Configuring a PIX 506e for Asterisk

Posted by orthogonal3 on Server Fault
Published on 2010-06-15T17:06:44Z

Hi all!

I'm having problems configuring an old Cisco PIX running 6.3 and wondered if anyone can lend a hand?

Simply put, I have a PIX 506e that I want to put in my VoIP data path. I can't update it, and getting a compatible version of Java for that version of PIX is tough, so I can't log onto the web interface.

The PIX straddles two networks: 192.168.5.0 on the inside, ...50.0 on the outside; both net masks are 255.255.255.0.

I have a local Asterisk server cluster with a single service IP (<local asterisk>).
SIP is on UDP 5060 and RTP (for the VoIP data) is on UDP 18000-18999.
I know that's a big range, but hey, may as well.

I need the 192.168.5.0 net to have web and FTP access for updates and the like.
DHCP, DNS and NTP are already provided on that network, so I don't need external DNS access.

So I think I want the following rules:

  • SIP or RTP from <my itsp> arriving at <outside voip ip> NATed to <local asterisk>
  • SIP or RTP able to do the reverse route (should be covered by high sec -> low sec??)
  • HTTP and FTP access outbound for software update for the servers etc

I have the following config at the minute - and I think I'm almost there (I hope)...

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password wouldyouliketobeapeppertoo encrypted
passwd wouldyouliketobeapeppertoo encrypted
hostname afirewall
domain-name adomain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list acl_ping permit icmp any any
access-list voip permit ip host <my itsp> host <local asterisk>
mtu outside 1500
mtu inside 1500
ip address outside <outside pix ip> 255.255.255.0
ip address inside <inside pix ip> 255.255.255.0
arp timeout 14400
global (outside) 1 <outside generic ip>
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) <outside voip ip> <local asterisk> netmask 255.255.255.255 0 0
static (outside,inside) <local asterisk> <outside voip ip> netmask 255.255.255.255 0 0
access-group acl_ping in interface outside
access-group acl_ping in interface inside
route outside 0.0.0.0 0.0.0.0 <my next hop router> 1
route outside <my itsp> 255.255.255.255 <my next hop router> 1

I think I just need a hand with the access-lists and NAT/static rules.
Would anyone be able to help, as I've RTFM'd the Cisco docs a few times and they're heavy?

Wishing I'd completed my CCNA now!

Thanks all for any help,

Phil
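As an added check (not part of the post, and not a Cisco tool), the script below models the two access-lists and the access-group bindings from the configuration above in Python and evaluates the flows the post says it needs. The addresses are constructed stand-ins for the post's placeholders, and the PIX semantics are simplified: first matching entry wins, a bound access-list ends with an implicit deny, and NAT, fixups and stateful return traffic are not modelled.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 / RFC 1918) for the placeholders in the post;
# none of these addresses come from the original configuration.
ITSP = "203.0.113.10"              # <my itsp>
OUTSIDE_VOIP_IP = "198.51.100.20"  # <outside voip ip>
LOCAL_ASTERISK = "192.168.5.10"    # <local asterisk>

# The two access-lists from the post, one tuple per entry:
# (protocol, source, destination, (low, high) destination-port range or None).
ACLS = {
    "acl_ping": [("icmp", "any", "any", None)],
    "voip": [("ip", ITSP, LOCAL_ASTERISK, None)],
}
# access-group bindings from the post: acl_ping on both interfaces, "voip" never bound.
ACCESS_GROUPS = {"outside": "acl_ping", "inside": "acl_ping"}

def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(interface, proto, src, dst, dport=None):
    """Classify a flow arriving inbound on `interface` as 'permit' or 'deny'
    (simplified PIX 6.3 rules: first match wins, bound list ends in implicit deny)."""
    acl_name = ACCESS_GROUPS.get(interface)
    if acl_name is None:
        # No ACL bound: security levels decide (inside 100 -> outside 0 is allowed).
        return "permit" if interface == "inside" else "deny"
    for p, s, d, ports in ACLS[acl_name]:
        if p not in ("ip", proto) or not _addr_matches(s, src) or not _addr_matches(d, dst):
            continue
        if ports is not None and proto in ("tcp", "udp") and not ports[0] <= dport <= ports[1]:
            continue
        return "permit"
    return "deny"  # implicit deny at the end of every bound access-list

def audit():
    """Evaluate the flows the post wants against the lists that are actually bound."""
    return {
        "sip_from_itsp": evaluate("outside", "udp", ITSP, OUTSIDE_VOIP_IP, 5060),
        "rtp_from_itsp": evaluate("outside", "udp", ITSP, OUTSIDE_VOIP_IP, 18500),
        "http_outbound": evaluate("inside", "tcp", "192.168.5.50", "198.51.100.99", 80),
        "ping_outbound": evaluate("inside", "icmp", "192.168.5.50", "198.51.100.99"),
    }

if __name__ == "__main__":
    for flow, verdict in audit().items():
        print(f"{flow}: {verdict}")
```

The SIP and RTP denies come from the `voip` list never being referenced by an access-group, and the outbound HTTP deny shows the implicit deny that binding `acl_ping` to the inside interface introduces for everything that is not ICMP.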
