[fw-wiz] iChat A/V and Cisco PIX 501 (6.3)

From: Brian Galdino (briangaldino_at_mac.com)
Date: 04/27/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 27 Apr 2004 11:43:26 -0700

    Hi-

    I am currently experiencing difficulties getting iChat A/V to work
    through my Cisco PIX 501 running PIX OS 6.3. As you can see below, I am
    attempting to connect from my internal address space (172.16.1.x)
    through the Internet and through a friend's Linksys router to their
    internal address space (192.168.1.x). Using a home D-Link router I had
    no problems communicating with the same person. It seems to be failing
    during translation, and I can't seem to figure out how to get around
    it. Has anyone been able to successfully configure a pix to work with
    iChat, particularly in this type of a configuration using NAT? Any
    help would be most appreciated.

    Thanks-
    Brian

    Here is the path I followed......

    I followed Apple's document on firewall config and implemented
    Configuration A, which they say is compatible with most configurations:
    http://docs.info.apple.com/article.html?artnum=93208

    iChat Connection Doctor Error:
    2004-04-27 11:14:36 -0700: Jamie did not respond.
    Tried to send UDP SIP "invite" to the following IP addresses and ports:
    69.17.55.164:5060, 192.168.1.105:5060

    PIX Log:
    302015: Built outbound UDP connection 5024 for
    outside:69.17.55.164/5060 (69.17.55.164/5060) to
    inside:172.16.1.10/5060 (216.27.176.126/3868)
    305006: regular translation creation failed for udp src
    inside:172.16.1.10/3868 dst outside:69.17.55.164/5060
    607001: Pre-allocate SIP Via UDP secondary channel for
    outside:69.17.55.164 to inside:172.16.1.10/5060 from INVITE message
    607001: Pre-allocate SIP Signalling UDP secondary channel for
    outside:69.17.55.164/5060 to inside:172.16.1.10 from INVITE message
    305006: regular translation creation failed for udp src
    inside:172.16.1.10/3868 dst outside:69.17.55.164/5060
    305006: regular translation creation failed for udp src
    inside:172.16.1.10/3868 dst outside:69.17.55.164/5060
    302015: Built outbound UDP connection 5027 for
    outside:192.168.1.105/5060 (192.168.1.105/5060) to
    inside:172.16.1.10/5060 (216.27.176.126/3868)
    305006: regular translation creation failed for udp src
    inside:172.16.1.10/3868 dst outside:192.168.1.105/5060
    305011: Built dynamic UDP translation from inside:172.16.1.10/16385 to
    outside:216.27.176.126/3871
    305011: Built dynamic UDP translation from inside:172.16.1.10/16384 to
    outside:216.27.176.126/3870
    305011: Built dynamic UDP translation from inside:172.16.1.10/16387 to
    outside:216.27.176.126/3873
    305011: Built dynamic UDP translation from inside:172.16.1.10/16386 to
    outside:216.27.176.126/3872
    607001: Pre-allocate SIP Via UDP secondary channel for
    outside:192.168.1.105 to inside:172.16.1.10/5060 from INVITE message
    607001: Pre-allocate SIP Signalling UDP secondary channel for
    outside:192.168.1.105/5060 to inside:172.16.1.10 from INVITE message
    305006: regular translation creation failed for udp src
    inside:172.16.1.10/3868 dst outside:192.168.1.105/5060
    305006: regular translation creation failed for udp src
    inside:172.16.1.10/3868 dst outside:192.168.1.105/5060

    Relevant PIX Config (I stripped out irrelevant lines in pasting config
    here)

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname vallejo
    names
    name 172.16.1.0 vallejo-inside-net
    name 172.16.1.1 vallejo-inside
    name 216.xxx.xxx.126 vallejo
    access-list outside_in permit icmp any any
    access-list outside_in permit tcp any any eq aol
    access-list outside_in permit tcp any any eq 5298
    access-list outside_in permit tcp any any eq 5297
    access-list outside_in permit udp any any range 1024 65535
    mtu outside 1500
    mtu inside 1500
    ip address outside vallejo 255.255.255.0
    ip address inside vallejo-inside 255.255.0.0
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.1 1

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
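The PIX log quoted in the post mixes connection builds (302015), dynamic PAT creations (305011), SIP fixup pre-allocations (607001) and translation failures (305006), which makes the pattern hard to see by eye. The following is an added example, not part of the original post and not a Cisco tool: a small Python parser that reads PIX 6.3 syslog lines, tallies 305006 failures per inside source ip/port, lists the dynamic translations that did succeed, and flags failed destinations that fall in RFC 1918 space (the remote peer's LAN address, which can never be reached across the outside interface whatever the NAT configuration). The sample log is a constructed subset of the lines quoted above; the function names and the `%PIX-n-` prefix handling are assumptions, not something from the page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the PIX 6.3 syslog lines quoted in the post,
# re-joined onto one line each (the archive wrapped them).
PIX_LOG = """\
302015: Built outbound UDP connection 5024 for outside:69.17.55.164/5060 (69.17.55.164/5060) to inside:172.16.1.10/5060 (216.27.176.126/3868)
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:69.17.55.164/5060
607001: Pre-allocate SIP Via UDP secondary channel for outside:69.17.55.164 to inside:172.16.1.10/5060 from INVITE message
607001: Pre-allocate SIP Signalling UDP secondary channel for outside:69.17.55.164/5060 to inside:172.16.1.10 from INVITE message
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:69.17.55.164/5060
305011: Built dynamic UDP translation from inside:172.16.1.10/16385 to outside:216.27.176.126/3871
305011: Built dynamic UDP translation from inside:172.16.1.10/16384 to outside:216.27.176.126/3870
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:192.168.1.105/5060
"""

# Optional "%PIX-6-" severity prefix (assumed format), then the 6-digit message ID.
MSG_ID = re.compile(r"^(?:%PIX-\d-)?(\d{6}):\s*(.*)$")
# interface:ip[/port] tokens; the parenthesised mapped addresses have no
# interface prefix and are deliberately skipped.
ENDPOINT = re.compile(r"(inside|outside):(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?")


def parse_line(line):
    """Split one PIX syslog line into its message ID and the
    interface:ip/port endpoints it mentions, in order of appearance."""
    m = MSG_ID.match(line.strip())
    if not m:
        return None
    msg_id, text = m.groups()
    endpoints = [(iface, ip, int(port) if port else None)
                 for iface, ip, port in ENDPOINT.findall(text)]
    return {"id": msg_id, "text": text, "endpoints": endpoints}


def summarize(log_text):
    """Bucket the lines by what they tell a firewall admin."""
    summary = {"xlate_failures": [], "xlate_built": [],
               "sip_prealloc": 0, "other": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ep = rec["endpoints"]
        if rec["id"] == "305006" and len(ep) >= 2:
            # 305006 prints src then dst: (src_ip, src_port, dst_ip, dst_port)
            summary["xlate_failures"].append((ep[0][1], ep[0][2], ep[1][1], ep[1][2]))
        elif rec["id"] == "305011" and len(ep) >= 2:
            # 305011 prints the inside (real) then outside (mapped) endpoint
            summary["xlate_built"].append(((ep[0][1], ep[0][2]), (ep[1][1], ep[1][2])))
        elif rec["id"] == "607001":
            summary["sip_prealloc"] += 1
        else:
            summary["other"][rec["id"]] += 1
    return summary


def failing_sources(summary):
    """Count 305006 failures per inside ip/port so a single stuck source
    port stands out against the translations that did get built."""
    return Counter((src_ip, src_port)
                   for src_ip, src_port, _, _ in summary["xlate_failures"])


def private_destinations(summary):
    """Destinations of failed translations that are RFC 1918 addresses:
    an INVITE aimed at the far end's LAN address cannot succeed through
    the outside interface, independent of the local NAT rules."""
    return {dst for _, _, dst, _ in summary["xlate_failures"]
            if ipaddress.ip_address(dst).is_private}


if __name__ == "__main__":
    s = summarize(PIX_LOG)
    print("translation failures per inside src:", dict(failing_sources(s)))
    print("dynamic translations built:", s["xlate_built"])
    print("SIP secondary channels pre-allocated:", s["sip_prealloc"])
    print("unreachable private destinations:", private_destinations(s))
```

Run against the sample, the script shows every failure coming from the same inside source port (3868) while the 1638x ports translate fine, and that one of the attempted destinations is the friend's private 192.168.1.105 address. That separates the local translation problem from the attempt that could never have worked.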

