Firewall Wizards mailing list archives

Re: Pix, VoIP and ATA's


From: "Chris Wargaski" <cwargaski () rmstsi com>
Date: Thu, 30 Nov 2006 00:55:27 -0600

So it sounds like you are having two problems, please confirm:

1) The ATAs cannot get an IP address from the PIX at location B
2) The ATAs are unable to send voice data across the VPN

Can you answer the following questions:

- You say that every machine (except the ATAs) connects fine. Do you mean they connect fine to location 
A over the VPN? 
- Can machines at location A ping an ATA when the ATA has a statically assigned IP address?
- Can you post the entire config of the location B PIX? I want to see all the ACLs, IPs and crypto stuff.



cjw

Christopher J. Wargaski 
RMS Technology Solutions, Inc.
cwargaski () rmstsi com
(847) 215-1661 x223



-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com on behalf of J. Oquendo
Sent: Wed 11/29/2006 1:43 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Pix, VoIP and ATA's
 
Hey all, having an issue with a Pix and VoiP protocols. I have 3 ATA's 
hooked up to a bridge, that's being given DHCP via a Pix. Every machine 
works fine getting DHCP and connecting except the ATA's. My connection 
is as follows:

Internet --> Adtran Router --> Pix --> Internal

There are no rules on the Adtran side that would prohibit anything, and 
the Pix is very minimal (mid sized location). The ATA's connect to 
another Pix which is VPN'd with this one.

LocationA ---> Pix --> Adtran --> Internet --> Adtran --> Pix --> 
LocationB(ATA's are here)

I created an acl on LocationB:

access-list acl_inside permit ip 192.168.20.0 255.255.255.0 host xxx.xxx.xxx.xxx

Where xxx.xxx.xxx.xxx is the registrar for these ATA's (LocationB). When 
it comes to DHCP, the Pix will not spit out an address for these ATA's. 
Before someone comments: "The ATA's are broken and they're not getting 
DHCP" or something. I can hook them up into any other device and they 
will obtain DHCP. I can hook up a laptop into the same ports as the 
ATA's, and the laptop works fine. Seems like there is something I am 
missing? If I statically assign them addresses, still no dice.


Here are relevant Pix configs:

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

timeout h323 1:39:00 mgcp 1:39:00 sip 9:30:00 sip_media 1:39:00
timeout sip-disconnect 0:10:00 sip-invite 0:10:00

dhcpd address 192.168.10.2-192.168.10.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside



-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 

The happiness of society is the end of government.
John Adams


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
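As an added consistency check (not part of the thread, and not a diagnosis), the script below parses the PIX lines quoted in the original post and reports whether SIP inspection is enabled on udp/5060 and whether the ACL's permitted source network actually contains the addresses the dhcpd pool would hand to the ATAs. The registrar host is a constructed placeholder because the post redacts it as xxx.xxx.xxx.xxx.

```python
import ipaddress
import re

# Constructed from the lines posted in the thread; the registrar host
# (203.0.113.10) is a placeholder standing in for the redacted address.
PIX_CONFIG = """
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
access-list acl_inside permit ip 192.168.20.0 255.255.255.0 host 203.0.113.10
dhcpd address 192.168.10.2-192.168.10.254 inside
dhcpd lease 3600
dhcpd enable inside
"""

def parse_pix(config):
    """Pull the SIP fixups, ACL source networks and DHCP pool out of PIX 6.x lines."""
    facts = {"sip_fixup": set(), "acl_sources": [], "dhcp_pool": None, "dhcp_enabled": False}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"fixup protocol sip(?: (tcp|udp))? (\d+)$", line):
            # "fixup protocol sip 5060" with no transport keyword means TCP on PIX 6.x
            facts["sip_fixup"].add((m.group(1) or "tcp", int(m.group(2))))
        elif m := re.match(r"access-list \S+ permit ip (\S+) (\S+) host (\S+)", line):
            # PIX ACLs use real subnet masks, not IOS-style wildcard masks
            facts["acl_sources"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif m := re.match(r"dhcpd address (\S+)-(\S+) inside", line):
            facts["dhcp_pool"] = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
        elif line == "dhcpd enable inside":
            facts["dhcp_enabled"] = True
    return facts

def check(facts):
    """Return a list of findings; an empty list means the posted lines agree with each other."""
    findings = []
    if ("udp", 5060) not in facts["sip_fixup"]:
        findings.append("no SIP fixup on udp/5060")
    if not facts["dhcp_enabled"] or facts["dhcp_pool"] is None:
        findings.append("dhcpd not enabled on inside, or no pool defined")
    else:
        lo, hi = facts["dhcp_pool"]
        # A leased ATA address must fall inside some ACL source network to reach the registrar
        if not any(lo in net and hi in net for net in facts["acl_sources"]):
            findings.append(f"DHCP pool {lo}-{hi} is not inside any ACL source network")
    return findings

if __name__ == "__main__":
    for finding in check(parse_pix(PIX_CONFIG)) or ["no inconsistencies found"]:
        print(finding)
```

On the posted values it flags that the pool 192.168.10.2-254 lies outside the 192.168.20.0/24 ACL source; whether that matters here depends on which PIX each snippet came from, which the post does not say.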
