<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Manoj,<DIV><BR class="khtml-block-placeholder"></DIV><DIV>Are you doing NAT on your PIX? If so, you will need special CM+PIX config.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Phones download SEP&lt;mac&gt;.cnf.xml from the TFTP server. Inside this XML file is a listing of which CM servers the phone should register to using SCCP. This file also tells the phone what TCP port to use for the SCCP communication. The CM servers are listed in this file by name or IP address, based on how your CM is configured under system-&gt;server.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>For NAT traversal, your CM will have to be configured using host names. Your PIX will have to do DNS fixup. Your phone will receive the name cm1.manoj.com. The phone must do a DNS lookup on this and receive the external address of your CM server.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Otherwise, you must use a valid internet address for the IP of your CM server.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>/Wes<BR><DIV><DIV>On Sep 9, 2006, at 3:41 PM, Stu Packett wrote:</DIV><BR class="Apple-interchange-newline"> <DIV dir="ltr" align="left"><SPAN class="203463819-09092006"><FONT face="Tahoma" color="#0000ff" size="2">Sorry, I have never tried without the VPN. I thought best practice was to use the VPN because it was not advised to put the CCM on the public internet. If you do get your config working, I'd like to get a copy of your config just for reference. 
Thanks.</FONT></SPAN></DIV><BR> <DIV class="OutlookMessageHeader" lang="en-us" dir="ltr" align="left"> <HR tabindex="-1"> <FONT face="Tahoma" size="2"><B>From:</B> Manoj Kalpage [<A href="mailto:manoj.kalpage@gmail.com">mailto:manoj.kalpage@gmail.com</A>] <BR><B>Sent:</B> Saturday, September 09, 2006 12:20 AM<BR><B>To:</B> Stu Packett<BR><B>Cc:</B> <A href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A><BR><B>Subject:</B> Re: [cisco-voip] Internet IP phone connect through PIX Firewall<BR></FONT><BR></DIV> <DIV></DIV> <DIV>Stu, </DIV> <DIV>Thank you for the reply. I use a Windows 2003 DHCP server for my phones in the LAN but I can get my outside phone connect to CCM through internet. Do you have IP phones connected to your CCM through the internet without using VPN? </DIV> <DIV> </DIV> <DIV>Thanks,</DIV> <DIV>Manoj</DIV> <DIV><BR><BR> </DIV> <DIV><SPAN class="gmail_quote">On 9/9/06, <B class="gmail_sendername">Stu Packett</B> &lt;<A href="mailto:SPackett@fenwick.com">SPackett@fenwick.com</A>&gt; wrote:</SPAN> <BLOCKQUOTE class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> <DIV> <DIV> <DIV dir="ltr" align="left"><SPAN><FONT face="Tahoma" color="#0000ff" size="2">Manoj:<BR>Is your PIX giving out DHCP addresses? 
On my PIX 501, I have it set up as a DHCP server and these are my DHCP commands:</FONT></SPAN> </DIV> <DIV dir="ltr" align="left"><SPAN><FONT face="Tahoma" color="#0000ff" size="2"></FONT></SPAN> </DIV> <DIV dir="ltr" align="left"><SPAN><FONT face="Tahoma" color="#0000ff" size="2">dhcpd address xxx.xxx.xxx.xxx<BR>
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx<BR>
dhcpd wins xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx<BR>
dhcpd lease 36000 <BR>
dhcpd ping_timeout 750<BR>
dhcpd domain internaldomain.com<BR>
dhcpd option 150 ip xxx.xxx.xxx.xxx &lt;--TFTP address <BR>
dhcpd enable inside</FONT></SPAN></DIV><BR> <DIV lang="en-us" dir="ltr" align="left"> <HR> <FONT face="Tahoma" size="2"><B>From:</B> <A href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</A> [mailto:<A href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</A>] <B>On Behalf Of </B>Manoj Kalpage<BR><B>Sent:</B> Friday, September 08, 2006 4:18 AM<BR><B>To:</B> <A href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</A><BR><B>Subject:</B> [cisco-voip] Internet IP phone connect through PIX Firewall<BR></FONT><BR> </DIV></DIV> <DIV><SPAN class="q"> <DIV></DIV>Hi All,<BR>Has anyone configured a PIX firewall to connect internet IP phones to Call Manager? I have configured the firewall to open all the ports which CCM needs but still no luck. Below is the config of my PIX. Am I missing anything? 
<BR><FONT face="Arial" color="#000000" size="2"><BR>Here is the link I referred to for opening the TCP and UDP ports<BR><BR><A title="http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf" href="http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf" target="_blank">http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf</A><BR><BR></FONT>Thank you in advance.<BR>Manoj<BR><BR>
:<BR>
PIX Version 6.3(5)<BR>
interface ethernet0 auto<BR>
interface ethernet1 auto <BR>
nameif ethernet0 outside security0<BR>
nameif ethernet1 inside security100<BR>
enable password u2zabJUOK.TTL3K1 encrypted<BR>
passwd 1P5CrRl.dL8Oe4k2 encrypted<BR>
hostname PBXLPIX01<BR>
domain-name pbxl.jp<BR>
</SPAN></DIV> <DIV><SPAN class="e" id="q_10d8e4d6072ddc6a_2">clock timezone JST 9<BR>
fixup protocol dns maximum-length 512<BR>
fixup protocol ftp 21<BR>
fixup protocol h323 h225 1720<BR>
fixup protocol h323 ras 1718-1719<BR>
fixup protocol http 80 <BR>
fixup protocol pptp 1723 <BR>
fixup protocol rsh 514<BR>
fixup protocol rtsp 554<BR>
fixup protocol sip 5060<BR>
fixup protocol sip udp 5060<BR>
fixup protocol skinny 2000<BR>
fixup protocol smtp 25<BR>
fixup protocol snmp 161 <BR>
fixup protocol sqlnet 1521 <BR>
fixup protocol tftp 69<BR>
names<BR>
object-group service outbound-tcp tcp<BR>
 port-object eq www<BR>
 port-object eq https<BR>
 port-object eq smtp<BR>
 port-object eq ftp<BR>
 port-object eq pop3 <BR>
 port-object eq imap4 <BR>
 port-object eq domain<BR>
 port-object eq 123<BR>
 port-object eq ssh<BR>
 port-object eq citrix-ica<BR>
object-group service outbound-udp udp<BR>
 port-object eq domain<BR>
 port-object eq ntp <BR>
object-group service mail-inbound tcp <BR>
 port-object eq www<BR>
 port-object eq https<BR>
 port-object eq smtp<BR>
object-group service VoIP-udp udp<BR>
 port-object range 16384 32768<BR>
 port-object eq tftp<BR>
object-group service VoIP-tcp tcp <BR>
 port-object eq 3804 <BR>
 port-object eq 2443<BR>
 port-object eq 2000<BR>
 port-object eq www<BR>
 port-object eq 69<BR>
 port-object eq https<BR>
</SPAN></DIV> <DIV>access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group VoIP-tcp<BR>
access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group VoIP-udp<BR>
access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group outbound-tcp<BR>
access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group outbound-udp <BR>
access-list 101 permit tcp any host 210.81.12.195 object-group mail-inbound <BR>
access-list 101 permit tcp any host 210.81.12.196 object-group VoIP-tcp <BR>
access-list 101 permit udp any host 210.81.12.196
object-group VoIP-udp<BR>
access-list 101 permit tcp any host 210.81.12.197 object-group VoIP-tcp<BR>
access-list 101 permit udp any host 210.81.12.197 object-group VoIP-udp </DIV> <DIV><SPAN class="q"><BR>
pager lines 24<BR>
logging on<BR>
logging trap informational<BR>
logging host inside 172.16.0.26 <BR>
</SPAN></DIV> <DIV><SPAN class="q">logging host inside 172.16.0.12<BR>
</SPAN></DIV> <DIV><SPAN class="q">icmp permit any unreachable outside<BR>
icmp permit any outside<BR>
mtu outside 1500<BR>
mtu inside 1500<BR>
ip address outside xxx.xxx.xxx.xxx 255.255.255.240<BR>
</SPAN></DIV> <DIV>ip address inside 172.16.0.2 255.255.0.0</DIV> <DIV><SPAN class="q"><BR>
ip audit info action alarm<BR>
ip audit attack action alarm <BR>
ip local pool pbxlpool 10.1.0.100-10.1.0.200<BR>
</SPAN></DIV> <DIV>pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside</DIV> <DIV><SPAN class="q"><BR>
pdm history enable<BR>
arp timeout 14400<BR>
global (outside) 1 interface<BR>
nat (inside) 0 access-list VPNREMOTE <BR>
</SPAN></DIV> <DIV>nat (inside) 1 172.16.0.0 255.255.0.0 0 0<BR>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000<BR>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000<BR>
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 1000</DIV> <DIV><SPAN class="q"><BR>
access-group 101 in interface outside<BR>
access-group 102 in interface inside<BR>
</SPAN></DIV> <DIV>route outside 0.0.0.0 0.0.0.0 210.81.12.193 1</DIV> <DIV><SPAN class="q"><BR>
timeout xlate 3:00:00<BR>
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00<BR>
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00<BR>
timeout sip-disconnect 0:02:00 sip-invite 0:03:00 <BR>
timeout uauth 0:05:00 absolute<BR>
aaa-server TACACS+ protocol tacacs+<BR>
aaa-server TACACS+ max-failed-attempts 3<BR>
aaa-server TACACS+ deadtime 10<BR>
aaa-server RADIUS protocol radius<BR>
aaa-server RADIUS max-failed-attempts 3 <BR>
aaa-server RADIUS deadtime 10<BR>
aaa-server LOCAL protocol local<BR>
<BR>
aaa authentication ssh console LOCAL<BR>
<BR>
</SPAN></DIV> <DIV>http 172.16.0.12 255.255.255.255 inside</DIV> <DIV><SPAN class="q"><BR>
snmp-server host inside 172.16.0.12<BR>
</SPAN></DIV> <DIV><SPAN class="q">snmp-server location pbxl-pix-datacentre<BR>
<BR>
snmp-server community pbxl<BR>
snmp-server enable traps<BR>
floodguard enable<BR>
<BR>
</SPAN></DIV> <DIV>telnet 172.16.0.0 255.255.0.0 inside<BR>
telnet 192.168.0.0 255.255.255.0 inside<BR>
telnet timeout 60 <BR>
ssh 210.101.94.211 255.255.255.255 outside<BR>
ssh 0.0.0.0 0.0.0.0 outside<BR>
ssh 172.16.0.12 255.255.255.255 inside<BR>
ssh 172.16.0.0 255.255.0.0
inside<BR>
ssh 192.168.1.0 255.255.255.0 inside</DIV> <DIV><SPAN class="q"><BR>
ssh timeout 60<BR>
console timeout 0<BR>
PBXLPIX01(config)#<BR>
PBXLPIX01(config)#<BR>
<BR>
<BR>
</SPAN></DIV> <DIV></DIV></DIV></BLOCKQUOTE></DIV><BR><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">_______________________________________________</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">cisco-voip mailing list</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</A></DIV> </DIV><BR></DIV></BODY></HTML>
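Added example, not part of the original thread: a Python check of the CM server list a phone receives in its SEP&lt;mac&gt;.cnf.xml, flagging servers listed by inside address, which is the case the top reply says will not survive NAT. The XML sample is constructed; the element names (processNodeName, ethernetPhonePort) and the address 172.16.0.10 are assumptions, and the name cm1.manoj.com is taken from the reply.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of what a phone might fetch over TFTP (not from the thread).
# Element names and the inside address 172.16.0.10 are assumptions for illustration.
SAMPLE_CNF = """<device><devicePool><callManagerGroup><members>
  <member priority="0"><callManager>
    <ports><ethernetPhonePort>2000</ethernetPhonePort></ports>
    <processNodeName>172.16.0.10</processNodeName>
  </callManager></member>
  <member priority="1"><callManager>
    <ports><ethernetPhonePort>2000</ethernetPhonePort></ports>
    <processNodeName>cm1.manoj.com</processNodeName>
  </callManager></member>
</members></callManagerGroup></devicePool></device>"""


def classify(node):
    """Return 'hostname', 'private-ip' or 'public-ip' for one CM server entry."""
    try:
        addr = ipaddress.ip_address(node)
    except ValueError:
        return "hostname"  # phone resolves it, so DNS must hand out the outside address
    return "private-ip" if addr.is_private else "public-ip"


def audit_cnf(xml_text):
    """List (priority, server, sccp_port, kind) for each CM the file tells the phone to use."""
    rows = []
    for member in ET.fromstring(xml_text).iter("member"):
        cm = member.find("callManager")
        if cm is None:
            continue
        node = (cm.findtext("processNodeName") or "").strip()
        port = int(cm.findtext("ports/ethernetPhonePort") or 2000)
        rows.append((int(member.get("priority", "0")), node, port, classify(node)))
    return sorted(rows)


def unreachable_from_outside(rows):
    """Servers listed by inside address: a phone on the internet cannot route to them."""
    return [server for _, server, _, kind in rows if kind == "private-ip"]


if __name__ == "__main__":
    rows = audit_cnf(SAMPLE_CNF)
    for row in rows:
        print(row)
    print("listed by inside address:", unreachable_from_outside(rows))
```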