Solved

Can't open ports to allow hosted VoIP connection

Posted on 2010-11-26
Last Modified: 2012-05-10
We are in the middle stages of setting up VoIP with OTT communications, www.ott.com. They are a local company that I have used for my POTS phone system at my business for four years without a glitch, so I trust them pretty well.

Only a few commands need to be added, but they have decided to make it as complicated as possible :-). Of course, they could just come over and enter them and get it set up, but I like screwing things up myself. So, here is the situation. The following is my PIX-501 config:

pixfirewall(config)# show config
: Saved
: Written by enable_15 at 22:36:43.912 UTC Mon Apr 5 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6qJ0EmbcKndCH5LG encrypted
passwd bSuKLOOGeZum0lYN encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 72.xx.xxx.99 eq https
access-list outside_access_in permit tcp any host 72.xx.xxx.99 eq 444
access-list outside_access_in permit tcp any host 72.xx.xxx.99 eq 4125
access-list outside_access_in permit tcp any host 72.xx.xxx.99 eq 3389
access-list outside_access_in permit tcp any host 72.xx.xxx.99 eq smtp
access-list outside_access_in permit tcp any host 72.xx.xxx.99 eq pptp
access-list outside_access_in permit tcp any host 72.xx.xxx.99 eq 987
access-list outside_access_in permit tcp any host 72.xx.xxx.100 eq 3390
access-list inside-in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.xx.xxx.98 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.1.30 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 72.xx.xxx.100 3390 192.168.1.30 3389 netmask 255.255.255.255 0 0
static (inside,outside) 72.xx.xxx.99 192.168.1.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside-in in interface inside
route outside 0.0.0.0 0.0.0.0 72.xx.xxx.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server
vpnclient mode client-mode
vpnclient vpngroup password
terminal width 80

So above is my current configuration. Everything works fine. Internet, RWW, RDP (I know I should change 3389). Of course, VoIP service doesn't connect to host.

Now the first OTT tech gave me commands which replaced my Ethernet0 command which wouldn't allow anything to work. The second tech had the advantage of looking at my emailed config and addressed that so that he wrote me the following:

************************************************************************
access-list OTT extended permit tcp any host 64.135.128.98 eq sip
access-list OTT extended permit tcp any host 64.135.128.98 eq 5060
access-list OTT extended permit udp any host 64.135.128.98 range 10000 65000
access-group OTT in interface outside
(rule to assign access-lists to the interface)

As far as the group though you cannot have multiple groups assigned to one interface. You will have to add these to your access lists so that they can be used.  These would be changed to be like this:

access-list outside_access_in  extended permit tcp any host 64.135.128.98 eq sip
access-list outside_access_in  extended permit tcp any host 64.135.128.98 eq 5060
access-list outside_access_in  extended permit tcp any host 64.135.128.98 range 10000 65000

This is already assigned to your interface in your config so you don’t have to change anything there.
*********************************************************************
So, I was completely confused as to the first list of access-lists as his next sentence stated you couldn't have two groups on the same interface. Besides any command with the word "extended" wouldn't work. So, I ignored those and entered the last three commands as it seemed he was stating these had to be added to the access list I already had. Again, extended would not work. Two things occurred. The commands took as you can see in the Show Run configuration. But, the one with eq sip does not take. FYI: the phone does not work. I also note that there is no UDP command.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6qJ0EmbcKndCH5LG encrypted
passwd bSuKLOOGeZum0lYN encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 72.xx.161.99 eq https
access-list outside_access_in permit tcp any host 72.xx.161.99 eq 444
access-list outside_access_in permit tcp any host 72.xx.161.99 eq 4125
access-list outside_access_in permit tcp any host 72.xx.161.99 eq 3389
access-list outside_access_in permit tcp any host 72.xx.161.99 eq smtp
access-list outside_access_in permit tcp any host 72.xx.161.99 eq pptp
access-list outside_access_in permit tcp any host 72.xx.161.99 eq 987
access-list outside_access_in permit tcp any host 72.xx.161.100 eq 3390
access-list outside_access_in permit tcp any host 64.xxx.128.98 eq 5060
access-list outside_access_in permit tcp any host 64.xxx.128.98 range 10000 65000
access-list inside-in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.xx.xxx.98 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.1.30 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 72.xx.xxx.100 3390 192.168.1.30 3389 netmask 255.255.255.255 0 0
static (inside,outside) 72.xx.xxx.99 192.168.1.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside-in in interface inside
route outside 0.0.0.0 0.0.0.0 72.xx.xxx.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server
vpnclient mode client-mode
vpnclient vpngroup
terminal width 80

I apologize for the confusion. Maybe if I answer your questions, it will be clearer.

The bottom line based on my configuration and based on the IP addresses they want to be allowed to go through, maybe it is just as easy to suggest the best way to enter everything.

I have two major questions:

1. Why does the sip command not enter?
2. Do I need "extended", and if I do, why does it not enter?
Question by:Bert2005

11 Comments

Expert Comment

by:Pete Long
ID: 34221594
- OK, they are just telling you that you can have multiple Access Control Lists applied to the same interface (in the same direction < just put that there for the pedants, you can ignore it).

In your case you would simply enter the following

access-list outside_access_in  permit tcp any host 64.135.128.98 eq sip
access-list outside_access_in  permit tcp any host 64.135.128.98 eq 5060
access-list outside_access_in  permit tcp any host 64.135.128.98 range 10000 65000

You knock the word extended out - an extended ACL is one with a name, not a number - you will only see the word extended if you were on a Cisco firewall with an OS above version 7 (i.e. NOT on your Cisco PIX501, which can't go that far).

That will be all you need traffic wise - I've never really dealt with SIP or VOIP so I'm unsure if it needs anything else

Pete

 - and thanks for visiting the site :)

Accepted Solution

by: ullas_unni (earned 500 total points)
ID: 34221619
SIP uses port 5060, so
 access-list outside_access_in permit tcp any host 64.xxx.128.98 eq 5060
should do fine.

The sip keyword is not taken in version 6.3(5).

If you are using SIP with UDP, then make sure you have
 access-list outside_access_in permit udp any host 64.xxx.128.98 eq 5060
as well.

And you require a static NAT as well:
 static (inside,outside) 64.xxx.128.98 <pvt ip of the server> netmask 255.255.255.255

To answer your 2nd question: in PIX the extended keyword is not required; it is taken by default when you mention ip, tcp or udp. If you don't mention any of the 3, it is taken as a standard ACL.

Author Comment

by:Bert2005
ID: 34223203
Thanks guys,

Yeah, it wouldn't take the sip line.

I have a really, really dumb question.

When I enter these commands and type show run, I can see them in the PIX memory. Are they working then, or do I need to type "wr mem" before they are applied?

Author Comment

by:Bert2005
ID: 34227523
static (inside,outside) 64.xxx.128.98 <pvt ip of the server> netmask 255.255.255.255

ullas, the above static command shows an error saying it already has a static command, but it references my public IP with the server:

static (inside,outside) 72.xx.xxx.99 192.168.1.100 netmask 255.255.255.255 0 0

Expert Comment

by:ullas_unni
ID: 34227556
To answer your first question: wr mem is to save your config to startup memory so that the next time you reboot the system it will take that config. If you do not do a wr mem, it would still work and show up in sh run, but it does not get saved to the memory (you won't see it if you do a show start).

So what is the private IP and the public IP of your server? Because all the access-lists refer to public IP 64.xxx.128.98.


Author Comment

by:Bert2005
ID: 34235321
I thought it said in the configuration above that the public IP was 72.xx.xxx.98
The private IP is 192.168.1.100

Author Comment

by:Bert2005
ID: 34235521
When I try to add:

static (inside,outside) 64.xxx.128.98 192.168.1.100 netmask 255.255.255.255

it tells me it is a "duplicate of an existing status" which it is not. Those are two different IPs in the static commands.

Expert Comment

by:ullas_unni
ID: 34235894
You already have 192.168.1.100 mapped to 72.x.x.99 in your config:
 static (inside,outside) 72.xx.xxx.99 192.168.1.100 netmask 255.255.255.255 0 0

That is why you can't map the same 192.168.1.100 to another public IP on the same interface:
 static (inside,outside) 64.xxx.128.98 192.168.1.100 netmask 255.255.255.255
and it shows "duplicate of existing".

Author Comment

by:Bert2005
ID: 34236151
"and you require a static nat as well.
static (inside,outside) 64.xxx.128.98 <pvt ip of the server> netmask 255.255.255.255"

But, you had suggested this in one of your statements above. I apologize if I am being impolite.

Expert Comment

by:ullas_unni
ID: 34237794
lol! You don't have to apologize! Anyways.. yeah, I suggested that because I thought your server would be on a different private IP address... apparently it looks like it is on the same IP address, i.e. 72.x.x.99. So why don't we create the access-list for the 72.x.x.99 itself, opening the ports 5060 and

access-list outside_access_in permit udp any host 72.x.x.99 eq 5060

Then we should be good with the existing static itself, i.e.
 static (inside,outside) 72.xx.xxx.99 192.168.1.100 netmask 255.255.255.255 0 0



Author Comment

by:Bert2005
ID: 34238643
OK, gotta see a lot of little brats (pediatrician) -- no they are nice kids, now the parents -- wish I had a firewall for them. I will try this evening.