Solved

PIX 506e forwarding VOIP on T1

Posted on 2010-04-08
678 Views
Last Modified: 2012-05-09
I'm trying to use a VOIP phone in Chicago to communicate here in Bloomington. How in the world can I do this? The phone company left me, and I need to know what I'm missing in my PIX config to get it to work.

domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list 101 permit tcp host 65.121.247.XXX host 192.168.1.254 eq h323
access-list 101 permit tcp host 65.121.247.XXX host 192.168.1.254 eq 5060
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 65.121.247.XXX 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.10.1-172.16.10.8
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.254 255.255.255.255 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
alias (inside) 192.168.1.152 67.XXX.135.XXX 255.255.255.255
static (inside,outside) 65.121.247.XXX 192.168.1.150 dns netmask 255.255.255.255 0 0
static (inside,outside) 65.121.247.XXX 192.168.1.175 netmask 255.255.255.255 0 0
static (inside,outside) 65.121.247.XXX 192.168.1.160 dns netmask 255.255.255.255 0 0
static (inside,outside) 67.133.135.XXX 192.168.1.152 dns netmask 255.255.255.255 0 0
conduit permit tcp host 65.121.247.XXX eq smtp any
conduit permit tcp host 65.121.247.XXX eq 3389 any
conduit permit tcp host 65.121.247.XXX eq www any
conduit permit icmp any any
conduit permit tcp host 65.121.247.XXX eq 3389 any
conduit permit tcp host 65.121.247.XXX eq 3389 any
conduit deny tcp host 65.121.247.XXX eq smtp host 79.190.39.130
conduit deny tcp host 65.121.247.xXX eq smtp host 121.88.4.XXX
conduit deny tcp host 65.121.247.XXX eq pop3 host 79.190.39.XXX
conduit deny tcp host 65.121.247.XXX eq pop3 host 121.88.4.XXX
conduit deny tcp host 65.121.247.XXX eq ftp host 79.190.39.XXX
conduit deny tcp host 65.121.247.XXXX eq ftp host 121.88.4.XXX
conduit permit tcp host 67.133.135.XXX eq 3392 any
conduit permit tcp host 67.133.135.XXX eq www any
conduit permit tcp host 67.133.135.XXX eq https any
conduit permit tcp host 67.133.135.XXX eq 8080 any
conduit permit tcp host 67.133.135.XXX eq ftp any
conduit permit tcp host 67.133.135.XXX eq 5800 any
conduit permit tcp host 67.133.135.XXX eq 5900 any
conduit permit tcp host 65.121.247.XXX eq 5060 any
route outside 0.0.0.0 0.0.0.0 65.121.247.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 50 set transform-set myset
crypto map kec 99 ipsec-isakmp dynamic dynmap
crypto map kec interface outside
isakmp enable outside
isakmp identity address
isakmp policy 99 authentication pre-share
isakmp policy 99 encryption 3des
isakmp policy 99 hash md5
isakmp policy 99 group 2
isakmp policy 99 lifetime 86400

PLEASE HELP FAST!!!!!!
Question by:Mutogi
13 Comments
 
LVL 3

Author Comment

by:Mutogi
ID: 30210365
anyone?
0
 
LVL 4

Expert Comment

by:Pro4ia
ID: 30232223
Are you saying that you have a VOIP phone in Chicago and want to connect to a VOIP PBX in Bloomington?
0
 
LVL 3

Author Comment

by:Mutogi
ID: 30240144
I have an LPIU in Bloomington and I need to allow traffic through the PIX to Chicago from here.
0
 
LVL 22

Expert Comment

by:mcsween
ID: 30510426
1. Is this the firewall config from Chicago or Bloomington?
2. Are you trying to allow outgoing or incoming traffic for this PIX?
3. Is this going to travel across the open internet or are you going to encrypt it with VPN or something?
4. I've never heard of LPIU; can you please explain a little better what type of VOIP setup you have? Is this just a VOIP phone in Chicago connecting to a VOIP phone switch (PBX) in Bloomington?
0
 
LVL 14

Expert Comment

by:bfason
ID: 30519595
Could we get more details, please? I'm not familiar with "LPIU".

What kind of phone system do you have? What is the model of phone in question?
0
 
LVL 3

Author Comment

by:Mutogi
ID: 30554738
Sorry, it's LIPU.

Phone system and PIX in Bloomington.

Client with VOIP in Chicago.

No encryption.

This is what is on the PCB....
Toshiba Strata LIPU-X1A 16CH IP Base PCB Card LIPU-X1A

The hard thing is it uses ports 5060, 5000, 2000, 1024-65535 for voice travel; yeah, I know it's a lot.


LIPU.bmp
0
 
LVL 22

Accepted Solution

by:
mcsween earned 1500 total points
ID: 30627783
A couple things I see, but before I start I am going to STRONGLY suggest setting up a VPN between these sites. If you set up a VPN, most of my further comments will be moot.

1. You have not assigned an access list to the outside interface. I see access list 101 there, but it is not assigned to any interface. (access-group 101 in interface outside)

2. I don't see the static NAT mappings for the ports you need.

If I were to build this access list it would look like this (<CHIC-IP> = Chicago public IP, <PIXPIP> = PIX public IP, <LIPU-LIP> = VOIP server LAN IP):

access-list 102 permit tcp host <CHIC-IP> host <PIXPIP> eq 5060
access-list 102 permit tcp host <CHIC-IP> host <PIXPIP> eq 5000
access-list 102 permit tcp host <CHIC-IP> host <PIXPIP> eq 2000
access-list 102 permit tcp host <CHIC-IP> host <PIXPIP> range 1024 65535
access-group 102 in interface outside
static (inside,outside) <PIXPIP> <LIPU-LIP> netmask 255.255.255.255 0 0

 
0
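As an added example (not code from the thread or from either poster), a small Python lint that mechanises the checks made in the accepted answer against a PIX 6.x-style config: access-lists that are defined but never bound by access-group, nat 0 or a crypto map, duplicated or wide-open conduit lines, and interface-ACL entries whose destination is a private address (on PIX 6.x an inbound ACL must name the translated global address, so such an entry never matches). The sample config is constructed here using documentation address ranges, modelled on the config in the question.

```python
import re
from collections import Counter

# Constructed sample modelled on the PIX 6.x config in the question; the
# addresses are documentation ranges, not the poster's real ones.
SAMPLE_CONFIG = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 101 permit tcp host 203.0.113.10 host 192.168.1.254 eq 5060
nat (inside) 0 access-list 100
static (inside,outside) 198.51.100.5 192.168.1.150 netmask 255.255.255.255 0 0
conduit permit tcp host 198.51.100.5 eq 3389 any
conduit permit tcp host 198.51.100.5 eq 3389 any
conduit permit icmp any any
"""

PRIVATE = r"(10\.\d+\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+)"

def lint_pix_config(text):
    """Return a list of (kind, detail) findings for a PIX 6.x style config."""
    findings = []
    defined, referenced, conduits = set(), set(), Counter()
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"access-list (\S+) ", line)
        if m:
            defined.add(m.group(1))
            # A private destination host in an interface ACL can never match on
            # PIX 6.x: inbound ACLs are evaluated against the translated address.
            if re.search(r"host " + PRIVATE + r"(?: eq| range|$)", line):
                findings.append(("private-dest", line))
            continue
        m = re.match(r"access-group (\S+) in interface", line)
        if m:
            referenced.add(m.group(1))
        m = re.search(r"\baccess-list (\S+)$", line)   # nat 0 / crypto map references
        if m:
            referenced.add(m.group(1))
        if line.startswith("conduit "):
            conduits[line] += 1
            if line.endswith(" any any"):              # no source restriction at all
                findings.append(("broad-conduit", line))
    for name in sorted(defined - referenced):          # written but never applied
        findings.append(("unbound-acl", name))
    for rule, n in conduits.items():
        if n > 1:
            findings.append(("duplicate-conduit", rule))
    return findings

if __name__ == "__main__":
    for kind, detail in lint_pix_config(SAMPLE_CONFIG):
        print(f"{kind:18} {detail}")
```

Run it over a saved `show run` to get the same "ACL defined but not applied" finding the answer above points out, before touching the box.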
 
LVL 3

Author Comment

by:Mutogi
ID: 30952721
Away from the office; will advise Sat the 17th, 2010.
0
 
LVL 3

Author Comment

by:Mutogi
ID: 31154389
All commands added, but much better quality: you can hear both ends, but very, very choppy. Phone extensions stay lit for approx. 6-10 secs after the person hangs up the phone?
0
 
LVL 3

Author Closing Comment

by:Mutogi
ID: 31712468
Problem not completely fixed. still cutting out, 90% good to go.
0
 
LVL 22

Expert Comment

by:mcsween
ID: 31297740
Sorry, I missed your comments.  It looks like you may be having a latency issue with the choppy calling.  You need very low latency to support VOIP.

You should be under 150ms for proper call quality.  Over 300ms and the calls become unacceptable.  You may have to increase the internet speed at one end to reduce latency.
0
 
LVL 3

Author Comment

by:Mutogi
ID: 31298320
Mcsween,

We are in the process of getting 2x T1, which should allow QoS and other phone calls to work. Will keep you posted.
0
 
LVL 22

Expert Comment

by:mcsween
ID: 31299477
If these T1s aren't going to be bonded by the ISP, you might look into a device like this:

http://www.ecessa.com/pages/products/products_powerlink_pl100.php
0
