Firewall Wizards mailing list archives

iChat A/V and Cisco PIX 501 (6.3)


From: Brian Galdino <briangaldino () mac com>
Date: Tue, 27 Apr 2004 11:43:26 -0700

Hi-

I am currently experiencing difficulties getting iChat A/V to work through my Cisco PIX 501 running PIX OS 6.3. As you can see below, I am attempting to connect from my internal address space (172.16.1.x) through the Internet and through a friend's Linksys router to their internal address space (192.168.1.x). Using a home D-link router I had no problems communicating with the same person. It seems to be failing during translation, and I can't seem to figure out how to get around it. Has anyone been able to successfully configure a PIX to work with iChat, particularly in this type of a configuration using NAT? Any help would be most appreciated.

Thanks-
Brian

Here is the path I followed......

I followed Apple's document on firewall config and implemented Configuration A, which they say is compatible with most configurations:
http://docs.info.apple.com/article.html?artnum=93208


iChat Connection Doctor Error:
2004-04-27 11:14:36 -0700: Jamie did not respond.
Tried to send UDP SIP "invite" to the following IP addresses and ports:
69.17.55.164:5060, 192.168.1.105:5060

PIX Log:
302015: Built outbound UDP connection 5024 for outside:69.17.55.164/5060 (69.17.55.164/5060) to inside:172.16.1.10/5060 (216.27.176.126/3868)
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:69.17.55.164/5060
607001: Pre-allocate SIP Via UDP secondary channel for outside:69.17.55.164 to inside:172.16.1.10/5060 from INVITE message
607001: Pre-allocate SIP Signalling UDP secondary channel for outside:69.17.55.164/5060 to inside:172.16.1.10 from INVITE message
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:69.17.55.164/5060
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:69.17.55.164/5060
302015: Built outbound UDP connection 5027 for outside:192.168.1.105/5060 (192.168.1.105/5060) to inside:172.16.1.10/5060 (216.27.176.126/3868)
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:192.168.1.105/5060
305011: Built dynamic UDP translation from inside:172.16.1.10/16385 to outside:216.27.176.126/3871
305011: Built dynamic UDP translation from inside:172.16.1.10/16384 to outside:216.27.176.126/3870
305011: Built dynamic UDP translation from inside:172.16.1.10/16387 to outside:216.27.176.126/3873
305011: Built dynamic UDP translation from inside:172.16.1.10/16386 to outside:216.27.176.126/3872
607001: Pre-allocate SIP Via UDP secondary channel for outside:192.168.1.105 to inside:172.16.1.10/5060 from INVITE message
607001: Pre-allocate SIP Signalling UDP secondary channel for outside:192.168.1.105/5060 to inside:172.16.1.10 from INVITE message
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:192.168.1.105/5060
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:192.168.1.105/5060

Relevant PIX Config (I stripped out irrelevant lines in pasting config here)

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname vallejo
names
name 172.16.1.0 vallejo-inside-net
name 172.16.1.1 vallejo-inside
name 216.xxx.xxx.126 vallejo
access-list outside_in permit icmp any any
access-list outside_in permit tcp any any eq aol
access-list outside_in permit tcp any any eq 5298
access-list outside_in permit tcp any any eq 5297
access-list outside_in permit udp any any range 1024 65535
mtu outside 1500
mtu inside 1500
ip address outside vallejo 255.255.255.0
ip address inside vallejo-inside 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.1 1

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
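
Added example, not part of the original post: a Python script that tallies the PIX syslog messages quoted above by message ID and lists each flow that hit 305006, noting whether its source port equals a port that a 302015 line reported as the mapped port for the same inside host. The sample input is a constructed subset of the post's log, and the function and field names are assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the PIX syslog lines quoted in the post.
SAMPLE_LOG = """\
302015: Built outbound UDP connection 5024 for outside:69.17.55.164/5060 (69.17.55.164/5060) to inside:172.16.1.10/5060 (216.27.176.126/3868)
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:69.17.55.164/5060
607001: Pre-allocate SIP Via UDP secondary channel for outside:69.17.55.164 to inside:172.16.1.10/5060 from INVITE message
305011: Built dynamic UDP translation from inside:172.16.1.10/16385 to outside:216.27.176.126/3871
305006: regular translation creation failed for udp src inside:172.16.1.10/3868 dst outside:192.168.1.105/5060
"""

# 302015 prints each endpoint as real addr/port followed by (mapped addr/port).
BUILT = re.compile(
    r"^302015: Built outbound UDP connection \d+ for outside:(\S+)/(\d+) \(\S+\) "
    r"to inside:(\S+)/(\d+) \((\S+)/(\d+)\)")
FAILED = re.compile(
    r"^305006: regular translation creation failed for (\w+) "
    r"src inside:(\S+)/(\d+) dst outside:(\S+)/(\d+)")


def summarize(log_text):
    """Return (per-message-ID counts, list of failed-translation flows)."""
    counts = Counter()
    mapped = {}           # (inside ip, mapped port) -> real inside port
    failures = Counter()  # (proto, src ip, src port, dst ip, dst port) -> hits
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        counts[line.split(":", 1)[0]] += 1
        if m := BUILT.match(line):
            mapped[(m[3], m[6])] = m[4]
        elif m := FAILED.match(line):
            failures[m.groups()] += 1
    report = []
    for (proto, src, sport, dst, dport), hits in failures.items():
        report.append({
            "proto": proto, "src": f"{src}/{sport}", "dst": f"{dst}/{dport}",
            "hits": hits,
            # Real inside port if the failing source port equals a port that a
            # 302015 line reported as the mapped port for this host, else None.
            "src_port_mapped_from": mapped.get((src, sport)),
        })
    return counts, report


if __name__ == "__main__":
    counts, report = summarize(SAMPLE_LOG)
    print(dict(counts))
    for row in report:
        print(row)
```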

