Opening the 515e up for IP Video conferencing

Status
Not open for further replies.

Quincyhelp

IS-IT--Management
Oct 8, 2003
1
US
I am new to the Cisco 515e and do not know the command language but I am trying to demo IP Video conferencing. I have been asked to open the following ports for this demo:
80 Web & ICMP
1718-1720 TCP & UDP
3230-3235 TCP & UDP

And to allow access by the following IP: 216.186.3.227.

How do I go about doing this?

Thanks...Chris

Password: **  ******
QSDHSPX515E# f conf t
QSDHSPX515E(config)# show config
: Saved
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password vcFLy50lwOfLCBq0 encrypted
passwd vcFLy50lwOfLCBq0 encrypted
hostname QSDHSPX515E
domain-name QSD.WEDNET.EDU
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 7001
names
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit tcp any host 168.99.76.12 eq smtp
access-list outside_access_in permit tcp host 164.116.35.3 168.99.76.0 255.255.254.0
access-list inside_access_in permit tcp host 168.99.76.11 any
access-list inside_access_in permit tcp host 168.99.76.12 any
access-list inside_access_in permit tcp host 168.99.76.13 any
access-list inside_access_in permit tcp host 168.99.76.14 any
access-list inside_access_in permit tcp host 168.99.76.17 any
access-list inside_access_in permit tcp host 168.99.76.22 any
access-list inside_access_in permit tcp host 168.99.76.28 any
access-list inside_access_in permit tcp host 168.99.76.29 any
access-list inside_access_in deny tcp 168.99.76.0 255.255.254.0 any eq www
access-list inside_access_in permit ip 168.99.76.0 255.255.254.0 any
pager lines 24
logging on
logging buffered informational
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.144.2 255.255.255.252
ip address inside 168.99.76.1 255.255.254.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 168.99.76.14 255.255.255.255 inside
pdm location 66.119.197.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.252 outside
pdm location 66.119.197.1 255.255.255.255 inside
pdm location 168.99.76.12 255.255.255.255 inside
pdm location 164.116.35.3 255.255.255.255 outside
pdm location 168.99.76.11 255.255.255.255 inside
pdm location 168.99.76.13 255.255.255.255 inside
pdm location 168.99.76.17 255.255.255.255 inside
pdm location 64.146.128.26 255.255.255.255 outside
pdm location 64.146.128.40 255.255.255.255 outside
pdm location 66.119.197.73 255.255.255.255 outside
pdm location 164.116.35.3 255.255.255.255 inside
pdm location 64.146.128.11 255.255.255.255 outside
pdm location 168.99.76.22 255.255.255.255 inside
pdm location 168.99.76.29 255.255.255.255 inside
pdm location 168.99.76.28 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 168.99.76.12 168.99.76.12 netmask 255.255.255.255 0 0
static (inside,outside) 168.99.76.11 168.99.76.11 netmask 255.255.255.255 0 0
static (inside,outside) 168.99.76.13 168.99.76.13 netmask 255.255.255.255 0 0
static (inside,outside) 168.99.76.14 168.99.76.14 netmask 255.255.255.255 0 0
static (inside,outside) 168.99.76.17 168.99.76.17 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.144.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 64.146.128.26 255.255.255.255 outside
http 64.146.128.40 255.255.255.255 outside
http 66.119.197.73 255.255.255.255 outside
http 64.146.128.11 255.255.255.255 outside
http 168.99.76.14 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable trap
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh 66.119.197.1 255.255.255.255 inside
ssh 168.99.76.14 255.255.255.255 inside
ssh timeout 5
terminal width 80
Cryptochecksum:7444616345e42da376f1aa7801eeee9
QSDHSPX515E(config)#
 
wow that's a messy config
I have never seen a pix setup like this
Please correct me if I am wrong because I do not consider myself to be a pro (yet!)

This pix is behind a router doing NAT
The pix should be the perimeter device doing the NATing
<ip address outside 192.168.144.2 255.255.255.252 <- pvt IP should be public
<ip address inside 168.99.76.1 255.255.254.0 <- should be your LAN GW
you should open up the router and let the pix do the filtering work

to accomplish your needs
you need a static statement to put the inside host outside and an access-list to allow only the ports needed to be open
like:

Static (inside,outside) OUTSIDEIP INSIDEHOSTIP netmask 255.255.255.255 0 0
access-list 101 permit tcp any host OUTSIDEIP eq PORT#

some things you will need to consider or change if you move the pix

1:Statics
Your static statements are doing nothing

<static (inside,outside) 168.99.76.12 168.99.76.12 netmask 255.255.255.255 0 0
<static (inside,outside) 168.99.76.11 168.99.76.11 netmask 255.255.255.255 0 0
<static (inside,outside) 168.99.76.13 168.99.76.13 netmask 255.255.255.255 0 0
<static (inside,outside) 168.99.76.14 168.99.76.14 netmask 255.255.255.255 0 0
<static (inside,outside) 168.99.76.17 168.99.76.17 netmask 255.255.255.255 0 0
the IPs are on the same interface

Ex: static (inside,outside) OUTSIDEIP INSIDEHOSTIP netmask 255.255.255.255 0 0
a static statement is used to put an internal host on the outside

use them with access-lists to filter the ports available

2:Access-lists
heh I'm not sure what you are trying to do but I don't think it is done right!

Ex: access-list outside_access_in permit tcp any host OUTSIDEIP eq smtp

3:NAT
Shouldn't it be:
< nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0 0
nat (inside) 0 ACLNAME is used for VPNs

4:Global command
I don’t see one it should be
Global (outside) 1 interface

This will xlate all outbound traffic off the outside ip address


Good luck
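Putting the reply's static + access-list advice together with the exact ports and peer address from the question, here is an added worked example (not from either poster). OUTSIDE_IP and VIDEO_HOST are placeholders: VIDEO_HOST is the inside video endpoint, and OUTSIDE_IP is the address the remote site dials, which is the host's own address if the PIX keeps translating nothing, as in the posted config. Lines beginning with ! are annotations, not PIX commands; 216.186.3.227 is the remote peer named in the question.

```cisco
! Added example for PIX 6.x, not the thread's own config.
! OUTSIDE_IP / VIDEO_HOST are placeholders (assumptions, see lead-in).

! 1. Translation: put the inside endpoint on the outside interface.
static (inside,outside) OUTSIDE_IP VIDEO_HOST netmask 255.255.255.255 0 0

! 2. Inbound filter: extend the ACL already bound to the outside interface
!    (access-group outside_access_in in interface outside) and limit every
!    entry to the one remote peer rather than "any" (least privilege).
access-list outside_access_in permit tcp host 216.186.3.227 host OUTSIDE_IP eq www
access-list outside_access_in permit icmp host 216.186.3.227 host OUTSIDE_IP echo
access-list outside_access_in permit tcp host 216.186.3.227 host OUTSIDE_IP range 1718 1720
access-list outside_access_in permit udp host 216.186.3.227 host OUTSIDE_IP range 1718 1720
access-list outside_access_in permit tcp host 216.186.3.227 host OUTSIDE_IP range 3230 3235
access-list outside_access_in permit udp host 216.186.3.227 host OUTSIDE_IP range 3230 3235

! 3. Keep the existing "fixup protocol h323 1720": it inspects the H.323 call
!    setup and opens the negotiated media ports dynamically for that call only.

! 4. Rebuild translations after adding the static, then verify and save.
clear xlate
show xlate
show access-list outside_access_in
write memory
```

After a test call, `show access-list outside_access_in` should show non-zero hit counts only on the new peer-specific entries; anything still matching the broad `permit icmp any any` lines is traffic this change did not scope.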
 