Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Command For Opening Port

I am using pix firewall 501 6.3.4

Can anyone show me the command to open the following port in my pix firewall.

SIP: Port 5060 UDP

RTP: Port 8000 UDP

RTP: Ports 16384 to 20384 UDP

Thanks

8 REPLIES
Bronze

Re: Command For Opening Port

to explicitly open ports you should use access-list and access-group commands but maybe your problem solve by the fixup protocol so pls see the below link :

http://www.ciscopress.com/articles/article.asp?p=24685&seqNum=3&rl=1

New Member

Re: Command For Opening Port

Firstly thanks for reply

Can you please write down the command to open the port. I dont want to touch my current pix config until i knows the accurate command my network may goes down.

Thanks

Bronze

Re: Command For Opening Port

it doesn't recommend but if you have to open thoes ports from outside to inside :

access-list acl_out permit udp any any range 16384 20384

access-list acl_out permit udp any any eq 5060

access-list acl_out permit udp any any eq 8000

access-group acl_out in interface outside

please note if a access-group is applied to your outside interface, append above access lists to exist access lists.

if you can pls specify source/destination address or both of them in above access lists.

for more information about those commands :

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1067755

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1067755

New Member

Re: Command For Opening Port

Thanks for your reply.

See i will explain you why i want to open the port.

I would like to test the voip service through broadvoice they asked me to follow these steps http://www.broadvoice.com/support_install_byod_cis79xx.html

I am using cisco 7940 IP phone. I am not getting registered to the voip provider. They asked to to open the ports as because ip phone is behind firewall.

===================================================

Here is no current Pix Firewall Config

===================================================

Melbourne(config)# sh run

: Saved

:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx encrypted

passwd xxxx encrypted

hostname Melbourne

domain-name Lex.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service UDPList udp

port-object eq 5060

port-object eq 8000

port-object range 16384 20384

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inbound permit udp any host 203.49.XXX.XXX object-group UDPList

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.0.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

access-group inbound in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac

crypto map rtpmap 1 ipsec-isakmp

crypto map rtpmap 1 match address 101

crypto map rtpmap 1 match address 101

crypto map rtpmap 1 set transform-set SecuritySet

crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 460

8000

crypto map rtpmap interface outside

isakmp enable outside

isakmp key ******** address 61.17.XXX.XXX netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group Internet request dialout pppoe

vpdn group Internet localname lex@dodo.com.au

vpdn group Internet ppp authentication chap

vpdn username lex@dodo.com.au password *********

vpdn enable inside

terminal width 80

Cryptochecksum:xxxx

: end

Melbourne(config)#

================================================

Any Suggestion please so that i can use the voip service through cisco IP Phones.

Thanks

Bronze

Re: Command For Opening Port

you're using invalid ip address for your ip phone so did you enable nat on the 7940? do you obtain public ip address through pppoe? or you nat again at your service provider

New Member

Re: Command For Opening Port

I am using static IP which is provided by ISP. 203.49..xxx.xxx

DHCP is enabled on 7940. I have entered VOIP provider TFTP server in 7940.

Yes i obtain Public IP through PPPOE an you can see in my pix configuration.

Thanks

New Member

Re: Command For Opening Port

As a side note, you should make sure protocol fixup for SIP is confugured also.

New Member

Re: Command For Opening Port

I am using static IP which is provided by ISP. 203.49..xxx.xxx

DHCP is enabled on 7940. I have entered VOIP provider TFTP server in 7940.

602
Views
0
Helpful
8
Replies
CreatePlease login to create content