[fw-wiz] Pix, VoIP and ATA's

To:	Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Subject:	[fw-wiz] Pix, VoIP and ATA's
From:	"J. Oquendo" <sil@infiltrated.net>
Date:	Wed, 29 Nov 2006 14:43:45 -0500
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	fwwizards-list2@consult.net
Delivered-to:	firewall-wizards@listserv.icsalabs.com
List-archive:	<https://listserv.icsalabs.com/pipermail/firewall-wizards>
List-help:	<mailto:firewall-wizards-request@listserv.icsalabs.com?subject=help>
List-id:	Firewall Wizards Security Mailing List <firewall-wizards.listserv.icsalabs.com>
List-post:	<mailto:firewall-wizards@listserv.icsalabs.com>
List-subscribe:	<https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=subscribe>
List-unsubscribe:	<https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=unsubscribe>
Reply-to:	Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Sender:	firewall-wizards-bounces@listserv.icsalabs.com
User-agent:	Thunderbird 1.5.0.8 (Windows/20061025)

Hey all, having an issue with a Pix and VoiP protocols. I have 3 ATA'shooked up to a bridge, that's being given DHCP via a Pix. Every machineworks fine getting DHCP and connecting except the ATA's. My connectionis as follows:


Internet --> Adtran Router --> Pix --> Internal

There are no rules on the Adtran side that would prohibit anything, andthe Pix is very minimal (mid sized location). The ATA's connect toanother Pix which is VPN'd with this one.

LocationA ---> Pix --> Adtran --> Internet --> Adtran --> Pix -->LocationB(ATA's are here)


I created an acl on LocationB:

access-list acl_inside permit ip 192.168.20.0 255.255.255.0 hostxxx.xxx.xxx.xxx

Where xxx.xxx.xxx.xxx is the registrar for these ATA's (LocationB). Whenit comes to DHCP, the Pix will not spit out an address for these ATA's.Before someone comments: "The ATA's are broken and they're not gettingDHCP" or something. I can hook them up into any other device and theywill obtain DHCP. I can hook up a laptop into the same ports as theATA's, and the laptop works fine. Seems like there is something I ammissing? If I statically assign them addresses, still no dice.



Here are relevant Pix configs:

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

timeout h323 1:39:00 mgcp 1:39:00 sip 9:30:00 sip_media 1:39:00
timeout sip-disconnect 0:10:00 sip-invite 0:10:00

dhcpd address 192.168.10.2-192.168.10.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside



--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams

smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

<Prev in Thread]	Current Thread	[Next in Thread>
[fw-wiz] Pix, VoIP and ATA's, J. Oquendo <= Re: [fw-wiz] Pix, VoIP and ATA's, Chris Wargaski

Previous by Date:	Re: [fw-wiz] Nmap Online, Francois Yang
Next by Date:	Re: [fw-wiz] Pix, VoIP and ATA's, Chris Wargaski
Previous by Thread:	[fw-wiz] Nmap Online, Matousec - Transparent security
Next by Thread:	Re: [fw-wiz] Pix, VoIP and ATA's, Chris Wargaski
Indexes:	[Date] [Thread] [Top] [All Lists]