
ccm and pix 515 6.2(2)

Status
Not open for further replies.

vince62s

Technical User
Nov 8, 2003
109
FR
here is the config

CCM4.1 is on subnet1 of PIX (int1)
Phones1 on subnet1 work perfectly calling Phones1 on subnet1

Phones2 on subnet2 of PIX (int2)
int2 more secure than int1

Nat on INT1 but specifically "NAT 0" for ACL subnet2, so technically there should not be any nat

if Phones2 call Phones1 works fine audio both ways

if Phones1 call Phones2, Phones2 just mention on its screen an incoming call but no ring, and cannot pick up.

Am I missing something ?




 
By default each interface has a security level between 0 and 100 and appears in the config like:

nameif ethernet0 outside security0
nameif ethernet1 inside security100

By default the higher security interfaces can access the lower security interfaces and the return traffic is allowed (the PIX creates state for each connection). The PIX also understands certain protocols/applications so can dynamically create state for the return traffic if multiple connections are used for the application. This is why it works for your RTP traffic when the connection is initiated from the higher security interface to the lower one.
To allow the lower security interface to access the higher one you need to create an ACL to allow the TCP/UDP ports and apply it inbound to the lower security interface.


HTH

Andy
 
I do have this already:
access-list client permit icmp any any
access-list client permit tcp any any
access-list client permit udp any any
access-group client in interface inside
access-group client in interface DMZ

and I can ping easily from a 10.0.5.X (dmz) address to a 10.0.1.Y (inside) address with no problem.


This is getting me nuts. Is there a mechanism in the PIX that would not let stream go through?
Could it be a 3500XL issue?
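
The security-level rule from Andy's reply and the `client` ACL from the last post, as a small Python model (an added example, not part of the thread and not Cisco code). It assumes a DMZ interface at security50, handles only `any any` entries, and ignores NAT and protocol fixups; it shows that this ACL permits every TCP, UDP and ICMP flow in both directions, so the security levels no longer separate the two segments.

```python
# Simplified model: an inbound ACL on the source interface decides the flow
# (first match, implicit deny); with no ACL, only higher -> lower is allowed.
# NAT/translation requirements and fixups are NOT modelled (assumption).

CONFIG = """\
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
access-list client permit icmp any any
access-list client permit tcp any any
access-list client permit udp any any
access-group client in interface inside
access-group client in interface DMZ
"""  # the DMZ nameif line and its level are constructed; the rest is from the thread


def parse(config):
    """Return (security levels, ACL entries by name, ACL bound to each interface)."""
    levels, acls, bound = {}, {}, {}
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "nameif":
            levels[w[2]] = int(w[3][len("security"):])
        elif w[0] == "access-list":
            # (action, protocol, source, destination)
            acls.setdefault(w[1], []).append((w[2], w[3], w[4], w[5]))
        elif w[0] == "access-group":
            bound[w[4]] = w[1]
    return levels, acls, bound


def decide(cfg, src_if, dst_if, proto):
    """Decide a new connection entering src_if and leaving dst_if."""
    levels, acls, bound = cfg
    if src_if in bound:
        for action, p, src, dst in acls.get(bound[src_if], []):
            if p in (proto, "ip") and src == "any" and dst == "any":
                return action + " (acl " + bound[src_if] + ")"
        return "deny (implicit deny at end of acl)"
    if levels[src_if] > levels[dst_if]:
        return "permit (higher to lower security, no acl)"
    return "deny (lower to higher security, no acl)"


def any_any_permits(cfg):
    """Per interface, the protocols opened to any source and any destination."""
    _, acls, bound = cfg
    return {ifc: [p for a, p, s, d in acls[name] if a == "permit" and s == d == "any"]
            for ifc, name in bound.items()}
```
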


 