10/17/2009 at 04:59AM PDT, ID: 24820296 | Points: 500
Cisco Pix 501 Site to Site VPN

Asked by DMJorgensen in Cisco PIX Firewall, Virtual Private Networking (VPN), Voice Over IP

Tags: Cisco Pix 501 VPN VOIP

Greetings,
I have a client with a satellite office connected to the main office via Point-to-Point T1. We've just replaced this with Comcast internet and site to site VPN with Cisco Pix 501 firewalls. The VPN connects fine, and the data is flowing great (file, print, RDP, etc.), but there are 2 IP Phones at the satellite office that will not connect to the PBX at the main building. It's an NEC Aspire system. Is there something that Cisco VPN is blocking that these IP Phones need opened? Any thoughts from anyone would be helpful; I'll post the configs below.
Thanks!
Location 1 (Main Office)
 
: Saved
: Written by enable_15 at 15:09:57.759 UTC Fri Oct 16 2009
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ntlzNF.QlX6zc266 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Main
domain-name Acme.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_nat0_outbound permit ip 192.168.121.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list outside_cryptomap_10 permit ip 192.168.121.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list outside_access_in permit tcp any interface outside eq 3389 
access-list outside_access_in permit tcp any interface outside eq smtp 
access-list outside_access_in permit tcp any interface outside eq pop3 
access-list outside_access_in permit tcp any interface outside eq www 
access-list outside_access_in permit tcp any interface outside eq https 
access-list outside_access_in permit tcp any interface outside eq ftp 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.121.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.121.6 255.255.255.255 inside
pdm location 192.168.121.10 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.121.6 smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface 3389 192.168.121.6 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface https 192.168.121.6 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface www 192.168.121.6 www netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface pop3 192.168.121.6 pop3 netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface ftp 192.168.121.10 ftp netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.gw 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 192.168.121.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set DansSet esp-des esp-md5-hmac 
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set DansSet
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode 
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.121.2-192.168.121.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:294053b1c5374aa107c46bb35fcab7eb
 
Location 2 (Satellite)
 
: Saved
: Written by enable_15 at 04:43:05.768 UTC Sat Oct 17 2009
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Satellite
domain-name Acme.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.255.0 192.168.121.0 255.255.255.0 
access-list outside_cryptomap_10 permit ip 192.168.0.0 255.255.255.0 192.168.121.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside y.y.y.y 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.121.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 y.y.y.gw 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set DansSet esp-des esp-md5-hmac 
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set transform-set DansSet
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode 
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.3-192.168.0.34 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:85f8544e899e1720fa576082d50add63
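When one class of traffic fails across a tunnel that otherwise passes data, the first things a reviewer checks are that the two sides' crypto ACLs are exact mirror images, that each side's nat 0 (no-NAT) ACL covers the same networks as its crypto ACL, and that the IKE policy and transform-set agree on both peers. The script below is an added example, not code from the asker or from Cisco: it parses the PIX 6.3 lines that matter for the tunnel and reports mismatches, and it also flags what the posted configs actually rely on, the DES/MD5/group 1 IKE policy, the esp-des/esp-md5-hmac transform-set, and the default `public` SNMP community string. The two config excerpts are constructed from the lines posted above; the function and variable names are the example's own.

```python
"""Audit a pair of PIX 6.3 site-to-site VPN configs for proxy-ID mismatches,
no-NAT gaps, peer parameter disagreement and weak algorithms.

Added example; not part of the original question or of any Cisco tooling.
"""
import re

# Constructed excerpts of the two configs posted in the question (tunnel-relevant lines only).
MAIN_CFG = """\
access-list inside_nat0_outbound permit ip 192.168.121.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 192.168.121.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
snmp-server community public
crypto ipsec transform-set DansSet esp-des esp-md5-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set transform-set DansSet
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

SAT_CFG = """\
access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.255.0 192.168.121.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 192.168.0.0 255.255.255.0 192.168.121.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
snmp-server community public
crypto ipsec transform-set DansSet esp-des esp-md5-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set transform-set DansSet
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
# Algorithms considered weak by current standards (DES, MD5, DH groups 1 and 2).
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse(cfg):
    """Extract ACLs and the tunnel parameters from one PIX config."""
    acls, named = {}, {"tsets": {}}
    for line in cfg.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, set()).add((src, smask, dst, dmask))
        elif m := re.match(r"^nat \(inside\) 0 access-list (\S+)", line):
            named["nat0"] = m.group(1)
        elif m := re.match(r"^crypto map \S+ \d+ match address (\S+)", line):
            named["crypto_acl"] = m.group(1)
        elif m := re.match(r"^crypto map \S+ \d+ set transform-set (\S+)", line):
            named["tset_name"] = m.group(1)
        elif m := re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line):
            named["tsets"][m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"^isakmp policy \d+ (encryption|hash|group) (\S+)", line):
            named["ike_" + m.group(1)] = m.group(2)
        elif re.match(r"^snmp-server community (public|private)$", line):
            named["default_snmp_community"] = True
    return acls, named


def mirror(aces):
    """The peer's ACL should be this one with source and destination swapped."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in aces}


def audit(main_cfg, sat_cfg):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    a_acls, a = parse(main_cfg)
    b_acls, b = parse(sat_cfg)
    findings = []
    # 1. Crypto ACLs must be exact mirrors or phase 2 fails on proxy-ID mismatch.
    if mirror(a_acls[a["crypto_acl"]]) != b_acls[b["crypto_acl"]]:
        findings.append("crypto ACLs are not mirror images")
    # 2. The nat 0 ACL must cover the same networks, or tunnel-bound traffic gets PAT'd instead.
    for acls, named, site in ((a_acls, a, "main"), (b_acls, b, "satellite")):
        if acls[named["nat0"]] != acls[named["crypto_acl"]]:
            findings.append(f"{site}: nat 0 ACL does not match crypto ACL")
    # 3. Phase 1 and phase 2 parameters must agree on both peers.
    for key in ("ike_encryption", "ike_hash", "ike_group"):
        if a.get(key) != b.get(key):
            findings.append(f"IKE mismatch on {key}: {a.get(key)} vs {b.get(key)}")
    ta, tb = a["tsets"][a["tset_name"]], b["tsets"][b["tset_name"]]
    if ta != tb:
        findings.append(f"transform-set mismatch: {ta} vs {tb}")
    # 4. Weak algorithms and default SNMP community string on either side.
    for site, named in (("main", a), ("satellite", b)):
        weak = [named[f"ike_{k}"] for k in ("encryption", "hash", "group")
                if named.get(f"ike_{k}") in WEAK_IKE[k]]
        weak += [t for t in named["tsets"][named["tset_name"]] if t in WEAK_ESP]
        if weak:
            findings.append(f"{site}: weak crypto {weak}")
        if named.get("default_snmp_community"):
            findings.append(f"{site}: default SNMP community string")
    return findings


if __name__ == "__main__":
    for f in audit(MAIN_CFG, SAT_CFG):
        print(f)
```

Run against the two posted configs it reports no mismatches (the ACLs mirror correctly and both peers agree on the policy), only the weak-crypto and SNMP findings for each site; change one network or one IKE parameter on either side and the corresponding mismatch line appears.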
10/17/09 05:21 AM, ID: 25595743 (Expert Comment)

10/17/09 07:28 AM, ID: 25596021 (Expert Comment)

10/20/09 01:14 PM, ID: 25618066 (Author Comment)