Solved

VOIP and PIX 501

Posted on 2006-07-06
Last Modified: 2008-01-09
I am putting in a PIX 501 tomorrow and will have our ISP put their router into bridge mode and I was wondering what was involved with getting the PIX to work with the phone equipment.  I have all of the proper ports redirected.  When we did a test cutover, only incoming phone calls were not working.

The phone system is on our network at 10.0.1.150 and the PIX will be .1

I have ports 22 and 5060 and something else redirected to the .150 incoming.  Also, I added some fixups for h323 today.  What else should I need to do and what could have been the problem with the phone calls not coming in?
Question by:lttech
15 Comments
 
LVL 13

Expert Comment

by:Dr-IP
ID: 17053239
Have you redirected 1720? As 1720 is required for incoming call setup.
0
 

Author Comment

by:lttech
ID: 17053396
I have 22, 4569, 5060 all redirected.  That is what was redirected in the ISP's router and that is all.  I did the same mappings that were in the ISP's router but our PIX took a public of xx.xxx.xx.82 and their router is .81 and that is what we banked off of before.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17053419
I think the better question is: what is the phone equipment terminating the call? It sounds like you may not be using a router at all. If that is the case, you will want to determine what protocol you are using for voice. Is this a commercial VoIP service or an office-to-office VoIP service, and do you know if you are using H.323, SIP or something else?

Thanks
Scott
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17053427
They may have changed your IP.... Have they dynamically assigned the PIX 501, or is the outside interface DHCP?

Thanks
scott
0
 
LVL 13

Assisted Solution

by:Dr-IP
Dr-IP earned 250 total points
ID: 17053452
5060 is what you need for SIP signaling, but for H323 you need 1720, and you mentioned you applied fixups for H323, so I would figure you are doing H323, as it makes little sense otherwise.
0
 

Author Comment

by:lttech
ID: 17053484
"they may have changed your IP.... have they dynamically assigned the PIX501 or is the outside interface DHCP?"

The address they assigned to their router is .81 and we gave our PIX .82, so externally speaking the address changed.  Does the phone equipment point to that public IP Address?
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17053499
On the outbound, yes, but on the inbound you are no longer using .82 unless you have put a static into the firewall for it with a translation.

What size of subnet have they given you on the outside (how many IP addresses)?

Thanks
Scott
0
 

Author Comment

by:lttech
ID: 17053512
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
hostname XXXXXXX
domain-name XXXXXXXx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outsidein permit icmp any any
access-list outsidein permit tcp any any eq pop3
access-list outsidein permit tcp any any eq smtp
access-list outsidein permit tcp any any eq pcanywhere-data
access-list outsidein permit udp any any eq pcanywhere-status
access-list outsidein permit tcp any any eq 3389
access-list outsidein permit tcp any any eq www
access-list outsidein permit tcp any any eq ftp
access-list outsidein permit udp any any eq dnsix
access-list outsidein permit tcp any any eq 8081
access-list outsidein permit tcp any any eq domain
access-list outsidein permit udp any any eq domain
access-list outsidein permit tcp any any eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xxx.82 255.0.0.0
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.1.10 255.255.255.255 inside
pdm location 10.0.1.150 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3268 10.0.1.10 3268 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldap 10.0.1.10 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) udp interface 443 10.0.1.10 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp interface 25 10.0.1.10 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.0.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 10.0.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 10.0.1.150 ssh netmask 255.255.255.255 0 0
static (inside,outside) udp interface 22 10.0.1.150 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.81 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

0
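An added example, not part of the original thread: on PIX 6.3, a connection arriving on the outside interface needs both a static translation and a permit in the access list bound with access-group, and the sketch below cross-checks the two. The input is a constructed subset of the configuration posted above; the function names and the restriction to `permit <proto> any any eq <port>` entries are assumptions of this example.

```python
import re

# PIX port keywords that appear in the sample, mapped to port numbers.
PORT_NAMES = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80,
              "pop3": 110, "ldap": 389, "https": 443}

# Constructed sample: a subset of the configuration posted in this thread.
SAMPLE_CONFIG = """\
access-list outsidein permit tcp any any eq smtp
access-list outsidein permit tcp any any eq www
access-list outsidein permit tcp any any eq 3389
access-list outsidein permit udp any any eq domain
static (inside,outside) tcp interface www 10.0.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.0.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 10.0.1.150 ssh netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4569 10.0.1.150 4569 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5060 10.0.1.150 5060 netmask 255.255.255.255 0 0
access-group outsidein in interface outside
"""

def port(token):
    """Translate a PIX port keyword or a numeric string to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def unreachable_redirects(config):
    """Return (proto, public_port, inside_host) for every port redirect
    that the ACL bound to the outside interface does not permit.

    Simplification (assumption of this example): only ACL entries of the
    form 'permit <tcp|udp> any any eq <port>' are understood; ranges,
    host-specific entries and 'permit ip' are ignored.
    """
    bound = re.search(r"^access-group (\S+) in interface outside$", config, re.M)
    permitted, statics = set(), []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) permit (tcp|udp) any any eq (\S+)$", line)
        if m and bound and m.group(1) == bound.group(1):
            permitted.add((m.group(2), port(m.group(3))))
        m = re.match(r"static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) \S+ netmask", line)
        if m:
            statics.append((m.group(1), port(m.group(2)), m.group(3)))
    # With no ACL bound to the outside interface, nothing inbound is permitted.
    return [s for s in statics if (s[0], s[1]) not in permitted]

if __name__ == "__main__":
    for proto, pub_port, host in unreachable_redirects(SAMPLE_CONFIG):
        print(f"{proto}/{pub_port} -> {host}: static present, no ACL permit")
```

Each redirect it lists has a translation but no matching permit, so a new inbound connection to that port is dropped at the outside interface.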
 

Author Comment

by:lttech
ID: 17053516
1 address on the outside.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17053541
When you switched, did your route outside switch? .81 was their router, but if you bridge that, what happens to that IP address? Does it need to be changed to the upstream route? In a bridge, generally you are on a larger subnet with the gateway being further upstream.

Thanks
Scott
0
 

Author Comment

by:lttech
ID: 17053561
Unfortunately their .81 stayed as my gateway and my pix took .82 and that is the only public they gave us.
0
 

Author Comment

by:lttech
ID: 17054562
What do I need to add to the config ? Anything?
0
 
LVL 12

Accepted Solution

by:Scotty_cisco
Scotty_cisco earned 250 total points
ID: 17054596
If you're getting the address via DHCP and you are using H323 or SIP, you should be fine. Everything is defined as interface for your translations, and your fixup protocol should work for established traffic. What or who is the VoIP provider? Most do an outbound connection, and once it is established you are good.

Thanks
scott
0
 

Author Comment

by:lttech
ID: 17054623
So on their side they will point to the xx.xx.xxx.82 rather than .81 and we are all good?
0
 

Author Comment

by:lttech
ID: 17054659
Scotty,

Could I get you to look at this post as well and see if you can offer any help?

http://www.experts-exchange.com/Hardware/Routers/Q_21883737.html


We haven't heard back on it in a while....
0
