[OpenSIPS-Users] Getting a Cisco 7960 to register behind a PIX

James Lamanna jlamanna at gmail.com
Thu Dec 9 18:09:49 CET 2010


So here's something I noticed, I'm using nat_uac_test("3") in my configuration.
If you look at the REGISTER message, this test does not pass, because
the NATed IP is in the Contact Header and the VIA tag.
However, test "16" looks at the source port != VIA port, which would pass.
I wonder if this would fix the issue.

Is adding that test bad in any way?

-- James

On Thu, Dec 9, 2010 at 9:04 AM, James Lamanna <jlamanna at gmail.com> wrote:
> Here's the SIP traffic from my phone now running v8.9 with nat_enable
> = 1 and nat_received_processing = 1.
> BTW this phone has no issues registering to asterisk on a different line key.
>
> -- James
>
> U nat.ip:6212 -> opensips.ip:5060
>  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
> nat.ip:8427;branch=z9hG4bK67291d74..From:
> <sip:xxxxxxx at opensips.ip>;tag=00036be7b0aa000731de6fab-4eefd488..To:
> <sip:xxxxxxx at opensips.ip>..
>  Call-ID: 00036be7-b0aa0007-5a172506-53e80b15 at nat.ip..Max-Forwards:
> 70..CSeq: 101 REGISTER..User-Agent: Cisco-CP7960G/8.0..Contact:
> <sip:xxxxxxx1 at nat.ip:8427;user=phone;transport=udp>;+sip.
>  instance="<urn:uuid:00000000-0000-0000-0000-00036be7b0aa>";+u.sip!model.ccm.cisco.com="7"..Content-Length:
> 0..Expires: 45....
> #
> Uopensips.ip:5060 -> nat.ip:8427
>  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
> nat.ip:8427;branch=z9hG4bK67291d74..From:
> <sip:xxxxxxxx at opensips.ip>;tag=00036be7b0aa000731de6fab-4eefd488..To:
> <sip:xxxxxxxxx at opensips.ip>;tag=c5cd5e
>  6c2a1d4c975e04c2ff1b643904.c6b0..Call-ID:
> 00036be7-b0aa0007-5a172506-53e80b15 at nat.ip..CSeq: 101
> REGISTER..WWW-Authenticate: Digest realm="asterisk",
> nonce="4d010bf1000104ac9cec46f3f3eafb667ac1d37dd4
>  c56fce"..Server: OpenSIPS (1.6.3-notls
> (x86_64/linux))..Content-Length: 0....
>
> On Tue, Dec 7, 2010 at 2:29 PM, Advantia VoIP Systems <info at advantia.ca> wrote:
>> James,
>> When I look at my 7940 phones, I am running version 8.8.  It seems to me
>> that this could/should be fixable at your PIX but what are the chance of you
>> flashing your phone to a more recent firmware and seeing if that is helps
>> with the port numbering issue.  Just a guess...
>> Mario
>> On Tue, Dec 7, 2010 at 1:14 PM, James Lamanna <jlamanna at gmail.com> wrote:
>>>
>>> On Tue, Dec 7, 2010 at 11:42 AM, Duane Larson <duane.larson at gmail.com>
>>> wrote:
>>> > From your original post before you set up nat enable on the Cisco phone
>>> > OpenSIPS was replying back on the 2260 port
>>> >
>>> > U nat.ip:2260 -> opensips.ip:5060
>>> >  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>>> >
>>> > #
>>> > U opensips.ip:5060 -> nat.ip:2260
>>> >  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>> >
>>> > So right there without configuring NatEnable on the Cisco phone OpenSIPS
>>> > is
>>> > sending back to the original port that the Cisco phone used correct?
>>>
>>> Yes, that is correct.
>>> That is with nat_enable : 0.
>>>
>>> -- James
>>>
>>> >
>>> >
>>> > On Tue, Dec 7, 2010 at 1:34 PM, James Lamanna <jlamanna at gmail.com>
>>> > wrote:
>>> >>
>>> >> On Tue, Dec 7, 2010 at 9:32 AM, Duane Larson <duane.larson at gmail.com>
>>> >> wrote:
>>> >> > From your SIP message
>>> >> >
>>> >> > U nat.ip:2370 -> opensips.ip:5060 REGISTER sip:opensips.ip
>>> >> > SIP/2.0..Via: SIP/2.0/UDP nat.ip:8427;branch=z9hG4bK79682dfb..
>>> >> > From: <sip:9515013401 at opensips.ip;user=phone>..To:
>>> >> > <sip:9515013401 at opensips.ip;user=phone>..Call-ID:
>>> >> > 00036be7-b0aa0007-736f1483-25859b27 at nat.ip..Date: Mon, 06 Dec 2010
>>> >> > 21:28:11 GMT..CSeq: 200 REGISTER..User-Agent
>>> >> >  : CSCO/7..Contact: <sip:9515013401 at nat.ip:8427>..Content-Length:
>>> >> > 0..Expires: 45....
>>> >> >
>>> >> > In the VIA header I believe your phone is saying "Talk to me over
>>> >> > nat.ip:8427"
>>> >> >
>>> >> > You might want to set up logging on your PIX/ASA firewall to see
>>> >> > whats
>>> >> > getting blocked, but from the way you've explained the issue it
>>> >> > doesn't
>>> >> > sound like an OpenSIPS issue.  Sounds like a firewall issue or Cisco
>>> >> > phone
>>> >> > issue.
>>> >>
>>> >> Logging on the PIX definitely sees packets coming back 8427, which
>>> >> since they aren't part of an established connection get dropped.
>>> >> Maybe going to opensips these phones need sip fixup on, though going
>>> >> directly to Asterisk, they have been working with sip fixup off...
>>> >>
>>> >> -- James
>>> >>
>>> >>
>>> >> >
>>> >> > On Tue, Dec 7, 2010 at 10:22 AM, James Lamanna <jlamanna at gmail.com>
>>> >> > wrote:
>>> >> >>
>>> >> >> Hi Bogdan,
>>> >> >> I guess I'm confused as to why you say its being transmitted back to
>>> >> >> the same IP:Port:
>>> >> >>
>>> >> >> U nat.ip:2370 -> opensips.ip:5060
>>> >> >> U opensips.ip:5060 -> nat.ip:8427
>>> >> >>
>>> >> >> Shouldn't it be going back to port 2370? And not 8427?
>>> >> >>
>>> >> >> -- James
>>> >> >>
>>> >> >> On Tue, Dec 7, 2010 at 2:43 AM, Bogdan-Andrei Iancu
>>> >> >> <bogdan at voice-system.ro> wrote:
>>> >> >> > Hi James,
>>> >> >> >
>>> >> >> > From proxy point of view, everything looks ok - I see the reply
>>> >> >> > sent
>>> >> >> > back to
>>> >> >> > the exact IP:port where the request came from....So the reply
>>> >> >> > should
>>> >> >> > make it
>>> >> >> > through the NAT...But it seams it doesn't as the phone keeps
>>> >> >> > retransmitting
>>> >> >> > the REGISTER..
>>> >> >> >
>>> >> >> > Again, from NAT pov, opensips is doing the right stuff (doing
>>> >> >> > symmetric
>>> >> >> > signalling) - there is nothing more you can do here for
>>> >> >> > opensips..Maybe
>>> >> >> > it
>>> >> >> > is something specific to the NAT device - any possibility to
>>> >> >> > debug/trace
>>> >> >> > on
>>> >> >> > it ?
>>> >> >> >
>>> >> >> > Regards,
>>> >> >> > Bogdan
>>> >> >> >
>>> >> >> > James Lamanna wrote:
>>> >> >> >>
>>> >> >> >> Hi,
>>> >> >> >> I was wondering if anyone had any experience getting a Cisco 7960
>>> >> >> >> phone to register to opensips when the phone is behind a PIX
>>> >> >> >> firewall.
>>> >> >> >> I'm having a hell of a time getting it to register.
>>> >> >> >> I see these messages:
>>> >> >> >>
>>> >> >> >> U nat.ip:2260 -> opensips.ip:5060
>>> >> >> >>  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>>> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <
>>> >> >> >>  sip:xxxxxxx at opensips.ip;user=phone>..To:
>>> >> >> >> <sip:xxxxxxxx at opensips.ip;user=phone>..Call-ID: 0003
>>> >> >> >>  6be7-b0aa0007-46220771-115f4fcc at 10.20.33.22..Date: Mon, 06 Dec
>>> >> >> >> 2010
>>> >> >> >> 18:10:49 GMT..CSeq: 107 REGISTER
>>> >> >> >>  ..User-Agent: CSCO/7..Contact:
>>> >> >> >> <sip:xxxxxxxx at 10.20.33.22:5060>..Content-Length: 0..Expires:
>>> >> >> >> 45....
>>> >> >> >> #
>>> >> >> >> U opensips.ip:5060 -> nat.ip:2260
>>> >> >> >>  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv
>>> >> >> >>  ed=208.90.184.123..From:
>>> >> >> >> <sip:xxxxxxxxx at opensips.ip;user=phone>..To:
>>> >> >> >> <sip:xxxxxxxx at opensips.ip;
>>> >> >> >>  user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:
>>> >> >> >> 00036be7-b0aa0007-46220771-115f4fcc@
>>> >> >> >>  10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest
>>> >> >> >> realm="asterisk", nonce="4cfd27fe0000780d7
>>> >> >> >>  1826527370e7c8b97f663425df75489"..Server: OpenSIPS (1.6.3-notls
>>> >> >> >> (x86_64/linux))..Content-Length: 0..
>>> >> >> >>  ..
>>> >> >> >> #
>>> >> >> >> U nat.ip:2260 -> opensips.ip:5060
>>> >> >> >>  REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>>> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <
>>> >> >> >>  sip:xxxxxxxxx at opensips.ip;user=phone>..To:
>>> >> >> >> <sip:xxxxxxxx at opensips.ip;user=phone>..Call-ID: 0003
>>> >> >> >>  6be7-b0aa0007-46220771-115f4fcc at 10.20.33.22..Date: Mon, 06 Dec
>>> >> >> >> 2010
>>> >> >> >> 18:10:49 GMT..CSeq: 107 REGISTER
>>> >> >> >>  ..User-Agent: CSCO/7..Contact:
>>> >> >> >> <sip:xxxxxxxxx at 10.20.33.22:5060>..Content-Length: 0..Expires:
>>> >> >> >> 45....
>>> >> >> >> #
>>> >> >> >> U opensips.ip:5060 -> nat.ip:2260
>>> >> >> >>  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv
>>> >> >> >>  ed=208.90.184.123..From:
>>> >> >> >> <sip:xxxxxxxx at opensips.ip;user=phone>..To:
>>> >> >> >> <sip:xxxxxxxxx at opensips.ip;
>>> >> >> >>  user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:
>>> >> >> >> 00036be7-b0aa0007-46220771-115f4fcc@
>>> >> >> >>  10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest
>>> >> >> >> realm="asterisk", nonce="4cfd28000000780e5
>>> >> >> >>  c3381d838a044479357aa6c660df432"..Server: OpenSIPS (1.6.3-notls
>>> >> >> >> (x86_64/linux))..Content-Length: 0..
>>> >> >> >>
>>> >> >> >> This suggests the 401 response is not making it back to the
>>> >> >> >> phone....but I'm not sure why the PIX would be blocking it.
>>> >> >> >> All sip fixup is off.
>>> >> >> >>
>>> >> >> >> Any configuration suggestions would be much appreciated.
>>> >> >> >> The phone has:
>>> >> >> >> nat_enable: 0
>>> >> >> >> nat_received_processing: 0
>>> >> >> >>
>>> >> >> >> That was the only way I could get opensips to send the responses
>>> >> >> >> back
>>> >> >> >> to the correct port.
>>> >> >> >>
>>> >> >> >> Thanks.
>>> >> >> >>
>>> >> >> >> -- James
>>> >> >> >>
>>> >> >> >> _______________________________________________
>>> >> >> >> Users mailing list
>>> >> >> >> Users at lists.opensips.org
>>> >> >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>> >> >> >>
>>> >> >> >>
>>> >> >> >
>>> >> >> >
>>> >> >> > --
>>> >> >> > Bogdan-Andrei Iancu
>>> >> >> > OpenSIPS Bootcamp
>>> >> >> > 15 - 19 November 2010, Edison, New Jersey, USA
>>> >> >> > www.voice-system.ro
>>> >> >> >
>>> >> >> >
>>> >> >> > _______________________________________________
>>> >> >> > Users mailing list
>>> >> >> > Users at lists.opensips.org
>>> >> >> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>> >> >> >
>>> >> >>
>>> >> >> _______________________________________________
>>> >> >> Users mailing list
>>> >> >> Users at lists.opensips.org
>>> >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>> >> >
>>> >> >
>>> >> >
>>> >> > --
>>> >> > --
>>> >> > *--*--*--*--*--*
>>> >> > Duane
>>> >> > *--*--*--*--*--*
>>> >> > --
>>> >> >
>>> >> > _______________________________________________
>>> >> > Users mailing list
>>> >> > Users at lists.opensips.org
>>> >> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>> >> >
>>> >> >
>>> >>
>>> >> _______________________________________________
>>> >> Users mailing list
>>> >> Users at lists.opensips.org
>>> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>> >
>>> >
>>> >
>>> > --
>>> > --
>>> > *--*--*--*--*--*
>>> > Duane
>>> > *--*--*--*--*--*
>>> > --
>>> >
>>> > _______________________________________________
>>> > Users mailing list
>>> > Users at lists.opensips.org
>>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>> >
>>> >
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>



More information about the Users mailing list