Can't get external SIP phones to register with Asterisk

[mdillinger]

I am trying to setup my Pix 515E to allow external phones from the internet (either soft phones or hard phones) to register with my asterisk server which sits on my internal network. I can't seem to figure it out.
The internal address is 10.10.10.185. I have setup to what I believe is correct for portforwarding of SIP 5060 and udp port 10000-20000 (per vendor). My phones just sit there and can't register due to timeout.

156.108.xx.xxx is my external IP(masked for security reasons)


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password P/KzUDPb6ucVqnap encrypted
passwd JYOGSeuxUsWHVsfM encrypted
hostname FTM-PIX
domain-name <domainname.com>
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.1.0

255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.1.0

255.255.255.0
access-list 101 permit ip 192.168.45.0 255.255.255.0 192.168.1.0

255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.1.0

255.255.255.0
access-list 101 permit ip 192.168.201.0 255.255.255.0 192.168.1.0

255.255.255.0
access-list 101 permit ip 192.168.200.0 255.255.255.252 192.168.1.0

255.255.255.0
access-list split permit ip 10.10.10.0 255.255.255.0 192.168.1.0

255.255.255.0
access-list split permit ip 10.0.0.0 255.255.255.0 192.168.1.0

255.255.255.0
access-list split permit ip 192.168.45.0 255.255.255.0 192.168.1.0

255.255.255.0
access-list split permit ip 192.168.50.0 255.255.255.0 192.168.1.0

255.255.255.0
access-list split permit ip 192.168.200.0 255.255.255.0 192.168.1.0

255.255.255.0
access-list split permit ip 192.168.201.0 255.255.255.252 192.168.1.0

255.255.255.0
access-list inbound permit icmp any any
access-list inbound permit tcp any host 156.108.xx.xxx eq https
access-list inbound permit tcp any host 156.108.xx.xxx eq www
access-list inbound permit tcp any host 156.108.xx.xxx eq smtp
access-list inbound permit tcp any host 156.108.xx.xxx eq pop3
access-list inbound permit tcp any host 156.108.xx.xxx eq www
access-list inbound permit tcp any host 156.108.xx.xxx eq https
access-list inbound permit tcp any host 156.108.xx.xxx eq imap4
access-list dmzin permit tcp any host 10.10.10.35 eq www
access-list dmzin permit tcp any host 10.10.10.35 eq https
access-list dmzin permit tcp any host 10.10.10.35 eq ftp
access-list dmzin permit tcp any host 10.10.10.35 eq ssh
access-list dmzin permit udp any host 10.10.10.35 eq domain
access-list dmzin permit tcp any host 10.10.10.35 eq telnet
access-list dmzin deny ip any 10.10.10.0 255.255.255.0
access-list dmzin permit ip any any
access-list asterisk permit udp any host 156.108.xx.xxx range 10000

20000
access-list asterisk permit udp any host 156.108.xx.xxx eq 5060
access-list asterisk permit udp any host 156.108.xx.xxx eq 5061
no pager
logging on
logging timestamp
logging trap informational
logging host inside 10.10.10.102 17/1514
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 156.108.40.14 255.255.255.252
ip address inside 10.10.10.250 255.255.255.0
ip address DMZ 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.1.1-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 156.108.xx.xxx
global (DMZ) 1 156.108.xx.xxx
nat (inside) 0 access-list 101
nat (inside) 2 192.168.45.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 156.108.xx.xxx pop3 10.10.10.8 pop3

netmask 255.255.255.255 0 0
static (inside,outside) tcp 156.108.xx.xxx

http://www 10.10.10.8

www

netmask 255.255.255.255 0 0
static (inside,outside) tcp 156.108.xx.xxx https 10.10.10.8 https

netmask 255.255.255.255 0 0
static (inside,outside) tcp 156.108.xx.xxx imap4 10.10.10.8 imap4

netmask 255.255.255.255 0 0
static (inside,outside) tcp 156.108.xx.xxx smtp 10.10.10.8 smtp

netmask 255.255.255.255 0 0
static (DMZ,outside) tcp 156.108.40.194

http://www 192.168.100.2

www

netmask 255.255.255.255 0 0
static (DMZ,outside) tcp 156.108.40.194 https 192.168.100.2 https

netmask 255.255.255.255 0 0
static (inside,outside) udp 156.108.xx.xxx 5060 10.10.10.185 5060

netmask 255.255.255.255 0 0
static (inside,outside) udp 156.108.xx.xxx 5061 10.10.10.185 5061

netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.10.35 10.10.10.35 netmask 255.255.255.255

0 0
access-group inbound in interface outside
access-group dmzin in interface DMZ
route outside 0.0.0.0 0.0.0.0 156.108.40.13 1
route inside 10.0.0.0 255.255.255.0 10.0.0.254 1
route inside 192.168.45.0 255.255.255.0 10.10.10.254 1
route inside 192.168.50.0 255.255.255.0 10.10.10.254 1
route inside 192.168.200.0 255.255.255.252 10.10.10.254 1
route inside 192.168.201.0 255.255.255.0 10.10.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host inside 10.10.10.175
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
tftp-server inside 10.10.10.98 /FTM-PIX
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool bigpool
vpngroup vpn dns-server 10.10.10.5 10.10.10.7
vpngroup vpn wins-server 10.10.10.9
vpngroup vpn default-domain cityofftmorgan.com
vpngroup vpn split-tunnel split
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 66.45.15.254 255.255.255.255 outside
ssh 24.9.174.169 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 66.45.15.254 255.255.255.255 inside
ssh 24.9.174.169 255.255.255.255 inside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:a62e798453d9e5096f9cc205492836e6
: end

 

[Supergrrover]

You've disabled the fixup -
no fixup protocol sip 5060
no fixup protocol sip udp 5060

Try re-enabling them then verify with

show sip
show call active voice brief
show conn detail

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[mdillinger]

I did re-enable the fixup for sip and still the phones will not register. I am thinking it could do with one of my access-lists. I did create a separate access called asterisk to allow that traffic to go to the asterisk server. Am I wrong with doing that? Could my first access list, inbound, be blocking that traffic?

 

[mdillinger]

Thanks for your help supergrrover. It has to do with my access lists and the fixup protocol command. I just removed the access-list for asterisk and added it to my inbound access-list and now everything is working! Thanks again for your help. I appreciated the assistance!

 

[Supergrrover]

Cool beans - good work.

Brent
Systems Engineer / Consultant
CCNP, CCSP