<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2912" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY
style="WORD-WRAP: break-word; khtml-nbsp-mode: space; khtml-line-break: after-white-space"
bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Wes,</FONT></DIV>
<DIV><FONT face=Arial size=2>Thank you for the reply. Yes, I have NAT on my PIX. 
Regarding DNS fixup, do I need additional settings on my PIX except the <FONT 
face="Times New Roman" size=3>fixup protocol dns maximum-length 512 ?
</FONT></FONT></DIV>
<DIV><FONT face=Arial size=2><FONT face=Arial size=2></FONT></FONT> </DIV>
<DIV><FONT face=Arial size=2><FONT face="Times New Roman" size=3>Best
Regards,</FONT></FONT></DIV>
<DIV><FONT face=Arial size=2><FONT face="Times New Roman"
size=3>Manoj</FONT></FONT></DIV>
<DIV><FONT face=Arial size=2><FONT face="Times New Roman"
size=3></FONT> </DIV>
<DIV><BR></DIV></FONT>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=wsisk@cisco.com href="mailto:wsisk@cisco.com">Wes Sisk</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=manoj.kalpage@gmail.com
href="mailto:manoj.kalpage@gmail.com">Manoj Kalpage</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=cisco-voip@puck.nether.net
href="mailto:cisco-voip@puck.nether.net">ciscovoip Voip</A> ; <A
title=SPackett@fenwick.com href="mailto:SPackett@fenwick.com">Stu Packett</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Sunday, September 10, 2006 10:28
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [cisco-voip] Internet IP
phone connect through PIX Firewall</DIV>
<DIV><BR></DIV>Manoj,
<DIV><BR class=khtml-block-placeholder></DIV>
<DIV>Are you doing NAT on your PIX? If so, you will need special CM+PIX
config.</DIV>
<DIV><BR class=khtml-block-placeholder></DIV>
<DIV>Phones download SEP&lt;mac&gt;.cnf.xml from the TFTP server. Inside 
this XML file is a listing of which CM servers the phone should register to 
using SCCP. This file also tells the phone what TCP port to use for the 
SCCP communication. The CM servers are listed in this by name or IP 
address based on how your CM is configured under system-&gt;server.</DIV>
<DIV><BR class=khtml-block-placeholder></DIV>
<DIV>For NAT traversal, your CM will have to be configured using host
names. Your PIX will have to do DNS fixup. Your phone will receive
the name cm1.manoj.com. The phone must do a DNS lookup on this and receive 
the external address of your CM server.</DIV>
<DIV><BR class=khtml-block-placeholder></DIV>
<DIV>Otherwise, you must use a valid internet address for the IP of your CM
server.</DIV>
<DIV><BR class=khtml-block-placeholder></DIV>
<DIV>/Wes<BR>
<DIV>
<DIV>On Sep 9, 2006, at 3:41 PM, Stu Packett wrote:</DIV><BR
class=Apple-interchange-newline>
<DIV dir=ltr align=left><SPAN class=203463819-09092006><FONT face=Tahoma
color=#0000ff size=2>Sorry, I have never tried without the VPN. I
thought best practice was to use the VPN because it was not advised to put the
CCM on the public internet. If you do get your config working, I'd like
to get a copy of your config just for reference.
Thanks.</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Manoj Kalpage [<A
href="mailto:manoj.kalpage@gmail.com">mailto:manoj.kalpage@gmail.com</A>]
<BR><B>Sent:</B> Saturday, September 09, 2006 12:20 AM<BR><B>To:</B> Stu
Packett<BR><B>Cc:</B> <A
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A><BR><B>Subject:</B>
Re: [cisco-voip] Internet IP phone connect through PIX
Firewall<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>Stu, </DIV>
<DIV>Thank you for the reply, I use Windows 2003 DHCP server for my phones in 
LAN but I can get my outside phone connect to CCM through internet. Do you
have IP phones connect to your CCM through internet without using
VPN? </DIV>
<DIV> </DIV>
<DIV>Thanks,</DIV>
<DIV>Manoj</DIV>
<DIV><BR><BR> </DIV>
<DIV><SPAN class=gmail_quote>On 9/9/06, <B class=gmail_sendername>Stu 
Packett</B> &lt;<A 
href="mailto:SPackett@fenwick.com">SPackett@fenwick.com</A>&gt; wrote:</SPAN> 
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Tahoma color=#0000ff
size=2>Manoj:<BR>Is your PIX giving out DHCP addresses? On my PIX 501,
I have it setup as a DHCP server and these are my DHCP
commands:</FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Tahoma color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Tahoma color=#0000ff size=2>dhcpd 
address xxx.xxx.xxx.xxx<BR>dhcpd dns xxx.xxx.xxx.xxx 
xxx.xxx.xxx.xxx<BR>dhcpd wins xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx<BR>dhcpd lease 
36000 <BR>dhcpd ping_timeout 750<BR>dhcpd domain 
internaldomain.com<BR>dhcpd option 150 ip xxx.xxx.xxx.xxx 
&lt;--TFTP address <BR>dhcpd enable inside</FONT></SPAN></DIV><BR>
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> <A 
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A> [mailto:<A 
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A>] <B>On Behalf Of </B>Manoj 
Kalpage<BR><B>Sent:</B> Friday, September 08, 2006 4:18 AM<BR><B>To:</B> <A 
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A><BR><B>Subject:</B> [cisco-voip] 
Internet IP phone connect through PIX 
Firewall<BR></FONT><BR> </DIV></DIV>
<DIV><SPAN class=q>
<DIV></DIV>Hi All,<BR>Has anyone configured a PIX firewall to connect 
internet IP phones to Call Manager? I have configured the firewall to open all 
the ports which CCM needs but still no luck. Below is the config of my PIX. 
Am I missing anything? <BR><FONT face=Arial color=#000000 size=2><BR>Here is 
the link I referred to when opening the TCP and UDP ports<BR><BR><A 
href="http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf">http://www.cisco.com/application/pdf/en/us/guest/products/ps5820/c1693/ccmigration_09186a0080536eae.pdf</A><BR><BR></FONT>Thank 
you in advance.<BR>Manoj<BR><BR>:<BR>PIX Version 6.3(5)<BR>interface 
ethernet0 auto<BR>interface ethernet1 auto <BR>nameif ethernet0 outside 
security0<BR>nameif ethernet1 inside security100<BR>enable password 
u2zabJUOK.TTL3K1 encrypted<BR>passwd 1P5CrRl.dL8Oe4k2 encrypted<BR>hostname 
PBXLPIX01<BR>domain-name pbxl.jp<BR></SPAN></DIV>
<DIV><SPAN class=e id=q_10d8e4d6072ddc6a_2>clock timezone JST 9<BR>fixup
protocol dns maximum-length 512<BR>fixup protocol ftp 21<BR>fixup protocol
h323 h225 1720<BR>fixup protocol h323 ras 1718-1719<BR>fixup protocol http
80 <BR>fixup protocol pptp 1723 <BR>fixup protocol rsh 514<BR>fixup protocol
rtsp 554<BR>fixup protocol sip 5060<BR>fixup protocol sip udp 5060<BR>fixup
protocol skinny 2000<BR>fixup protocol smtp 25<BR>fixup protocol snmp 161
<BR>fixup protocol sqlnet 1521 <BR>fixup protocol tftp
69<BR>names<BR>object-group service outbound-tcp tcp<BR> port-object
eq www<BR> port-object eq https<BR> port-object eq
smtp<BR> port-object eq ftp<BR> port-object eq pop3 <BR>
port-object eq imap4 <BR> port-object eq domain<BR> port-object
eq 123<BR> port-object eq ssh<BR> port-object eq
citrix-ica<BR>object-group service outbound-udp udp<BR> port-object eq
domain<BR> port-object eq ntp <BR>object-group service mail-inbound
tcp <BR> port-object eq www<BR> port-object eq https<BR>
port-object eq smtp<BR>object-group service VoIP-udp udp<BR>
port-object range 16384 32768<BR> port-object eq tftp<BR>object-group
service VoIP-tcp tcp <BR> port-object eq 3804 <BR> port-object
eq 2443<BR> port-object eq 2000<BR> port-object eq www<BR>
port-object eq 69<BR> port-object eq https<BR></SPAN></DIV>
<DIV>access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group 
VoIP-tcp<BR>access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group 
VoIP-udp<BR>access-list 102 permit tcp 172.16.0.0 255.255.0.0 any object-group 
outbound-tcp<BR>access-list 102 permit udp 172.16.0.0 255.255.0.0 any object-group 
outbound-udp <BR>access-list 101 permit tcp any host 210.81.12.195 object-group 
mail-inbound <BR>access-list 101 permit tcp any host 210.81.12.196 object-group 
VoIP-tcp <BR>access-list 101 permit udp any host 210.81.12.196 object-group 
VoIP-udp<BR>access-list 101 permit tcp any host 210.81.12.197 object-group 
VoIP-tcp<BR>access-list 101 permit udp any host 210.81.12.197 object-group 
VoIP-udp </DIV>
<DIV><SPAN class=q><BR>pager lines 24<BR>logging on<BR>logging trap 
informational<BR>logging host inside 172.16.0.26 <BR></SPAN></DIV>
<DIV><SPAN class=q>logging host inside 172.16.0.12<BR></SPAN></DIV>
<DIV><SPAN class=q>icmp permit any unreachable outside<BR>icmp permit any 
outside<BR>mtu outside 1500<BR>mtu inside 1500<BR>ip address outside 
xxx.xxx.xxx.xxx 255.255.255.240<BR></SPAN></DIV>
<DIV>ip address inside 172.16.0.2 255.255.0.0</DIV>
<DIV><SPAN class=q><BR>ip audit info action alarm<BR>ip audit attack action
alarm <BR>ip local pool pbxlpool 10.1.0.100-10.1.0.200<BR></SPAN></DIV>
<DIV>pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside</DIV>
<DIV><SPAN class=q><BR>pdm history enable<BR>arp timeout 14400<BR>global
(outside) 1 interface<BR>nat (inside) 0 access-list VPNREMOTE
<BR></SPAN></DIV>
<DIV>nat (inside) 1 172.16.0.0 255.255.0.0 0 0<BR>static 
(inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 
1000<BR>static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 
1000<BR>static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 
1000</DIV>
<DIV><SPAN class=q><BR>access-group 101 in interface outside<BR>access-group
102 in interface inside<BR></SPAN></DIV>
<DIV>route outside 0.0.0.0 0.0.0.0 210.81.12.193 1</DIV>
<DIV><SPAN class=q><BR>timeout xlate 3:00:00<BR>timeout conn 1:00:00
half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00<BR>timeout h323
0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00<BR>timeout sip-disconnect
0:02:00 sip-invite 0:03:00 <BR>timeout uauth 0:05:00 absolute<BR>aaa-server
TACACS+ protocol tacacs+<BR>aaa-server TACACS+ max-failed-attempts
3<BR>aaa-server TACACS+ deadtime 10<BR>aaa-server RADIUS protocol
radius<BR>aaa-server RADIUS max-failed-attempts 3 <BR>aaa-server RADIUS
deadtime 10<BR>aaa-server LOCAL protocol local<BR><BR>aaa authentication ssh
console LOCAL<BR><BR></SPAN></DIV>
<DIV>http 172.16.0.12 255.255.255.255 inside</DIV>
<DIV><SPAN class=q><BR>snmp-server host inside 172.16.0.12<BR></SPAN></DIV>
<DIV><SPAN class=q>snmp-server location
pbxl-pix-datacentre<BR><BR>snmp-server community pbxl<BR>snmp-server enable
traps<BR>floodguard enable<BR><BR></SPAN></DIV>
<DIV>telnet 172.16.0.0 255.255.0.0 inside<BR>telnet 192.168.0.0 255.255.255.0 
inside<BR>telnet timeout 60 <BR>ssh 210.101.94.211 255.255.255.255 
outside<BR>ssh 0.0.0.0 0.0.0.0 outside<BR>ssh 172.16.0.12 255.255.255.255 
inside<BR>ssh 172.16.0.0 255.255.0.0 inside<BR>ssh 192.168.1.0 255.255.255.0 inside</DIV>
<DIV><SPAN class=q><BR>ssh timeout 60<BR>console timeout
0<BR>PBXLPIX01(config)#<BR>PBXLPIX01(config)#<BR><BR><BR></SPAN></DIV>
<DIV></DIV></DIV></BLOCKQUOTE></DIV><BR>
<DIV style="MARGIN: 0px">_______________________________________________</DIV>
<DIV style="MARGIN: 0px">cisco-voip mailing list</DIV>
<DIV style="MARGIN: 0px"><A
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A></DIV>
<DIV style="MARGIN: 0px"><A
href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</A></DIV></DIV><BR></DIV></BLOCKQUOTE></BODY></HTML>