<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=203463819-09092006><FONT face=Tahoma
color=#0000ff size=2>Sorry, I have never tried without the VPN. I thought
best practice was to use the VPN because it was not advised to put the CCM on
the public internet. If you do get your config working, I'd like to get a
copy of your config just for reference. Thanks.</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Manoj Kalpage
[mailto:manoj.kalpage@gmail.com] <BR><B>Sent:</B> Saturday, September 09, 2006
12:20 AM<BR><B>To:</B> Stu Packett<BR><B>Cc:</B>
cisco-voip@puck.nether.net<BR><B>Subject:</B> Re: [cisco-voip] Internet IP phone
connect through PIX Firewall<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>Stu, </DIV>
<DIV>Thank you for the reply. I use a Windows 2003 DHCP server for my phones in
the LAN but I can get my outside phone connect to CCM through internet. Do you have
IP phones connecting to your CCM through the internet without using VPN?
</DIV>
<DIV> </DIV>
<DIV>Thanks,</DIV>
<DIV>Manoj</DIV>
<DIV><BR><BR> </DIV>
<DIV><SPAN class=gmail_quote>On 9/9/06, <B class=gmail_sendername>Stu
Packett</B> &lt;<A
href="mailto:SPackett@fenwick.com">SPackett@fenwick.com</A>&gt; wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Tahoma color=#0000ff
size=2>Manoj:<BR>Is your PIX giving out DHCP addresses? On my PIX 501, I
have it set up as a DHCP server and these are my DHCP commands:</FONT></SPAN>
</DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Tahoma color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Tahoma color=#0000ff size=2>dhcpd address xxx.xxx.xxx.xxx<BR>
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx<BR>
dhcpd wins xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx<BR>
dhcpd lease 36000<BR>
dhcpd ping_timeout 750<BR>
dhcpd domain internaldomain.com<BR>
dhcpd option 150 ip xxx.xxx.xxx.xxx &lt;--TFTP address<BR>
dhcpd enable inside</FONT></SPAN></DIV><BR>
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> <A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A>
[mailto:<A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A>]
<B>On Behalf Of </B>Manoj Kalpage<BR><B>Sent:</B> Friday, September 08, 2006 4:18 AM<BR><B>To:</B> <A
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A><BR><B>Subject:</B> [cisco-voip]
Internet IP phone connect through PIX
Firewall<BR></FONT><BR> </DIV></DIV>
<DIV><SPAN class=q>
<DIV></DIV>Hi All,<BR>Has anyone configured a PIX firewall to connect
internet IP phones to Call Manager? I have configured the firewall to open all the
ports which CCM needs but still no luck. Below is the config of my PIX. Am I
missing anything? <BR><FONT face=Arial color=#000000 size=2><BR>Here is the
link I referred to for opening the TCP and UDP ports<BR><BR><A
href="http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf">http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf</A><BR><BR></FONT>Thank
you in advance.<BR>Manoj<BR><BR>:<BR>PIX Version 6.3(5)<BR>
interface ethernet0 auto<BR>
interface ethernet1 auto<BR>
nameif ethernet0 outside security0<BR>
nameif ethernet1 inside security100<BR>
enable password u2zabJUOK.TTL3K1 encrypted<BR>
passwd 1P5CrRl.dL8Oe4k2 encrypted<BR>
hostname PBXLPIX01<BR>
domain-name pbxl.jp<BR></SPAN></DIV>
<DIV><SPAN class=e id=q_10d8e4d6072ddc6a_2>clock timezone JST 9<BR>fixup
protocol dns maximum-length 512<BR>fixup protocol ftp 21<BR>fixup protocol
h323 h225 1720<BR>fixup protocol h323 ras 1718-1719<BR>fixup protocol http 80
<BR>fixup protocol pptp 1723 <BR>fixup protocol rsh 514<BR>fixup protocol rtsp
554<BR>fixup protocol sip 5060<BR>fixup protocol sip udp 5060<BR>fixup
protocol skinny 2000<BR>fixup protocol smtp 25<BR>fixup protocol snmp 161
<BR>fixup protocol sqlnet 1521 <BR>fixup protocol tftp
69<BR>names<BR>object-group service outbound-tcp tcp<BR> port-object eq
www<BR> port-object eq https<BR> port-object eq smtp<BR>
port-object eq ftp<BR> port-object eq pop3 <BR> port-object eq
imap4 <BR> port-object eq domain<BR> port-object eq 123<BR>
port-object eq ssh<BR> port-object eq citrix-ica<BR>object-group service
outbound-udp udp<BR> port-object eq domain<BR> port-object eq ntp
<BR>object-group service mail-inbound tcp <BR> port-object eq
www<BR> port-object eq https<BR> port-object eq
smtp<BR>object-group service VoIP-udp udp<BR> port-object range 16384
32768<BR> port-object eq tftp<BR>object-group service VoIP-tcp tcp
<BR> port-object eq 3804 <BR> port-object eq 2443<BR>
port-object eq 2000<BR> port-object eq www<BR> port-object eq
69<BR> port-object eq https<BR></SPAN></DIV>
<DIV>access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group VoIP-tcp<BR>
access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group VoIP-udp<BR>
access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group outbound-tcp<BR>
access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group outbound-udp<BR>
access-list 101 permit tcp any host 210.81.12.195 object-group mail-inbound<BR>
access-list 101 permit tcp any host 210.81.12.196 object-group VoIP-tcp<BR>
access-list 101 permit udp any host 210.81.12.196 object-group VoIP-udp<BR>
access-list 101 permit tcp any host 210.81.12.197 object-group VoIP-tcp<BR>
access-list 101 permit udp any host 210.81.12.197 object-group VoIP-udp </DIV>
<DIV><SPAN class=q><BR>pager lines 24<BR>logging on<BR>logging trap
informational<BR>logging host inside 172.16.0.26<BR></SPAN></DIV>
<DIV><SPAN class=q>logging host inside 172.16.0.12<BR></SPAN></DIV>
<DIV><SPAN class=q>icmp permit any unreachable outside<BR>icmp permit any
outside<BR>mtu outside 1500<BR>mtu inside 1500<BR>ip address outside
xxx.xxx.xxx.xxx 255.255.255.240<BR></SPAN></DIV>
<DIV>ip address inside 172.16.0.2 255.255.0.0</DIV>
<DIV><SPAN class=q><BR>ip audit info action alarm<BR>ip audit attack action
alarm <BR>ip local pool pbxlpool 10.1.0.100-10.1.0.200<BR></SPAN></DIV>
<DIV>pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside</DIV>
<DIV><SPAN class=q><BR>pdm history enable<BR>arp timeout 14400<BR>global
(outside) 1 interface<BR>nat (inside) 0 access-list VPNREMOTE
<BR></SPAN></DIV>
<DIV>nat (inside) 1 172.16.0.0 255.255.0.0 0 0<BR>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000<BR>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000<BR>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000</DIV>
<DIV><SPAN class=q><BR>access-group 101 in interface outside<BR>access-group
102 in interface inside<BR></SPAN></DIV>
<DIV>route outside 0.0.0.0 0.0.0.0 210.81.12.193 1</DIV>
<DIV><SPAN class=q><BR>timeout xlate 3:00:00<BR>timeout conn 1:00:00
half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00<BR>timeout h323
0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00<BR>timeout sip-disconnect
0:02:00 sip-invite 0:03:00 <BR>timeout uauth 0:05:00 absolute<BR>aaa-server
TACACS+ protocol tacacs+<BR>aaa-server TACACS+ max-failed-attempts
3<BR>aaa-server TACACS+ deadtime 10<BR>aaa-server RADIUS protocol
radius<BR>aaa-server RADIUS max-failed-attempts 3 <BR>aaa-server RADIUS
deadtime 10<BR>aaa-server LOCAL protocol local<BR><BR>aaa authentication ssh
console LOCAL<BR><BR></SPAN></DIV>
<DIV>http 172.16.0.12 255.255.255.255 inside</DIV>
<DIV><SPAN class=q><BR>snmp-server host inside 172.16.0.12<BR></SPAN></DIV>
<DIV><SPAN class=q>snmp-server location pbxl-pix-datacentre<BR><BR>snmp-server
community pbxl<BR>snmp-server enable traps<BR>floodguard
enable<BR><BR></SPAN></DIV>
<DIV>telnet 172.16.0.0 255.255.0.0 inside<BR>
telnet 192.168.0.0 255.255.255.0 inside<BR>
telnet timeout 60<BR>
ssh 210.101.94.211 255.255.255.255 outside<BR>
ssh 0.0.0.0 0.0.0.0 outside<BR>
ssh 172.16.0.12 255.255.255.255 inside<BR>
ssh 172.16.0.0 255.255.0.0 inside<BR>
ssh 192.168.1.0 255.255.255.0 inside</DIV>
<DIV><SPAN class=q><BR>ssh timeout 60<BR>console timeout
0<BR>PBXLPIX01(config)#<BR>PBXLPIX01(config)#<BR><BR><BR></SPAN></DIV>
<DIV></DIV></DIV></BLOCKQUOTE></DIV><BR></BODY></HTML>