Forward ports 5000 6200 with Cisco 501

We have a Cisco Pix 501 C using 6.2 - We have purchased a new phone system that requires that we open ports 5000 through 6200 UDP for voice packets. I received some help on opening these ports - now they tell us we need to actually forward these ports (5000 through 6200). I now need to know the configuration instructions to forward these ports. Below is the configuration as it is now.

Thanks again in advance!

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1X3ezz1Db6FW8W2P encrypted
passwd /EWUqltKj6jE8Cpw encrypted
hostname cisco-pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
name abbatronpdc
name abbatrondc1
object-group service VOIPHONE udp
  port-object range 5000 6200
access-list 101 permit ip
access-list 101 permit ip host
access-list 101 permit ip host
access-list 101 permit ip host
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host nnn.nnn.nnn.nnn eq 5566
access-list acl-out permit tcp any host nnn.nnn.nnn.nnn eq 3389
access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 3389
access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 5000
access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 6200
access-list acl-out permit udp any any range 5000 6200
access-list acl-out permit udp any host nnn.nnn.nnn.nnn range 5000 6200
pager lines 24
logging on
logging buffered errors
logging trap debugging
logging host inside
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside nnn.nnn.nnn.nnn
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0
static (inside,outside) tcp interface 3389 abbatrondc1 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 abbatrondc1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5566 5566 netmask
5 0 0
access-group acl-out in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet inside
telnet timeout 5
ssh outside
ssh outside
ssh timeout 60
terminal width 80
You can't do that....

If you actually have to forward that many ports, you really, really need another public IP address.
Hi there again!
What IP do you need to forward those to?
mikeplasticAuthor Commented:

Try this - let me know if it works.
It won't if you are forwarding other ports (which you are - so it probably won't work).
How many public IP addresses do you have? If you have more than one, we will need one for this.
If you only have one, it will not be possible (unless we add 1,200 static commands to your config).
Please let me know.

static (inside,outside) interface netmask

Indeed. You can do it, but it's so uneconomical you might as well not try.
1200 statics aren't very fun.
You CAN do it, but it will break all other outbound Internet traffic and everything else that you are wanting to do.
Agree that 1200 individual statics are not practical at all.
mikeplasticAuthor Commented:
I will heed all your advice. I am getting a second Static IP for the phone system. My assumption is then I will have to forward that second IP to the phone system. If that assumption is correct, could you please verify the instructions to do that?

It's still not a good idea.  I read through your config and it looks like you're going to send VoIP packets straight up through the INTERNET?

First, you should open that many ports on the far end as RTP packets (on those UDP ports) require. Secondly, it's possible that RTP is required to be opened on the near end as well. TOOOOOO many holes. I'd have fun hacking into your network. Do it this way: set up a VPN tunnel (peer-to-peer) and allow your interesting traffic to allow the entire IP range both ways through the tunnel. Cisco even recommends that you traverse VoIP packets between offices using secure lines or tunnelling to allow the entire IP protocol suite. Otherwise, you'd also have to open up the mgcp ports and H323 ports (for SRST mode in your case since you're using mgcp as the main connection/session protocol).

If you need help setting up a VPN tunnel on your devices, let us know and we can help. PS: I don't know of, nor have I heard of, anyone ever setting up VoIP networking in this way. You will be creating such a security hole!

I completely agree with you on the toooooo many holes part - the fact though is that we're working on this based on info from a previously asked question and this is the only way to get it to work.
I see. I would recommend that we set up this Voice/Data network differently. The reason for this is that all that is truly needed from an infrastructure standpoint is that the IP phone can route to the router and the router can route to the call manager. That is all. We can get this guy set up securely using Cisco recommended practices without too much more effort than we're exerting by opening up and forwarding that many UDP ports.

mikeplasticAuthor Commented:
Pugglewuggle and icanhelp:
I would definitely like to set this up in the most efficient and the most secure method. Let me give more details. The VoIP phone will be remote (out of state) and is for an Inter-Tel phone system. The specs that they have provided are as follows:
The following ports will need opened in the firewall for the IP phone to function.
UDP Port 5000-6200 Incoming and Outgoing
TCP Port 5566 Incoming and Outgoing
5566 will need forwarded to the IP of the phone system.
5000-6200 will also need to be forwarded to the phone system.

We currently have 1 Static IP and I will get a 2nd Static IP.

How should i set this up in this router?  I did not set up this router so if you can provide as much detail as possible I would appreciate it!


If both of these edge devices (router/firewall) at these two locations are Cisco, then we can help you set up a VPN tunnel that will allow the entire IP protocol suite through the tunnel, thus meeting Inter-Tel's specs (as RTP/UDP is a sub portion of IP as a whole) and provide the most amount of security.

By the way, do you have Smartnet?
mikeplasticAuthor Commented:
The VoIP phone does not have a router on it.  In fact it may be connected from any location (if the salesman wants to take it on the road with him).
mikeplasticAuthor Commented:
You asked if we have smartnet?  No we do not have a Smartnet contract with Cisco!
mikeplastic said:  The VoIP phone does not have a router on it.  In fact it may be connected from any location (if the salesman wants to take it on the road with him).

My Reply:  The reason I stated this is because the ip phone still needs a VoIP gateway.  The reason this PIX firewall "needs" these UDP ports opened up is because his VoIP gateway needs them opened.  When we're talking Cisco, the VoIP gateway is normally handled by an ISR router (i.e. 2800 series router...etc).  If we're talking about a VoIP service company needing these PIX ports opened, then we're talking about an entirely different thing.

Yes we certainly are... If you're using the PIX as the VOIP gateway this is usually not recommended... an ISR is generally used as icanhelp said.
If the VOIP phone is connecting with SIP (as I would imagine) and using an internal router (vs. an edge router) as the VOIP gateway, then you might seriously consider moving that router to the network perimeter.
Opening that many ports is a huge "hole", but then again, if nothing is there to exploit, any attacker would be shooting into the dark.
Okay Mike.  I think I'm starting to assemble the misunderstanding.  First, Puggle, Irmoore and I are all trying to help but we're not getting the full picture of your network.  This is what we know:

1.  You have a "new phone system"  What kind of VoIP protocol is it running?
2.  Your phone system is behind an IP network (interpolated information at best).  We need to know how this network is laid out.  At your "corporate" office (I'm guessing here) is where your Intertel PBX is set up.  My question here is, do you just have a plain IP network going out to the Internet or do you have point-to-point connections?  I doubt it as I see a dynamic map VPN configuration probably for your Cisco VPN client.
3.  Are you trying to connect to your corporate from (i.e.) your house or anywhere else out of that office?  Where is this PIX located?  Offsite?
4.  Lastly, at your corporate where your Intertel is, what is the "edge" device and who makes it (i.e. Cisco router, firewall...etc)?

If you can give us more information about your network and better describe what devices do the end-to-end connection between IP phone and the Intertel PBX, we can help.  Definitely.

mikeplasticAuthor Commented:
To try to explain:
The phone system is not using SIP; it is using a proprietary protocol.

We are a small company - We have a cable internet connection with a Cisco PIX (in our main facility) connected as our gateway. Currently we have one Static IP address. Then that feeds our electronic switch. The servers are connected to the switch. Our new phone system also connects to the switch for backup and phone system management. There is only one (right now) VoIP phone that is located 2000 miles away that we would like to connect to the new phone system as though this VoIP phone was an extension on our local phone system. Technical support from the phone provider now indicates that if we have a "2nd Static IP and can pass that IP through to the phone system (locally)" that is all they need, and they guarantee that the VoIP phone will operate from any internet connection without a tunnel. I have procured a 2nd Static IP address and I would now like to forward the 2nd Static IP through to the Phone System. Let me know if this sounds possible and what instructions I need to change on the Cisco Router to accomplish that.

Thanks in advance.  
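The two approaches the experts compare above (one `static` per port through the single outside address, versus a 1:1 `static` for a dedicated second public IP with the ACL limited to the vendor's two services) are spelled out below as an added example. It is not from the original thread or from Cisco; it only generates PIX 6.x command text in the syntax already visible in the posted config and audits an `acl-out` list for inbound rules whose destination is `any`. The PBX hostname and the second public address are placeholders, and the 1:1 static assumes the second address lies in the outside interface's subnet so the PIX can answer ARP for it.

```python
"""Added example (not from the thread or from Cisco): generate PIX 6.x commands
for the two port-forwarding approaches discussed, and audit an acl-out list for
overly broad inbound rules. Names and addresses below are placeholders."""
import re
from typing import List, Set, Tuple

PBX_HOST = "phone-system"           # placeholder for the PBX's inside 'name' entry
SECOND_PUBLIC_IP = "203.0.113.10"   # placeholder, RFC 5737 documentation range
UDP_RANGE = (5000, 6200)            # vendor-required RTP range from the thread
TCP_PORT = 5566                     # vendor-required signalling port from the thread


def per_port_statics(host: str, first: int, last: int, proto: str = "udp") -> List[str]:
    """Option A: forward every port of the range through the single outside
    interface address, one 'static' per port (the 1,200-line approach)."""
    return [
        f"static (inside,outside) {proto} interface {p} {host} {p} "
        "netmask 255.255.255.255 0 0"
        for p in range(first, last + 1)
    ]


def one_to_one_static(public_ip: str, host: str, first: int, last: int,
                      tcp_port: int) -> List[str]:
    """Option B: dedicate a second public IP to the PBX with one 1:1 static,
    then permit inbound only the two services the vendor lists."""
    return [
        f"static (inside,outside) {public_ip} {host} netmask 255.255.255.255 0 0",
        f"access-list acl-out permit udp any host {public_ip} range {first} {last}",
        f"access-list acl-out permit tcp any host {public_ip} eq {tcp_port}",
        "access-group acl-out in interface outside",
    ]


# Matches the tcp/udp permit shapes used in the posted config; icmp/ip rules
# and object-group references are deliberately out of scope for this audit.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+(udp|tcp)\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)\s+"
    r"(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))$"
)


def audit_acl(lines: List[str]) -> Tuple[int, List[str]]:
    """Return the number of distinct (protocol, port) pairs the list permits
    inbound, and the rules whose destination is 'any' (those expose the ports
    on every address the firewall forwards for, not just the PBX)."""
    opened: Set[Tuple[str, int]] = set()
    broad: List[str] = []
    for raw in lines:
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        _name, proto, _src, dst, eq, lo, hi = m.groups()
        ports = [int(eq)] if eq else range(int(lo), int(hi) + 1)
        opened.update((proto, p) for p in ports)
        if dst == "any":
            broad.append(raw.strip())
    return len(opened), broad


# Constructed sample: the acl-out lines as they appear in the posted config.
SAMPLE_ACL_OUT = [
    "access-list acl-out permit icmp any any",
    "access-list acl-out permit tcp any host nnn.nnn.nnn.nnn eq 5566",
    "access-list acl-out permit tcp any host nnn.nnn.nnn.nnn eq 3389",
    "access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 3389",
    "access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 5000",
    "access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 6200",
    "access-list acl-out permit udp any any range 5000 6200",
    "access-list acl-out permit udp any host nnn.nnn.nnn.nnn range 5000 6200",
]

if __name__ == "__main__":
    statics = per_port_statics(PBX_HOST, *UDP_RANGE)
    print(f"Option A needs {len(statics)} static commands, e.g. {statics[0]}")
    print("Option B:")
    for cmd in one_to_one_static(SECOND_PUBLIC_IP, PBX_HOST, *UDP_RANGE, TCP_PORT):
        print("  " + cmd)
    count, broad = audit_acl(SAMPLE_ACL_OUT)
    print(f"Posted acl-out permits {count} distinct inbound ports; broad rules: {broad}")
```

The audit shows that the posted list already contains `access-list acl-out permit udp any any range 5000 6200`, which opens the range to any destination rather than only the PBX; with Option B that line is unnecessary and the two `host` rules for the new address are all the vendor's spec calls for. The thread's experts still prefer a VPN tunnel over either option, since a phone that roams to arbitrary networks leaves no source address to restrict on.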
It looks like you've accepted your own answer as a solution?
Indeed... why?
mikeplasticAuthor Commented:
I am just trying to close this as this methodology did not work. I put out another question that satisfied my need in another fashion. Is there some way to give you both credit for answering what you tried?
mikeplasticAuthor Commented:
Fine - You can do that and I will assign partial credit to both of you.
mikeplasticAuthor Commented:
I am new to splitting up the credit for the solution - please give me a hint as to how to do that.
mikeplasticAuthor Commented:
Increase points
mikeplasticAuthor Commented:
Very good team work!