[OpenSIPS-Users] Getting a Cisco 7960 to register behind a PIX

Duane Larson duane.larson at gmail.com
Tue Dec 7 23:20:56 CET 2010


Here is a good INVITE I have from being behind a firewall

The firewall has an IP of 75.X.X.158
The internal network the IP phone is on is 192.168.33.X
The OpenSIPS server is 173.X.X.88


U 2010/12/07 16:12:14.459659 75.X.X.158:2048 -> 173.X.X.88:5060
INVITE sip:111 at irock.com;user=phone SIP/2.0.
Via: SIP/2.0/UDP 192.168.33.23:2048;branch=z9hG4bK-9se1atq58cbk;rport.
From: "Moo " <sip:9 at irock.com>;tag=tq7cj9lj3c.
To: <sip:111 at irock.com;user=phone>.
Call-ID: 3c28c61f517f-au6e4a6vh38t.
CSeq: 1 INVITE.
Max-Forwards: 70.
Contact: <sip:9 at 192.168.33.23:2048;line=qtgpvpl1>;reg-id=1.
X-Serialnumber: 0004132902C9.
P-Key-Flags: resolution="31x13", keys="4".
User-Agent: snom360/8.4.18.
Accept: application/sdp.
Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO, UPDATE.
Allow-Events: talk, hold, refer, call-info.
Supported: timer, 100rel, replaces, from-change.
Session-Expires: 3600;refresher=uas.
Min-SE: 90.
Content-Type: application/sdp.
Content-Length: 475.
.
v=0.
o=root 217266021 217266021 IN IP4 192.168.33.23.
s=call.
c=IN IP4 192.168.33.23.
t=0 0.
m=audio 60836 RTP/AVP 0 8 9 99 3 18 4 101.
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:KDdT1DXlQP7n5ulSDPGv9aOWWmKQzMwlqqpUI8Zc.
a=rtpmap:0 pcmu/8000.
a=rtpmap:8 pcma/8000.
a=rtpmap:9 g722/8000.
a=rtpmap:99 g726-32/8000.
a=rtpmap:3 gsm/8000.
a=rtpmap:18 g729/8000.
a=fmtp:18 annexb=no.
a=rtpmap:4 g723/8000.
a=rtpmap:101 telephone-event/8000.
a=fmtp:101 0-16.
a=ptime:20.
a=sendrecv.
#
U 2010/12/07 16:12:14.459991 173.X.X.88:5060 -> 75.X.X.158:2048
SIP/2.0 407 Proxy Authentication Required.
Via: SIP/2.0/UDP 192.168.33.23:2048;branch=z9hG4bK-9se1atq58cbk;rport=2048;received=75.X.X.158.
From: "Moo " <sip:9012211612 at irock.com>;tag=tq7cj9lj3c.
To: <sip:111 at irock.com;user=phone>;tag=c97b4d1cb1f3d0da549e06a8d482ef63.9234.
Call-ID: 3c28c61f517f-au6e4a6vh38t.
CSeq: 1 INVITE.
Proxy-Authenticate: Digest realm="irock.com", nonce="4cfeb15c93b5eb253383911370bef215dfed2212", qop="auth".
Server: OpenSIPS (1.6.3-notls (x86_64/linux)).
Content-Length: 0.

When you don't have NAT enabled on the phone are you still seeing the "407
Authentication Required" message being sent to the firewall and getting
blocked?  Just trying to see if the 407 message is not actually being sent
to a private IP which won't work.  I am only guessing it is getting sent to
the Firewall when NAT is disabled on the phone because you show
"nat.ip:2260" in your output.


On Tue, Dec 7, 2010 at 3:14 PM, James Lamanna <jlamanna at gmail.com> wrote:

> On Tue, Dec 7, 2010 at 11:42 AM, Duane Larson <duane.larson at gmail.com>
> wrote:
> > From your original post before you set up nat enable on the Cisco phone
> > OpenSIPS was replying back on the 2260 port
> >
> > U nat.ip:2260 -> opensips.ip:5060
> >  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
> >
> > #
> > U opensips.ip:5060 -> nat.ip:2260
> >  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
> >
> > So right there without configuring NatEnable on the Cisco phone OpenSIPS is
> > sending back to the original port that the Cisco phone used correct?
>
> Yes, that is correct.
> That is with nat_enable : 0.
>
> -- James
>
> >
> >
> > On Tue, Dec 7, 2010 at 1:34 PM, James Lamanna <jlamanna at gmail.com>
> > wrote:
> >>
> >> On Tue, Dec 7, 2010 at 9:32 AM, Duane Larson <duane.larson at gmail.com>
> >> wrote:
> >> > From your SIP message
> >> >
> >> > U nat.ip:2370 -> opensips.ip:5060 REGISTER sip:opensips.ip
> >> > SIP/2.0..Via: SIP/2.0/UDP nat.ip:8427;branch=z9hG4bK79682dfb..
> >> > From: <sip:9515013401 at opensips.ip;user=phone>..To:
> >> > <sip:9515013401 at opensips.ip;user=phone>..Call-ID:
> >> > 00036be7-b0aa0007-736f1483-25859b27 at nat.ip..Date: Mon, 06 Dec 2010
> >> > 21:28:11 GMT..CSeq: 200 REGISTER..User-Agent
> >> >  : CSCO/7..Contact: <sip:9515013401 at nat.ip:8427>..Content-Length:
> >> > 0..Expires: 45....
> >> >
> >> > In the VIA header I believe your phone is saying "Talk to me over
> >> > nat.ip:8427"
> >> >
> >> > You might want to set up logging on your PIX/ASA firewall to see what's
> >> > getting blocked, but from the way you've explained the issue it doesn't
> >> > sound like an OpenSIPS issue.  Sounds like a firewall issue or Cisco
> >> > phone issue.
> >>
> >> Logging on the PIX definitely sees packets coming back 8427, which
> >> since they aren't part of an established connection get dropped.
> >> Maybe going to opensips these phones need sip fixup on, though going
> >> directly to Asterisk, they have been working with sip fixup off...
> >>
> >> -- James
> >>
> >>
> >> >
> >> > On Tue, Dec 7, 2010 at 10:22 AM, James Lamanna <jlamanna at gmail.com>
> >> > wrote:
> >> >>
> >> >> Hi Bogdan,
> >> >> I guess I'm confused as to why you say it's being transmitted back to
> >> >> the same IP:Port:
> >> >>
> >> >> U nat.ip:2370 -> opensips.ip:5060
> >> >> U opensips.ip:5060 -> nat.ip:8427
> >> >>
> >> >> Shouldn't it be going back to port 2370? And not 8427?
> >> >>
> >> >> -- James
> >> >>
> >> >> On Tue, Dec 7, 2010 at 2:43 AM, Bogdan-Andrei Iancu
> >> >> <bogdan at voice-system.ro> wrote:
> >> >> > Hi James,
> >> >> >
> >> >> > From proxy point of view, everything looks ok - I see the reply sent
> >> >> > back to the exact IP:port where the request came from....So the reply
> >> >> > should make it through the NAT...But it seems it doesn't as the phone
> >> >> > keeps retransmitting the REGISTER..
> >> >> >
> >> >> > Again, from NAT pov, opensips is doing the right stuff (doing symmetric
> >> >> > signalling) - there is nothing more you can do here for opensips..Maybe
> >> >> > it is something specific to the NAT device - any possibility to
> >> >> > debug/trace on it ?
> >> >> >
> >> >> > Regards,
> >> >> > Bogdan
> >> >> >
> >> >> > James Lamanna wrote:
> >> >> >>
> >> >> >> Hi,
> >> >> >> I was wondering if anyone had any experience getting a Cisco 7960
> >> >> >> phone to register to opensips when the phone is behind a PIX
> >> >> >> firewall.
> >> >> >> I'm having a hell of a time getting it to register.
> >> >> >> I see these messages:
> >> >> >>
> >> >> >> U nat.ip:2260 -> opensips.ip:5060
> >> >> >>  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <
> >> >> >>  sip:xxxxxxx at opensips.ip;user=phone>..To:
> >> >> >> <sip:xxxxxxxx at opensips.ip;user=phone>..Call-ID: 0003
> >> >> >>  6be7-b0aa0007-46220771-115f4fcc at 10.20.33.22..Date: Mon, 06 Dec 2010
> >> >> >> 18:10:49 GMT..CSeq: 107 REGISTER
> >> >> >>  ..User-Agent: CSCO/7..Contact:
> >> >> >> <sip:xxxxxxxx at 10.20.33.22:5060>..Content-Length: 0..Expires: 45....
> >> >> >> #
> >> >> >> U opensips.ip:5060 -> nat.ip:2260
> >> >> >>  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv
> >> >> >>  ed=208.90.184.123..From:
> >> >> >> <sip:xxxxxxxxx at opensips.ip;user=phone>..To:
> >> >> >> <sip:xxxxxxxx at opensips.ip;
> >> >> >>  user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:
> >> >> >> 00036be7-b0aa0007-46220771-115f4fcc@
> >> >> >>  10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest
> >> >> >> realm="asterisk", nonce="4cfd27fe0000780d7
> >> >> >>  1826527370e7c8b97f663425df75489"..Server: OpenSIPS (1.6.3-notls
> >> >> >> (x86_64/linux))..Content-Length: 0..
> >> >> >>  ..
> >> >> >> #
> >> >> >> U nat.ip:2260 -> opensips.ip:5060
> >> >> >>  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <
> >> >> >>  sip:xxxxxxxxx at opensips.ip;user=phone>..To:
> >> >> >> <sip:xxxxxxxx at opensips.ip;user=phone>..Call-ID: 0003
> >> >> >>  6be7-b0aa0007-46220771-115f4fcc at 10.20.33.22..Date: Mon, 06 Dec 2010
> >> >> >> 18:10:49 GMT..CSeq: 107 REGISTER
> >> >> >>  ..User-Agent: CSCO/7..Contact:
> >> >> >> <sip:xxxxxxxxx at 10.20.33.22:5060>..Content-Length: 0..Expires: 45....
> >> >> >> #
> >> >> >> U opensips.ip:5060 -> nat.ip:2260
> >> >> >>  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv
> >> >> >>  ed=208.90.184.123..From: <sip:xxxxxxxx at opensips.ip;user=phone>..To:
> >> >> >> <sip:xxxxxxxxx at opensips.ip;
> >> >> >>  user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:
> >> >> >> 00036be7-b0aa0007-46220771-115f4fcc@
> >> >> >>  10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest
> >> >> >> realm="asterisk", nonce="4cfd28000000780e5
> >> >> >>  c3381d838a044479357aa6c660df432"..Server: OpenSIPS (1.6.3-notls
> >> >> >> (x86_64/linux))..Content-Length: 0..
> >> >> >>
> >> >> >> This suggests the 401 response is not making it back to the
> >> >> >> phone....but I'm not sure why the PIX would be blocking it.
> >> >> >> All sip fixup is off.
> >> >> >>
> >> >> >> Any configuration suggestions would be much appreciated.
> >> >> >> The phone has:
> >> >> >> nat_enable: 0
> >> >> >> nat_received_processing: 0
> >> >> >>
> >> >> >> That was the only way I could get opensips to send the responses
> >> >> >> back
> >> >> >> to the correct port.
> >> >> >>
> >> >> >> Thanks.
> >> >> >>
> >> >> >> -- James
> >> >> >>
> >> >> >> _______________________________________________
> >> >> >> Users mailing list
> >> >> >> Users at lists.opensips.org
> >> >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >> >> >>
> >> >> >>
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Bogdan-Andrei Iancu
> >> >> > OpenSIPS Bootcamp
> >> >> > 15 - 19 November 2010, Edison, New Jersey, USA
> >> >> > www.voice-system.ro
> >> >> >
> >> >> >
> >> >> >
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > --
> >> > *--*--*--*--*--*
> >> > Duane
> >> > *--*--*--*--*--*
> >> > --
> >> >
> >> >
> >> >
> >>
> >
> >
> >
> > --
> > --
> > *--*--*--*--*--*
> > Duane
> > *--*--*--*--*--*
> > --
> >
> >
> >
>
>



-- 
--
*--*--*--*--*--*
Duane
*--*--*--*--*--*
--
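
The port comparison this thread does by eye, as an added example that is not part of the original message: it pairs each reply with its request by Via branch and reports whether the reply went back to the request's UDP source port (the NAT binding) or to the port named in the Via sent-by. The trace is constructed from the placeholder hosts used in the thread, the second reply's Via line is assumed, and `parse` and `check_symmetric` are hypothetical names.

```python
import re

# Constructed ngrep-style sample (one SIP header per line); placeholder hosts as in the thread.
TRACE = """U nat.ip:2260 -> opensips.ip:5060
REGISTER sip:opensips.ip SIP/2.0
Via: SIP/2.0/UDP 10.20.33.22:5060;branch=z9hG4bK48039e3a
#
U opensips.ip:5060 -> nat.ip:2260
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260
#
U nat.ip:2370 -> opensips.ip:5060
REGISTER sip:opensips.ip SIP/2.0
Via: SIP/2.0/UDP nat.ip:8427;branch=z9hG4bK79682dfb
#
U opensips.ip:5060 -> nat.ip:8427
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP nat.ip:8427;branch=z9hG4bK79682dfb
"""

HDR = re.compile(r"^U (\S+):(\d+) -> (\S+):(\d+)$")
VIA = re.compile(r"^Via: SIP/2\.0/UDP ([^;:\s]+)(?::(\d+))?.*?;branch=([^;\s]+)")

def parse(trace):
    """Yield one dict per packet: UDP endpoints, reply flag, top Via sent-by, branch."""
    pkt = None
    for line in trace.splitlines():
        h, v = HDR.match(line), VIA.match(line)
        if h:
            pkt = {"src": (h[1], int(h[2])), "dst": (h[3], int(h[4]))}
        elif pkt is not None and "reply" not in pkt:
            pkt["reply"] = line.startswith("SIP/2.0 ")  # status line, not a request line
        elif pkt is not None and v and "branch" not in pkt:
            pkt["sent_by"] = (v[1], int(v[2] or 5060))  # Via port defaults to 5060
            pkt["branch"] = v[3]
            yield pkt

def check_symmetric(trace):
    """Return (branch, request source, reply destination, verdict) for each reply."""
    requests, results = {}, []
    for p in parse(trace):
        if not p["reply"]:
            requests[p["branch"]] = p
        elif p["branch"] in requests:
            req = requests[p["branch"]]
            verdict = ("symmetric" if p["dst"] == req["src"] else
                       "sent to Via sent-by" if p["dst"] == req["sent_by"] else
                       "sent elsewhere")
            results.append((p["branch"], req["src"], p["dst"], verdict))
    return results
```

A reply flagged "sent to Via sent-by" is the nat.ip:2370 / nat.ip:8427 case quoted above, which the PIX log showed being dropped as not part of an established connection.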