<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=428523316-08092006><FONT face=Tahoma
color=#0000ff size=2>Manoj:<BR>Is your PIX giving out DHCP addresses? On
my PIX 501, I have it set up as a DHCP server and these are my DHCP
commands:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=428523316-08092006><FONT face=Tahoma
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=428523316-08092006><FONT face=Tahoma
color=#0000ff size=2>dhcpd address xxx.xxx.xxx.xxx<BR>dhcpd dns xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx<BR>dhcpd wins xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx<BR>dhcpd lease
36000<BR>dhcpd ping_timeout 750<BR>dhcpd domain internaldomain.com<BR>dhcpd
option 150 ip xxx.xxx.xxx.xxx &lt;--TFTP address<BR>dhcpd enable
inside</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] <B>On Behalf Of </B>Manoj
Kalpage<BR><B>Sent:</B> Friday, September 08, 2006 4:18 AM<BR><B>To:</B>
cisco-voip@puck.nether.net<BR><B>Subject:</B> [cisco-voip] Internet IP phone
connect through PIX Firewall<BR></FONT><BR></DIV>
<DIV></DIV>Hi All,<BR>Has anyone configured a PIX firewall to connect
Internet IP phones to Call Manager? I have configured the firewall to open all the
ports which CCM needs, but still no luck. Below is the config of my PIX. Am I
missing anything? <BR><FONT face=Arial color=#000000 size=2><BR>Here is the link
I referred to when opening the TCP and UDP ports<BR><BR><A
title=http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf
href="http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf">http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf</A><BR><BR></FONT>Thank
you in advance.<BR>Manoj<BR><BR>:<BR>PIX Version 6.3(5)<BR>interface ethernet0
auto<BR>interface ethernet1 auto <BR>nameif ethernet0 outside
security0<BR>nameif ethernet1 inside security100<BR>enable password
u2zabJUOK.TTL3K1 encrypted<BR>passwd 1P5CrRl.dL8Oe4k2 encrypted<BR>hostname
PBXLPIX01<BR>domain-name pbxl.jp<BR>clock timezone
JST 9<BR>fixup protocol dns maximum-length 512<BR>fixup protocol ftp 21<BR>fixup
protocol h323 h225 1720<BR>fixup protocol h323 ras 1718-1719<BR>fixup protocol
http 80<BR>fixup protocol pptp 1723 <BR>fixup protocol rsh 514<BR>fixup protocol
rtsp 554<BR>fixup protocol sip 5060<BR>fixup protocol sip udp 5060<BR>fixup
protocol skinny 2000<BR>fixup protocol smtp 25<BR>fixup protocol snmp
161<BR>fixup protocol sqlnet 1521 <BR>fixup protocol tftp
69<BR>names<BR>object-group service outbound-tcp tcp<BR> port-object eq
www<BR> port-object eq https<BR> port-object eq smtp<BR>
port-object eq ftp<BR> port-object eq pop3<BR> port-object eq imap4
<BR> port-object eq domain<BR> port-object eq 123<BR>
port-object eq ssh<BR> port-object eq citrix-ica<BR>object-group service
outbound-udp udp<BR> port-object eq domain<BR> port-object eq
ntp<BR>object-group service mail-inbound tcp <BR> port-object eq
www<BR> port-object eq https<BR> port-object eq smtp<BR>object-group
service VoIP-udp udp<BR> port-object range 16384 32768<BR>
port-object eq tftp<BR>object-group service VoIP-tcp tcp<BR> port-object
eq 3804 <BR> port-object eq 2443<BR> port-object eq 2000<BR>
port-object eq www<BR> port-object eq 69<BR> port-object eq
https<BR>access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group VoIP-tcp<BR>
access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group VoIP-udp<BR>
access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group outbound-tcp<BR>
access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group outbound-udp <BR>
access-list 101 permit tcp any host 210.81.12.195 object-group mail-inbound<BR>
access-list 101 permit tcp any host 210.81.12.196 object-group VoIP-tcp <BR>
access-list 101 permit udp any host 210.81.12.196 object-group VoIP-udp<BR>
access-list 101 permit tcp any host 210.81.12.197 object-group VoIP-tcp<BR>
access-list 101 permit udp any host 210.81.12.197 object-group VoIP-udp<BR>pager
lines 24<BR>logging on<BR>logging trap informational<BR>
logging host inside 172.16.0.26<BR>
logging host inside 172.16.0.12<BR>
icmp permit any unreachable outside<BR>
icmp permit any outside<BR>
mtu outside 1500<BR>
mtu inside 1500<BR>
ip address outside xxx.xxx.xxx.xxx 255.255.255.240<BR>
ip address inside 172.16.0.2 255.255.0.0<BR>
ip audit info action alarm<BR>
ip audit attack action alarm <BR>
ip local pool pbxlpool 10.1.0.100-10.1.0.200<BR>
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside<BR>
pdm history enable<BR>
arp timeout 14400<BR>
global (outside) 1 interface<BR>
nat (inside) 0 access-list VPNREMOTE <BR>
nat (inside) 1 172.16.0.0 255.255.0.0 0 0<BR>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000<BR>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000<BR>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000<BR>
access-group 101 in interface outside<BR>
access-group 102 in interface inside<BR>
route outside 0.0.0.0 0.0.0.0 210.81.12.193 1<BR>timeout xlate
3:00:00<BR>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00<BR>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media
0:02:00<BR>timeout sip-disconnect 0:02:00 sip-invite 0:03:00 <BR>timeout uauth
0:05:00 absolute<BR>aaa-server TACACS+ protocol tacacs+<BR>aaa-server TACACS+
max-failed-attempts 3<BR>aaa-server TACACS+ deadtime 10<BR>aaa-server RADIUS
protocol radius<BR>aaa-server RADIUS max-failed-attempts 3 <BR>aaa-server RADIUS
deadtime 10<BR>aaa-server LOCAL protocol local<BR><BR>aaa authentication ssh
console LOCAL<BR><BR>http 172.16.0.12 255.255.255.255 inside<BR>
snmp-server host inside 172.16.0.12<BR>
snmp-server location pbxl-pix-datacentre<BR><BR>
snmp-server community pbxl<BR>
snmp-server enable traps<BR>
floodguard enable<BR><BR>
telnet 172.16.0.0 255.255.0.0 inside<BR>
telnet 192.168.0.0 255.255.255.0 inside<BR>
telnet timeout 60 <BR>
ssh 210.101.94.211 255.255.255.255 outside<BR>
ssh 0.0.0.0 0.0.0.0 outside<BR>
ssh 172.16.0.12 255.255.255.255 inside<BR>
ssh 172.16.0.0 255.255.0.0 inside<BR>
ssh 192.168.1.0 255.255.255.0 inside<BR>ssh timeout
60<BR>console timeout
0<BR>PBXLPIX01(config)#<BR>PBXLPIX01(config)#<BR><BR><BR></BODY></HTML>