>> >>  10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest
>> >> realm="asterisk", nonce="4cfd28000000780e5
>> >>  c3381d838a044479357aa6c660df432"..Server: OpenSIPS (1.6.3-notls
>> >> (x86_64/linux))..Content-Length: 0..
>> >>
>> >> This suggests the 401 response is not making it back to the
>> >> phone....but I'm not sure why the PIX would be blocking it.
>> >> All sip fixup is off.
>> >>
>> >> Any configuration suggestions would be much appreciated.
>> >> The phone has:
>> >> nat_enable: 0
>> >> nat_received_processing: 0
>> >>
>> >> That was the only way I could get opensips to send the responses back
>> >> to the correct port.
>> >>
>> >> Thanks.
>> >>
>> >> -- James
>> >>
>> >> _______________________________________________
>> >> Users mailing list
>> >> Users at lists.opensips.org
>> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >>
>> >>
>> >
>> >
>> > --
>> > Bogdan-Andrei Iancu
>> > OpenSIPS Bootcamp
>> > 15 - 19 November 2010, Edison, New Jersey, USA
>> > www.voice-system.ro
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.opensips.org
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>
> --
> --
> *--*--*--*--*--*
> Duane
> *--*--*--*--*--*
> --
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>



More information about the Users mailing list