SIP connection Through PIX

Similar Messages

• XPunlimited connection through Pix 506e

  I have a Pix506e that I need to open port 3389 for remote connection to a Win2003 server that is running XPunlimited for 2003 Servers. I have searched the internet and have tried numerous different access list commands to try and make this work. What I'm looking for is a CCNE that can help me get this going and maybe look at my existing configuration file to tell me what isn't set up properly.

  You bet....here it is
  PIX Version 6.3(1)
  interface ethernet0 auto
  interface ethernet1 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password wVolyRqUC55O9Zpf encrypted
  passwd wVolyRqUC55O9Zpf encrypted
  hostname TOS
  domain-name
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  names
  access-list nat0 permit ip 172.20.10.0 255.255.255.0 172.20.11.0 255.255.255.0
  access-list acl-out permit tcp any interface outside eq pcanywhere-data
  access-list acl-out permit udp any interface outside eq pcanywhere-status
  access-list acl-out permit tcp any host eq pcanywhere-data
  access-list acl_out permit udp any host eq 5631
  access-list acl_out permit tcp any host eq pcanywhere-data
  access-list acl_out permit udp any host eq pcanywhere-status
  access-list acl_out permit tcp any host eq 3389
  access-list acl_out permit udp any host eq 3389
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address outside dhcp setroute
  ip address inside 172.20.10.1 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool vpnpool 172.20.11.1-172.20.11.10
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nat0
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) tcp interface pcanywhere-data 172.20.10.51 pcanywhere-da
  ta netmask 255.255.255.255 0 0
  static (inside,outside) udp interface pcanywhere-status 172.20.10.51 pcanywhere-
  status netmask 255.255.255.255 0 0
  access-group acl-out in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set vpn1 esp-des esp-md5-hmac
  crypto dynamic-map dynmap 1 set transform-set vpn1
  crypto map seabrook 1 ipsec-isakmp dynamic dynmap
  crypto map seabrook interface outside
  isakmp enable outside
  isakmp nat-traversal 20
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption des
  isakmp policy 1 hash md5
  isakmp policy 1 group 2
  isakmp policy 1 lifetime 1000
  vpngroup sclient address-pool vpnpool
  vpngroup sclient split-tunnel nat0
  vpngroup sclient idle-time 1000
  vpngroup sclient password ********
  telnet 172.20.10.0 255.255.255.0 inside
  telnet timeout 5
  ssh 24.61.165.168 255.255.255.248 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  terminal width 80

• Sporadic SIP phone connectivity through MBR1515a

  I have an IP phone (SIP)  connected through the MBR1515a. It works fine for roughly 6 hours. At that point it loses connectivity with the phone system which is on the internet. Restarting the phone makes no difference. Forcing the phone to get a different IP address enables it to work. Rebooting the MBR1515a also works. Both of these things are getting tedious. Sometime the router starts passing UDP packets again spontaneously  I have packet captures from both the phone and the phone system. No SIP packets are being forwarded from the phone through the router to the phone system. I can ping the phone system from a terminal window through the router.  Any suggestions would be appreciated.

  John,
  Just to qualify the re-register concept:
  - Re-registering the phone on the same ip address, either forcing a
  re-register, or rebooting the phone (which generally results in the same
  ip address being DHCP assigned, based on MAC Address match).  This does
  not resolve the issue.
  - Changing the ip address of the phone, simply by making the ip address
  static instead of DHCP assigned, and incrementing it by one low-order
  octet, will always resolve the issue.
  In my test area, I have a laptop assigned as the .2 address, the router
  is .1, and the phone starts off as .3, each time I have to increment the
  phone's ip address I increase to .4, .5 etc. I haven't tried going back
  to .3 however, which would be interesting.
  A couple of wrinkles in attempting to isolate this issue are:
  - On some occasions, the phone re-registers spontaneously (on the same
  ip address) with no outside intervention some time later, where time is
  measured in quanties of 10 minutes to 2 hours.  For some reason, the
  router decides to pass the register packet.
  - the phone has now been registered for > 24 hours, which is
  frustrating. I may have to reset back to DHCP to make it happen again.
  I may have gotten the attention of VZW support, which makes me really
  want to have a concise problem description, pcap files, etc.
  I have another phone sitting next to it, configured the same, going out
  over a Cradlepoint router with an analogous 4g modem. that's been
  connected for 6 months.  I've swapped phones a couple of times, and the
  problem stays with the VZW router.
  That's where it stands at present. Thanks for your review... It keeps me
  honest and opens up new things to try
  ronb-netweave-signature
  Ron Byer Jr.
  NetWeave Integrated Solutions, Inc.
  +1 732.786.8830 x120
  [email protected]

• Vpn connected to Pix but no Internet Access after connection

  Hi,
  We have just changed over our firewall to a Pix 515. The VPN Client (4.6) has been set up and remote users can connect ok and authenticate using Windows IAS. However, once they connect to the VPN they can no longer surf the internet. Our support company are saying that this is impossible because it can cause spoofing. Is this really impossible on the Pix? Is there a way that the remote user can surf the internet via their local connection when connected on the VPN?
  Many thanks for looking.
  PJ.

  Hello,
  It is possible to connect through Cisco VPN client while keep using the internet. You have to use something called Split Tunneling. Below you can find a link how to configure split tunneling:
  http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
  Hope this helps,
  Appreciate your rating,
  Regards,

• Client connecting through firewall

  Hi
            We have two clustered servers.Our client is connecting through
            firewall NAT. When iam connect to first server the response is very slow and
            at the same time clustering is not working.If i stop the second server the
            response fast .
            The same configaration is working fine when my client is local.
            Can you explain the reason for this problem ?
            Presently iam using weblogic 6.1 version.
            Thank you
            

  OK I spoke too soon. The user looked like it was working but it was working because it matched another IAS policy further down the list. It seems as though the PIX refuses to use ms-chap of any sort. If I include the authentication type in the VPN policy conditions as ms-chap, it skips the VPN policy I am using to authenticate this. If I remove it, then it gives an invalid authentication type as if whatever the PIX is sending the IAS server does not understand as ms-chap.
  It seems like the PIX authentication is totally wrong for use with IAS. What else do I need to add to this configuration to gewt it to work with ms-chap of any kind? I really don't get it.

• CME 7.1 with SCCP 7940G phones and SIP connection to a VOIP provider - inbound outbound fails

  Here's a quick and dirty diagram of a CME 7.1 configuration. The phone can all call each other but something is not quite right with the SIP provider. The registrar and SIP registration pieces are working but most of the configuration examples that I've seen make me think that the CME router was being used as the edge device to the internet. From my drawing, you can see that is not the case here. My edge device is a Cisco ASA5505 with 9.2.x software running. I might be missing something in the SIP gateway knowledge department. Without diving into the configuration, I'm wondering if SIP messages are failing for calls because of NAT'ing? Trying to do searches has been tricky because I keep running into information that is more about setting up CME for SIP phones or just getting SIP to work between CME and a SIP provider. I have that part working. I'm just a bit unsure about how an SCCP 7940G gets an outbound call or even gets one to come in.
  When I dial from my cell phone to the pilot number, there are no rings, it just goes to the VOIP provider's voice mail. When I try to dial out, I get a fast busy.
  So, is NAT a consideration? Will the SIP gateway set up a call (forward) via the pre-established SIP connection? Yeah, I do sound like a newb.
  If anyone has good information about, let's say, an inbound call and how that traffic flow works.
  Thanks!

  Have you configured your ASA to either NAT the IP address of the CME router or to do port forwarding for port 5060?

• Problem with socket connection through Java Embedding...

  We are trying to create a simple socket connection to a socket server through BPEL PM using the Java Embedding component.
  BPEL Process : Client makes an asynchronous request. Passes an input variable. The input variable is sent to the Server Program through a socket connection through the Java embedding component.
  Server: We are running a simple Socket Server program from command prompt.
  The code below works fine as long as we do not try to receive a response from the server (Commented Code).
  If we uncomment the code and try to receive a response, it refuses to create an instance for the BPEL Process. And sometimes restarts the BPEL Server.
  Client Code:
  String msg="NONE";
  try{
  org.w3c.dom.Element input = (org.w3c.dom.Element) getVariableData("inputVariable","payload","/client:clientProcessRequest/client:input");
  msg = input.getNodeValue();
  Socket clientsoc=new Socket("ServerIP",1000);
  PrintWriter out1=new PrintWriter(clientsoc.getOutputStream());
  out1.write(msg);
  out1.flush();
  BufferedReader cin1=new BufferedReader(new InputStreamReader(clientsoc.getInputStream()));
  msg=cin1.readLine();
  setVariableData("outputVariable","payload","/client:result",new String(msg));
  clientsoc.close();
  catch(UnknownHostException e)
  System.err.println("Don't know about host: dev.");
  System.exit(1);
  catch (IOException e)
  System.err.println("Couldn't get I/O for "+ "the connection to: dev.");
  System.exit(1);
  }

  Repost

• HT1430 I CANT GET my IPad to connect to my WiFi and now I can't get it to go back so I can connect through iTunes- any ideas??

  cannot get iPad to connect to WiFi because I can't find the password-and now i can't get the iPad to reset to be able to connect through iTunes--help

  cannot get iPad to connect to WiFi because I can't find the password-and now i can't get the iPad to reset to be able to connect through iTunes--help

• Help I purchase an Ipad yesterday I amusing internet connection through a netgear wired to my home computor since yesterday I am unable to open my emails or access my bank account ps I am not technical I am with orange broad band and have followed their i

  Help I purchased an ipad yesterday I am using internet connection through a wired up netgear router through my pc.Since then I cannot open my hotmail emails or access my online banking on wired pc and the navigator on ipad not working.
  I would appreciate help I followed all directions that Orange provided with netgear router

  Something here may help
  http://www.apple.com/uk/support/ipad/contact/
  pick a subject from left hand panel
  and this
  http://manuals.info.apple.com/en_US/ipad_user_guide.pdf

• HT2250 I have been able to get my MacBook Pro to print wirelessly through my Airport device. How do I make it so other computers (non-Mac) can also print wirelessly as well? They are able to connect through my wireless network but can't print.

  I have been able to get my MacBook Pro to print wirelessly through my Airport device. How do I make it so other computers (non-Mac) can also print wirelessly as well? They are able to connect through my wireless network but can't print.

  Well, you could install the drivers to the wireless printer in you other computers.
  blue apple > System Preferences... > sharing
  check printer sharing.

• How can i airplay from my mac connected through ethernet to an aple tv 2 on wifi

  Hi everyone..
  im having troubles using Airplay on my mac.. i connect my mac to the internet and home network using an ethernet connection to my router (non apple branded router) .. my apple tv 2  is connected to my home wifi network from the same router.. when i first set up my apple tv.. i was able to see the Airplay icon on itunes and it would let me Airplay media from my mac to my apple tv.. however.. it disconnects after a little while.. same thing with viewing my itunes library from apple tv.. i was able to detect my shared library from the apple tv.. i was able to play some media but then it disconnected after some time.. but now.. the Airplay icon doesnt show up in itunes anymore.. and i cant see my shared library from my apple tv neither.. ive looked around for a solution and followed the tip to turn the ipv6 off.. it worked for some time but now the problem is back..
  i know the obvious solution is to connect my mac to the same wireless network as my apple tv.. but i would like to keep it connected through ethernet..
  Mac OS X Lion 10.7.4
  Apple TV 2 software version 4.4.4
  Thanks in advance

  thisguy. wrote:
  ......i know the obvious solution is to connect my mac to the same wireless network as my apple tv.. but i would like to keep it connected through ethernet.........
  I wouldn't say that was the obvious answer at all, my Mac is connected by ethernet and 6 of my 7 Apple TV's are connected by wifi, I haven't had any of your problems. The problem is most likely on your network.
  Intermittent problems
  Intermittent problems are often a result of interference. Interference can be caused by other networks in the neighbourhood or from household electrical items.
  You can download and install iStumbler (NetStumbler for windows users) to help you see which channels are used by neighbouring networks so that you can avoid them, but iStumbler will not see household items.
  Refer to your router manual for instructions on changing your wifi channel or adjusting your multicast rate.
  There are other types of problems that can affect networks, but this is by far the most common, hence worth mentioning first. Networks that have inherent issues can be seen to work differently with different versions of the same software. You might also try moving the Apple TV away from other electrical equipment.
  Consistent Problems
  A frequent cause of consistent failure to enable AirPlay or HomeSharing at all, is the service being blocked on the network. Make sure your network isn't hidden, has a unique name, that MAC address authentication is disabled, security is set to use WPA 2 Personal and that there is only one router/device acting as a DHCP server and providing NAT services.
  Make sure your router/computer allows access over the following ports
  Port
  Type
  Protocol
  Used By
  80
  TCP
  HTTP
  AirPlay
  443
  TCP
  HTTPS
  AirPlay
  554
  TCP/UDP
  RTSP
  AirPlay
  3689
  TCP
  DAAP
  iTunes/AirPlay
  5297
  TCP
  Bonjour
  5289
  TCP/UDP
  Bonjour
  5353
  TCP/UDP
  MDNS
  Bonjour/AirPlay
  49159
  UDP
  MDNS (Win)
  Bonjour/AirPlay
  49163
  UDP
  MDNS (Win)
  Bonjour/AirPlay
  Refer to your router manual/manufacturer for any settings that are specific to that model.
  Another frequent cause of consistent failure to enable AirPlay or HomeSharing at all, is security software, in many cases configuring it correctly, disabling it or even uninstalling it can help, but in some cases the security software can cause problems that simply reconfiguring, disabling or uninstalling cannot reverse.
  If you are consistently unable to activate AirPlay, have tried all the steps in this article and have security software installed on your system, you might benefit from contacting its provider or participating in any online forums they run to discuss the matter with them.

• My IPOD and Macbook Pro both will not connect to the Itunes store through Itunes says no internet connection, but I can connect through safari and I have a internet connection

  My IPOD and Macbook Pro both will not connect to the Itunes store through Itunes says no internet connection, but I can connect through safari and I have a internet connection

  As I mentioned above, I am not very tech savvy so I have no idea why a wireless protocol would be showing up there, I'm just listing everything I see in hopes that someone might know something I can try. This is why I am asking for help here - I'm not sure what has happened that has made me unable to connect, especially since it seemingly occured while nobody was using the computer.
  I guess I should clarify that I'm not a total hillbilly- normally my firewall is set to 'on', but I set it to 'off' to try and troubleshoot the issues here as I was told that sometimes it can interfere with the computer's ability to connect to the internet. If this is not the case and firewall does not affect anything, I will turn it back on while I try to fix this.
  I have tried the method you mentioned above a few times - I actually contacted my ISP earlier this week and they recommended resetting the router like that. They didn't mention any known network issues.

• I can print from my macbook pro using airport express usb connected printer, however my iPad is looking for an airprint printer.  Can I direct the iPad to the usb connected printer.  Both macbook and iPad confirm a wifi connection through the airport exp.

  I can print from my macbook pro using airport express usb connected printer, however my iPad and iphone are looking for an airprint printer.  Can I direct the iPad/iphone to the usb connected printer.  Macbook iphone and iPad confirm a wifi connection through the airport express.

  You will need to install an App like Print Central on the iPad to try to print to the printer. It will allow you to print to most printers. Check with their support folks if you need more info.
  PrintCentral for iPad on the iTunes App Store

• How can I know which clients are connected to my network through express and which are connected through extreme?

  I have an airport express extending, through wireless, a network provided by an airport extreme. How can I know which clients are connected to my network through express and which are connected through extreme?
  Here you can see both routers:
  I would expect to some clients connected to the express, other than the extreme. And that's all I see: only the airport extreme appears as client of the airport express.
  Below, one can see the summary of the config for both routers.
  Would somebody explain it?
  Thanks,
  Marcelo
  Message was edited by: Marcelão

  please disregard this answer.
  Message was edited by: Marcelão

• Getting Creative Zen player to connect through amarok [SOLVED]

  Edited 12-27 to include new info
  I'm trying to get myCreative Zen player to connect through amarok but am having some problems. After some looking around I figured out the libmtp in the extra repository doesn't support this player, but the newest versions do. I made a new package for libmtp-0.2.4 and installed it since there's been some tweaks that affect this player since 0.2.2 which is in testing. I also had to recompile amarok since one of libs changed a name with the new libmtp. The instructions from libmtp mentioned udev rules needed to be defined, which was done by copying a file from the source code into /etc/udev/rules.d. That file (minus the parts relating to other players, which is pretty much the same as here):
  # UDEV-style hotplug map for libmtp
  # Put this file in /etc/udev/rules.d
  ACTION!="add", GOTO="libmtp_rules_end"
  ATTR{dev}!="?*", GOTO="libmtp_rules_end"
  SUBSYSTEM=="usb", GOTO="libmtp_usb_rules"
  # The following thing will be deprecated when older kernels are phased out.
  SUBSYSTEM=="usb_device", GOTO="libmtp_usb_device_rules"
  GOTO="libmtp_rules_end"
  LABEL="libmtp_usb_rules"
  # Creative ZEN 8GB
  ATTR{idVendor}=="041e", ATTR{idProduct}=="4157", SYMLINK+="libmtp-%k", MODE="666"
  GOTO="libmtp_rules_end"
  LABEL="libmtp_usb_device_rules"
  # Creative ZEN 8GB
  ATTRS{idVendor}=="041e", ATTRS{idProduct}=="4157", SYMLINK+="libmtp-%k", MODE="666"
  GOTO="libmtp_rules_end"
  LABEL="libmtp_rules_end"
  When I plug the player to my usb port dmesg gives
  usb 5-1: new high speed USB device using ehci_hcd and address 8
  usb 5-1: configuration #1 chosen from 1 choice
  As my normal user amarok doesn't seem to recognize anything, and mtp-detect gives:
  libmtp version: 0.2.4
  Attempting to connect device(s)
  usb_claim_interface(): Operation not permitted
  LIBMTP PANIC: Unable to initialize device 1
  LIBMTP PANIC: configure_usb_devices() error code: 7 on line 1561
  Detect: There has been an error connecting. Exiting
  As root mtp-detect gives me a bunch of output that seems like it's doing what it should, also while it's spitting this out the screen on the player changes to say it's docked, which wasn't happening as the normal user. This makes me think it's some permissions issue. I did find things from google telling me that sometimes the user needs to be added to a certain group to use libmtp, though it seemed somewhat distro dependent. My main user is in the following groups: dbus hal network audio optical storage scanner camera users thinkpad
  However I don't think my problems are solely permission related, since even as root amarok won't recognize the player. I can use gnomad2 as root, which mostly works, though it crashes when I try and close gnomad after adding music and the player thinks it's still docked even after unplugging it. I had to use a pin to reset it just to turn it off. When I ran it from a console I got the following output at the end after the crash
  PTP: Closing session
  ERROR: Could not close session!
  inep: usb_get_endpoint_status(): Protocol error
  outep: usb_get_endpoint_status(): No such device
  usb_clear_halt() on IN endpoint: No such device
  usb_clear_halt() on OUT endpoint: No such device
  usb_clear_halt() on INTERRUPT endpoint: No such device
  The application 'gnomad2' lost its connection to the display :0.0;
  most likely the X server was shut down or you killed/destroyed
  the application.
  Any suggestions for where to go from here?
  Last edited by mcmillan (2008-01-11 05:38:14)

  I tried uploading onto my school website, but it doesn't seem accessable from there. However I just modified the version number from the regular Pkgbuild file from abs. What I have is:
  # $Id: PKGBUILD,v 1.8 2007/05/20 19:11:05 travis Exp $
  # Maintainer: damir <[email protected]>
  #Contributor: Kevin Edmonds <[email protected]>
  pkgname=libmtp
  pkgver=0.2.4
  pkgrel=1
  pkgdesc="library implementation of the Media Transfer Protocol"
  arch=("i686" "x86_64")
  url="http://libmtp.sourceforge.net"
  license=("LGPL")
  depends=("libusb")
  source=(http://easynews.dl.sourceforge.net/sourceforge/libmtp/$pkgname-$pkgver.tar.gz)
  options=('!libtool')
  #md5sums=('597b62d994d9491531b9e67190f6cfe7')
  build() {
  cd $startdir/src/$pkgname-$pkgver
  ./configure --prefix=/usr
  make || return 1
  make DESTDIR=$startdir/pkg install
  If you still have trouble building it let me know some other way than that I can send you the package.
  I've been meaning to post an update about my issues. I've figured out that when I connect the player it creates device nodes with the root group.  Some have permissions set to 666, which seems to fit with the udev rules I posted. But some of them are only rw for owner and group, others only have read permissions. As a test I tried changing the permissions by hand to 666, and I can use gnomad as my regular user, though it's buggy and seems to crash randomly (not just when I transfer files like I originally thought). I haven't been able to test what amarok does, since for some reason it stopped working this weekend and I haven't had a chance to figure out what happened. It seems there some problem with the udev rules, but I don't know much about how that works to figure out what's going wrong.