PIX 506e forwarding VOIP on T1

I'm trying to use a VOIP phone in Chicago to communicate here in Bloomington. How in the world can I do this? The phone company left me and I need to know what I'm missing in my PIX config to get it to work.

domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list 101 permit tcp host 65.121.247.XXX host 192.168.1.254 eq h323
access-list 101 permit tcp host 65.121.247.XXX host 192.168.1.254 eq 5060
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 65.121.247.XXX 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.10.1-172.16.10.8
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.254 255.255.255.255 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
alias (inside) 192.168.1.152 67.XXX.135.XXX 255.255.255.255
static (inside,outside) 65.121.247.XXX 192.168.1.150 dns netmask 255.255.255.255 0 0
static (inside,outside) 65.121.247.XXX 192.168.1.175 netmask 255.255.255.255 0 0
static (inside,outside) 65.121.247.XXX 192.168.1.160 dns netmask 255.255.255.255 0 0
static (inside,outside) 67.133.135.XXX 192.168.1.152 dns netmask 255.255.255.255 0 0
conduit permit tcp host 65.121.247.XXX eq smtp any
conduit permit tcp host 65.121.247.XXX eq 3389 any
conduit permit tcp host 65.121.247.XXX eq www any
conduit permit icmp any any
conduit permit tcp host 65.121.247.XXX eq 3389 any
conduit permit tcp host 65.121.247.XXX eq 3389 any
conduit deny tcp host 65.121.247.XXX eq smtp host 79.190.39.130
conduit deny tcp host 65.121.247.XXX eq smtp host 121.88.4.XXX
conduit deny tcp host 65.121.247.XXX eq pop3 host 79.190.39.XXX
conduit deny tcp host 65.121.247.XXX eq pop3 host 121.88.4.XXX
conduit deny tcp host 65.121.247.XXX eq ftp host 79.190.39.XXX
conduit deny tcp host 65.121.247.XXX eq ftp host 121.88.4.XXX
conduit permit tcp host 67.133.135.XXX eq 3392 any
conduit permit tcp host 67.133.135.XXX eq www any
conduit permit tcp host 67.133.135.XXX eq https any
conduit permit tcp host 67.133.135.XXX eq 8080 any
conduit permit tcp host 67.133.135.XXX eq ftp any
conduit permit tcp host 67.133.135.XXX eq 5800 any
conduit permit tcp host 67.133.135.XXX eq 5900 any
conduit permit tcp host 65.121.247.XXX eq 5060 any
route outside 0.0.0.0 0.0.0.0 65.121.247.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 50 set transform-set myset
crypto map kec 99 ipsec-isakmp dynamic dynmap
crypto map kec interface outside
isakmp enable outside
isakmp identity address
isakmp policy 99 authentication pre-share
isakmp policy 99 encryption 3des
isakmp policy 99 hash md5
isakmp policy 99 group 2
isakmp policy 99 lifetime 86400

PLEASE HELP FAST!!!!!!
Mutogi (IT Manager) asked.

Mutogi (IT Manager, author) commented:
anyone?
Pro4ia commented:
Are you saying that you have a VOIP phone in Chicago and want to connect to a VOIP PBX in Bloomington?
Mutogi (IT Manager, author) commented:
I have an LPIU in Bloomington and I need to allow traffic through the PIX to Chicago from here.
mcsween (Sr. Network Administrator) commented:
1. Is this the firewall config from Chicago or Bloomington?
2. Are you trying to allow outgoing or incoming traffic for this PIX?
3. Is this going to travel across the open internet or are you going to encrypt it with VPN or something?
4. I've never heard of LPIU; can you please explain a little better what type of VOIP setup you have? Is this just a VOIP phone in Chicago connecting to a VOIP phone switch (PBX) in Bloomington?
bfason commented:
Could we get more details, please? I'm not familiar with "LPIU".

What kind of phone system do you have? What is the model of phone in question?
Mutogi (IT Manager, author) commented:
Sorry, it's LIPU.

Phone system and PIX in Bloomington.

Client with VOIP in Chicago.

No encryption.

This is what is on the PCB:
Toshiba Strata LIPU-X1A 16CH IP Base PCB Card

The hard thing is it uses ports 5060, 5000, 2000, 1024-65535 for voice travel. Yeah, I know it's a lot.

[Attachment: LIPU.bmp]
mcsween (Sr. Network Administrator) commented:
A couple things I see, but before I start I am going to STRONGLY suggest setting up a VPN between these sites. If you set up a VPN, most of my further comments will be moot.

1. You have not assigned an access list to the outside interface.  I see access list 101 there but not assigned to any interface.  (access-group 101 in interface outside)

2. I don't see the static NAT mappings for the ports you need.

If I were to build this access list it would look like this (<CHIC-IP> = Chicago public IP, <PIXPIP> = PIX public IP, <LIPU-LIP> = VOIP server LAN IP):

access-list 102 permit tcp host <CHIC-IP> host <PIXPIP> eq 5060
access-list 102 permit tcp host <CHIC-IP> host <PIXPIP> eq 5000
access-list 102 permit tcp host <CHIC-IP> host <PIXPIP> eq 2000
access-list 102 permit tcp host <CHIC-IP> host <PIXPIP> range 1024 65535
access-group 102 in interface outside
static (inside,outside) <PIXPIP> <LIPU-LIP> netmask 255.255.255.255 0 0

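The two gaps mcsween points out (an access-list that is defined but never applied, and no static for the VOIP host) are easy to miss by eye in a config of this size. The following is an added example, not code from the thread or from Cisco: a small Python linter that reads a PIX 6.x config and reports those gaps plus duplicated conduit lines. The config excerpt it runs on is constructed from lines on the page, with the public addresses masked as XXX exactly as the poster masked them.

```python
"""Lint a PIX 6.x config for the gaps raised in the thread: an access-list that
is defined but never bound, duplicated conduit lines, and a VOIP host with no
static translation. Added example, not the thread's or Cisco's code; the excerpt
is constructed from lines on the page, public addresses masked as the poster did."""
import re
from collections import Counter

SAMPLE_CONFIG = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 101 permit tcp host 65.121.247.XXX host 192.168.1.254 eq h323
access-list 101 permit tcp host 65.121.247.XXX host 192.168.1.254 eq 5060
nat (inside) 0 access-list 100
static (inside,outside) 65.121.247.XXX 192.168.1.150 dns netmask 255.255.255.255 0 0
conduit permit tcp host 65.121.247.XXX eq 3389 any
conduit permit tcp host 65.121.247.XXX eq 3389 any
conduit permit tcp host 65.121.247.XXX eq 5060 any
"""

def unbound_access_lists(config):
    """ACL names that are defined but neither bound with access-group nor
    referenced by another statement (nat, static, crypto map ...)."""
    defined = set(re.findall(r"^access-list (\S+)", config, re.M))
    bound = set(re.findall(r"^access-group (\S+)", config, re.M))
    referenced = set(re.findall(r"^(?!access-list)\S.*\baccess-list (\S+)",
                                config, re.M))
    return sorted(defined - bound - referenced)

def duplicate_conduits(config):
    """Conduit lines that appear more than once (harmless, but noise)."""
    counts = Counter(l.strip() for l in config.splitlines()
                     if l.startswith("conduit "))
    return sorted(line for line, n in counts.items() if n > 1)

def static_for_host(config, inside_ip):
    """Mapped (outside) address of the static for inside_ip, or None."""
    pat = r"^static \(inside,outside\) (\S+) %s\b" % re.escape(inside_ip)
    m = re.search(pat, config, re.M)
    return m.group(1) if m else None

def lint(config, voip_host):
    """Human-readable findings for one config and one inside VOIP host."""
    findings = [f"access-list {acl} is defined but never applied "
                f"(missing: access-group {acl} in interface outside)"
                for acl in unbound_access_lists(config)]
    findings += [f"duplicate conduit: {line}" for line in duplicate_conduits(config)]
    if static_for_host(config, voip_host) is None:
        findings.append(f"no static (inside,outside) entry for {voip_host}: "
                        "inbound SIP/RTP cannot reach it")
    return findings
```

Run `lint(SAMPLE_CONFIG, "192.168.1.254")` (the host ACL 101 targets) to get all three findings; against the full posted config the same checks also flag the repeated 3389 conduit lines.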
Mutogi (IT Manager, author) commented:
Away from office; will advise Sat the 17th 2010.
Mutogi (IT Manager, author) commented:
All commands added, and much better quality: you can hear both ends, but very, very choppy. Phone extensions stay lit for approx. 6-10 secs after the person hangs up the phone?
Mutogi (IT Manager, author) commented:
Problem not completely fixed. Still cutting out; 90% good to go.
mcsween (Sr. Network Administrator) commented:
Sorry, I missed your comments.  It looks like you may be having a latency issue with the choppy calling.  You need very low latency to support VOIP.

You should be under 150ms for proper call quality.  Over 300ms and the calls become unacceptable.  You may have to increase the internet speed at one end to reduce latency.
Mutogi (IT Manager, author) commented:
Mcsween,

We are in the process of getting 2x T1, which should allow QoS and other phone calls to work. Will keep you posted.
mcsween (Sr. Network Administrator) commented:
If these T1s aren't going to be bonded from the ISP, you might look into a device like this:

http://www.ecessa.com/pages/products/products_powerlink_pl100.php