Solved

VOIP and PIX 501

Posted on 2006-07-06
Last Modified: 2008-01-09
I am putting in a PIX 501 tomorrow and will have our ISP put their router into bridge mode and I was wondering what was involved with getting the PIX to work with the phone equipment.  I have all of the proper ports redirected.  When we did a test cutover, only incoming phone calls were not working.

The phone system is on our network at 10.0.1.150 and the PIX will be .1

I have ports 22 and 5060 and something else redirected to the .150 incoming.  Also, I added some fixups for h323 today.  What else should I need to do and what could have been the problem with the phone calls not coming in?
Question by:lttech
15 Comments
 
LVL 13

Expert Comment

by:Dr-IP
Have you redirected 1720? 1720 is required for incoming call setup.
 

Author Comment

by:lttech
I have 22, 4569, 5060 all redirected.  That is what was redirected in the ISP's router and that is all.  I did the same mappings that were in the ISP's router but our PIX took a public of xx.xxx.xx.82 and their router is .81 and that is what we banked off of before.
 
LVL 12

Expert Comment

by:Scotty_cisco
I think the better question is what the phone equipment terminating the call is. It sounds like you may not be using a router at all; if that is the case you will want to determine what protocol you are using for voice. Is this a commercial VoIP service or an office-to-office VoIP service, and do you know if you are using H.323, SIP or something else?

Thanks
Scott
 
LVL 12

Expert Comment

by:Scotty_cisco
They may have changed your IP. Have they dynamically assigned the PIX 501, or is the outside interface DHCP?

Thanks
scott
 
LVL 13

Assisted Solution

by:Dr-IP
Dr-IP earned 250 total points
5060 is what you need for SIP signaling, but for H323 you need 1720, and you mentioned you applied fixups for H323, so I would figure you are doing H323, as it makes little sense otherwise.
 

Author Comment

by:lttech
they may have changed your IP.... have they dynamically assigned the PIX501 or is the outside interface DHCP?

The address they assigned to their router is .81 and we gave our PIX .82, so externally speaking the address changed.  Does the phone equipment point to that public IP Address?
 
LVL 12

Expert Comment

by:Scotty_cisco
On the outbound, yes, but on the inbound you are no longer using .82 unless you have put a static into the firewall for it with a translation.

What size of subnet have they given you on the outside (how many IP addresses)?

Thanks
Scott
 

Author Comment

by:lttech
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
hostname XXXXXXX
domain-name XXXXXXXx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outsidein permit icmp any any
access-list outsidein permit tcp any any eq pop3
access-list outsidein permit tcp any any eq smtp
access-list outsidein permit tcp any any eq pcanywhere-data
access-list outsidein permit udp any any eq pcanywhere-status
access-list outsidein permit tcp any any eq 3389
access-list outsidein permit tcp any any eq www
access-list outsidein permit tcp any any eq ftp
access-list outsidein permit udp any any eq dnsix
access-list outsidein permit tcp any any eq 8081
access-list outsidein permit tcp any any eq domain
access-list outsidein permit udp any any eq domain
access-list outsidein permit tcp any any eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xxx.82 255.0.0.0
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.1.10 255.255.255.255 inside
pdm location 10.0.1.150 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3268 10.0.1.10 3268 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldap 10.0.1.10 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) udp interface 443 10.0.1.10 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp interface 25 10.0.1.10 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.0.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 10.0.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 10.0.1.150 ssh netmask 255.255.255.255 0 0
static (inside,outside) udp interface 22 10.0.1.150 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.81 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

 

Author Comment

by:lttech
1 address on the outside.
 
LVL 12

Expert Comment

by:Scotty_cisco
When you switched, did your route outside switch? .81 was their router, but if you bridge that, what happens to that IP address? Does it need to be changed to the upstream route? In a bridge you are generally on a larger subnet with the gateway being further upstream.

Thanks
Scott
 

Author Comment

by:lttech
Unfortunately their .81 stayed as my gateway and my PIX took .82, and that is the only public they gave us.
 

Author Comment

by:lttech
What do I need to add to the config? Anything?
 
LVL 12

Accepted Solution

by:Scotty_cisco
Scotty_cisco earned 250 total points
If you're getting the address via DHCP and you are using H323 or SIP you should be fine; everything is defined as interface for your translations, and your fixup protocol should work for established traffic. What or who is the VoIP provider? Most do an outbound connection, and once it is established you are good.

Thanks
scott
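Dr-IP's point that H.323 call setup needs 1720 and Scott's note that every translation is defined as "interface" can both be checked mechanically against the config lttech posted. The script below is an added example, not code from the thread, from Cisco or from Experts Exchange. It parses the static, access-list, access-group and fixup protocol lines of a PIX 6.3-style config and reports, for a chosen signaling protocol, whether each required port is (a) statically translated to the phone system and (b) permitted by the access list bound inbound on the outside interface, which on a PIX with an access-group applied is what admits unsolicited inbound traffic even when a static exists; it also flags two management-plane settings visible in the posted config. The protocol table, the SERVICE_NAMES map and all function names are my assumptions; 1720 and 5060 come from the thread, while 4569/udp being IAX2 is a fact the thread does not state. Run over a trimmed copy of the posted config it shows the 5060 and 4569 statics in place, no static for 1720/tcp, and no permit for any of these ports in the outsidein list, which is what a reviewer would want to rule out before attributing the missing inbound calls to the .81/.82 addressing change.

```python
"""Audit a PIX 6.3 config dump for inbound VoIP readiness and risky management settings.

Added example; not code from the thread, Cisco or Experts Exchange. Assumes a
PIX 6.3-style configuration text and the signaling ports named in the thread.
"""
import re

# Signaling ports per protocol (assumed table). 1720/tcp (H.323 H.225) and 5060
# (SIP) are the ports the thread names; 4569/udp is IAX2, present in the statics.
REQUIRED_PORTS = {
    "h323": {("tcp", 1720)},
    "sip": {("tcp", 5060), ("udp", 5060)},
    "iax2": {("udp", 4569)},
}

# PIX 6.3 accepts service keywords as well as numbers; these are the ones used here.
SERVICE_NAMES = {"ssh": 22, "www": 80, "https": 443, "smtp": 25, "domain": 53,
                 "ftp": 21, "pop3": 110, "ldap": 389}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp|icmp) any any(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
FIXUP_RE = re.compile(r"^fixup protocol (\S+)")


def port_number(token):
    """Turn a PIX port token ('5060', 'ssh', 'www') into an int, or None if unknown."""
    if token.isdigit():
        return int(token)
    return SERVICE_NAMES.get(token)


def parse_config(text):
    """Extract statics, ACL permits, ACL bindings and fixups from a PIX 6.3 config."""
    cfg = {"statics": [], "acl": {}, "groups": {}, "fixups": set(), "lines": []}
    for raw in text.splitlines():
        line = raw.strip()
        cfg["lines"].append(line)
        if m := STATIC_RE.match(line):
            # (proto, outside port, inside host, inside port)
            cfg["statics"].append((m[3], port_number(m[4]), m[5], port_number(m[6])))
        elif m := ACL_RE.match(line):
            port = port_number(m[3]) if m[3] else None   # icmp entries carry no port
            cfg["acl"].setdefault(m[1], set()).add((m[2], port))
        elif m := GROUP_RE.match(line):
            cfg["groups"][m[2]] = m[1]                   # interface -> ACL name
        elif m := FIXUP_RE.match(line):
            cfg["fixups"].add(m[1])                      # "no fixup ..." lines do not match
    return cfg


def audit_voip(text, protocol, phone_ip, outside="outside"):
    """Per required signaling port: is it translated to phone_ip, permitted by the
    ACL bound inbound on the outside interface, and is the protocol fixup enabled?"""
    cfg = parse_config(text)
    permitted = cfg["acl"].get(cfg["groups"].get(outside), set())
    report = {}
    for proto, port in sorted(REQUIRED_PORTS[protocol]):
        translated = any(s[0] == proto and s[1] == port and s[2] == phone_ip
                         for s in cfg["statics"])
        report[(proto, port)] = {"translated": translated,
                                 "permitted": (proto, port) in permitted,
                                 "fixup": protocol in cfg["fixups"]}
    return report


def management_findings(text):
    """Flag management-plane settings a reviewer would want changed."""
    findings = []
    for line in parse_config(text)["lines"]:
        if line.startswith("telnet 0.0.0.0 0.0.0.0 "):
            findings.append("telnet allowed from any source on " + line.split()[-1])
        if line == "snmp-server community public":
            findings.append("SNMP uses the default community 'public'")
    return findings


# Constructed sample: a trimmed copy of the PIX 6.3 config posted in the thread,
# keeping only the lines this audit reads.
SAMPLE_CONFIG = """\
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
access-list outsidein permit icmp any any
access-list outsidein permit tcp any any eq smtp
access-list outsidein permit tcp any any eq www
access-list outsidein permit tcp any any eq https
static (inside,outside) tcp interface ssh 10.0.1.150 ssh netmask 255.255.255.255 0 0
static (inside,outside) udp interface 22 10.0.1.150 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
access-group outsidein in interface outside
snmp-server community public
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.1.0 255.255.255.0 inside
"""

if __name__ == "__main__":
    for protocol in ("h323", "sip", "iax2"):
        for (proto, port), r in audit_voip(SAMPLE_CONFIG, protocol, "10.0.1.150").items():
            print(f"{protocol:5} {proto}/{port}: static={r['translated']} "
                  f"acl={r['permitted']} fixup={r['fixup']}")
    for finding in management_findings(SAMPLE_CONFIG):
        print("finding:", finding)
```

The audit only recognises the "any any eq <port>" form of permit used in the posted list and the "interface" form of static; a config that uses host-specific ACL entries or a dedicated public address for the phone system would need the two regular expressions extended.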
 

Author Comment

by:lttech
So on their side they will point to the xx.xx.xxx.82 rather than .81 and we are all good?
 

Author Comment

by:lttech
Scotty,

Could I get you to look at this post as well and see if you can offer any help?

http://www.experts-exchange.com/Hardware/Routers/Q_21883737.html


We haven't heard back on it in a while....
