[cisco-voip] Internet IP phone connect through PIX Firewall

Stu Packett SPackett at fenwick.com
Sat Sep 9 15:41:45 EDT 2006


Sorry, I have never tried without the VPN.  I thought best practice was
to use the VPN because it was not advised to put the CCM on the public
internet.  If you do get your config working, I'd like to get a copy of
your config just for reference.  Thanks.

________________________________

From: Manoj Kalpage [mailto:manoj.kalpage at gmail.com] 
Sent: Saturday, September 09, 2006 12:20 AM
To: Stu Packett
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Internet IP phone connect through PIX Firewall


Stu, 
Thank you for the reply. I use a Windows 2003 DHCP server for my phones in
the LAN but I can get my outside phone to connect to CCM through the
internet. Do you have IP phones connecting to your CCM through the
internet without using VPN?
 
Thanks,
Manoj


 
On 9/9/06, Stu Packett <SPackett at fenwick.com> wrote: 

	Manoj:
	Is your PIX giving out DHCP addresses?  On my PIX 501, I have it
set up as a DHCP server and these are my DHCP commands: 
	 
	dhcpd address xxx.xxx.xxx.xxx
	dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
	dhcpd wins xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
	dhcpd lease 36000 
	dhcpd ping_timeout 750
	dhcpd domain internaldomain.com
	dhcpd option 150 ip xxx.xxx.xxx.xxx <--TFTP address 
	dhcpd enable inside

________________________________

	From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Manoj Kalpage
	Sent: Friday, September 08, 2006 4:18 AM
	To: cisco-voip at puck.nether.net
	Subject: [cisco-voip] Internet IP phone connect through PIX Firewall
	
	 
	
	Hi All,
	Has anyone configured a PIX firewall to connect internet IP
phones to Call Manager? I have configured the firewall to open all the ports
which CCM needs, but still no luck. Below is the config of my PIX. Am I
missing anything? 
	
	Here is the link I referred to for opening the TCP and UDP ports:
	
	http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf
	
	Thank you in advance.
	Manoj
	
	PIX Version 6.3(5)
	interface ethernet0 auto
	interface ethernet1 auto
	nameif ethernet0 outside security0
	nameif ethernet1 inside security100
	enable password u2zabJUOK.TTL3K1 encrypted
	passwd 1P5CrRl.dL8Oe4k2 encrypted
	hostname PBXLPIX01
	domain-name pbxl.jp
	clock timezone JST 9
	fixup protocol dns maximum-length 512
	fixup protocol ftp 21
	fixup protocol h323 h225 1720
	fixup protocol h323 ras 1718-1719
	fixup protocol http 80
	fixup protocol pptp 1723
	fixup protocol rsh 514
	fixup protocol rtsp 554
	fixup protocol sip 5060
	fixup protocol sip udp 5060
	fixup protocol skinny 2000
	fixup protocol smtp 25
	fixup protocol snmp 161
	fixup protocol sqlnet 1521
	fixup protocol tftp 69
	names
	object-group service outbound-tcp tcp
	  port-object eq www
	  port-object eq https
	  port-object eq smtp
	  port-object eq ftp
	  port-object eq pop3
	  port-object eq imap4
	  port-object eq domain
	  port-object eq 123
	  port-object eq ssh
	  port-object eq citrix-ica
	object-group service outbound-udp udp
	  port-object eq domain
	  port-object eq ntp
	object-group service mail-inbound tcp
	  port-object eq www
	  port-object eq https
	  port-object eq smtp
	object-group service VoIP-udp udp
	  port-object range 16384 32768
	  port-object eq tftp
	object-group service VoIP-tcp tcp
	  port-object eq 3804
	  port-object eq 2443
	  port-object eq 2000
	  port-object eq www
	  port-object eq 69
	  port-object eq https
	
	access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group VoIP-tcp
	access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group VoIP-udp
	access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group outbound-tcp
	access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group outbound-udp
	access-list 101 permit tcp any host 210.81.12.195 object-group mail-inbound
	access-list 101 permit tcp any host 210.81.12.196 object-group VoIP-tcp
	access-list 101 permit udp any host 210.81.12.196 object-group VoIP-udp
	access-list 101 permit tcp any host 210.81.12.197 object-group VoIP-tcp
	access-list 101 permit udp any host 210.81.12.197 object-group VoIP-udp
	
	pager lines 24
	logging on
	logging trap informational
	logging host inside 172.16.0.26
	logging host inside 172.16.0.12
	icmp permit any unreachable outside
	icmp permit any outside
	mtu outside 1500
	mtu inside 1500
	ip address outside xxx.xxx.xxx.xxx 255.255.255.240
	ip address inside 172.16.0.2 255.255.0.0
	ip audit info action alarm
	ip audit attack action alarm
	ip local pool pbxlpool 10.1.0.100-10.1.0.200
	pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
	pdm history enable
	arp timeout 14400
	global (outside) 1 interface
	nat (inside) 0 access-list VPNREMOTE
	nat (inside) 1 172.16.0.0 255.255.0.0 0 0
	static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000
	static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000
	static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000
	
	access-group 101 in interface outside
	access-group 102 in interface inside
	
	route outside 0.0.0.0 0.0.0.0 210.81.12.193 1
	
	timeout xlate 3:00:00
	timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
	timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
	timeout sip-disconnect 0:02:00 sip-invite 0:03:00
	timeout uauth 0:05:00 absolute
	aaa-server TACACS+ protocol tacacs+
	aaa-server TACACS+ max-failed-attempts 3
	aaa-server TACACS+ deadtime 10
	aaa-server RADIUS protocol radius
	aaa-server RADIUS max-failed-attempts 3
	aaa-server RADIUS deadtime 10
	aaa-server LOCAL protocol local
	aaa authentication ssh console LOCAL
	http 172.16.0.12 255.255.255.255 inside
	snmp-server host inside 172.16.0.12
	snmp-server location pbxl-pix-datacentre
	snmp-server community pbxl
	snmp-server enable traps
	floodguard enable
	telnet 172.16.0.0 255.255.0.0 inside
	telnet 192.168.0.0 255.255.255.0 inside
	telnet timeout 60
	ssh 210.101.94.211 255.255.255.255 outside
	ssh 0.0.0.0 0.0.0.0 outside
	ssh 172.16.0.12 255.255.255.255 inside
	ssh 172.16.0.0 255.255.0.0 inside
	ssh 192.168.1.0 255.255.255.0 inside
	ssh timeout 60
	console timeout 0
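As an added example, not code from the thread or from Cisco: a small Python audit of a PIX 6.3-style config. It parses the posted object-groups, access-list 101 and the ssh/telnet source rules, reports which of the ports a SCCP phone needs (assumed set: SCCP TCP 2000, TFTP UDP 69, RTP UDP 16384-32767) have no inbound permit to a given CCM address, and lists the management services the firewall accepts from any source on the outside interface. SAMPLE_CONFIG is a constructed excerpt of the config posted above; the parser only covers the syntax that excerpt uses.

```python
"""Added example (not from the thread): audit a PIX 6.3-style config for the
pinholes an internet SCCP phone needs and for management open from outside.
Handles only the subset of PIX syntax used in the posted config."""
from collections import defaultdict

# Port keywords as the PIX resolves them (subset used in the posted config).
PORT_NAMES = {"www": 80, "https": 443, "tftp": 69, "smtp": 25, "ftp": 21,
              "domain": 53, "ssh": 22, "ntp": 123, "pop3": 110, "imap4": 143}

# Assumption: the minimum a SCCP phone needs to register and carry audio
# (SCCP TCP 2000, TFTP UDP 69, Cisco's default RTP range 16384-32767).
REQUIRED_PHONE_PORTS = [
    ("tcp", 2000, "SCCP signalling to CallManager"),
    ("udp", 69, "TFTP download of the phone configuration"),
    ("udp", 16384, "RTP media, start of default range"),
    ("udp", 32767, "RTP media, end of default range"),
]

# Constructed excerpt of the config posted in the thread (hosts as posted).
SAMPLE_CONFIG = """\
object-group service mail-inbound tcp
  port-object eq www
  port-object eq https
  port-object eq smtp
object-group service VoIP-udp udp
  port-object range 16384 32768
  port-object eq tftp
object-group service VoIP-tcp tcp
  port-object eq 2000
  port-object eq www
  port-object eq 69
  port-object eq https
access-list 101 permit tcp any host 210.81.12.195 object-group mail-inbound
access-list 101 permit tcp any host 210.81.12.196 object-group VoIP-tcp
access-list 101 permit udp any host 210.81.12.196 object-group VoIP-udp
access-group 101 in interface outside
telnet 172.16.0.0 255.255.0.0 inside
ssh 210.101.94.211 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 60
"""

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _ip_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def _addr(t, i):
    """Consume 'any' | 'host X' | 'X MASK' at t[i]; return ((net, mask), next i)."""
    if t[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if t[i] == "host":
        return (t[i + 1], "255.255.255.255"), i + 2
    return (t[i], t[i + 1]), i + 2

def _covers(spec, ip):
    net, mask = spec
    return _ip_int(ip) & _ip_int(mask) == _ip_int(net) & _ip_int(mask)

def parse(config):
    """Return (ACL entries by id, inbound ACL per interface, ssh/telnet rules)."""
    groups, acls, bindings, mgmt = {}, defaultdict(list), {}, defaultdict(list)
    current = None  # object-group being filled by the following port-object lines
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object-group" and t[1] == "service":
            current = t[2]
            groups[current] = []
            continue
        if t[0] == "port-object" and current:
            lo = _port(t[2])
            groups[current].append((lo, _port(t[3]) if t[1] == "range" else lo))
            continue
        current = None
        if t[0] == "access-list" and t[2] == "permit":
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            if i < len(t) and t[i] == "object-group":
                ports = groups[t[i + 1]]
            elif i < len(t) and t[i] == "eq":
                ports = [(_port(t[i + 1]),) * 2]
            elif i < len(t) and t[i] == "range":
                ports = [(_port(t[i + 1]), _port(t[i + 2]))]
            else:
                ports = [(0, 65535)]  # no port qualifier: every port
            acls[t[1]].append((t[3], src, dst, ports))
        elif t[0] == "access-group" and t[2] == "in":
            bindings[t[4]] = t[1]  # access-group ID in interface IFACE
        elif t[0] in ("ssh", "telnet") and len(t) == 4:
            mgmt[t[0]].append(((t[1], t[2]), t[3]))
    return acls, bindings, mgmt

def missing_phone_ports(config, ccm_ip, iface="outside"):
    """Required proto/port pairs with no permit to ccm_ip on iface's inbound ACL."""
    acls, bindings, _ = parse(config)
    entries = acls.get(bindings.get(iface), [])
    return [f"{proto}/{port} ({why})" for proto, port, why in REQUIRED_PHONE_PORTS
            if not any(p == proto and _covers(dst, ccm_ip)
                       and any(lo <= port <= hi for lo, hi in ports)
                       for p, _s, dst, ports in entries)]

def management_open_to_any(config, iface="outside"):
    """Management services (ssh/telnet) accepted from 0.0.0.0/0 on iface."""
    _, _, mgmt = parse(config)
    return sorted({svc for svc, rules in mgmt.items() for spec, where in rules
                   if where == iface and spec == ("0.0.0.0", "0.0.0.0")})

if __name__ == "__main__":
    for host in ("210.81.12.196", "210.81.12.195"):
        print(host, "missing:", missing_phone_ports(SAMPLE_CONFIG, host) or "none")
    print("open to any source on outside:", management_open_to_any(SAMPLE_CONFIG))
```

Run against the excerpt, it reports nothing missing for 210.81.12.196, four missing entries for 210.81.12.195 (which only carries the mail-inbound group), and ssh as reachable from any source on outside, which corresponds to the `ssh 0.0.0.0 0.0.0.0 outside` line in the posted config. Note that with `fixup protocol skinny 2000` the PIX opens the RTP pinholes itself as calls are set up, so a static permit of the whole 16384-32767 range is wider than the fixup needs; the audit checks what the ACL statically allows, not what the fixup would open dynamically.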

