opening up CME to internet

tato386 · ‎10-09-2008

I want to be able to have my IP phones and IP communicator machines to be able to register and use CME without having to VPN in. Seems like the port usage is rather complicated but this is what I have come up with so far.

access-list 101 permit udp any host 1.1.1.1 eq tftp

access-list 101 permit tcp any host 1.1.1.2 eq www

access-list 101 permit tcp any host 1.1.1.2 eq 2000

access-list 101 permit udp any host 1.1.1.2 range 24576 32768

Int the example below, 1.1.1.2 is the public IP of my CME box and 1.1.1.1 is the tftp server where I have copied and edited the config files with the public IP of the CME.

As of now the phones can register and dial-out but I am getting no audio.

Also, I see the phones requesting .tlv files from the tftp but I only have cnf files. What are the .tlv files for?

What am I missing for the audio?

Thanks,

Diego

Marwan ALshawi · ‎10-09-2008

the issuse here is u have ACL applied on the outside interface as we know at the end of evry ACL there is an implicit deny now as u stated the phone rigister and dial but no audio audio use random upd port negocited between phones and CME this need to be solved in two

one way not good at all which u oped all upd traffic betwen 16xx 32xx

the best way is to have application inspection in ur case should be CBAC which is abalable on IOS firewall features if u use ISR mostly u have this feature this will open this port based on the seesion and closed after the end of the session (application inspection)

good luck

if helpful Rate

tato386 · ‎10-13-2008

Thank you sir. I will take a look at that.

Diego