[cisco-voip] Internet IP phone connect through PIX Firewall
Wes Sisk
wsisk at cisco.com
Mon Sep 11 14:04:10 EDT 2006
I believe this is what you need:
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1063720
and this, but with inside/outside reversed:
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K72511039
/Wes
Manoj Kalpage wrote:
> Wes,
> Thank you for the reply. Yes, I have NAT on my PIX. Regarding DNS fixup,
> do I need additional settings on my PIX except the fixup protocol dns
> maximum-length 512?
>
> Best Regards,
> Manoj
>
>
> ----- Original Message -----
> *From:* Wes Sisk <mailto:wsisk at cisco.com>
> *To:* Manoj Kalpage <mailto:manoj.kalpage at gmail.com>
> *Cc:* ciscovoip Voip <mailto:cisco-voip at puck.nether.net> ; Stu
> Packett <mailto:SPackett at fenwick.com>
> *Sent:* Sunday, September 10, 2006 10:28 PM
> *Subject:* Re: [cisco-voip] Internet IP phone connect through PIX
> Firewall
>
> Manoj,
>
> Are you doing NAT on your PIX? If so, you will need special CM+PIX
> config.
>
> Phones download SEP<mac>.cnf.xml from the TFTP server. Inside this XML
> file is a listing of which CM servers the phone should register to
> using SCCP. This file also tells the phone what TCP port to use for
> the SCCP communication. The CM servers are listed in this by name
> or IP address based on how your CM is configured under system->server.
>
> For NAT traversal, your CM will have to be configured using host
> names. Your PIX will have to do DNS fixup. Your phone will receive
> the name cm1.manoj.com. The phone must do a DNS lookup on this and
> receive the external address of your CM server.
>
> Otherwise, you must use a valid internet address for the IP of your
> CM server.
>
> /Wes
> On Sep 9, 2006, at 3:41 PM, Stu Packett wrote:
>
> Sorry, I have never tried without the VPN. I thought best practice
> was to use the VPN because it was not advised to put the CCM on the
> public internet. If you do get your config working, I'd like to get
> a copy of your config just for reference. Thanks.
>
> ------------------------------------------------------------------------
> *From:* Manoj Kalpage [mailto:manoj.kalpage at gmail.com]
> *Sent:* Saturday, September 09, 2006 12:20 AM
> *To:* Stu Packett
> *Cc:* cisco-voip at puck.nether.net <mailto:cisco-voip at puck.nether.net>
> *Subject:* Re: [cisco-voip] Internet IP phone connect through PIX
> Firewall
>
> Stu,
> Thank you for the reply. I use a Windows 2003 DHCP server for my
> phones in the LAN, but I can get my outside phone to connect to CCM through
> the internet. Do you have IP phones connecting to your CCM through the internet
> without using a VPN?
>
> Thanks,
> Manoj
>
>
>
> On 9/9/06, *Stu Packett* <SPackett at fenwick.com
> <mailto:SPackett at fenwick.com>> wrote:
>
> Manoj:
> Is your PIX giving out DHCP addresses? On my PIX 501, I have it
> setup as a DHCP server and these are my DHCP commands:
>
> dhcpd address xxx.xxx.xxx.xxx
> dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
> dhcpd wins xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
> dhcpd lease 36000
> dhcpd ping_timeout 750
> dhcpd domain internaldomain.com
> dhcpd option 150 ip xxx.xxx.xxx.xxx <--TFTP address
> dhcpd enable inside
>
> ------------------------------------------------------------------------
> *From:* cisco-voip-bounces at puck.nether.net
> <mailto:cisco-voip-bounces at puck.nether.net> [mailto:
> cisco-voip-bounces at puck.nether.net
> <mailto:cisco-voip-bounces at puck.nether.net>] *On Behalf Of
> *Manoj Kalpage
> *Sent:* Friday, September 08, 2006 4:18 AM
> *To:* cisco-voip at puck.nether.net <mailto:cisco-voip at puck.nether.net>
> *Subject:* [cisco-voip] Internet IP phone connect through PIX
> Firewall
>
>
> Hi All,
> Has anyone configured a PIX firewall to connect internet IP
> phones to Call Manager? I have configured the firewall to open all
> the ports which CCM needs, but still no luck. Below is the config
> of my PIX. Am I missing anything?
>
> Here is the link I referred to in order to open the TCP and UDP ports:
>
> http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf
>
> Thank you in advance.
> Manoj
>
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password u2zabJUOK.TTL3K1 encrypted
> passwd 1P5CrRl.dL8Oe4k2 encrypted
> hostname PBXLPIX01
> domain-name pbxl.jp
> clock timezone JST 9
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol pptp 1723
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol snmp 161
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> object-group service outbound-tcp tcp
> port-object eq www
> port-object eq https
> port-object eq smtp
> port-object eq ftp
> port-object eq pop3
> port-object eq imap4
> port-object eq domain
> port-object eq 123
> port-object eq ssh
> port-object eq citrix-ica
> object-group service outbound-udp udp
> port-object eq domain
> port-object eq ntp
> object-group service mail-inbound tcp
> port-object eq www
> port-object eq https
> port-object eq smtp
> object-group service VoIP-udp udp
> port-object range 16384 32768
> port-object eq tftp
> object-group service VoIP-tcp tcp
> port-object eq 3804
> port-object eq 2443
> port-object eq 2000
> port-object eq www
> port-object eq 69
> port-object eq https
> access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group VoIP-tcp
> access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group VoIP-udp
> access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group outbound-tcp
> access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group outbound-udp
> access-list 101 permit tcp any host 210.81.12.195 object-group mail-inbound
> access-list 101 permit tcp any host 210.81.12.196 object-group VoIP-tcp
> access-list 101 permit udp any host 210.81.12.196 object-group VoIP-udp
> access-list 101 permit tcp any host 210.81.12.197 object-group VoIP-tcp
> access-list 101 permit udp any host 210.81.12.197 object-group VoIP-udp
>
> pager lines 24
> logging on
> logging trap informational
> logging host inside 172.16.0.26
> logging host inside 172.16.0.12
> icmp permit any unreachable outside
> icmp permit any outside
> mtu outside 1500
> mtu inside 1500
> ip address outside xxx.xxx.xxx.xxx 255.255.255.240
> ip address inside 172.16.0.2 255.255.0.0
>
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool pbxlpool 10.1.0.100-10.1.0.200
> pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
>
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list VPNREMOTE
> nat (inside) 1 172.16.0.0 255.255.0.0 0 0
> static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000
> static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000
> static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000
>
> access-group 101 in interface outside
> access-group 102 in interface inside
> route outside 0.0.0.0 0.0.0.0 210.81.12.193 1
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
> h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
>
> aaa authentication ssh console LOCAL
>
> http 172.16.0.12 255.255.255.255 inside
>
> snmp-server host inside 172.16.0.12
> snmp-server location pbxl-pix-datacentre
>
> snmp-server community pbxl
> snmp-server enable traps
> floodguard enable
>
> telnet 172.16.0.0 255.255.0.0 inside
> telnet 192.168.0.0 255.255.255.0 inside
> telnet timeout 60
> ssh 210.101.94.211 255.255.255.255 outside
> ssh 0.0.0.0 0.0.0.0 outside
> ssh 172.16.0.12 255.255.255.255 inside
> ssh 172.16.0.0 255.255.0.0 inside
> ssh 192.168.1.0 255.255.255.0 inside
>
> ssh timeout 60
> console timeout 0
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net <mailto:cisco-voip at puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
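Wes's explanation above (the phone pulls its CallManager list and SCCP port from SEP<mac>.cnf.xml, and NAT traversal only works when the servers are listed by host name that DNS fixup can rewrite) can be checked mechanically against the file a phone actually downloads. The script below is an added example, not code from the thread or from Cisco: it parses a constructed, cut-down SEP<mac>.cnf.xml (the element names processNodeName and ethernetPhonePort follow the CM 4.x file layout and are assumed here) and flags every CM entry that is an IP literal (a private one can never be reached from the outside, and DNS fixup has nothing to rewrite) or that uses the cleartext SCCP port 2000 rather than SCCP over TLS on 2443.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample SEP<mac>.cnf.xml, reduced to the elements the phone
# uses to find its CallManager servers. Element names are assumed from
# the CM 4.x file layout; point parse_cm_entries() at a real file via tftp.
SAMPLE_CNF_XML = """<device>
  <devicePool>
    <callManagerGroup>
      <members>
        <member priority="0">
          <callManager>
            <ports>
              <ethernetPhonePort>2000</ethernetPhonePort>
            </ports>
            <processNodeName>cm1.manoj.com</processNodeName>
          </callManager>
        </member>
        <member priority="1">
          <callManager>
            <ports>
              <ethernetPhonePort>2443</ethernetPhonePort>
            </ports>
            <processNodeName>172.16.0.50</processNodeName>
          </callManager>
        </member>
      </members>
    </callManagerGroup>
  </devicePool>
</device>
"""

SECURE_SCCP_PORT = 2443   # SCCP over TLS; TCP 2000 is cleartext SCCP


def parse_cm_entries(xml_text):
    """Return (priority, server, port) for each CallManager the phone will try,
    in the order the phone tries them."""
    root = ET.fromstring(xml_text)
    entries = []
    for member in root.iter("member"):
        cm = member.find("callManager")
        if cm is None:
            continue
        server = (cm.findtext("processNodeName") or "").strip()
        port = int(cm.findtext("ports/ethernetPhonePort") or "2000")
        entries.append((int(member.get("priority", "0")), server, port))
    return sorted(entries)


def is_ip_literal(server):
    """True when the CM entry is an address rather than a name (no DNS lookup,
    so the PIX DNS fixup cannot substitute the outside address)."""
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return False


def assess(xml_text):
    """List (priority, server, port, issues) for each CM entry; issues is empty
    when the entry is a host name registering over SCCP/TLS."""
    findings = []
    for prio, server, port in parse_cm_entries(xml_text):
        issues = []
        if is_ip_literal(server):
            if ipaddress.ip_address(server).is_private:
                issues.append("private IP literal: unreachable from outside, "
                              "DNS fixup cannot rewrite it")
            else:
                issues.append("IP literal: works only if this is the public address")
        if port != SECURE_SCCP_PORT:
            issues.append(f"port {port}: cleartext SCCP")
        findings.append((prio, server, port, issues))
    return findings


if __name__ == "__main__":
    for prio, server, port, issues in assess(SAMPLE_CNF_XML):
        status = "; ".join(issues) if issues else "ok"
        print(f"priority {prio}: {server}:{port} -> {status}")
```

On the sample, the first entry is a host name (fine for NAT traversal once the PIX rewrites the A record) but registers over cleartext SCCP, and the second is a private IP literal that no outside phone can reach regardless of how the PIX is configured.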