Solved

Forward ports 5000 6200 with Cisco 501

Posted on 2008-10-11
27
634 Views
Last Modified: 2011-09-20
We have a Cisco Pix 501 C using 6.2. We have purchased a new phone system that requires that we open ports 5000 through 6200 UDP for voice packets. I received some help on opening these ports; now they tell us we need to actually forward these ports (5000 through 6200). I now need to know the configuration instructions to forward these ports. Below is the configuration as it is now.

Thanks again in advance!


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1X3ezz1Db6FW8W2P encrypted
passwd /EWUqltKj6jE8Cpw encrypted
hostname cisco-pix
domain-name abby.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.0.0.102 abbatronpdc
name 10.0.0.103 abbatrondc1
object-group service VOIPHONE udp
  port-object range 5000 6200
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list 101 permit ip host 10.0.0.13 10.0.50.0 255.255.255.0
access-list 101 permit ip host 10.0.0.11 10.0.50.0 255.255.255.0
access-list 101 permit ip host 10.0.0.115 10.0.50.0 255.255.255.0
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host nnn.nnn.nnn.nnn eq 5566
access-list acl-out permit tcp any host nnn.nnn.nnn.nnn eq 3389
access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 3389
access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 5000
access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 6200
access-list acl-out permit udp any any range 5000 6200
access-list acl-out permit udp any host nnn.nnn.nnn.nnn range 5000 6200
pager lines 24
logging on
logging buffered errors
logging trap debugging
logging host inside 10.0.0.100
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside nnn.nnn.nnn.nnn 255.255.255.0
ip address inside 10.0.0.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.0.50.1-10.0.50.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 abbatrondc1 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 abbatrondc1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5566 10.0.0.68 5566 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 24.154.55.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 206.126.161.196 255.255.255.255 outside
ssh timeout 60
terminal width 80
cisco-pix(config)#
Question by: mikeplastic
27 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22695621
Hi there again!
What IP do you need to forward those to?
 

Author Comment

by:mikeplastic
ID: 22695690
10.0.0.68

Thanks
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22695754
Try this - let me know if it works.
It won't if you are forwarding other ports (which you are - so it probably won't work).
How many public IP addresses do you have? If you have more than one, we will need one for this.
If you only have one, it will not be possible (unless we add 1,200 static commands to your config).
Please let me know.
Cheers!
 

static (inside,outside) interface 10.0.0.68 netmask 255.255.255.255


 
LVL 79

Accepted Solution

by: lrmoore (earned 100 total points)
ID: 22696118
You can't do that....

If you actually have to forward that many ports, you really, really need another public IP address.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22696306
Indeed. You can do it, but it's so uneconomical you might as well not try.
1200 statics aren't very fun.
 
LVL 79

Expert Comment

by:lrmoore
ID: 22700178
Correction:
You CAN do it, but it will break all other outbound Internet traffic and everything else that you are wanting to do.
Agree that 1200 individual statics are not practical at all.
 

Author Comment

by:mikeplastic
ID: 22701880
I will heed all your advice. I am getting a second Static IP for the phone system. My assumption is then I will have to forward that second IP to the phone system (10.0.0.68). If that assumption is correct, could you please verify the instruction to do that?
 
LVL 4

Expert Comment

by:icanhelp
ID: 22703492
WHOA!!!!

It's still not a good idea.  I read through your config and it looks like you're going to send VoIP packets straight up through the INTERNET?

First, you should open that many ports on the far end as RTP packets (on those UDP ports) require. Secondly, it's possible that RTP is required to be opened on the near end as well. TOOOOOO many holes. I'd have fun hacking into your network. Do it this way: set up a VPN tunnel (peer-to-peer) and allow your interesting traffic to allow the entire IP range both ways through the tunnel. Cisco even recommends that you traverse VoIP packets between offices using secure lines or tunnelling to allow the entire IP protocol suite. Otherwise, you'd also have to open up the MGCP ports and H.323 ports (for SRST mode in your case, since you're using MGCP as the main connection/session protocol).

If you need help setting up a vpn tunnel on your devices, let us know and we can help.  PS-I don't know of or heard of anyone ever setting up voip networking in this way.  You will be creating such a security hole!

cheers,
rc
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22704093
icanhelp,
I completely agree with you on the toooooo many holes part - the fact though is that we're working on this based on info from a previously asked question and this is the only way to get it to work.
Cheers!
 
LVL 4

Expert Comment

by:icanhelp
ID: 22704191
I see. I would recommend that we set up this Voice/Data network differently. The reason for this is that all that is truly needed from an infrastructure standpoint is that the IP phone can route to the router and the router can route to the call manager. That is all. We can get this guy set up securely using Cisco recommended practices without too much more effort than we're exerting by opening up and forwarding that many UDP ports.

rc
 

Author Comment

by:mikeplastic
ID: 22704270
Pugglewuggle and icanhelp:
I would definitely like to set this up in the most efficient and the most secure method. Let me give more details. The VoIP phone will be remote (out of state) and is for an Inter-Tel phone system. The specs that they have provided are as follows:
The following ports will need opened in the firewall for the IP phone to function.
UDP Port 5000-6200 Incoming and Outgoing
TCP Port 5566 Incoming and Outgoing
5566 will need forwarded to the IP of the phone system.
5000-6200 will also need to be forwarded to the phone system.

We currently have 1 Static IP and I will get a 2nd Static IP.

How should I set this up in this router? I did not set up this router, so if you can provide as much detail as possible I would appreciate it!

 

 
LVL 4

Expert Comment

by:icanhelp
ID: 22704482
If both of these edge devices (router/firewall) at these two locations are Cisco, then we can help you setup a VPN tunnel that will allow the entire IP protocol suite through the tunnel, thus meeting Inter-Tel's specs (as RTP/UDP is a sub portion of IP as a whole) and provide the most amount of security.

By the way, do you have Smartnet?

Author Comment

by:mikeplastic
ID: 22704674
The VoIP phone does not have a router on it.  In fact it may be connected from any location (if the salesman wants to take it on the road with him).
 

Author Comment

by:mikeplastic
ID: 22706253
icanhelp
You asked if we have smartnet?  No we do not have a Smartnet contract with Cisco!
 
LVL 4

Expert Comment

by:icanhelp
ID: 22707482
mikeplastic said:  The VoIP phone does not have a router on it.  In fact it may be connected from any location (if the salesman wants to take it on the road with him).

My Reply:  The reason I stated this is because the ip phone still needs a VoIP gateway.  The reason this PIX firewall "needs" these UDP ports opened up is because his VoIP gateway needs them opened.  When we're talking Cisco, the VoIP gateway is normally handled by an ISR router (i.e. 2800 series router...etc).  If we're talking about a VoIP service company needing these PIX ports opened, then we're talking about an entirely different thing.

rc
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 100 total points
ID: 22708213
Yes we certainly are... If you're using the PIX as the VOIP gateway this is usually not recommended... an ISR is generally used as icanhelp said.
If the VOIP phone is connecting with SIP (as I would imagine) and using an internal router (vs. an edge router) as the VOIP gateway, then you might seriously consider moving that router to the network perimeter.
Opening that many ports is a huge "hole", but then again, if nothing is there to exploit, any attacker would be shooting into the dark.
Cheers!
 
LVL 4

Assisted Solution

by:icanhelp
icanhelp earned 100 total points
ID: 22708560
Okay Mike. I think I'm starting to assemble the misunderstanding. First, Puggle, lrmoore and I are all trying to help, but we're not getting the full picture of your network. This is what we know:

1.  You have a "new phone system"  What kind of VoIP protocol is it running?
2.  Your phone system is behind an IP network (interpolated information at best). We need to know how this network is laid out. At your "corporate" office (I'm guessing here) is where your Intertel PBX is set up. My question here is, do you just have a plain IP network going out to the Internet, or do you have point-to-point connections? I doubt it, as I see a dynamic map VPN configuration, probably for your Cisco VPN client.
3.  Are you trying to connect to your corporate from (i.e.) your house or anywhere else out of that office?  Where is this PIX located?  Offsite?
4.  Lastly, at your corporate office where your Intertel is, what is the "edge" device and who makes it (i.e. Cisco router, firewall, etc.)?

If you can give us more information about your network and better describe what devices do the end-to-end connection between IP phone and the Intertel PBX, we can help.  Definitely.

rc
 

Author Comment

by:mikeplastic
ID: 22715334
To try to explain:
The phone system is not using SIP; it is using a proprietary protocol.

We are a small company. We have a cable internet connection with a Cisco PIX (in our main facility) connected as our gateway. Currently we have one Static IP address. Then that feeds our electronic switch. The servers are connected to the switch. Our new phone system also connects to the switch for backup and phone system management. There is only one (right now) VoIP phone, located 2000 miles away, that we would like to connect to the new phone system as though this VoIP phone was an extension on our local phone system. Technical support from the phone provider now indicates that if we have a 2nd Static IP and can pass that IP through to the phone system (locally), that is all they need, and they guarantee that the VoIP phone will operate from any internet connection without a tunnel. I have procured a 2nd Static IP address and I would now like to forward the 2nd Static IP through to the Phone System. Let me know if this sounds possible and what instructions I need to change on the Cisco Router to accomplish that.

Thanks in advance.  
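The accepted answer (dedicate a second public IP to the phone system instead of 1,200 port statics) and the request just above never got a worked configuration in this thread, which ends with the author solving it elsewhere. What follows is an added example by the editor in PIX 6.2 syntax, not a post from the thread. It assumes the new public address is nnn.nnn.nnn.mmm (a placeholder, following the page's own nnn.nnn.nnn.nnn convention) and that it sits in the same /24 as the outside interface, so the PIX can answer ARP for it; the phone system stays at 10.0.0.68 with the vendor's ports (TCP 5566, UDP 5000-6200) from the author's post. Step 1 retires the per-port forward and the broad UDP lines already in the posted config; that cleanup is the editor's recommendation, not something the thread says.

```text
! Added example for PIX 6.2 (editor's, not from the thread). Placeholders:
!   nnn.nnn.nnn.mmm = the second public IP (assumed on the outside /24)
!   10.0.0.68       = the Inter-Tel phone system (from the posted config)

cisco-pix(config)# ! 1. Retire the interface port-forward for 5566 and the
cisco-pix(config)# !    broad/duplicate UDP lines. The one-to-one static below
cisco-pix(config)# !    carries 5566, and "any any" should not stay in acl-out
cisco-pix(config)# !    once it is the only filter in front of a fully translated host.
cisco-pix(config)# no static (inside,outside) tcp interface 5566 10.0.0.68 5566 netmask 255.255.255.255 0 0
cisco-pix(config)# no access-list acl-out permit tcp any host nnn.nnn.nnn.nnn eq 5566
cisco-pix(config)# no access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 5000
cisco-pix(config)# no access-list acl-out permit udp any host nnn.nnn.nnn.nnn eq 6200
cisco-pix(config)# no access-list acl-out permit udp any any range 5000 6200
cisco-pix(config)# no access-list acl-out permit udp any host nnn.nnn.nnn.nnn range 5000 6200

cisco-pix(config)# ! 2. One-to-one static NAT: every port of nnn.nnn.nnn.mmm <-> 10.0.0.68.
cisco-pix(config)# !    A static also overrides "nat (inside) 1 / global (outside) 1 interface"
cisco-pix(config)# !    for that host, so its outbound packets leave sourced from
cisco-pix(config)# !    nnn.nnn.nnn.mmm, which is the "outgoing" half of the vendor spec.
cisco-pix(config)# static (inside,outside) nnn.nnn.nnn.mmm 10.0.0.68 netmask 255.255.255.255 0 0

cisco-pix(config)# ! 3. Inbound filter. With a full static the ACL is the only thing
cisco-pix(config)# !    keeping the rest of 10.0.0.68 off the Internet, so permit exactly
cisco-pix(config)# !    the vendor's ports to exactly that address. Source stays "any"
cisco-pix(config)# !    only because the remote phone may connect from any network.
cisco-pix(config)# access-list acl-out permit tcp any host nnn.nnn.nnn.mmm eq 5566
cisco-pix(config)# access-list acl-out permit udp any host nnn.nnn.nnn.mmm range 5000 6200

cisco-pix(config)# ! 4. Flush existing translations so the new static is used, then save.
cisco-pix(config)# clear xlate
cisco-pix(config)# write memory

cisco-pix(config)# ! 5. Verify: the static is present, the ACEs accumulate hit counts
cisco-pix(config)# !    while the remote phone registers, and translations/connections
cisco-pix(config)# !    for 10.0.0.68 show the new global address.
cisco-pix(config)# show static
cisco-pix(config)# show access-list acl-out
cisco-pix(config)# show xlate
cisco-pix(config)# show conn
```

acl-out contains only permit entries plus the implicit deny, so the order in which the new ACEs land does not change the result. The second address must actually reach the PIX: if it is on the outside interface's subnet the PIX proxy-ARPs for the static; if the ISP hands it to you as a separately routed block instead, the static still works, but the ISP has to route that block to the outside interface address. Two things in the same posted config are unrelated to this change but worth fixing while you are in there: `ssh 0.0.0.0 0.0.0.0 outside` allows SSH management from any Internet host, and `snmp-server community public` is the default read community.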
 
LVL 4

Expert Comment

by:icanhelp
ID: 22756959
It looks like you've accepted your own answer as a solution?
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22759088
Indeed... why?
 

Author Comment

by:mikeplastic
ID: 22761848
I am just trying to close this, as this methodology did not work. I put out another question that satisfied my need in another fashion. Is there some way to give you both credit for answering what you tried?
 

Author Comment

by:mikeplastic
ID: 22762727
Fine - You can do that and I will assign partial credit to both of you.
Thanks!
 

Author Comment

by:mikeplastic
ID: 22771433
I am new to splitting up the credit for the solution - please give me a hint as to how to do that.
 

Author Comment

by:mikeplastic
ID: 22776252
Increase points
 

Author Closing Comment

by:mikeplastic
ID: 31505363
Very good team work!