Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ccm 4.1 and pix 6.2 troubleshooting

Here is my config:

Pix has 3 int: outside, inside, dmz

x.X.X.X, 10.0.1.0/24, 10.0.5.0/24

CCM is on 10.0.5.10 gw 10.0.5.1

pix is hooked to catalyst 4003

4003 is trunked to catalyst 3500

4003 vlan1 native, vlan5 for voice.

if I hook 2 IP Phones on vlan 5 of 3500 it works perfect.

Now, I am trying to hook one IP phone to VLAN1 getting an IP 10.0.1.Y (through another DHCP server having the good option 150)

This phone register perfectly to CCM, can call another phone in 10.0.5.X, however cannot be reached by a phone in 10.0.5.X

At the pix level, I have a NAT 0 statement permitting 10.0.1.Y into 10.0.5.Z

all of this is a first test to try to put IP phones on WAN.

any idea?

2 REPLIES

Re: ccm 4.1 and pix 6.2 troubleshooting

So the CCM is on Vlan5, and the routing between the two Vlans is via the pix. if this is the case I suspect your problem is the default behavior of the pix. that is the inside interface is a higher security level than the dmz interface, and by default traffic can only flow from the higher level to the lower level. That would mean that a phone on vlan 1 can register with the CCM because that instigates the call thats the same with a call from Vlan1 to vlan5, but if you try and instigate a call from vlan5 to vlan1 it wont work as vlan is a higher security level.

to fix this you have to put an access-list on the dmz interface allowing 10.0.5.0/24 to 10.0.1.0/24

HTH

Richard.

New Member

Re: ccm 4.1 and pix 6.2 troubleshooting

I do have this already:

access-list client permit icmp any any

access-list client permit tcp any any

access-list client permit udp any any

access-group client in interface inside

access-group client in interface DMZ

and I can ping easily from a 10.0.5.X address to a 10.0.1.Y address with no problem.

the other strange thing is:

if on the VLAN 1 I put a 7905G, it unreachable

if on the VLAN 1 I put a 7940, it does not ring but a call pops up on the screen: "from AAAA" but I cannot respond the call.

this is getting me nuts. is there a mecanism in the PIX that would not let stream go through ?

could it be a 3500XL issue ?

104
Views
0
Helpful
2
Replies
CreatePlease to create content