[cisco-voip] Internet IP phone connect through PIX Firewall
Manoj Kalpage
manoj.kalpage at gmail.com
Wed Sep 13 05:21:53 EDT 2006
Thanks Wes, I will try this and post the outcome.
On 9/12/06, Wes Sisk <wsisk at cisco.com> wrote:
>
> I believe this is what you need:
>
> http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1063720
>
> and this, but with inside/outside reversed:
> http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K72511039
>
> /Wes
>
> Manoj Kalpage wrote:
> > Wes,
> > Thank you for the reply. Yes, I have NAT on my PIX. Regarding DNS fixup,
> > do I need additional settings on my PIX other than
> > fixup protocol dns maximum-length 512 ?
> >
> > Best Regards,
> > Manoj
> >
> >
> > ----- Original Message -----
> > *From:* Wes Sisk <wsisk at cisco.com>
> > *To:* Manoj Kalpage <manoj.kalpage at gmail.com>
> > *Cc:* ciscovoip Voip <cisco-voip at puck.nether.net>; Stu Packett <SPackett at fenwick.com>
> > *Sent:* Sunday, September 10, 2006 10:28 PM
> > *Subject:* Re: [cisco-voip] Internet IP phone connect through PIX Firewall
> >
> > Manoj,
> >
> > Are you doing NAT on your PIX? If so, you will need special CM+PIX
> > config.
> >
> > Phones download SEP<mac>.cnf.xml from the TFTP server. Inside this XML
> > file is a listing of which CM servers the phone should register to
> > using SCCP. This file also tells the phone what TCP port to use for
> > the SCCP communication. The CM servers are listed in this by name
> > or IP address, based on how your CM is configured under
> > System -> Server.
> >
> > For NAT traversal, your CM will have to be configured using host
> > names. Your PIX will have to do DNS fixup. Your phone will receive
> > the name cm1.manoj.com. The phone must do a DNS lookup on this and
> > receive the external address of your CM server.
> >
> > Otherwise, you must use a valid internet address for the IP of your
> > CM server.
> >
> > /Wes
> > On Sep 9, 2006, at 3:41 PM, Stu Packett wrote:
> >
> > Sorry, I have never tried without the VPN. I thought best practice
> > was to use the VPN because it was not advised to put the CCM on the
> > public internet. If you do get your config working, I'd like to get
> > a copy of your config just for reference. Thanks.
> >
> >
> > ------------------------------------------------------------------------
> > *From:* Manoj Kalpage <manoj.kalpage at gmail.com>
> > *Sent:* Saturday, September 09, 2006 12:20 AM
> > *To:* Stu Packett
> > *Cc:* cisco-voip at puck.nether.net
> > *Subject:* Re: [cisco-voip] Internet IP phone connect through PIX Firewall
> >
> > Stu,
> > Thank you for the reply. I use a Windows 2003 DHCP server for my
> > phones in the LAN, but I cannot get my outside phone to connect to CCM
> > through the internet. Do you have IP phones connecting to your CCM
> > through the internet without using a VPN?
> >
> > Thanks,
> > Manoj
> >
> >
> >
> > On 9/9/06, *Stu Packett* <SPackett at fenwick.com> wrote:
> >
> > Manoj:
> > Is your PIX giving out DHCP addresses? On my PIX 501, I have it
> > set up as a DHCP server and these are my DHCP commands:
> >
> > dhcpd address xxx.xxx.xxx.xxx
> > dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
> > dhcpd wins xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
> > dhcpd lease 36000
> > dhcpd ping_timeout 750
> > dhcpd domain internaldomain.com
> > dhcpd option 150 ip xxx.xxx.xxx.xxx <-- TFTP address
> > dhcpd enable inside
> >
> >
> > ------------------------------------------------------------------------
> > *From:* cisco-voip-bounces at puck.nether.net *On Behalf Of* Manoj Kalpage
> > *Sent:* Friday, September 08, 2006 4:18 AM
> > *To:* cisco-voip at puck.nether.net
> > *Subject:* [cisco-voip] Internet IP phone connect through PIX Firewall
> >
> >
> > Hi All,
> > Has anyone configured a PIX firewall to connect internet IP
> > phones to Call Manager? I have configured the firewall to open all
> > the ports which CCM needs, but still no luck. Below is the config
> > of my PIX. Am I missing anything?
> >
> > Here is the link I referred to in order to open the TCP and UDP ports:
> >
> >
> http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf
> >
> > Thank you in advance.
> > Manoj
> >
> > PIX Version 6.3(5)
> > interface ethernet0 auto
> > interface ethernet1 auto
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password u2zabJUOK.TTL3K1 encrypted
> > passwd 1P5CrRl.dL8Oe4k2 encrypted
> > hostname PBXLPIX01
> > domain-name pbxl.jp
> > clock timezone JST 9
> > fixup protocol dns maximum-length 512
> > fixup protocol ftp 21
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol http 80
> > fixup protocol pptp 1723
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol sip 5060
> > fixup protocol sip udp 5060
> > fixup protocol skinny 2000
> > fixup protocol smtp 25
> > fixup protocol snmp 161
> > fixup protocol sqlnet 1521
> > fixup protocol tftp 69
> > names
> > object-group service outbound-tcp tcp
> >  port-object eq www
> >  port-object eq https
> >  port-object eq smtp
> >  port-object eq ftp
> >  port-object eq pop3
> >  port-object eq imap4
> >  port-object eq domain
> >  port-object eq 123
> >  port-object eq ssh
> >  port-object eq citrix-ica
> > object-group service outbound-udp udp
> >  port-object eq domain
> >  port-object eq ntp
> > object-group service mail-inbound tcp
> >  port-object eq www
> >  port-object eq https
> >  port-object eq smtp
> > object-group service VoIP-udp udp
> >  port-object range 16384 32768
> >  port-object eq tftp
> > object-group service VoIP-tcp tcp
> >  port-object eq 3804
> >  port-object eq 2443
> >  port-object eq 2000
> >  port-object eq www
> >  port-object eq 69
> >  port-object eq https
> > access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group VoIP-tcp
> > access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group VoIP-udp
> > access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group outbound-tcp
> > access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group outbound-udp
> > access-list 101 permit tcp any host 210.81.12.195 object-group mail-inbound
> > access-list 101 permit tcp any host 210.81.12.196 object-group VoIP-tcp
> > access-list 101 permit udp any host 210.81.12.196 object-group VoIP-udp
> > access-list 101 permit tcp any host 210.81.12.197 object-group VoIP-tcp
> > access-list 101 permit udp any host 210.81.12.197 object-group VoIP-udp
> >
> > pager lines 24
> > logging on
> > logging trap informational
> > logging host inside 172.16.0.26
> > logging host inside 172.16.0.12
> > icmp permit any unreachable outside
> > icmp permit any outside
> > mtu outside 1500
> > mtu inside 1500
> > ip address outside xxx.xxx.xxx.xxx 255.255.255.240
> > ip address inside 172.16.0.2 255.255.0.0
> >
> > ip audit info action alarm
> > ip audit attack action alarm
> > ip local pool pbxlpool 10.1.0.100-10.1.0.200
> > pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
> >
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 0 access-list VPNREMOTE
> > nat (inside) 1 172.16.0.0 255.255.0.0 0 0
> > static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000
> > static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000
> > static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000
> >
> > access-group 101 in interface outside
> > access-group 102 in interface inside
> > route outside 0.0.0.0 0.0.0.0 210.81.12.193 1
> >
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server TACACS+ max-failed-attempts 3
> > aaa-server TACACS+ deadtime 10
> > aaa-server RADIUS protocol radius
> > aaa-server RADIUS max-failed-attempts 3
> > aaa-server RADIUS deadtime 10
> > aaa-server LOCAL protocol local
> >
> > aaa authentication ssh console LOCAL
> >
> > http 172.16.0.12 255.255.255.255 inside
> >
> > snmp-server host inside 172.16.0.12
> > snmp-server location pbxl-pix-datacentre
> >
> > snmp-server community pbxl
> > snmp-server enable traps
> > floodguard enable
> >
> > telnet 172.16.0.0 255.255.0.0 inside
> > telnet 192.168.0.0 255.255.255.0 inside
> > telnet timeout 60
> > ssh 210.101.94.211 255.255.255.255 outside
> > ssh 0.0.0.0 0.0.0.0 outside
> > ssh 172.16.0.12 255.255.255.255 inside
> > ssh 172.16.0.0 255.255.0.0 inside
> > ssh 192.168.1.0 255.255.255.0 inside
> >
> > ssh timeout 60
> > console timeout 0
> >
> >
> >
> > _______________________________________________
> > cisco-voip mailing list
> > cisco-voip at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-voip
> >
>
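The registration path Wes describes (phone fetches SEP<mac>.cnf.xml over TFTP, reads the CallManager list and SCCP port, resolves any hostname via DNS, and only reaches the CM if the answer is the external address) can be checked mechanically before opening anything on the firewall. The script below is an added example, not code from the thread or from Cisco: it parses a constructed cnf.xml that approximates the real file's layout (device/devicePool/callManagerGroup/members/member/callManager with processNodeName and ethernetPhonePort; the exact schema and the sample hostnames, addresses and resolver answers are assumptions for illustration), classifies each CM entry as a hostname, a private-IP literal (unreachable from an internet phone behind NAT) or a public-IP literal, and then simulates what an outside phone sees with and without DNS fixup rewriting the answer.

```python
"""Check a Cisco IP phone SEP<mac>.cnf.xml for NAT-traversal problems.

Added example for the thread above; the XML below is constructed to
approximate the real file's structure and is not from a real TFTP server.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: member 0 is named (what the thread recommends),
# member 1 is an RFC 1918 literal that an outside phone can never reach.
SAMPLE_CNF_XML = """<device>
  <devicePool>
    <callManagerGroup>
      <members>
        <member priority="0">
          <callManager>
            <ports><ethernetPhonePort>2000</ethernetPhonePort></ports>
            <processNodeName>cm1.manoj.com</processNodeName>
          </callManager>
        </member>
        <member priority="1">
          <callManager>
            <ports><ethernetPhonePort>2000</ethernetPhonePort></ports>
            <processNodeName>172.16.0.10</processNodeName>
          </callManager>
        </member>
      </members>
    </callManagerGroup>
  </devicePool>
</device>
"""


def parse_call_managers(xml_text):
    """Return [(priority, node, sccp_port), ...] in registration order."""
    root = ET.fromstring(xml_text)
    entries = []
    for member in root.iter("member"):
        priority = int(member.get("priority", "0"))
        node = member.findtext("callManager/processNodeName", "").strip()
        port = int(member.findtext("callManager/ports/ethernetPhonePort", "2000"))
        entries.append((priority, node, port))
    return sorted(entries)


def classify_node(node):
    """'hostname' if the phone will resolve it via DNS, 'private-ip' for an
    RFC 1918/loopback literal, 'public-ip' for any other literal address."""
    try:
        addr = ipaddress.ip_address(node)
    except ValueError:
        return "hostname"
    return "private-ip" if addr.is_private else "public-ip"


def nat_traversal_report(xml_text):
    """[(node, sccp_port, classification), ...] for every CM in the file."""
    return [(node, port, classify_node(node))
            for _, node, port in parse_call_managers(xml_text)]


def reachable_from_outside(node, resolver):
    """Does an internet phone end up with a public address to register to?

    `resolver` maps hostname -> the A record the *outside* phone actually
    receives. Without DNS fixup on the PIX that is the inside address the
    internal DNS hands out; with fixup the PIX rewrites it to the static's
    public address.
    """
    kind = classify_node(node)
    if kind != "hostname":
        return kind == "public-ip"
    answer = resolver.get(node)
    return answer is not None and classify_node(answer) == "public-ip"


if __name__ == "__main__":
    for node, port, kind in nat_traversal_report(SAMPLE_CNF_XML):
        print(f"{node:16} tcp/{port:<5} {kind}")
    # Constructed resolver answers: inside DNS without fixup vs. doctored.
    no_fixup = {"cm1.manoj.com": "172.16.0.10"}
    with_fixup = {"cm1.manoj.com": "210.81.12.196"}
    for label, res in (("no fixup", no_fixup), ("dns fixup", with_fixup)):
        print(f"{label:10} cm1.manoj.com reachable:",
              reachable_from_outside("cm1.manoj.com", res))
```

Run it against a file pulled from the TFTP server (`tftp -g` or `curl tftp://...`) to see at a glance whether the phone's registration list contains only hostnames and whether the address the outside phone resolves is the public static, which is the condition Wes's DNS-fixup approach depends on.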