Hi All,<br>
Has anyone configured a PIX firewall to connect internet IP phones to Call Manager? I have configured the firewall to open all the ports which CCM needs, but still no luck. Below is the config of my PIX. Am I missing anything?<br>
<br>
Here is the link I referred to in order to open the TCP and UDP ports:<br>
<br>
<a href="http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf">http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf</a><br>
<br>
Thank you in advance.<br>
Manoj<br>
<br>
:<br>
PIX Version 6.3(5)<br>
interface ethernet0 auto<br>
interface ethernet1 auto<br>
nameif ethernet0 outside security0<br>
nameif ethernet1 inside security100<br>
enable password u2zabJUOK.TTL3K1 encrypted<br>
passwd 1P5CrRl.dL8Oe4k2 encrypted<br>
hostname PBXLPIX01<br>
domain-name pbxl.jp<br>
clock timezone JST 9<br>
fixup protocol dns maximum-length 512<br>
fixup protocol ftp 21<br>
fixup protocol h323 h225 1720<br>
fixup protocol h323 ras 1718-1719<br>
fixup protocol http 80<br>
fixup protocol pptp 1723<br>
fixup protocol rsh 514<br>
fixup protocol rtsp 554<br>
fixup protocol sip 5060<br>
fixup protocol sip udp 5060<br>
fixup protocol skinny 2000<br>
fixup protocol smtp 25<br>
fixup protocol snmp 161<br>
fixup protocol sqlnet 1521<br>
fixup protocol tftp 69<br>
names<br>
object-group service outbound-tcp tcp<br>
 port-object eq www<br>
 port-object eq https<br>
 port-object eq smtp<br>
 port-object eq ftp<br>
 port-object eq pop3<br>
 port-object eq imap4<br>
 port-object eq domain<br>
 port-object eq 123<br>
 port-object eq ssh<br>
 port-object eq citrix-ica<br>
object-group service outbound-udp udp<br>
 port-object eq domain<br>
 port-object eq ntp<br>
object-group service mail-inbound tcp<br>
 port-object eq www<br>
 port-object eq https<br>
 port-object eq smtp<br>
object-group service VoIP-udp udp<br>
 port-object range 16384 32768<br>
 port-object eq tftp<br>
object-group service VoIP-tcp tcp<br>
 port-object eq 3804<br>
 port-object eq 2443<br>
 port-object eq 2000<br>
 port-object eq www<br>
 port-object eq 69<br>
 port-object eq https<br>
access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group VoIP-tcp<br>
access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group VoIP-udp<br>
access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group outbound-tcp<br>
access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group outbound-udp<br>
access-list 101 permit tcp any host 210.81.12.195 object-group mail-inbound<br>
access-list 101 permit tcp any host 210.81.12.196 object-group VoIP-tcp<br>
access-list 101 permit udp any host 210.81.12.196 object-group VoIP-udp<br>
access-list 101 permit tcp any host 210.81.12.197 object-group VoIP-tcp<br>
access-list 101 permit udp any host 210.81.12.197 object-group VoIP-udp<br>
pager lines 24<br>
logging on<br>
logging trap informational<br>
logging host inside 172.16.0.26<br>
logging host inside 172.16.0.12<br>
icmp permit any unreachable outside<br>
icmp permit any outside<br>
mtu outside 1500<br>
mtu inside 1500<br>
ip address outside xxx.xxx.xxx.xxx 255.255.255.240<br>
ip address inside 172.16.0.2 255.255.0.0<br>
ip audit info action alarm<br>
ip audit attack action alarm<br>
ip local pool pbxlpool 10.1.0.100-10.1.0.200<br>
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside<br>
pdm history enable<br>
arp timeout 14400<br>
global (outside) 1 interface<br>
nat (inside) 0 access-list VPNREMOTE<br>
nat (inside) 1 172.16.0.0 255.255.0.0 0 0<br>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000<br>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000<br>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000<br>
access-group 101 in interface outside<br>
access-group 102 in interface inside<br>
route outside 0.0.0.0 0.0.0.0 210.81.12.193 1<br>
timeout xlate 3:00:00<br>
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00<br>
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00<br>
timeout sip-disconnect 0:02:00 sip-invite 0:03:00<br>
timeout uauth 0:05:00 absolute<br>
aaa-server TACACS+ protocol tacacs+<br>
aaa-server TACACS+ max-failed-attempts 3<br>
aaa-server TACACS+ deadtime 10<br>
aaa-server RADIUS protocol radius<br>
aaa-server RADIUS max-failed-attempts 3<br>
aaa-server RADIUS deadtime 10<br>
aaa-server LOCAL protocol local<br>
<br>
aaa authentication ssh console LOCAL<br>
<br>
http 172.16.0.12 255.255.255.255 inside<br>
snmp-server host inside 172.16.0.12<br>
snmp-server location pbxl-pix-datacentre<br>
<br>
snmp-server community pbxl<br>
snmp-server enable traps<br>
floodguard enable<br>
<br>
telnet 172.16.0.0 255.255.0.0 inside<br>
telnet 192.168.0.0 255.255.255.0 inside<br>
telnet timeout 60<br>
ssh 210.101.94.211 255.255.255.255 outside<br>
ssh 0.0.0.0 0.0.0.0 outside<br>
ssh 172.16.0.12 255.255.255.255 inside<br>
ssh 172.16.0.0 255.255.0.0 inside<br>
ssh 192.168.1.0 255.255.255.0 inside<br>
ssh timeout 60<br>
console timeout 0<br>
PBXLPIX01(config)#<br>
PBXLPIX01(config)#<br>
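An added example, not part of the original post: a Python helper that expands the object-groups referenced by access-list 101 into the flat list of ports the outside interface permits to each public host, so the result can be compared line by line against a required-ports table. The config excerpt is copied from the post; the function names, the small port-keyword map, and the restriction to rules of the form `permit <proto> any host <ip> object-group <name>` are assumptions of this example.

```python
# Excerpt of the posted PIX 6.3 configuration (inbound side only).
CONFIG = """\
object-group service mail-inbound tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group service VoIP-udp udp
 port-object range 16384 32768
 port-object eq tftp
object-group service VoIP-tcp tcp
 port-object eq 3804
 port-object eq 2443
 port-object eq 2000
 port-object eq www
 port-object eq 69
 port-object eq https
access-list 101 permit tcp any host 210.81.12.195 object-group mail-inbound
access-list 101 permit tcp any host 210.81.12.196 object-group VoIP-tcp
access-list 101 permit udp any host 210.81.12.196 object-group VoIP-udp
"""
# Only the port keywords this excerpt uses; not the full PIX keyword table.
NAMED = {"www": 80, "https": 443, "smtp": 25, "tftp": 69}

def port(tok):
    return int(tok) if tok.isdigit() else NAMED[tok]

def expand(config, acl_id):
    """Return {(proto, dst_host): [(lo, hi), ...]} for one access-list."""
    groups, current, rules = {}, None, {}
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["object-group", "service"]:
            current = groups.setdefault(w[2], {"proto": w[3], "ports": []})
        elif w[:1] == ["port-object"] and current is not None:
            lo = port(w[2])
            hi = port(w[3]) if w[1] == "range" else lo
            current["ports"].append((lo, hi))
        elif w[:3] == ["access-list", acl_id, "permit"] and w[-2] == "object-group":
            grp = groups[w[-1]]
            # Flag a rule whose protocol differs from its group's protocol.
            if grp["proto"] != w[3]:
                raise ValueError(f"{w[-1]} is {grp['proto']}, rule is {w[3]}")
            rules.setdefault((w[3], w[-3]), []).extend(grp["ports"])
    return rules

def allows(rules, proto, host, p):
    return any(lo <= p <= hi for lo, hi in rules.get((proto, host), []))
```

Calling `expand(CONFIG, "101")` and then `allows(rules, "udp", "210.81.12.196", 69)` answers whether a given protocol and port reaches a given public address through the outside ACL.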