CCM on one side of a PIX and phones on the other = a problem !!!

vidirk · ‎11-21-2001

Can anyone give me an example of configuration of a PIX that supports having IP Phone and SoftPhone on one side of a PIX and CCM on other side.

I need to use NAT. I have PIX 6.1.1, CCM 3.1(1), SoftPhone 1.2

I have tried to use static nat and fixup protocol skinny but with no luck.

Thanks

v.kangin · ‎11-21-2001

you mean 'NO fixup protocol skinny' right?

both the IP phones and softphone's don't work?

also, be more specific about what is not working, at what point the phones/calls are failing ...

vidirk · ‎11-21-2001

I have fixup protocol skinny 2000 in my config and I am also using static nat for the phones.

Is that not the way to do it ?

I have opened for IP traffic from my gateway and CCM (they are on the same side) to the IP Phones (on the oter side). The strange thing is that I can call from the PSTN to the IP Phones and everthing works but when I call from my IP phone to the PSTN then it is disconnected in about 3-4 seconds (doesn´t matter wether the pstn user answers or not). What is more the display on the IP phone freeze for a few seconds when the call is disconnected (but not when the call comes from the pstn) Strange !!!

v.kangin · ‎11-23-2001

I had the EXACT same problem you are describing! and the problem turned out to be the "fixup protocol skinny" command. After I put NO fixup ... and rebooted my phones, voila, 2 1/2 days of torture were over with. We have a little bit diff. of a situation in that the phones were on the other side of PIX IPsec tunnell, and we had to put NO fixup .. on both PIX's, but do this and you should be ok. let me know how it works.

vidirk · ‎11-23-2001

Thanks,

if you put No fixup protocol skinny - then I guess you have to open udp (16xxx - 32xxx) and some tcp ports (2000 and few others) - right ?

v.kangin · ‎11-23-2001

yes, i believe you're right. we don't limit ports considering we are tunnelling, so i don't know exactly what ports to open up, but i've seen dave post a list of them before in these forums.

vidirk · ‎11-23-2001

Thanks,

I have a list of all the ports - I just don´t understand why the fixup protocol skinny doesn´t work because the Cisco documentations says it does - but hey life ain´t perfect :-)

vidirk · ‎11-27-2001

The solution for the IP Phone is to use PIX version 6.0.1 105 with the 3.1.1 version of CCM

rlyons · ‎11-29-2001

Hello Vidir,

What do you mean "105 with the 3.1.1 version of CCM"? What is the "105"?

Also are the phones able to do a Cisco TFTP request through the PIX?

Thanks,

Bob

vidirk · ‎11-29-2001

Hi,

Cisco says that the skinny headers changed between CM 3.0 and CM 3.1 so you need this version of the PIX sw.

105 seems to be some version under 6.0(1) release as you can see below.

Cisco Secure PIX Firewall Version 6.0(1)105

Compiled on Mon 01-Oct-01 12:54 by morlee

The only thing you need is to have this software and the fixup protocol skinny 2000. I have no problem with tftp.

Vidir

dcrabbe · ‎12-03-2001

FYI:

(running 3.1(2c) over 6.1.1 pix, build 105)

The fixup skinny command tells the PIX to check the message numbers in the skinny packets (use the latest Ethereal (www.ethereal.org) to decode them). This command was added at about pix 6.1.

The bravo build of CCM (3.1) uses higher message numbers than Encore, and versions of PIX < 6.1.1 build 105 block these messages and hence the phones don't work properly.

As for TFTP, it works fine if you open a conduit for it on the PIX.

Doug.

jangbi · ‎12-10-2001

Can someone tell me where I can download 6.0(1) 105.

I looked at the CCO and they only have 6.1.1 or 6.0.1 but compile date is old.

Thanks