Setting Cisco 7905G Phones up with Asterisk


Asterisk is a software PBX and Cisco produces SIP phones which can be configured to work with Asterisk. Below, we describe what steps must be taken to configure a Cisco 7905G phone for the Asterisk PBX. The process should be similar with other phones, particularly Cisco ones.

Network Preliminaries

For illustration, we assume that the phone is operated in a private 172.16.16/24 network with the domain name "". The phone will be assigned 160 as its IP number within that network and hardphone as its host name. We also assume that there is a DNS server with IP number 2 and a gateway or firewall with IP number 1. Other required services include DHCP, NTP and TFTP and they are placed on the same or other servers depending on the exact network layout. We assume that the DNS server provides appropriate mappings such that e.g., the TFTP service is provided by the server with host name


Set up a DHCP server and add an entry for the phone's MAC address in the server's dhcpd.conf file. The relevant portions of that configuration file may look e.g., as given below:


option domain-name "";
option domain-name-servers;

subnet netmask
  option routers;
  option ntp-servers;

group {
  option tftp-server-name "";

  host phone-vroth {
    hardware ethernet 00:0d:65:e5:c2:31;

The information that is provided to the phone through DHCP (e.g., the time server, gateway and name server addresses) can also be configured through the phone's configuration file. However, the approach described here is probably simpler and easier to maintain.

The phone expects to find its configuration file on the TFTP server, as well as any firmware upgrades.


The phone expects to be able to download a configuration profile and, optionally, firmware updates from a TFTP server. The TFTP server is typically started through inetd or xinetd and the files are kept e.g., in a directory with the path /tftpboot. We describe the format of the files that the phone expects further below.


Any host-based firewall on the TFTP server must be configured to allow access from the phones to the TFTP port 69/udp. Any host-based firewall on the PBX server must be configured to allow SIP connections from the phones. This requires the SIP port 5060/udp and a range of RTP ports e.g., 50000/udp to 55000/udp, depending on the settings for Asterisk. Additionally, the IAX port 4569/udp must be accessible on the PBX server if calls are routed via the IAX protocol.

The best choice to interface with a VoIP service is through the IAX protocol, which is much easier to manage in a firewalled environment. In particular, no ports must be opened to the outside as long as the VoIP service accepts incoming connections. Asterisk opens a connection from the inside and tunnels all control and data traffic through that connection.

Preparing the Phone

How the Phone Boots

The phone first tries to enter a VLAN using the Cisco Discovery Protocol (CDP). If it finds one then the phone performs 802.1Q VLAN tagging and otherwise it does not. The use of a VLAN can also be switched off in the phone's network configuration menu.

Next, the phone tries to obtain an IP address, subnet mask, DNS server, domain name, NTP server, and a TFTP server via DHCP.

Next, the phone tries to download a number of files from the TFTP server:

Here, xxxxxxxxxxxx denotes the phone's MAC address. The names are case-sensitive and the files are downloaded in order. The first three files are not used for SIP and can be ignored, they are only requested by a SCCP firmware. Once the phone is upgraded to SIP, these files will not be requested any longer.

The file lddefault.cfg will only be loaded if the unique profile ldxxxxxxxxxxxx does not exist on the TFTP server. The firmware upgrade (if necessary) is specified in the profile ldxxxxxxxxxxxx. This file is generated from a text-based configuration file using the cfgfmt tool. If a firmware upgrade is configured then the firmware files must also be made available for download via the TFTP server.

Unlocking and preparing the Phone

The Cisco phone may have to be unlocked. This is accomplished by first navigating to Settings and from there to Network Configuration. In this menu, the unlock code must be entered. This is accomplished by typing **# followed by the password.

The password can be an alphanumeric string of up to nine characters. If it is set to 0 then the phone does not prompt for a password. However, the phone's configuration cannot be modified over the Web if the password is set to 0.

If the password is not known then the phone can be unlocked by restoring the factory settings. This is done as follows:

  1. Press *, 0 and softkey number 4 simultaneously. The manufacturing test-option screen should appear.
  2. Type 322873738# and press *.
  3. Press *, 0 and softkey number 4 simultaneously again, or power-cycle the phone. The phone should return to normal operation.

The phone can then be unlocked with the default password, which is 1234.

Once unlocked, press the Menu key, select Settings and Network Configuration. Choose the TFTP Enabled menu option and set the value to Yes.

Upgrading the Phone

The following table lists the files included in one of the SIP firmware distributions from Cisco for the 7905G and 7912G phones. There are at least two distributions, please refer to the Appendix for more information. We use the distribution of June 23, 2005 in our example. sipexample.txt cfgfmt.exe cfgfmt.linux cfgfmt.sun CP7905010301SIP050608A.sbin CP7905010301SIP050608A.zup lddefault.cfg lddefault.txt prserv.exe prserv.linux prserv.sun Readme.txt sip_ptag.dat bmp2logo.exe

Place the lddefault.cfg file and the dot zup file into the TFTP directory. Then power cycle the phone. The phone should request the lddefault.cfg file, which instructs it to download and install the new firmware provided in the dot zup file. For 7912G phones the dot sbin file should be used.

Once the upgrade is complete the lddefault.cfg and dot zup files should be removed from the TFTP directory, they are not required any longer.

Configuring the Phone Profile

Configuring the phone profile requires eight steps, we will explain these steps in greater detail below:

  1. Copy the sipexample.txt to ldcustom.txt
  2. Edit ldcustom.txt
  3. Generate a new lddefault.cfg from ldcustom.txt without encryption
  4. Copy the new lddefault.cfg to the TFTP directory
  5. Power cycle the phone and let it pull the profile
  6. Generate lddefault.cfg again with encryption
  7. Copy the encrypted lddefault.cfg to the TFTP directory
  8. Power cycle the phone and let it pull the profile

The phone profile should be encrypted such that the login user and password information that the phone is going to use to login into the PBX is protected during network transmission. However, initially the phone and the administrator do not share a secret that could be used to bootstrap the process. Therefore, the secret is entered into the phone profile and the phone profile is downloaded by the phone in the clear. This should be done over a trusted network segment. Once the phone has received the profile with the shared secret, this secret can be used to encrypt the phone profile for future transmission over the production network. Hence, eight steps are required rather than five.

The following lines in ldcustom.txt should be edited:

upgradecodedelete this line
UIDenter the Asterisk context identity for this phone
PWDenter the password for the phone's Asterisk context
TimeZoneenter the two-digit time zone identifier
EncryptKeyenter the shared secret (8 alphanumeric characters)

All other default settings in sipexample.txt should be fine. It does not hurt, though, to verify that the value of UseTftp is set to 1 (enabled) and that none of the information that will be provided through DHCP are configured to static values. Do not leave spaces between the colon and the value of each attribute.

The plain text lddefault.cfg file is generated by invoking the cfgfmt.linux supplied by Cisco as follows:

  ./cfgfmt.linux -E -t sip_ptag.dat ldcustom.txt lddefault.cfg
The -E option surpresses the encryption of the output file if an encryption key is supplied in the input file. Hence, the encrypted output file can be produced as follows:
  ./cfgfmt.linux -t sip_ptag.dat ldcustom.txt lddefault.cfg
The UID is typically displayed also on the phone's LCD. A good strategy might be to use the phone's intended extension as the UID.

Random Notes on Using Softphones


X-Lite is a freely available softphone that appears to be licensed and used by many companies and individuals. X-Lite allows to configure a default proxy as well as additional proxies for routing SIP calls. In order to use proxy number n when placing a call, the dialed number must be prefixed with "#n".

Cisco Firmware Table

Warning: once the phone is upgraded to a firmware build version after March 26th, 2003, the phone cannot be downgraded any longer.

ArchiveVersionDateType 1.3(1) 23-jun-05 SIP 1.01 05-sep-03 SIP 1.0(2) 04-oct-05 H.323

Compiling Asterisk on OpenBSD

When compiling Asterisk on an OpenBSD machine includes of machine/types.h may have to be changed to machine/_types.h.