[cisco-voip] SCCP through PIX cont'

Voll, Scott Scott.Voll at wesd.org
Fri Apr 14 16:49:44 EDT 2006


In case someone else comes up with the same problem I wanted to close
the loop on the post:

The problem of one-way audio all came down to a bad static command.  The
static command put the network on the wrong DMZ interface.

As always........Wes and the gang at Cisco are the
BEST!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thanks, Wes.

Scott

________________________________

Scott,
regarding the line:
static (DMZ1,DMZ2) 10.x.x.0 10.x.x.0 netmask 255.255.255.0 0 0

The line says, "The 10.x.x.0/24 network physically resides on the DMZ1
interface.  When 10.x.x.0 hosts on the DMZ1 interface need to access
hosts on the DMZ2 interface, translate their address to themselves (or
don't translate).  In addition, when a host on the DMZ2 interface
attempts to connect to 10.x.x.0/24, translate the destination address to
10.x.x.0/24 (or don't translate), and forward the packet to the DMZ1
interface."

Thus the break in debug skinny where we see:
819: NAT::static route: embedded host at DMZ1:10.x.x.50/0
820: NAT::pre-allocate connection for DMZ1:10.x.x.50 to
OUTSIDE:y.y.y.58/19664
821: NAT::WARNING: NAT fails to classify DMZ1:10.x.x.50/0 to
OUTSIDE:y.y.y.58
....
827: NAT::static route: embedded host at DMZ1:10.x.x.50/31336
828: NAT::table route: embedded host at OUTSIDE:y.y.y.58/0
829: NAT::pre-allocate connection for OUTSIDE:y.y.y.58 to
DMZ1:10.x.x.50/31336
830: NAT::WARNING: NAT fails to classify DMZ1:10.x.x.50/31336 to
OUTSIDE:y.y.y.58
...
836: NAT::WARNING: NAT fails to classify DMZ1:10.x.x.50/31336 to
OUTSIDE:y.y.y.58
837: NAT::ERROR: failed to locate xlate

With the static removed, the PIX will use the route statements to
identify the proper interface for the 10.x.x.0/24 network.

/Wes

Voll, Scott wrote:

Outside ----- internet - Phone with one way audio issue

Inside --- (single network)

DMZ1 - (single network)

DMZ2 - Inside network  --- PC, Phones, CM, etc

Scott

Wes Sisk wrote: 

security.  still sounds like pix not opening port.

just to make sure basics are covered:
is your pix running new code?
if you take a packet capture from the back of the outside phone: look at
the startmediatransmission message sent to the phone, is the remote
address the outside address (nat'd or not?)

/Wes



________________________________

Wes Sisk wrote:

you will need to use 'fixup protocol skinny 2000' on your PIX

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379

You will also need the version of PIX code that supports the SCCP
version that your CM uses.  Beware of CSCdw13911.  This tends to happen
with large Skinny CallInfo messages from CM to the phone.  You have 2
options to avoid it:

1. upgrade to pix version that supports the segmentation

2. enable path MTU auto discovery on your CM servers.  M$ had us disable
it for DoS vulnerabilities.

/Wes

________________________________

Why would DTMF work and not audio? Answer: Out of Band

Scott

________________________________

I have set the configuration up like this:

IP Phone --- (public)  -- PIX (6.3) --- (Inside) CM / IP Phones/ VGW.

I was able to get the phone up and working, but I'm getting one-way audio:
the direction toward the inside is not working.

What can I do to fix it?

Thanks

Scott

________________________________

Has anyone set up a phone outside your network to work through a PIX
firewall?

I would like to set up a 7940 just on the other side of our PIX.  So I
don't have a way to VPN it in.  I would like to just permit IP address
to CM on the firewall but was wondering if some fixup or NAT to the CM
will screw it up.

Thanks

Scott
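
Added example (not from the thread, and not Cisco's or the list members'
code): a small checker for the failure mode Wes describes above. A PIX 6.3
'static (real,mapped) ...' line declares that the real network sits behind
its first interface; if the 'route' statements put that network behind a
different interface, NAT cannot classify the host and 'debug skinny'
shows "NAT fails to classify" and "failed to locate xlate". The script
parses static and route lines, does the longest-prefix lookup the PIX
would do, and ties each classification failure in the debug output back
to the static that claimed the wrong interface. Interface names follow
the thread (DMZ1, DMZ2, OUTSIDE); the addresses 10.1.1.0/24, 10.1.1.50 and
198.51.100.58 are constructed stand-ins for the 10.x.x.0 and y.y.y.58
placeholders, and the config and debug text are constructed samples
modelled on what was posted. The thread's actual fix was removing the
static, which is what FIXED_CONFIG represents.

```python
"""Hypothetical PIX 6.3 static/route cross-check with NAT debug correlation.
Added example only; config, debug lines and addresses below are constructed."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed config modelled on the thread: routing says 10.1.1.0/24 lives
# behind DMZ2, but the static's real side (first interface) claims DMZ1.
SAMPLE_CONFIG = """\
fixup protocol skinny 2000
route DMZ2 10.1.1.0 255.255.255.0 10.1.2.1 1
route OUTSIDE 0.0.0.0 0.0.0.0 203.0.113.1 1
static (DMZ1,DMZ2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
"""

# Same config with the bad static removed (the fix reported in the thread).
FIXED_CONFIG = "\n".join(l for l in SAMPLE_CONFIG.splitlines()
                         if not l.startswith("static")) + "\n"

# Constructed NAT debug lines modelled on the ones quoted in the thread.
SAMPLE_DEBUG = """\
819: NAT::static route: embedded host at DMZ1:10.1.1.50/0
820: NAT::pre-allocate connection for DMZ1:10.1.1.50 to OUTSIDE:198.51.100.58/19664
821: NAT::WARNING: NAT fails to classify DMZ1:10.1.1.50/0 to OUTSIDE:198.51.100.58
827: NAT::static route: embedded host at DMZ1:10.1.1.50/31336
828: NAT::table route: embedded host at OUTSIDE:198.51.100.58/0
829: NAT::pre-allocate connection for OUTSIDE:198.51.100.58 to DMZ1:10.1.1.50/31336
830: NAT::WARNING: NAT fails to classify DMZ1:10.1.1.50/31336 to OUTSIDE:198.51.100.58
837: NAT::ERROR: failed to locate xlate
"""

# PIX 6.3: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask] ...
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)\s+"
    r"(?P<mapped_ip>[\d.]+)\s+(?P<real_ip>[\d.]+)(?:\s+netmask\s+(?P<mask>[\d.]+))?",
    re.MULTILINE)
# PIX 6.3: route if_name network netmask gateway [metric]
ROUTE_RE = re.compile(
    r"^route\s+(?P<ifc>[\w-]+)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+[\d.]+",
    re.MULTILINE)
NAT_FAIL_RE = re.compile(
    r"NAT::WARNING: NAT fails to classify (?P<sifc>[\w-]+):(?P<shost>[\d.]+)/\d+"
    r" to (?P<difc>[\w-]+):(?P<dhost>[\d.]+)")

Route = Tuple[str, ipaddress.IPv4Network]


def parse_routes(cfg: str) -> List[Route]:
    return [(m["ifc"], ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False))
            for m in ROUTE_RE.finditer(cfg)]


def route_interface(routes: List[Route], addr: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match over the 'route' lines; None if nothing matches."""
    best: Optional[Route] = None
    for ifc, net in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifc, net)
    return best[0] if best else None


def check_statics(cfg: str) -> List[Tuple[str, str, str]]:
    """(real_network, interface the static claims, interface routing says) for each
    static whose real side disagrees with the routing table. Only 'route' lines are
    consulted, so a directly connected network with no route line is not checked."""
    routes = parse_routes(cfg)
    problems = []
    for m in STATIC_RE.finditer(cfg):
        mask = m["mask"] or "255.255.255.255"  # no netmask keyword means a host static
        real_net = ipaddress.IPv4Network(f"{m['real_ip']}/{mask}", strict=False)
        routed = route_interface(routes, real_net.network_address)
        if routed is not None and routed != m["real_ifc"]:
            problems.append((str(real_net), m["real_ifc"], routed))
    return problems


def find_nat_failures(debug: str) -> List[Tuple[str, str, str, str]]:
    """Unique (src_ifc, src_host, dst_ifc, dst_host) from 'NAT fails to classify' lines."""
    seen: List[Tuple[str, str, str, str]] = []
    for m in NAT_FAIL_RE.finditer(debug):
        entry = (m["sifc"], m["shost"], m["difc"], m["dhost"])
        if entry not in seen:
            seen.append(entry)
    return seen


def diagnose(cfg: str, debug: str) -> List[str]:
    """Tie each NAT classification failure to a static that puts the host's network
    on the wrong interface; give a generic hint when no static is to blame."""
    findings = []
    mismatches = check_statics(cfg)
    for sifc, shost, difc, dhost in find_nat_failures(debug):
        host = ipaddress.IPv4Address(shost)
        for net, claimed, routed in mismatches:
            if sifc == claimed and host in ipaddress.IPv4Network(net):
                findings.append(
                    f"{shost} -> {difc}:{dhost}: static places {net} on {claimed}, "
                    f"but routing puts it on {routed}; remove or correct the static")
    if not findings and "NAT::ERROR: failed to locate xlate" in debug:
        findings.append("xlate lookup failed but no static/route mismatch found; "
                        "check nat/global, access-list and fixup coverage")
    return findings
```

Run diagnose(SAMPLE_CONFIG, SAMPLE_DEBUG) to get the one finding that names
DMZ1 versus DMZ2; with FIXED_CONFIG the static mismatch disappears and only
the generic hint remains, which is the signal to look at nat/global,
access-list and fixup coverage instead. The checker deliberately trusts only
explicit 'route' lines, since that is what Wes says the PIX falls back on
once the static is gone.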

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://puck.nether.net/pipermail/cisco-voip/attachments/20060414/4fcfcbc4/attachment-0001.html 

