PIX 506-E Static question

May 24th, 2009

I am trying to publish a voice over IP system to the web. I have 1 public IP address available and need to publish several ports. The ports are 5060-5065 & 10000-30000.

On the access-list I did:

permit udp any any range 5060 5065
permit udp any any range 10000 30000

I created an object-group with:

object-group service voip udp
  port-object range 5060 5065
  port-object range 10000 30000

How do I configure the static? If possible I want to avoid:

static (inside,outside) interface netmask

In favor of being able to map other ports to other inside hosts.


It would be best to talk about the protocol that the VoIP system is using for signaling. The reason being the fact that there are secondary channels that require openings. Additionally, there may be changes that need to happen within the stream of signaling as it passes through the PIX.

For example, if you have a Cisco phone outside the PIX running Skinny, the secondary channels that are opened for RTP will be attempted to the private IP addresses (which will fail). To resolve this, the ASA has a "Skinny" fixup (to fix it up).

If the system that you have is using a signaling protocol that the PIX understands, then you will only need to open the ports for signaling. The stateful inspection in the PIX should create the appropriate NAT mappings (xlates) and ACL openings. I hope that makes sense.
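
The approach described in the reply above, written out as an added example that is not part of the original thread: the wide opening from the question beside a signaling-only configuration that relies on inspection. It assumes PIX OS 6.3 syntax and SIP over UDP 5060 (the thread does not name the protocol); the inside address 192.168.1.10 and the ACL name outside_in are hypothetical.

```cisco
: Constructed example, PIX OS 6.3 syntax (PIX 506E).
: Assumptions: signaling is SIP on UDP 5060; 192.168.1.10 is a
: hypothetical inside VoIP server; outside_in is a hypothetical ACL name.

: --- Wide opening (shown commented out) ---
: Static port redirection maps one port per line, so forwarding
: 10000-30000 this way needs a static per port, and the ACL below
: leaves 20,001 UDP media ports permanently reachable from any source.
: access-list outside_in permit udp any interface outside range 5060 5065
: access-list outside_in permit udp any interface outside range 10000 30000

: --- Signaling only, media opened per call by inspection ---
: Inspect SIP so private addresses embedded in the signaling are
: rewritten and the RTP xlates and ACL openings are created dynamically.
fixup protocol sip udp 5060

: Redirect only the signaling port on the shared outside address.
: Other ports on the interface address stay free for other inside hosts.
static (inside,outside) udp interface 5060 192.168.1.10 5060 netmask 255.255.255.255

: Permit only signaling from outside and bind the ACL to the interface.
access-list outside_in permit udp any interface outside eq 5060
access-group outside_in in interface outside
```

After a test call, `show xlate` and `show conn` should list the dynamically created media entries; if none appear, the inspection engine is not parsing the vendor's signaling.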

