
PIX 506-E Static question

I am trying to publish a voice over IP system to the web. I have 1 public IP address available and need to publish several ports. The ports are 5060-5065 & 10000-30000.

On the access-list I did:

permit udp any any range 5060 5065
permit udp any any range 10000 30000

I created an object-group with:

object-group service voip udp
  port-object range 5060 5065
  port-object range 10000 30000

How do I configure the static? If possible I want to avoid:

static (inside,outside) interface 10.10.10.10 netmask 255.255.255.255

In favor of being able to map other ports to other inside hosts.

1 REPLY

Re: PIX 506-E Static question

It would be best to talk about the protocol that the VoIP system is using for signaling. The reason is that there are secondary channels that require openings. Additionally, there may be changes that need to happen within the stream of signaling as it passes through the PIX.

For example, if you have a Cisco phone outside the PIX running Skinny, the secondary channels that are opened for RTP will be attempted to the private IP addresses (which will fail). To resolve this, the ASA has a "Skinny" fixup (to fix it up).

If the system that you have is using a signaling protocol that the PIX understands, then you will only need to open the ports for signaling. The stateful inspection in the PIX should create the appropriate NAT mappings (xlates) and ACL openings. I hope that makes sense.
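The approach described in the reply, as an added example that is not part of the original thread: a port-level static for the signaling port only, with the matching fixup left to open the media channels, instead of exposing the whole 10000-30000 range. It assumes PIX OS 6.3 syntax and SIP signaling on UDP 5060 (the thread never names the protocol); `outside_in` is a hypothetical ACL name.

```cisco
: Constructed example for PIX OS 6.3; assumes SIP signaling on UDP 5060.
: "outside_in" is a hypothetical ACL name; 10.10.10.10 is the inside host from the question.

: Permit only the signaling port from the outside, not the 10000-30000 media range.
access-list outside_in permit udp any interface outside eq 5060
access-group outside_in in interface outside

: Port-level static (static PAT) on the interface address, so other ports
: on the same public IP remain free to map to other inside hosts.
static (inside,outside) udp interface 5060 10.10.10.10 5060 netmask 255.255.255.255 0 0

: SIP inspection: creates the xlates and ACL openings for the negotiated media channels.
fixup protocol sip udp 5060
```

After a test call, `show xlate` and `show conn` should list the dynamically created media entries.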
