lttech
asked on
VOIP and PIX 501
I am putting in a PIX 501 tomorrow and will have our ISP put their router into bridge mode, and I was wondering what was involved with getting the PIX to work with the phone equipment. I have all of the proper ports redirected. When we did a test cutover, only incoming phone calls were not working.
The phone system is on our network at 10.0.1.150 and the PIX will be .1
I have ports 22 and 5060 and something else redirected to the .150 incoming. Also, I added some fixups for h323 today. What else should I need to do and what could have been the problem with the phone calls not coming in?
Have you redirected 1720? As 1720 is required for incoming call setup.
ASKER
I have 22, 4569, 5060 all redirected. That is what was redirected in the ISP's router and that is all. I did the same mappings that were in the ISP's router but our PIX took a public of xx.xxx.xx.82 and their router is .81 and that is what we banked off of before.
I think the better question is: what is the phone equipment terminating the call? It sounds like you may not be using a router at all. If that is the case, you will want to determine what protocol you are using for voice. Is this a commercial VoIP service or an office-to-office VoIP service, and do you know if you are using H.323, SIP or something else?
Thanks
Scott
They may have changed your IP.... Have they dynamically assigned the PIX 501, or is the outside interface DHCP?
Thanks
scott
ASKER
They may have changed your IP.... Have they dynamically assigned the PIX 501, or is the outside interface DHCP?
The address they assigned to their router is .81 and we gave our PIX .82, so externally speaking the address changed. Does the phone equipment point to that public IP Address?
On the outbound, yes, but on the inbound you are no longer using .82 unless you have put a static into the firewall for it with a translation.
What size of subnet have they given you on the outside (how many IP addresses)?
Thanks
Scott
ASKER
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
hostname XXXXXXX
domain-name XXXXXXXx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outsidein permit icmp any any
access-list outsidein permit tcp any any eq pop3
access-list outsidein permit tcp any any eq smtp
access-list outsidein permit tcp any any eq pcanywhere-data
access-list outsidein permit udp any any eq pcanywhere-status
access-list outsidein permit tcp any any eq 3389
access-list outsidein permit tcp any any eq www
access-list outsidein permit tcp any any eq ftp
access-list outsidein permit udp any any eq dnsix
access-list outsidein permit tcp any any eq 8081
access-list outsidein permit tcp any any eq domain
access-list outsidein permit udp any any eq domain
access-list outsidein permit tcp any any eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xxx.82 255.0.0.0
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.1.10 255.255.255.255 inside
pdm location 10.0.1.150 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3268 10.0.1.10 3268 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldap 10.0.1.10 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) udp interface 443 10.0.1.10 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp interface 25 10.0.1.10 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.0.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 10.0.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 10.0.1.150 ssh netmask 255.255.255.255 0 0
static (inside,outside) udp interface 22 10.0.1.150 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.81 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
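A check worth running against the config posted above, added here as an example and not written by anyone in the thread: on PIX 6.3 a static alone does not admit inbound traffic, the access-list bound to the outside interface with access-group must permit it as well. The script parses the static and access-list lines of a constructed excerpt of the posted config, reports every port forward that the outsidein ACL never permits, and lists the call-setup ports named in the thread that have no static at all. Assumptions: SIP over UDP 5060, IAX2 on UDP 4569, H.225 on TCP 1720, and interface-style statics only.

```python
import re

# Constructed excerpt of the PIX 6.3(5) config posted above: the phone-system (10.0.1.150)
# statics and the ACL are as posted, most 10.0.1.10 forwards are omitted for brevity.
PIX_CONFIG = """
access-list outsidein permit tcp any any eq www
access-list outsidein permit tcp any any eq https
access-list outsidein permit udp any any eq domain
static (inside,outside) tcp interface www 10.0.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 10.0.1.150 ssh netmask 255.255.255.255 0 0
static (inside,outside) udp interface 22 10.0.1.150 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
access-group outsidein in interface outside
"""

# PIX service keywords used in the posted config, resolved to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "domain": 53, "smtp": 25, "ftp": 21,
              "pop3": 110, "ldap": 389, "pcanywhere-data": 5631,
              "pcanywhere-status": 5632, "dnsix": 195}

# Inbound call-setup ports named in the thread (assumed transports: SIP/UDP, IAX2/UDP, H.225/TCP).
VOICE_PORTS = {("udp", 5060): "SIP", ("udp", 4569): "IAX2", ("tcp", 1720): "H.225 call setup"}

STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any any eq (\S+)")

def port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def port_forwards(config):
    """Map (proto, outside port) -> inside host for every port static on the outside interface."""
    forwards = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, outside_port, host, _inside_port = m.groups()
            forwards[(proto, port(outside_port))] = host
    return forwards

def acl_permits(config, acl_name):
    """(proto, port) pairs the named access-list permits from any source."""
    return {(m.group(2), port(m.group(3)))
            for m in (ACL_RE.match(l.strip()) for l in config.splitlines())
            if m and m.group(1) == acl_name}

def unreachable_forwards(config, acl_name="outsidein"):
    """Statics the inbound ACL never permits: the PIX drops those packets, so the forward is dead."""
    permitted = acl_permits(config, acl_name)
    return sorted((key, host) for key, host in port_forwards(config).items() if key not in permitted)

def missing_voice_forwards(config):
    """Call-setup ports from the thread that have no static at all."""
    forwards = port_forwards(config)
    return sorted(name for key, name in VOICE_PORTS.items() if key not in forwards)
```

Run against the full posted config, the result is the same for the phone system: all six 10.0.1.150 forwards (22, 4569, 5060 over TCP and UDP) are missing from outsidein, and TCP 1720 has no static.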
ASKER
1 address on the outside.
When you switched, did your route outside switch? .81 was their router, but if you bridge that, what happens to that IP address? Does it need to be changed to the upstream route? In a bridge you are generally on a larger subnet, with the gateway being further upstream.
Thanks
Scott
ASKER
Unfortunately their .81 stayed as my gateway and my pix took .82 and that is the only public they gave us.
ASKER
What do I need to add to the config ? Anything?
ASKER
So on their side they will point to the xx.xx.xxx.82 rather than .81 and we are all good?
ASKER
Scotty,
Could I get you to look at this post as well and see if you can offer any help?
https://www.experts-exchange.com/questions/21883737/Access-List-Help.html
We haven't heard back on it in a while....