Trish Benningfield (United States of America) asked:
Polycom VSX through PIX

Hi all!  I have a Cisco PIX 506E running 6.3(5).  I have a Polycom VSX-7000e behind it on the network, IP address 192.168.1.18.  I am trying to call out, and on all calls, the call is placed, connected, and on the VSX-7000e side I see a black image.  On the remote I see the video just fine.  I've seen others with this same problem but don't find a solution in English that I can apply... can anyone help? We know this unit works as I can remove the PIX from the equation and do not have this problem.  

The Polycom is set as follows:
NAT OFF
Fixed ports is selected
IP address is 192.168.1.18 (as the PIX is handling NAT)

Below is my PIX config; I've substituted the first 3 octets of my public IPs with 1.1.1....

I have 9 of these to set up and need to resolve quickly. Thanks!!

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******
passwd ******
hostname hostpix
domain-name host.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 fres
access-list in2out deny ip 192.168.5.0 255.255.255.0 any
access-list in2out deny ip host 192.168.1.131 any
access-list in2out deny ip any host 66.151.158.177
access-list in2out permit tcp host 192.168.1.23 any eq smtp
access-list in2out permit tcp host 192.168.1.136 any eq smtp
access-list in2out deny tcp any any eq smtp
access-list in2out deny ip fres 255.255.255.0 any
access-list in2out deny ip 192.168.3.0 255.255.255.0 any
access-list in2out deny ip 192.168.4.0 255.255.255.0 any
access-list in2out deny ip 192.168.6.0 255.255.255.0 any
access-list in2out deny ip 192.168.7.0 255.255.255.0 any
access-list in2out deny ip 192.168.8.0 255.255.255.0 any
access-list in2out deny ip 192.168.9.0 255.255.255.0 any
access-list in2out deny ip 192.168.10.0 255.255.255.0 any
access-list in2out deny ip 192.168.11.0 255.255.255.0 any
access-list in2out deny ip 192.168.12.0 255.255.255.0 any
access-list in2out deny ip host 192.168.1.129 any
access-list in2out permit ip any any
access-list outside permit icmp any any
access-list outside permit tcp any host 1.1.1.153 eq www
access-list outside permit tcp any host 1.1.1.140 eq www
access-list outside permit tcp any host 1.1.1.140 eq smtp
access-list outside permit tcp any host 1.1.1.140 eq ftp
access-list outside permit tcp any host 1.1.1.142 eq www
access-list outside permit tcp any host 1.1.1.143 eq www
access-list outside permit tcp any host 1.1.1.144 eq www
access-list outside permit tcp any host 1.1.1.145 eq www
access-list outside permit tcp any host 1.1.1.146 eq www
access-list outside permit tcp any host 1.1.1.147 eq www
access-list outside permit tcp any host 1.1.1.150 eq www
access-list outside permit tcp any host 1.1.1.151 eq www
access-list outside permit tcp any host 1.1.1.152 eq www
access-list outside permit ip any host 1.1.1.1.179
access-list outside permit tcp any host 1.1.1.1.154 eq www
access-list outside permit tcp any host 1.1.1.1.154 eq ftp
access-list outside permit tcp any host 1.1.1.1.158 eq ftp
access-list outside permit tcp any host 1.1.1.1.158 eq www
access-list outside permit tcp any host 1.1.1.1.153 eq ftp
access-list outside permit tcp any host 1.1.1.1.156 eq www
access-list outside permit tcp any host 1.1.1.1.157 eq www
access-list outside permit ip any host 1.1.1.1.129
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 host 192.168.1.68
access-list splitvpn permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging trap debugging
logging host inside 192.168.1.84
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.189 255.255.255.192
ip address inside 192.168.1.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pool1 192.168.0.75-192.168.0.79
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 1.1.1.140 www 192.168.1.23 www dns netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.140 ftp 192.168.1.220 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.140 smtp 192.168.1.28 smtp netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.143 192.168.1.223 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.142 192.168.1.222 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.144 192.168.1.224 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.145 192.168.1.225 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.146 192.168.1.226 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.147 192.168.1.227 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.150 192.168.1.230 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.151 192.168.1.231 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.152 192.168.1.232 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.153 192.168.1.233 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.180 192.168.1.250 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.179 192.168.1.249 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.154 192.168.1.234 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.158 192.168.1.238 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.156 192.168.1.236 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.157 192.168.1.237 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.129 192.168.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.130 192.168.3.18 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.131 192.168.4.18 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.132 192.168.6.18 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.134 192.168.8.18 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.135 192.168.9.18 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.133 192.168.7.18 dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.136 192.168.10.18 dns netmask 255.255.255.255 0 0

access-group outside in interface outside
access-group in2out in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.190 1
route inside fres 255.255.255.0 192.168.1.5 1
route inside 192.168.3.0 255.255.255.0 192.168.1.5 1
route inside 192.168.4.0 255.255.255.0 192.168.1.5 1
route inside 192.168.5.0 255.255.255.0 192.168.1.5 1
route inside 192.168.7.0 255.255.255.0 192.168.1.5 1
route inside 192.168.8.0 255.255.255.0 192.168.1.5 1
route inside 192.168.9.0 255.255.255.0 192.168.1.5 1
route inside 192.168.10.0 255.255.255.0 192.168.1.5 1
route inside 192.168.11.0 255.255.255.0 192.168.1.5 1
route inside 192.168.12.0 255.255.255.0 192.168.1.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.168.1.22 cisco123 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.204
snmp-server host inside 192.168.1.4
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 1.1.1.160 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool pool1
vpngroup vpn3000 dns-server 192.168.1.22
vpngroup vpn3000 wins-server 192.168.1.22
vpngroup vpn3000 default-domain host.com
vpngroup vpn3000 split-tunnel splitvpn
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
vpdn group TEST accept dialin pptp
vpdn group TEST ppp authentication pap
vpdn group TEST ppp authentication chap
vpdn group TEST ppp authentication mschap
vpdn group TEST ppp encryption mppe 40
vpdn group TEST client configuration address local pool1
vpdn group TEST client configuration wins 192.168.1.20
vpdn group TEST pptp echo 60
vpdn group TEST client authentication local
vpdn username tcs password *********
vpdn enable outside
terminal width 80

ASKER CERTIFIED SOLUTION
nodisco (New Zealand)
Trish Benningfield (ASKER)
Hi!  I've turned off the fixup protocol, which is the inspection of these packets, correct?  Everything I've read has instructed me to do this, one example being https://www.experts-exchange.com/questions/22991557/Using-a-Polycom-VSX-7000-Behind-a-Cisco-PIX-Firewall.html

I will change it and see if I get a different result, will advise!

Thanks,

Trish

hey there

I was wondering what your reason was for turning off these fixups. The EE example says you shouldn't use it for port forwarding, but you are not port forwarding; you are using direct 1:1 static translations. Plus, the First Connections page says you can use the fixups or you can fix the ports as per example 2.

Try the fixups first and see how you go
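The point nodisco makes above (1:1 static translation plus the h323 fixup, rather than fixed ports with the fixup disabled) is easy to miss when reading a long PIX config. The following is an added example, not code from the thread or from Cisco: a small Python checker that reads a PIX 6.3 config excerpt and flags the two things at issue here, an h323 fixup that has been turned off while 1:1 statics exist, and an outside ACL entry that permits all IP traffic to a static host. The function names (`audit_pix_config`, `remediation_lines`) are my own, and `SAMPLE_CONFIG` is a constructed excerpt built from the lines posted in the question. The explanation in the finding text reflects how the PIX h323 fixup works: it rewrites the private addresses an endpoint embeds in H.225/H.245 signalling and opens the negotiated media ports, which is why disabling it with NAT in the path produces one-way media.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt mirroring the lines posted in the question:
# the h323 fixups are disabled, 192.168.1.18 has a 1:1 static to 1.1.1.129,
# and the outside ACL permits all IP traffic to that public address.
SAMPLE_CONFIG = """\
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol sip 5060
access-list outside permit icmp any any
access-list outside permit tcp any host 1.1.1.140 eq www
access-list outside permit ip any host 1.1.1.129
static (inside,outside) tcp 1.1.1.140 www 192.168.1.23 www dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.129 192.168.1.18 netmask 255.255.255.255 0 0
access-group outside in interface outside
"""

FIXUP_RE = re.compile(r"^(?P<no>no )?fixup protocol (?P<args>.+)$")
# Only 1:1 statics (public IP followed directly by private IP); port statics start with tcp/udp.
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (?P<pub>\d+(?:\.\d+){3}) (?P<priv>\d+(?:\.\d+){3})\b")
BROAD_ACE_RE = re.compile(r"^access-list (?P<acl>\S+) permit ip any host (?P<host>\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface outside$")
PORT_TOKEN_RE = re.compile(r"^\d+(?:-\d+)?$")


@dataclass
class PixAudit:
    fixups: dict = field(default_factory=dict)      # "h323 h225" -> enabled?
    fixup_cmds: dict = field(default_factory=dict)  # "h323 h225" -> full enabling command
    statics: dict = field(default_factory=dict)     # public IP -> private IP (1:1 statics only)
    outside_acl: str = ""
    findings: list = field(default_factory=list)


def _fixup_key(args: str) -> str:
    """Strip trailing port/range tokens so 'h323 h225 1720' and 'h323 ras 1718-1719' get distinct keys."""
    tokens = args.split()
    while tokens and PORT_TOKEN_RE.match(tokens[-1]):
        tokens.pop()
    return " ".join(tokens)


def audit_pix_config(text: str) -> PixAudit:
    """Parse the relevant lines of a PIX 6.3 config and record findings."""
    audit = PixAudit()
    broad = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := FIXUP_RE.match(line):
            key = _fixup_key(m["args"])
            audit.fixups[key] = m["no"] is None
            audit.fixup_cmds[key] = "fixup protocol " + m["args"]
        elif m := STATIC_RE.match(line):
            audit.statics[m["pub"]] = m["priv"]
        elif m := BROAD_ACE_RE.match(line):
            broad.append((m["acl"], m["host"]))
        elif m := ACCESS_GROUP_RE.match(line):
            audit.outside_acl = m["acl"]

    h323_disabled = [k for k, on in audit.fixups.items() if k.startswith("h323") and not on]
    if h323_disabled and audit.statics:
        audit.findings.append(
            "h323 fixup disabled (%s): the PIX will not rewrite the private addresses the endpoint "
            "embeds in H.225/H.245 signalling, so the remote side sends media to the private address "
            "and it never arrives (one-way video) for 1:1 static hosts %s"
            % (", ".join(h323_disabled), ", ".join(audit.statics.values()))
        )
    for acl, host in broad:
        if acl == audit.outside_acl and host in audit.statics:
            audit.findings.append(
                "overly broad ACE: %s permits all IP from any source to %s (static for %s); "
                "restrict it to the signalling and media ports the application uses"
                % (acl, host, audit.statics[host])
            )
    return audit


def remediation_lines(audit: PixAudit) -> list:
    """Config lines that re-enable every disabled h323 fixup, rebuilt from the lines seen in the config."""
    return [audit.fixup_cmds[k] for k, on in sorted(audit.fixups.items())
            if k.startswith("h323") and not on]


if __name__ == "__main__":
    result = audit_pix_config(SAMPLE_CONFIG)
    for f in result.findings:
        print("FINDING:", f)
    for cmd in remediation_lines(result):
        print("FIX:", cmd)
```

Run it against a full `write terminal` dump to get the same two findings the thread arrived at by hand; the remediation lines are simply the posted `no fixup` lines with the `no` removed, which is the accepted fix.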

Excellent, that works!  I just misunderstood, thanks!
Another quick question on this: I've been asked to lock down access, from "all IP" to only what is required from outside. Which ports must be open to allow incoming calls?

hi

I am not sure exactly which ports, as according to the earlier link it varies. However, you could use the ones from the first link as per

http://www.firstconnections.co.uk/support/viewkb.asp?id=26

And watch the access-list.  After a few weeks of successful operation, recheck the access-list and see what ports get no hits.

hth
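The "watch the access-list" advice above works best as a comparison of two snapshots rather than one reading. As an added example (not from the thread, and not a Cisco tool), here is a Python script that parses `show access-list` output, lists entries with no hits, and reports which entries gained no hits between a baseline taken at lock-down time and a later check. The hit-counter line format (`access-list <name> line <n> <ace> (hitcnt=<n>)`) is assumed from memory of PIX 6.3 output and should be checked against your own firewall; the two snapshots are constructed, and the port entries in them are placeholders standing in for whatever list the endpoint vendor documents, not a claim about which ports a VSX needs.

```python
import re

# Line format assumed from PIX 6.3 "show access-list" output, which appends a
# per-entry hit counter: "access-list <name> line <n> <ace> (hitcnt=<n>)".
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) \(hitcnt=(?P<hits>\d+)\)\s*$"
)

# Constructed snapshots of a tightened outside ACL for the 1.1.1.129 static,
# taken at lock-down time and again a few weeks later. The entries for www
# and ftp are placeholders, not ports the endpoint is known to need.
SNAPSHOT_BEFORE = """\
access-list outside; 4 elements
access-list outside line 1 permit icmp any any (hitcnt=310)
access-list outside line 2 permit tcp any host 1.1.1.129 eq 1720 (hitcnt=12)
access-list outside line 3 permit tcp any host 1.1.1.129 eq ftp (hitcnt=0)
access-list outside line 4 permit tcp any host 1.1.1.129 eq www (hitcnt=0)
"""

SNAPSHOT_AFTER = """\
access-list outside; 4 elements
access-list outside line 1 permit icmp any any (hitcnt=9841)
access-list outside line 2 permit tcp any host 1.1.1.129 eq 1720 (hitcnt=97)
access-list outside line 3 permit tcp any host 1.1.1.129 eq ftp (hitcnt=0)
access-list outside line 4 permit tcp any host 1.1.1.129 eq www (hitcnt=0)
"""


def parse_hitcounts(output: str, acl: str) -> dict:
    """Map ACE text -> hit count for the named access-list; summary lines are skipped."""
    counts = {}
    for line in output.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["acl"] == acl:
            counts[m["ace"]] = int(m["hits"])
    return counts


def zero_hit_aces(output: str, acl: str) -> list:
    """ACEs with no hits at all in a single snapshot."""
    return [ace for ace, hits in parse_hitcounts(output, acl).items() if hits == 0]


def unused_between(before: str, after: str, acl: str) -> list:
    """ACEs whose counter did not change between two snapshots: candidates for removal.

    Comparing snapshots rather than reading one absolute value catches an entry that
    was used before the lock-down but never since. If the counters were reset between
    the two readings the comparison is meaningless, so take a fresh baseline instead.
    Entries added after the baseline have nothing to compare against and are skipped.
    """
    b = parse_hitcounts(before, acl)
    a = parse_hitcounts(after, acl)
    return [ace for ace, hits in a.items() if ace in b and hits == b[ace]]


if __name__ == "__main__":
    print("no hits at baseline:", zero_hit_aces(SNAPSHOT_BEFORE, "outside"))
    print("unchanged over the period:", unused_between(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "outside"))
```

Capture `show access-list` into a file when the ACL is tightened and again a few weeks later, then feed both files to `unused_between`; an entry that appears in that list can be removed with some confidence, while an entry that gained hits (here the TCP 1720 call-signalling entry) is one incoming calls actually use.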